Needless to say, in today’s advanced Tech Age, an unlimited flow of data is being collected from customers daily and this massive amount is certainly being analyzed by organizations to gain more insight into its clients’ behavior. Due to such a situation, the need for a protection law to govern how personal data should be used is inevitable, hence Personal Data Protection Act (PDPA) is established in Singapore.
Particularly, it sets out rules regarding the collection, use, disclosure, and care of personal data. The Act recognizes not only the need of businesses to collect, use and disclose information but also the rights of individuals to access and correct their personal data.
Almost all organizations in Singapore, including business entities, have to comply with the Act. Thus, in this blog, BBCIncorp will provide you with PDPA Singapore guidelines that summarize what to obey and suggest some common practices follow.
1. Overview of the Singapore Personal Data Protection Act
Let’s have an insight into the scope of this Act:
1.1. Data to be covered by the Singapore PDPA
In general, personal data stored in both electronic and non-electronic forms is covered by the Singapore Personal Data Protection Act. An unit of data can be considered as personal data when an individual can be identified:
- From that data; or
- From that data and other data that an organization has or is likely to have access to.
However, the following types are not subject to the Act:
- Personal data about an individual kept in a record that has been existing for at least 100 years;
- Personal data about a deceased individual who has passed away for more than 10 years.
- Business contact information of an individual which is not provided for personal purposes such as name, business position title, business phone number and email address.
1.2. Targets to be applied by the Singapore PDPA
The Personal Data Protection Act imposed obligations regarding the collection, use, disclosure and care of personal data on nearly every business and organization in Singapore, except for:
Individual acting in a personal or domestic capacity;
Employees acting in the course of their employment with an organization;
Public agency or an organization acting on behalf of a public agency in respect of collecting, using or disclosing personal data;
A data intermediary is also exempted from the imposed obligations, but only partly, for its personal data processing on behalf of and for the purpose of another organization under a contract. To be more specific, personal data protection and retention obligations are still applied. In regard to definition, data intermediary is an organization which processes personal data on behalf of another organization but does not include employees of that other organization.
2. The PDPA Checklist for Businesses
Business organizations have to comply with Part II to VI of the Personal Data Protection Act. Below is the summary, the full detail can be found here.
2.1. Main Principles to Comply
An entity can collect, use or disclose personal data only when:
- An individual gives a consent to such action; or
- The action is required or authorized under this Act or any other written law; or
- An individual voluntarily provides personal data to the organization for a purpose.
At any time, a person may withdraw a given consent with a reasonable notice. An organization can inform and explain to that person the possible consequences of such withdrawing, however, cannot prohibit the individual from doing so.
An organization can collect, use or disclose personal data about an individual only for purposes:
- That is appropriate to a reasonable person in given circumstances; and
- That is informed to that individual, if applicable.
Regarding notification of purpose, the following information shall be informed to an individual:
- The purpose for the collection, use or disclosure of the personal data on or before the action takes place;
- The business contact information of a person who can answer related questions on behalf of the entity, if requested.
An organization, in case of collecting personal data about a person from another entity without the consent of the individual, must still provide sufficient information of the purpose for the collection to that other entity for consideration.
C. Access to personal data
An individual can make a request to receive from an organization:
- The personal data of the individual that is possessed and controlled by the organization; and
- Information on how such data has been used in the last one year.
Please note that an organization can still turn down the request if the provision of personal data is expected to:
- Threaten or do harm physically or mentally to any person, including the one making request;
- Breach another person’s data;
- Be against the national interest;
There are many more exceptions from access requirements which are mentioned in the Fifth Schedule of the Personal Data Protection Act in Singapore.
D. Personal data correction
An individual can also make a request to correct an error or omission regarding personal data. Unless there is a valid reason that such correction should not be made, an organization has to:
- Correct the data as soon as possible;
- Send the corrected data to the other entities to which the data was disclosed in the last 1 year.
E. Accuracy of personal data
The personal data collected must be accurate and complete if it is likely to be:
- Used to make decisions that affect the individual to whom the data relates; or
- Disclosed to another organization.
F. Protection of personal data
There should be a reasonable database security for risk avoidance such as unauthorized access, unwanted modification and hacking.
G. Retention of personal data
An organization shall stop to retain or remove the personal data when it is reasonable to assume that the retention is no longer necessary for legal or business purposes.
H. Overseas transfer
An organization can only transfer personal data to a foreign country or territory which has at least the same level of protection as the Personal Data Protection Act in Singapore.
2.2. Consequences for non-compliance
The organization not complying with any provision in Part III to VI of the Act must follow one or all of the following directions determined by the Commission which is The Info-communications Media Development Authority:
- Ceasing to collect, use or disclose personal data that violates the Act;
- Destroying personal data collected that violates the Act;
- Comply with any other direction of the Commission (to correct personal data, to make a refund and to provide data access to a complainant);
- Paying a penalty of an amount not exceeding $1 million which is determined by the Commission.
3. Common Practice
3.1. Using Checking Tool
You can use the PDPA Assessment Tool for Organizations (PATO) to check whether your business entity has fully complied with all the PDPA provisions or not. It is a helpful and also easy-to-use tool which provides questionnaire and questions on your business’s personal data protection and policies.
3.2. Appointing Data Protection Officers
All business organizations, including sole proprietorship, are legally required to appoint at least one Data Protection Officer (DPO). The DPO’s function is to ensure that the entity is complying with the Personal Data Protection Act by reviewing and updating your business’s policies in line with the latest regulation.
Furthermore, a Data Protection Officer also has to deal with complaint regarding PDPA requirements. Thus, it is also required that the business information of at least one DPO must be available and reachable to the public.
Since it is not stated in the PDPA where the DPO should be based, the DPO can either be an employee of your organization or an outsourcing third-party. It may be ideal for a person whose work relates to data protection to take on the role of DPO as one of his/her responsibilities.
Arranging an efficient data management framework will also be a good practice to well align your organization with the PDPA requirements. Such processes and policies in place are of great benefits for your entity in regard to relevant activities such as easier to assess as well as process the access or correction complaints, prepare detailed timelines for the retention or cease retention if there are such cases, ensure the sufficiency of data protection policies and review the engagement of your entity and your third parties under your control and compliance with the PDPA.
4. Summarized Main Points
- Personal Data Protection Act in Singapore is applied to almost all organizations in the city-state, covering nearly all kinds of personal data.
- Personal Data Protection Act in Singapore Guidelines for businesses:
- To grant consents before data collection, use, or disclosure
- To have appropriate purposes for data collection, use, or disclosure
- To provide data access when requested
- To correct false data when requested
- To collect complete and accurate data
- To have secured protection for database
- To stop data retention when it is no longer served the business purposes
- To transfer data overseas when only there is a standard protection level comparable to the Singapore PDPA
- Common practices to comply with the Singapore Personal Data Protection Act:
- Using the PDPA Assessment Tool for Organizations
- Appointing Data Officers or Offices
Should you have any related questions, feel free to message us! BBCIncorp is always willing to help!