What is PDPA?
The Singapore Personal Data Protection Act, 2012 balances an individual's right to data protection against an organization's commercial need to collect, use or disclose personal data for a reasonable purpose.
As commercial activity by organizations has increased, many individuals have become concerned about how their data is used. The PDPA was enacted to balance the interests of the individual with those of the organization.
It is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPC represents the Singapore Government and serves as the primary authority for matters related to personal data protection. It is entrusted with formulating and implementing policies for protecting personal data. Its responsibilities include issuing policies, regulations and advisory guidelines that direct organizations and help them comply with the PDPA. It also acts as an enforcement authority, handling individuals' complaints against organizations and imposing penalties on those found in breach.
The PDPA Obligations
When it comes to data protection, the Singapore PDPA imposes the following nine obligations on organizations:
- Consent
Organizations may only collect, use or disclose personal data for purposes for which the individual has given express or deemed consent. Organizations must also notify the individual of those purposes, and individuals must be allowed to withdraw consent.
- Purpose
An organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and of which the individual has been informed.
- Notification
Organizations must notify individuals of the purposes for which their data is collected, used, or disclosed on or before such collection, use or disclosure. The breach notification obligation is still under review.
- Access and Correction
Upon request by an individual, organizations should correct that individual's personal data, or inform the individual what personal data about them has been collected and how it has been used or disclosed.
- Openness
Organizations must make information about their data protection policies, practices and complaints processes available on request. Organizations must also designate one or more individuals as Data Protection Officer to ensure that the organization complies with the PDPA.
- Protection
Organizations must make reasonable security arrangements to protect the personal data in their possession or under their control against unauthorized access, collection, use, disclosure or similar risks.
- Accuracy
Organizations must make reasonable efforts to ensure that the personal data they collect is accurate and complete.
- Retention
Organizations must cease to retain personal data, or anonymize it, once it is no longer necessary for any business or legal purpose.
- Transfer
Organizations may transfer personal data to another country only in accordance with the requirements prescribed under the PDPA.
PDPA Checklist
To make the Singapore PDPA obligations easier to meet, the PDPC has issued a 10-step checklist:
- Appoint a Data Protection Officer
- Notify purpose(s) and seek consent
- Respond when individuals ask about their personal data
- Allow correction of personal data
- Secure personal data held by the organization
- Dispose of personal data that is no longer needed
- Ensure protection of personal data when transferring overseas
- Closely manage service providers that handle personal data
- Check the Do Not Call Registry
- Communicate data protection policies, practices and processes