What is Personal Data Protection Act (PDPA)?
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.
The PDPA recognises both:
- The right of individuals (natural persons, whether living or dead) to protect their personal data; and
- The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances
The challenge
What is Personal Data?
Personal data means:
- Data about an individual who can be identified from that data itself; or
- Data about an individual who can be identified from that data and other information to which your business has or is likely to have access
Examples of personal data that can, on its own, identify an individual include:
- Biometric identifiers (face geometry or fingerprints)
- Name and NRIC number
- Photograph or video image of an individual
- Voice of an individual
- DNA profile
Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for 10 years or fewer. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.
What are the types of personal data the that PDPA does not apply to?
The PDPA does not apply to the following categories of personal data:
- Personal data that is contained in a record that has been in existence for at least 100 years; and
- Personal data about a deceased individual who has been dead for more than 10 years
- Business contact information, which is information not provided by an individual solely for personal purposes, and includes an individual’s:
- Name;
- Business title;
- Business telephone number; and
- Business address and email address
Who is Not Obliged to Comply with the PDPA?
The PDPA imposes obligations on organisations in respect of the collection, use and disclosure of personal data in Singapore.
The following persons, however, do not have to comply with these obligations:
- Any individual acting in a personal or domestic capacity;
- Any public agency; and
- Any organisation in the course of acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data
Employees acting in the course of their employment with an organisation will have to adhere to their organisation’s policies for ensuring the organisation’s compliance with the PDPA. However, they themselves cannot be held personally liable for actions resulting in their organisation breaching the PDPA.
Additionally, organisations that are data intermediaries are partially excluded from these obligations.
The PDPA defines “data intermediary” as an organisation that processes personal data on behalf of another organisation. However, this definition does not include employees of the organisation (for which the data is being processed).
Ensuring compliance with PDPA obligations
- What personal data is being collected
- For compliance with the Protection Obligation
- Being aware of the types of personal data being collected will allow you to have a better picture of the type of protective measures needed and evaluate if the purposes for which such data is being collected are best served by the data collection.
- For what purposes the personal data is being collected
- For compliance with the Purpose Limitation Obligation and the Retention Limitation Obligation
- Who is collecting the personal data
- For compliance with the Consent Obligation and Notification Obligation
- Only authorised personnel who have received appropriate training in PDPA compliance should be involved in the collection process
- Where the personal data is stored
- For compliance with the Protection Obligation
- To whom the personal data is disclosed
- For compliance with the Access and Correction Obligation and Protection Obligation
- While your business has to provide access to the personal data of an individual who requests for it, you should verify the identity of the individual. For example, by requesting for appropriate identification documents before providing such access. This would in turn prevent inadvertent leaks of personal data.
Reputation Loss, Lost of Trust & Penalty
Consequences of Non-Compliance with the PDPA
Your business is accountable for its PDPA compliance in various ways.
For example, individuals may request for access to their personal data held by your business (see the Access and Correction Obligation above). They may also submit a complaint to the PDPC which will investigate your business’ conduct and compliance with the PDPA.
If it is found that your business is not PDPA-compliant, the PDPC may:
- Impose a financial penalty of up to $1 million
- Direct your business to stop collecting, using or disclosing personal data in contravention of the PDPA
- Direct your business to destroy personal data collected in contravention of the PDPA
In April 2016, the Business Times reported that 11 companies, including Challenger Technologies and K Box Entertainment Group (K Box), had been fined for breaching data protection obligations under the PDPA.
K Box, in particular, was given a financial penalty of $50,000 for failing to implement adequate security measures to protect the personal data of its members.
What Should You Do If You Collect, Use or Disclose Individuals’ Personal Data Throughout the Course of Your Business?
- If your business wants to store personal data in the cloud, you should take appropriate steps to ensure that the transfer of data to the cloud complies with the PDPA’s data protection laws.
- If your business issues newsletters through email, you should ensure that the creation and sending of your newsletter as well as the management of your subscriber list complies with the PDPA and other applicable laws.
- Should your business be involved in telemarketing, you should ensure that the relevant regulations, including those relating to the Do Not Call (DNC) Registry are complied with The DNC regime established under the PDPA, prohibits organisations from sending marketing messages to Singapore telephone numbers registered with the DNC Registry.
- If your business maintains physical or electronic records of personal data, these records have to be disposed of, using appropriate methods, as stipulated in the PDPA.
- Businesses are also not allowed to make copies of individuals’ NRICs, or collect, use or disclose NRIC numbers, unless this is required by law or required to verify an individual’s identity to a “high degree of fidelity”.