Personal Data Protection Act (PDPA)

    Singapore

    Personal Data Protection Act 2012 (No. 26 of 2012)

    The Personal Data Protection Act (PDPA) is the primary legislation for personal data protection in Singapore. The Act was passed on 15 October 2012 and came into full effect on July 2, 2014.

    Last Updated: July 30, 2019


  • General

    The PDPA sets a baseline standard of protection for personal data across Singapore’s economy by complementing sector-specific legislative and regulatory frameworks. This means that organizations will have to comply with the PDPA as well as the common law and other relevant laws that are applied to the specific industry that they belong to when handling personal data in their possession.

    The PDPA is designed to govern the collection, use and disclosure of personal data in Singapore by any private organization, including those that are not physically located in Singapore. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

    * Compared with the GDPR, the PDPA tends to be more business-friendly. For example, there is no data breach notification requirement under the Act.

    The Personal Data Protection Commission (PDPC) is established under the Act as its enforcement body. The PDPC has a broad range of powers, including conducting investigations to verify compliance with the PDPA, ordering an organization to stop collecting or disclosing data, ordering the destruction of data and imposing financial sanctions of up to SG$ 1 million (USD 800,000) in case of a breach of the PDPA.

    A national Do Not Call Registry (DNC Registry) is established under the PDPA. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing messages, in the form of voice calls, text messages such as SMS or MMS, and faxes; organizations are prohibited from sending such messages to Singapore telephone numbers registered with the DNC Registry. Under the PDPA, any person or organization found guilty of the offence of sending telemarketing messages to Singapore telephone numbers without checking the DNC Registry is liable to a fine of up to US$10,000 per message sent.

    *The DNC Registry provisions came into force on 2 January 2014 and more than 600,000 phone numbers have already been registered on the DNC Registry.

    Scope

    The PDPA applies to all private organizations that collect, use or disclose personal data in Singapore, regardless of their place of incorporation. The Act does not apply to:

    • processing activities of the public sector or any organization acting as an agent of a public agency in processing personal data;
    • business contact information;
    • employees acting on behalf of their employer;
    • organisations processing data for the purpose of complying with data protection legislation (e.g. the Personal Data Protection Commission);
    • personal data contained in records that are at least 100 years old;
    • personal data about deceased individuals who have been dead for over 10 years; and,
    • processing in the course of household activities.

    Definitions

    Personal Data means any data, whether true or not, about an individual who can be identified either from that data alone or from that data and other information to which the organization has or is likely to have access.

    Individual means any natural person whether living or deceased.

    Organization (equivalent to a controller under the GDPR) includes any individual, company, association or body of persons, corporate or unincorporated, whether or not — (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.

    Data intermediaries (equivalent to a data processor in the GDPR) are excluded from much of the PDPA obligations, although data intermediaries do need to abide by the provisions on the protection of personal data (section 24) and the deletion of personal data when the purposes are no longer served in their retention (section 25).

  • Lawfulness, Fairness and Nondiscrimination

    Consent

    Section 13(a) stipulates that consent is required for collecting, using or disclosing an individual’s personal data. Consent is limited to the purpose for which it was given and may be withdrawn at any time, in which case the collection, use or disclosure of such personal data must immediately cease. Section 14 of the Act indicates that consent is only valid if the data subject has been informed, on or before the personal data is collected, of the purposes for the collection, use or disclosure of the personal data, as the case may be, and of any other purpose of which the data subject has not previously been informed before the data is used or disclosed for that purpose. This means that controllers ought to obtain consent for further purposes of which data subjects had not been made aware. Sections 14.2 and 14.3 indicate that consent is not valid if:

    • it is requested as a condition of providing a product or service and requires an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
    • if it is obtained by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.

    It is useful to note that under the PDPA, consent can be implied (e.g. when the data subject provides a controller with their personal data).

    Other lawful bases

    Sections 13(b) and 17 allow the collection, use or disclosure without the consent of the individual if it is authorised under this Act or any other written law. Section 17.1 refers to the Second Schedule for a list of lawful bases for collecting personal data without consent:

    • the collection is necessary for any purpose that is clearly in the interest of the individual if consent for its collection cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
    • the personal data is publicly available;
    • the collection is necessary for the national interest;
    • the collection is necessary for any investigation or proceedings if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
    • the collection is necessary for evaluative purposes;
    • the personal data is collected solely for artistic or literary purposes (freedom of expression);
    • the personal data is collected by a news organisation solely for its news activity (freedom of expression);
    • the personal data is collected for the controller to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
    • the collection is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
    • the personal data is collected by a credit bureau from a member of the credit bureau to create a credit report, or by a member of the credit bureau from a credit report provided by the credit bureau to that member in relation to a transaction between the member and the individual;
    • the personal data is collected to confer an interest or a benefit on the individual under a private trust or a benefit plan, and to administer such trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be;
    • the personal data was provided to the controller by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual;
    • the personal data is included in a document:
      • produced in the course, and for the purposes, of the individual’s employment, business or profession, and
      • collected for purposes consistent with the purposes for which the document was produced;
    • the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual;
    • if a controller enters a business asset transaction with another organization, the collection of personal data of employees, customers, directors, officer or shareholders is allowed, provided that the organisation collecting the personal data only uses or discloses the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data, and that it relates directly to the part of the other organisation or its business assets with which the business asset transaction is concerned;
    • the personal data was disclosed by a public agency, and the collection is consistent with the purpose of the disclosure by the public agency.

    Likewise, Section 17.2 refers to the Third Schedule for a list of lawful bases for using personal data without consent:

    • the use is necessary for any purpose which is clearly in the interests of the individual, if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the use is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
    • the personal data is publicly available;
    • the use is necessary for the national interest;
    • the use is necessary for any investigation or proceedings;
    • the use is necessary for evaluative purposes;
    • the personal data is used for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the controller;
    • the use is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
    • for a research purpose, including historical or statistical research, provided that:
      • the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form,
      • it is impracticable for the organisation to seek the consent of the individual for the use,
      • the personal data will not be used to contact persons to ask them to participate in the research, and
      • linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest;
    • the data was collected based on any of the grounds listed in the Second Schedule and is used by the controller for a purpose that is consistent with the purpose of collection (e.g. if data was collected to safeguard the vital interests of the data subject, the use of those data ought to be consistent with safeguarding the vital interests of the data subject).

    Finally, Section 17.3 refers to the Fourth Schedule for a list of lawful bases for disclosing personal data without consent:

    • the disclosure is necessary for any purpose that is clearly in the interest of the individual if consent for its disclosure cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
    • the personal data is publicly available;
    • the disclosure is necessary for the national interest;
    • the disclosure is necessary for any investigation or proceedings if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
    • the disclosure is necessary for evaluative purposes;
    • the personal data is disclosed solely for artistic or literary purposes (freedom of expression);
    • the personal data is disclosed by a news organisation solely for its news activity (freedom of expression);
    • the personal data is disclosed for the controller to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
    • the disclosure is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
    • the personal data is disclosed by a member of a credit bureau to the credit bureau for the purpose of preparing credit reports, or in a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual;
    • the personal data relates to current or former students of the controller, being an educational institution, and is disclosed to a public agency for the purposes of policy formulation or review;
    • the personal data relates to the current or former patients of a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248) or any other prescribed healthcare body and is disclosed to a public agency for the purposes of policy formulation or review;
    • the disclosure is for the purpose of contacting the next‑of‑kin or a friend of an injured, ill or deceased individual;
    • if a controller enters a business asset transaction with another organisation, the disclosure to that organisation of personal data of employees, customers, directors, officers or shareholders is allowed, provided that the organisation receiving the personal data only uses or discloses it for the same purposes for which the disclosing organisation would have been permitted to use or disclose the data, and that it relates directly to the part of the disclosing organisation or its business assets with which the business asset transaction is concerned;
    • the disclosure is for archival or historical purposes if a reasonable person would not consider the personal data to be too sensitive to the individual to be disclosed at the proposed time;
    • the data was collected based on any of the grounds listed in the Second Schedule and is disclosed by the controller for a purpose that is consistent with the purpose of collection (e.g. if data was collected to safeguard the vital interests of the data subject, the disclosure of those data ought to be consistent with safeguarding the vital interests of the data subject).

    *When compared with the GDPR, the PDPA provides controllers with more leeway for processing personal data without consent.

    Legitimate interest

    There is no explicit mention of “legitimate interest”, but Schedules 2, 3 and 4 include cases that parallel the legitimate interest ground under EU law. A few items listed in the Second Schedule regulate the collection of personal data on what amounts to a legitimate interest ground:

    • the collection is necessary for any purpose that is clearly in the interest of the individual if consent for its collection cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the collection is necessary for evaluative purposes;
    • the personal data is collected by a credit bureau from a member of the credit bureau to create a credit report, or by a member of the credit bureau from a credit report provided by the credit bureau to that member in relation to a transaction between the member and the individual;
    • the personal data is collected to confer an interest or a benefit on the individual under a private trust or a benefit plan, and to administer such trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be;
    • the personal data was provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual;
    • the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual.

    A few items listed in the Third Schedule regulate the use of personal data on a legitimate interest ground:

    • the use of personal data is necessary for any purpose that is clearly in the interest of the individual if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the use of personal data is necessary for evaluative purposes;
    • the personal data is used for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
    • the data was collected based on any of the grounds listed in the Second Schedule and is used by the controller for a purpose that is consistent with the purpose of collection (e.g. if data was collected to safeguard the vital interests of the data subject, the use of those data ought to be consistent with safeguarding the vital interests of the data subject).

    A few items listed in the Fourth Schedule regulate the disclosure of personal data on a legitimate interest ground:

    • the disclosure of personal data is necessary for any purpose that is clearly in the interest of the individual if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
    • the disclosure of personal data is necessary for evaluative purposes;
    • the personal data is disclosed by a member of a credit bureau to the credit bureau for the purpose of preparing credit reports, or in a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual;
    • the disclosure is for the purpose of contacting the next‑of‑kin or a friend of an injured, ill or deceased individual;
    • the data was collected based on any of the grounds listed in the Second Schedule and is used by the controller for a purpose that is consistent with the purpose of collection (e.g. if data was collected to safeguard the vital interests of the data subject, the use of those data ought to be consistent with safeguarding the vital interests of the data subject).
  • Transparency and Free Access

    Transparency is not explicitly mentioned as a principle or ground for processing in the Act. However, the PDPA imposes several obligations on controllers to meet an openness requirement.

    Section 11.3 imposes on controllers the obligation to designate one or more internal or external individuals to be responsible for ensuring that the controller complies with the Act (see DPO topic below).

    Designating a DPO does not relieve controllers from any of their data protection obligations. In addition, Section 11.5 requires controllers to make available the contact details of the DPOs or delegates designated or whoever is able to answer data protection queries and requests on behalf of the controller. With regards to this, the Personal Data Protection Commission (PDPC) has officially stated in their 2017 Revised Advisory Guidelines on Key Concepts of the PDPA that in order to facilitate a controller’s ability to respond swiftly to queries or complaints “[a]s good practice, the business contact information of the relevant person should:

    • be readily accessible from Singapore,
    • operational during Singapore business hours and in the case of telephone numbers,
    • be Singapore telephone numbers”.

    In addition, Section 20 imposes on controllers the obligation to provide information to data subjects when relying on consent. In order for consent to be valid, organisations ought to: (a) inform the individual of the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data; and (b) inform the individual of any other purpose for the use or disclosure of the personal data of which the individual has not been informed, before the personal data is used or disclosed for that purpose.

    The Act does not specify a particular manner or form in which controllers must inform data subjects of the processing activities and the purposes for which their personal data is collected, used or disclosed. It is left to controllers to determine the best way of complying with the openness obligation. According to the PDPC (the Data Protection Authority), important factors that controllers should take into account include:

    • the circumstances and manner in which it will be collecting the personal data;
    • the amount of personal data to be collected;
    • the frequency at which the personal data will be collected; and
    • the channel through which the notification is provided (e.g. face-to-face or through a telephone conversation, issuing a privacy notice, etc.).

    In addition, the PDPC says that it is generally good practice to state this information in writing so that data subjects and controllers can refer to a clearly documented statement of the organisation’s purposes.

    It is accepted in Singapore to include a privacy notice in a contract, or within a service agreement if personal data is being collected in the course of entering into a contract with the data subjects. If the information is being collected as part of, for example, a pre-screening, the privacy notice can also be issued separately from a contract. This practice is in stark contrast with the obligations imposed under the GDPR, where it is always required to make a clear distinction between T&Cs and the document or method used for issuing “fair processing information” (articles 12, 13 and 14 of the GDPR).

    The PDPC offers good practice considerations relating to the notification obligation, including:

    • drafting the privacy notice in a way that is appropriate for the audience intended;
    • using a layered notice;
    • identifying those purposes that may be of special concern to the data subject;
    • choosing an appropriate channel to convey the information;
    • developing and maintaining processes to ensure regular reviews of the effectiveness of the policies and procedures implemented.
  • Purpose specification, use limitation and suitability

    Section 18 (on the limitation of purpose and extent) limits the purpose for which a controller may collect and process personal data. In particular, section 18 stipulates that controllers may collect, use, or disclose personal data about an individual only:

    • for purposes that a reasonable person would consider appropriate in the circumstances (e.g. when offering a wi-fi hotspot it is not necessary to collect gender, age, or full address);
    • for purposes that the data subject has been previously informed about in compliance with section 20 (please refer to the entry on “Lawfulness, fairness and non-discrimination”).

    All personal data collected ought to be limited to the purpose initially identified. If data is collected, used or disclosed for a purpose other than the one initially identified, controllers ought to obtain consent again or identify one of the lawful bases listed in the Second, Third or Fourth Schedules (for collection, use and disclosure respectively).

    The PDPC has indicated that “whether a purpose is reasonable depends on whether a reasonable person would consider it appropriate in the circumstances”. Therefore, this has to be reviewed on a case-by-case basis taking into account the individual circumstances of the data subject and the context in which the processing operations will take or are taking place.

  • Data Minimisation, Storage Limitation and Accuracy

    Storage limitation

    The PDPA does not specify a fixed duration of time for which an organisation can retain personal data. Instead, the duration of time for which an organisation can legitimately retain personal data is assessed on a standard of reasonableness. Section 25, Part VI (Care of Personal Data) stipulates that controllers shall cease to retain documents containing personal data or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that:

    • the purpose for which that personal data was collected is no longer being served by retention of the personal data:
      • personal data may be retained so long as one or more of the purposes for which it was collected remains valid, or
      • personal data should not be kept by controllers “just in case” they may need the data for other purposes;
    • retention is no longer necessary for legal or business purposes. Examples of situations whereby other legal or business purposes may apply for longer retention periods include:
      • the personal data is required for an ongoing legal action involving the controller;
      • retention of the data is necessary in order to comply with the organisation’s obligations under other applicable laws or standards;
      • the controller needs to retain the personal data to carry out its business operations (e.g. generate annual reports).

    Accuracy

    Section 23, Part VI (Care of Personal Data) stipulates that: An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data:

    • is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
    • is likely to be disclosed by the organisation to another organisation.

    The PDPC suggests that controllers should make a reasonable effort to:

    • accurately record personal data that are directly or indirectly collected;
    • collect and record accurately the personal data that will be processed;
    • take the necessary steps to ensure the accuracy of the data; and
    • consider whether it is necessary to update the information.

    The “reasonableness” test implies that this obligation has to be analysed on a case-by-case basis, taking into account the nature of the data, the purposes for which those data will be processed, the reliability and accuracy of the information, and the potential impact on the data subject concerned if the data were outdated, inaccurate or incomplete.

    *There is nothing in the PDPA regarding data minimisation as it is understood in EU data protection legislation.

  • Security & Prevention

    Section 24 (Care of Personal Data) stipulates that controllers shall protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The PDPA does not detail the different subcategories of data security (confidentiality, availability, integrity and resilience), but on a broad reading of Section 24 they are implicitly covered by the wording of the law. However, the PDPA says little about which specific mechanisms or safeguards are appropriate.

    The PDPC recommends that in practice controllers should:

    • design and organise their security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach;
    • identify reliable and well-trained personnel responsible for ensuring information security;
    • implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity; and
    • be prepared and able to respond to information security breaches promptly and effectively.

    The Fourth Schedule [items 1(q) and 4(e)] stipulates that personal data may be disclosed to another organisation for research purposes without the consent of the data subject, provided that the organisation to which data will be disclosed has signed an agreement with the disclosing party providing assurance that they will comply with (among others) security and confidentiality conditions of the organisation disclosing the personal data. Stretching the interpretation of Section 24, combined with the Fourth Schedule [1(q) and 4(e)] it is safe to say that the law implicitly states that controllers ought to document their information security program.

  • Accountability & Record Keeping

    Accountability is not expressly mentioned as a principle or a requisite for the lawful processing of personal data in Singapore. Nevertheless, controllers are accountable for compliance with data protection obligations. The PDPC provides a list of four items indicative of controllers’ accountability obligations:

    • Organisations are accountable by providing individuals with access to their personal data. This enables data subjects to know what personal data relating to them is held by controllers and how those data have been used.
    • Upon submitting a complaint to the PDPC, a review or an investigation may be carried out by the authority to determine a controller’s conduct and compliance with the Act.
    • If it has been determined that a controller has contravened the data protection obligations, the PDPC can impose a hefty fine and/or give directions to the controller instructing how to become compliant.
    • Individuals have a right to initiate civil proceedings against a controller that has caused loss or damage to the plaintiff.

    In addition, Sections 29.1 and 30 (Part VII: Enforcement of Parts III and IV) give the DPA the power to instruct organisations about the necessary steps that have to be taken in order to ensure compliance with a requirement of the law which the controller is not meeting. Moreover, these directions can be registered in a District Court, which shall have jurisdiction to enforce any direction issued by the DPA.

    Record-keeping is not explicitly mentioned as an obligation in the PDPA. However, the PDPC has indicated that, as a good practice, controllers should keep a record of all access requests received and processed, documenting whether each request was granted or not.

  • DPO

    Section 11.3 (Part III: General Rules) imposes on organisations (controllers) the obligation to designate one or more individuals responsible for ensuring that the controller complies with its data protection obligations. Section 11.4 provides that the designated responsible individual may delegate his or her tasks and responsibilities to another individual.

    Designating a DPO does not relieve controllers from any of their data protection obligations. In addition, Section 11.5 requires controllers to make available the contact details of the DPOs or delegates designated or whoever is able to answer data protection queries and requests on behalf of the controller. With regards to this, the Personal Data Protection Commission (PDPC) has officially stated in their 2017 Revised Advisory Guidelines on Key Concepts of the PDPA that in order to facilitate a controller’s ability to respond swiftly to queries or complaints “[a]s good practice, the business contact information of the relevant person should:

    • be readily accessible from Singapore;
    • be operational during Singapore business hours; and
    • in the case of telephone numbers, be Singapore telephone numbers”.

  • Privacy by Design

    Embedded within the openness (transparency) obligation in section 12 of the Act there is an obligation of controllers to implement the necessary policies and procedures to meet their data protection obligations. This information should be publicly available. In particular, controllers have the obligation to:

    • develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
    • develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
    • communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
    • upon request make information available about the policies, procedures and complaint processes.

    This is not nearly as complex as the GDPR approach to privacy by design and by default, but there is an obligation to embed a privacy and data protection culture into the business processes of a controller. Moreover, the PDPC recommends controllers, as a good practice, to develop processes to regularly review the effectiveness and relevance of the privacy notice, policies and practices.

  • PIA/DPIA

    There is no specific mention of impact assessments in the Act, but the PDPC offers a best practice that roughly resembles the basis for a DPIA. In particular, the PDPC suggests that controllers undertake risk assessments to understand whether the security mechanisms implemented are adequate, taking into account:

    • the nature of the data,
    • the size of the organisation,
    • the amount of personal data in the possession or under the control of the controller,
    • the procedures for internal access to the data (who has access to the personal data, and under what circumstances), and
    • whether the personal data is being or will be processed by a data processor on behalf of the controller.

  • Data Subject Rights

    There are four rights laid down in the PDPA: a right to be informed about any personal data being processed, the right to access personal data in the possession of a controller, the right to have personal data rectified and the right of direct private action. Below we provide a practical description with a list of exceptions to each right.

    Right to be informed

    This is referred to in Singapore as the “Notification Obligation”. Sections 20(a) and 20(b) (notification of purpose) impose on controllers the obligation to inform data subjects of the purposes for which their personal data will be collected, used and disclosed. Controllers must inform data subjects on or before collecting, using or disclosing any personal data. Providing data subjects with this information is essential if controllers are relying on consent as the lawful basis for processing their data.

    In addition, if a controller failed to share with the data subjects any purpose for use or disclosure of their data at the time of collection, the controller ought to inform the data subject about the purpose of the use or disclosure before such use or disclosure takes place.

    For more details about the manner in which controllers ought to notify data subjects, please read the entry titled “Transparency and Free Access” above.

    Exceptions

    Section 20.3 states that controllers do not have to comply with the notification obligation if:

    • the data subject concerned is deemed to have consented to the collection, use or disclosure of his or her personal data; or
    • the controller collects, uses or discloses personal data without relying on consent as the lawful ground for processing, but on Section 17 and any of the lawful grounds specified in the Second, Third and Fourth Schedules.

    Right of Access

    Section 21 stipulates that controllers shall, as soon as is reasonably possible, provide data subjects with:

    • their personal data that is in the possession or under the control of a data controller; and
    • information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the controller within a year before the date of the request.

    In addition, data subjects have the right to request the contact details of the DPO. Section 20.1(c) stipulates that upon request by the individual, controllers ought to disclose the business contact information of an employee who is able to answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data.

    Section 21.5 states that if there are no restrictions or exceptions (see below) to the right of access, controllers ought to grant access to the personal data. If some of the personal data is subject to any of the exceptions listed below, the controller shall still grant access to the remainder, but ought to leave out any personal data subject to exceptions or restrictions.

    Exceptions

    Section 21.2 stipulates that controllers are not required to provide data subjects with their personal data in regard to the matters specified in the Fifth Schedule of the Act, namely data concerning:

    • opinion data kept solely for an evaluative purpose;
    • any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    • the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    • personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre;
    • a document related to a prosecution if all proceedings related to the prosecution have not been completed;
    • personal data which is subject to legal privilege;
    • personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the controller;
    • personal data collected, used or disclosed without consent in the context of any investigation or proceedings, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
    • the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act:
      • under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration,
      • under any written law, or
      • by a court, arbitral institution or mediation centre; or
    • any request:
      • that would unreasonably interfere with the operations of the controller because of the repetitious or systematic nature of the requests;
      • which burden or expense of providing access would be unreasonable to the controller or disproportionate to the data subject’s interests;
      • concerning information that does not exist or cannot be found;
      • concerning information that is trivial; or
      • that is frivolous or vexatious.
    Section 21.3 indicates that controllers shall not provide data subjects with their personal data or other information if providing it could reasonably be expected to:

    • threaten the safety or physical or mental health of an individual other than the individual who made the request;
    • cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
    • reveal personal data about another individual;
    • reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
    • be contrary to the national interest.

    Section 21.4 stipulates that controllers shall not inform any individual that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule, that is:

    • the disclosure is necessary for any investigation or proceedings, or
    • the personal data concerned is disclosed to an officer of a law enforcement agency. Such disclosure has to be backed by prior written authorisation issued and signed by the director of the relevant law enforcement agency (or a person of similar rank), certifying that disclosure of the personal data is necessary for the purposes of the functions or duties of the officer.

    Right to rectification

    After having accessed their personal data, data subjects have, under Section 22, the right to request controllers to rectify any mistakes or omissions they may find in the personal data that is in the possession or under the control of the controller. If a controller is satisfied that a correction should be made:

    • the information should be corrected as soon as it is reasonably feasible, and
    • the controller should send the rectified information to every party to which the personal data was disclosed by the controller within a year before the date when the correction was made. Provided that data subjects consent, Section 22.3 allows controllers — who are not a credit bureau — to send the corrected personal data only to a specified list of parties to which the personal data was disclosed (as opposed to sending it to all parties involved). All parties who receive the rectification notification should correct the personal data contained in their databases.

    If a controller has reasonable grounds to object to the rectification request, the controller shall annotate the personal data with the correction that was requested but not made (Section 22.5).

    Exceptions

    Section 22.7 stipulates that controllers are not required to comply with the right to rectification in respect of the matters specified in the Sixth Schedule (Exceptions from correction requirement), namely information regarding:

    • opinion data kept solely for an evaluative purpose;
    • any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    • the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    • personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or
    • a document related to a prosecution if all proceedings related to the prosecution have not been completed.

    A right of private action

    Section 32.1 provides that any person who suffers loss or damage directly as a result of a contravention of any provision in Parts IV, V or VI (does not include Part III on General Rules with Respect to Protection of Personal Data) by an organisation shall have a right of action for relief in civil proceedings in a court of law. Section 32.3 stipulates that the court may grant to the plaintiff all or any of the following:

    • relief by way of injunction or declaration;
    • damages;
    • such other relief as the court thinks fit.

  • Vendor Management

    Although there is no explicit mention of the obligation of organisations (controllers) to engage their vendors with a legally binding instrument (e.g. a contract), Section 4.2 stipulates that data processors (“data intermediaries”) processing personal data on behalf of a controller will be subject to the security obligations (“protection obligation”) and to the retention limitation obligation. Data processors are not subject to any of the other data protection provisions contained in the Act.

    The relationship between the controller and the processor has to be evidenced in writing with a legally binding agreement. This provision could be read as an implicit obligation of controllers to engage their vendors with a contract: if there is no written contract, the vendor does not qualify as a data intermediary under Section 4.2 and could be regarded as a controller in its own right, subject to the full set of obligations. It is unclear who is responsible for engaging whom, but given the shift in responsibilities and obligations, it is safe to say that processors ought to make sure that a legally binding agreement exists before commencing processing operations on behalf of a controller.

  • Cross-Border Data Transfers

    Section 26.1 lays down a general prohibition on the transfer of personal data to third countries, except where the transfer takes place in accordance with requirements prescribed under the Act to ensure that organisations receiving the personal data in the third country provide a standard of protection comparable to that under the PDPA. Alternatively, a controller may submit a written request to the PDPC for an exemption from the prohibition, and the PDPC responds to the request by notice in writing. Sections 26.3 and 26.4 stipulate that if an exemption is granted by the PDPC:

    • such exemption may be granted subject to any conditions that the PDPC considers necessary and should be specified in writing,
    • the PDPC may add to, vary, or revoke any of the conditions imposed,
    • the exemption does not need to be published in the official journal, and
    • the exemption may be revoked at any time by the PDPC.

    Cross-border data transfer mechanisms

    There are no specific mechanisms in the Act, but the PDPC has issued some guidance. Controllers who wish to send personal data overseas have to take appropriate steps to ensure that the recipient will comply with the data protection provisions in respect of the transferred personal data while such personal data remains in its possession or under its control. To achieve this, the recipient should be bound by legally enforceable obligations to provide the transferred personal data with a standard of protection comparable to that under the PDPA. Legally enforceable obligations imposed on the recipient include:

    • existing laws in the third country to which the recipient is bound;
    • a contract:
      • requiring the recipient to provide a standard of data protection comparable to that found under the PDPA, and
      • specifying the countries or territories to which the personal data may be transferred;
    • Binding Corporate Rules; or
    • Any other legally binding instrument.

    Exceptions

    A controller is considered to have fulfilled the requirement to take appropriate steps, and not required to request an exemption if:

    • the data subject consents. In order to rely on consent obtained from the data subject, the controller should provide the individual with a reasonable summary (in writing) of the extent to which the personal data transferred to those countries and territories will be protected to a standard comparable to the protection under the PDPA;
    • the transfer is necessary for the performance of a contract between the controller and the data subject, or to fulfil a request made by the data subject with a view to entering into a contract;
    • the transfer is necessary for the performance of a contract between the controller and a third party that was entered into at the request of the data subject (or is entered into in the data subject’s interest);
    • the transfer is necessary for the use or disclosure where consent is not required, such as safeguarding the vital interests of the data subject. In this case, the controller has to make sure that the recipient of the personal data will not use the information for any other purpose but to safeguard the vital interests of the data subject;
    • the personal data is solely in transit through a third country (e.g., through routing equipment);
    • the personal data is already publicly available in Singapore.

  • DatabreachPedia

    Overview

    There is currently no mandatory breach notification requirement in Singapore. However, the Personal Data Protection Commission (PDPC) strongly encourages organisations to notify personal data breaches.

    Is it Mandatory to Notify Individuals?

    No, but PDPC recommends it.

    Is it Mandatory to Notify Regulator?

    No, but PDPC recommends it.

    Notification Deadline

    As soon as possible, immediately if sensitive personal data is involved.

    Responsible Regulator

    Singapore Personal Data Protection Commission
    10 Pasir Panjang Road
    #03-01 Mapletree Business City
    Singapore 117438

    Tel. +65 6377 3131
    Fax: +65 6577 3888
    Email: [email protected]
    Web: https://www.pdpc.gov.sg/

    Breach Notification Format

    The individuals should be contacted through the most effective ways (e.g. social media, emails etc.). The PDPC should be notified through email as soon as possible where breaches might cause public concern or involved a risk of harm to individuals.
