I Legislative Overview

The main legislation governing data protection in Singapore is the Personal Data Protection Act 2012 (“PDPA”). The principal objective of this legislation relates to the collection, use and disclosure of personal data: it protects the personal data of the individual on the one hand and obliges organisations to abide by certain safeguards on the other hand.

The PDPA is in turn supported by subsidiary legislation, namely:

The PDPA supplements certain industry-specific legislative and regulatory frameworks, such as the Banking Act and the Insurance Act.

II Governing Authority

The Personal Data Protection Commission (“PDPC”) is responsible for administering the PDPA with the Info-communications Media Development Authority designated as the PDPC.

III Scope of Application

The overall scope of the PDPA is to govern the collection, use and disclosure of personal data by organisations, and to establish and administer the Do Not Call Register.

IV Exceptions and Non-application

The following are exempted from the PDPA’s application, namely:
(a) an individual acting in a personal or domestic capacity;
(b) an employee acting in the course of his or her employment with an organisation;
(c) a public agency; or
(d) others as prescribed.

V Penalties for Violations

Violation of the PDPA will attract a fine, penalty and/or imprisonment, depending on the severity.

VI Personal Data Protection Obligations

In terms of safeguarding personal data, there are Data Protection Obligations under the PDPA for compliance, namely:

  1. Accountability Obligation
  2. Notification Obligation
  3. Consent Obligation
  4. Purpose Limitation Obligation
  5. Accuracy Obligation
  6. Protection Obligation
  7. Retention Limitation Obligation
  8. Transfer Limitation Obligation
  9. Access and Correction Obligation
  10. Data Breach Notification Obligation
  11. Data Portability Obligation

Further elaboration on the obligations can be viewed at the PDPC’s website.

VII Who Needs to Register under the PDPA

At present, there is no requirement for registration under the PDPA for collecting, using, or processing personal data. However, there is a need to register with the Do Not Call Register in order to benefit from its provisions.

VIII Advisory Guidelines

In addition to the PDPA and its subsidiary legislation, there are Advisory Guidelines which are recommendatory, namely:

In addition, there are industry-led guidelines, such as those developed by the Life Insurance Association Singapore.

IX Data Protection Officer (DPO)

It is mandatory under the PDPA to designate at least one DPO whose contact details must be made available to the public. The duty of a DPO is to ensure the organisation’s compliance with the PDPA.

X Notification for Data Breach

An organisation must notify the PDPC of notifiable data breaches. A notifiable data breach is a data breach which (i) results in, or is likely to result in, significant harm to an affected individual; or (ii) is, or is likely to be, of a significant scale.