Data Protection Regulation and Requirements in Singapore

Below we outline some key aspects your company should note in relation to the Personal Data Protection Act (PDPA) in Singapore.

Businesses are handling more and more personal data as technology advances make this easier each year. In response, the government and legislators are continuously issuing new guidance and requirements to keep consumers informed and their data safe.

Regulations vary between countries, and it can be challenging to ensure compliance when you operate in multiple jurisdictions.

Personal data refers to data about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access. Most organisations hold personal data. This may include the personal data of their clients, suppliers and even their employees. The PDPA provides guidelines to protect such information.

The PDPA provides a baseline standard of protection for personal data in Singapore. It works in addition to other regulatory frameworks and any applicable sector-specific legislation (for example the Banking Act and Insurance Act). The PDPA comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. This does not mean that you are not allowed to handle personal data in Singapore. On the contrary, the PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. The legislation acts to ensure that personal data is not misused. It maintains consumer and investor trust in organisations and strengthens Singapore’s position as a trusted business hub. We will examine some of the key provisions of the PDPA below.

The PDPA outlines ten main obligations for businesses to consider when creating their policies and processes in relation to handling personal data:

  • Consent – You must obtain explicit consent from individuals to handle their personal data. You must also ensure that customers can withdraw their consent.
  • Purpose limitation – You may only collect personal data that a reasonable person would consider appropriate in the circumstances.
  • Notification – You must notify individuals that you are collecting their data and how it will be used.
  • Access and Correction – Individuals have the right to request access to and to correct their personal data held by organisations.
  • Accuracy – You should take steps to verify that the information you have gathered is accurate if you are using the data in a way that affects the individual or if you are transferring the data to another organisation.
  • Protection – You must keep personal data safe. This includes both physical safety such as locked cabinets and online safety such as encryption and other cyber security solutions.
  • Retention limitation – You may only retain personal data for a reasonable period to meet the purpose for which it was obtained.
  • Transfer limitation – You may not transfer personal data to organisations outside Singapore unless you maintain control of the data.
  • Data Breach Notification – Where required, you must notify individuals and/or the Commission of any data breach.
  • Accountability – Organisations are required to take steps in order to ensure they meet their data protection obligations.

Many of these items can be covered in your Privacy Policy and Terms and Conditions. These are key documents so make sure they are readily available and easy for customers, suppliers and partners to understand.

Under the PDPA, Singapore-registered companies are required to appoint at least one individual as the Data Protection Officer (DPO) to oversee data protection responsibilities and ensure the company is compliant with the PDPA. The DPO is to be appointed via ACRA filing and the details of the appointee must be available to the public.

The responsibilities of a DPO include, but are not limited to:

  • Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
  • Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
  • Managing personal data protection-related queries and complaints;
  • Alerting management to any risks that might arise with regard to personal data; and
  • Liaising with the PDPC on data protection matters, if necessary.

The PDPA provides for the establishment of a national Do Not Call Registry. Through this service, individuals can register their telephone numbers to ensure they do not receive unwanted calls or marketing messages.

Organisations are prohibited from sending marketing messages or making marketing calls to numbers on the DNC Registry. When sending marketing messages to other numbers, you must ensure that you provide an opt-out function. There are some exceptions to DNC requirements, such as messages about charitable causes and surveys. Additionally, if you have explicit consent, you may send marketing messages without checking the DNC Registry.

The European Union General Data Protection Regulation, widely known as GDPR, is the EU-wide personal data protection legislation. GDPR may apply to organisations in Singapore if they offer goods or services to customers in the EU. The PDPA and GDPR regimes have different requirements, so compliance with one does not mean automatic compliance with the other. However, they are well aligned in many aspects and recent changes to the PDPA legislation have brought them closer.

The safety and appropriate use of personal data is important to both regulators and individuals. Developing sound policies and processes that are easily accessible is the best way to ensure compliance.