What is PDPA – Singapore’s Personal Data Protection Act?

In this article, we’ll explain what the PDPA is, how it works, and who it affects?

The Personal Data Protection Act (PDPA) is a data protection law enacted by the Parliament of Singapore on 15 October 2012. The Act came into full effect in July 2014 and was recently updated in November 2020.

It governs all personal data collection use and disclosure by a private organization related to Singaporean citizens. However, the regulation also acknowledges the need for organizations to use and collect personal data in appropriate circumstances.

Under a recent review, a mandatory data breach notification regime was introduced. Here, organizations that suffer a data breach are obligated to notify the Singaporean authorities and data subjects unless an exception applies.

{{ compliant_register }}

The PDPA defines ten protection obligations, including:

1. Purpose limitation. Only use or disclose personal data for the purposes defined.
2. Notification. Inform the individuals on the purposes of collecting, using, and disclosing their personal data during collection.
3. Consent. Ensure that consent has been obtained from the individuals before collecting, using, or disclosure of their personal data.
4. Access and correction. Upon request, provide the individual’s personal data and information on how the individual’s personal data has been used or disclosed in the past year. Correct an individual’s personal data upon request.
5. Accuracy. Ensure that personal data is accurate and complete during collection or when making a decision that will affect the individual.
6. Protection. Keep personal data in your possession secure from unauthorized access, modification, disclosure, use, copying, whether in hardcopy or electronic form.
7. Retention limitation. Retain personal data only for business/legal purposes and securely destroy personal data when no longer needed.
8. Transfer limitation. Ensure overseas external organizations provide a standard of protection under the Singapore PDPA.
9. Openness. Designate a Data Protection Officer and publish their business contact information. Make available personal data protection policies and practices to the public and employees, including the complaint process.
10. Do-Not-Call (DNC). Do not send marketing messages to individuals registered in the National DNC registry through voice, text messages, or fax unless you have obtained their clear and unambiguous consent or have an ongoing relationship (for text/fax).

For those already familiar with the GDPR, many of these obligations will seem familiar. However, the PDPA predates the GDPR by several years.

The tenth obligation – Do-Not-Call – is not always regarded as an obligation but rather is part of the PDPA’s governing of telemarketing in Singapore. Instead, a tenth (or eleventh) obligation is the requirement to notify the authorities and data subjects following a data breach.

{{ divider }}

The Personal Data Protection Commission (PDPC) was established under the PDPA as the regulatory authority responsible for governing data protection in Singapore. The PDPC advises the government on future regulations and routinely publishes advisory guidelines for data protection.

The PDPC is part of the converged telecommunications and media regulator, the Infocomm Media Development Authority (IMDA). Both authorities are, in turn, under the purview of the Ministry of Communications and Information.

The creation of the PDPC is part of a push towards a “culture of accountability.” For instance, in 2019, the PDPC implemented the Data Protection Trustmark Certification. It is a voluntary enterprise-wide certification program created for an organization to demonstrate its accountable data protection practices.

The PDPC also enforces and prosecutes numerous organizations for PDPA violations: notably including SingHealth following the 2018 SingHealth data breach.

{{ divider }}

Like other data protection legislation, such as the UK and EU GDPR and Brazil’s LGPD, the PDPA contains “extra-territorial effects.” That means that organizations not based in Singapore can find themselves obligated to accord with the PDPA if an organization collects, uses, or discloses data within Singapore.

For instance, if a non-Singaporean company – like Facebook – collects data from Singaporeans online, then it is subject to the PDPA. It will also face penalties should it be found to not be in accordance with the regulation.

{{ divider }}

Should an organization be found to be in violation of the PDPA, then the PDPC reserve the right to enforce several penalties. These include requiring the organization to:

– Stop collecting, using, or disclosing personal data in contravention of the PDPA.
– Destroy personal data collected in contravention of the PDPA.
– Provide access to or correct personal data.
– Pay a financial penalty of up to SGD 1 million (approximately €625,735).

The latter fine is substantially lower than the penalties enforced under the EU GDPR, which can reach €20 million or 4% of the annual global turnover – whichever is highest. However, with the recent amendment, the PDPC now has the power to impose higher financial penalties. That includes a maximum of 10% of the organization’s annual turnover in Singapore (if the turnover exceeds SGD 10 million (approximately €6,257,210) or up to SGD 1 million (approximately €625,735).

Furthermore, penalized companies are also likely to suffer from reputational damage and public backlash.

{{ divider }}

The PDPA is the Singaporean data protection act. It governs the processing of personal data in the private sector. If you are business with dealings in Singapore, it is critical to familiarize yourself with the contents of the bill.

For further information, please refer to the PDPC website.

Sources:

https://www.dataguidance.com/notes/singapore-data-protection-overview
https://www.pwc.com/sg/en/personal-data-protection.html
https://en.wikipedia.org/wiki/Personal_Data_Protection_Act_2012
https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=P1IV-#P1IV-
https://www.pdpc.gov.sg/

{{ compliant_scan }}