I Legislative Overview
The main legislation governing data protection in Singapore is the Personal Data Protection Act 2012 (“PDPA”). Its principal objective is to govern the collection, use and disclosure of personal data in a manner that protects the personal data of individuals on the one hand and obliges organisations to abide by certain safeguards on the other.
The PDPA is in turn supported by subsidiary legislation, namely:
- Personal Data Protection (Do Not Call Registry) Regulations 2013
- Personal Data Protection (Statutory Bodies) Notification 2013
- Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
- Personal Data Protection (Prescribed Law Enforcement Agency) Notification 2020
- Personal Data Protection (Composition of Offences) Regulations 2021
- Personal Data Protection (Enforcement) Regulations 2021
- Personal Data Protection Regulations 2021
- Personal Data Protection (Appeal) Regulations 2021
- Personal Data Protection (Notification of Data Breaches) Regulations 2021
The PDPA operates alongside industry-specific legislative and regulatory frameworks, such as the Banking Act and the Insurance Act, which continue to apply to organisations in those sectors.
II Governing Authority
The Personal Data Protection Commission (“PDPC”) administers the PDPA; the Info-communications Media Development Authority (IMDA) is designated as the PDPC.
III Scope of Application
The PDPA governs the collection, use and disclosure of personal data by organisations, and establishes and provides for the administration of the Do Not Call Register.
IV Exceptions and Non-application
The PDPA does not apply to the following:
(a) individual acting in a personal or domestic capacity;
(b) employee acting in the course of his or her employment with an organisation;
(c) public agency; or
(d) others as prescribed.
V Penalties for Violations
Contraventions of the PDPA may attract financial penalties, fines and/or imprisonment, depending on the nature and severity of the contravention.
VI Personal Data Protection Obligations
To safeguard personal data, the PDPA imposes the following Data Protection Obligations on organisations:
- Accountability Obligation
- Notification Obligation
- Consent Obligation
- Purpose Limitation Obligation
- Accuracy Obligation
- Protection Obligation
- Retention Limitation Obligation
- Transfer Limitation Obligation
- Access and Correction Obligation
- Data Breach Notification Obligation
- Data Portability Obligation
Further elaboration on each obligation is available on the PDPC’s website.
VII Who Needs to Register under the PDPA
At present, there is no requirement for an organisation to register under the PDPA in order to collect, use or process personal data. Individuals who wish to benefit from the Do Not Call provisions must, however, register their Singapore telephone numbers with the Do Not Call Registry.
VIII Advisory Guidelines
In addition to the PDPA and its subsidiary legislation, the PDPC has issued Advisory Guidelines, which are advisory in nature and not legally binding, namely:
- Introduction to Guidelines
- Advisory Guidelines for Management Corporations
- Advisory Guidelines for the Healthcare Sector
- Advisory Guidelines on the Do Not Call Provisions
- Advisory Guidelines for the Social Service Sector
- Advisory Guidelines on Requiring Consent for Marketing Purposes
- Advisory Guidelines on Application of PDPA to Election Activities
- Advisory Guidelines on Enforcement of Data Protection Provisions
- Advisory Guidelines on the Personal Data Protection Act for Selected Topics
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Advisory Guidelines for the Education Sector
- Advisory Guidelines for the Telecommunication Sector
- Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers
- Advisory Guidelines for the Real Estate Agency Sector
- Advisory Guidelines on In-vehicle Recordings by Transport Services for Hire
In addition, there are industry-led guidelines, such as those developed by the Life Insurance Association Singapore.
IX Data Protection Officer (DPO)
Every organisation must designate at least one individual (the DPO) to be responsible for ensuring its compliance with the PDPA, and must make the business contact information of at least one DPO available to the public.
X Notification for Data Breach
An organisation must notify the PDPC of any notifiable data breach. A data breach is notifiable if it (i) results in, or is likely to result in, significant harm to an affected individual; or (ii) is, or is likely to be, of a significant scale. A breach affecting 500 or more individuals is deemed to be of significant scale. Notification to the PDPC must be made as soon as practicable and, in any case, no later than three calendar days after the organisation assesses that the breach is notifiable; where the breach results in, or is likely to result in, significant harm to affected individuals, those individuals must also be notified.