The Singapore Personal Data Protection Act, 2012 (PDPA) provides a framework for companies to follow for personal data protection. It comprises various rules governing the collection, use, disclosure and care of personal data.
By regulating the flow of personal data among organizations, the PDPA also has the important mission to maintain Singapore’s position as a trusted, world-class hub for businesses.
Every business in Singapore must understand what this regulation entails, its importance in the compliance and cybersecurity ecosystem, and the steps to become compliant with PDPA.
What is PDPA?
The Personal Data Protection Act, 2012 (PDPA) considers an individual’s right to data protection and an organization’s commercial right to collect, use or disclose personal data for a reasonable purpose.
With the growth in organizations' commercial activities, many individuals are concerned about how their data is being used. PDPA was therefore enacted to balance the interests of individuals against those of organizations.
PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPC represents the Singapore Government and serves as the primary authority for matters related to personal data protection. It is entrusted with formulating and implementing policies on the protection of personal data. Its responsibilities include issuing policies, regulations and advisory guidelines that direct organizations and help them comply with the PDPA. It also acts as an enforcement authority by handling individuals' complaints against organizations and imposing penalties on defaulters.
The PDPA Obligations
When it comes to data protection, PDPA imposes the following nine obligations on organizations:
- Consent
Organizations may collect, use or disclose personal data only for purposes for which the individual has given express or deemed consent. Organizations must also notify individuals of those purposes, and individuals must be allowed to withdraw consent.
- Purpose Limitation
PDPA states that an organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and of which the individual has been informed.
- Notification
Organizations must notify individuals of the purposes for which their data is collected, used or disclosed on or before such collection, use or disclosure. The breach notification obligation is still under review in the case of PDPA.
- Access and Correction
Upon request by an individual, organizations should correct the individual's personal data or inform the individual of the details of the data collected.
- Openness (Accountability)
Organizations must make information about their data protection policies, practices and complaints processes available on request. Each organization must also designate one or more individuals as Data Protection Officer to ensure that it complies with the PDPA.
- Protection
Organizations should make reasonable security arrangements to protect the personal data in their possession or under their control against unauthorized access, collection, use, disclosure or similar risks.
- Accuracy
Organizations should make reasonable efforts to ensure that the personal data they collect is accurate and complete.
- Retention Limitation
Organizations should cease to retain personal data, or anonymize it, once it is no longer necessary for any business or legal purpose.
- Transfer Limitation
Organizations may transfer personal data to another country only in accordance with the requirements prescribed under PDPA.
To make the PDPA obligations easier to meet, PDPC has issued a 10-step PDPA checklist: