Complying with the Personal Data Act of Singapore

As a result of recent regulations, Singapore companies are required to obtain the consent of an individual before they can collect, use, or disclose any personal information related to that individual. The Personal Data Protection Act (or PDPA) relies on two main pillars for protecting consumers: the Do Not Call (DNC) Registry and general data protection provisions. If you manage a company based in Singapore, you should understand the scope of this regulation and its possible impact on the operations of your firm. This article provides such an overview of the PDPA.


How the PDPA defines personal data

Personal data is any data that can be used to identify an individual on its own; this is referred to as uniquely identifying data. In addition, generic data used together with uniquely identifying data is also considered personal data. The Personal Data Protection Act Commission (PDPAC) has prepared a non-exhaustive list of examples of personal data.

Uniquely identifying data:

  • Full name
  • NRIC Number or FIN (Foreign Identification Number)
  • Passport number
  • Personal mobile telephone number
  • Facial image of an individual (e.g. in a photograph or video recording)
  • Voice of an individual (e.g. in a voice recording)
  • Fingerprint
  • Iris image
  • DNA profile

Generic data:

  • Gender
  • Age
  • Nationality
  • Past employment
  • Education
  • Income
  • Spending habits
  • Medical information

Types of personal data that are exempt:

  • Business contact information such as an individual’s name, position, title, business phone number, business address, business email address or business fax number.
  • Personal data that has been recorded for at least 100 years
  • Personal data of a person who has been deceased for more than 10 years

Compliance under PDPA

In the PDPA, the government of Singapore has outlined 8 obligations that companies collecting and using personal data must follow.

  1. Consent, Purpose Limitation and Notification Obligation
  2. Access and Correction Obligation
  3. Accuracy Obligation
  4. Protection Obligation
  5. Retention Limitation Obligation
  6. Transfer Limitation Obligation
  7. Openness Obligation
  8. Do Not Call Provisions

The Obligations for Organisations under PDPA

1. Consent, Purpose Limitation and Notification Obligation

The PDPA requires organisations to develop and implement policies and procedures that clearly notify customers that their personal data is being collected. In addition, companies must notify customers of how the data may be used and to whom it may be disclosed. Lastly, before any personal data is collected, the customer must first give their consent.

How to comply

  • Create a privacy policy that is available to the public: The PDPAC recommends that companies create a privacy policy that can be displayed publicly, for example on the company website.
  • Obtain consent from customers in your terms and conditions: The PDPA requires that customers give their consent voluntarily through an opt-in mechanism; consent cannot be presumed from a customer's failure to opt out.
  • Allow customers to withdraw their consent to the collection of personal data.

2. Access and Correction Obligation

If requested, companies must provide customers with the personal data that has been collected about them and inform them of how the data has been used or disclosed in the past year. In addition, companies must correct a customer's personal data if requested.

How to Comply

  • Provide customers with their personal data within 30 days: Under the PDPA, if a company cannot respond to a customer’s access request within 30 days, then the company will have an additional 30 days from the date they were unable to fulfill the request to respond in writing to the customer.
  • Allow customers to update, correct and delete their data.

3. Accuracy Obligation

Companies must take reasonable steps to verify that the data they store on customers is accurate if they plan to use personal data to make decisions regarding the customer, or disclose the personal data.

How to Comply

  • Require verbal or written confirmation from the customer: Companies can require customers to make a verbal or written confirmation that the personal data provided is accurate and complete. Furthermore, in cases where the recency of the data is important, companies can also take measures to confirm the personal data provided by the customer is up-to-date.
  • Take extra steps to verify data from a third party provider: Companies can obtain confirmation from a third party data provider that the accuracy of the personal data has been verified.

4. Protection Obligation

Companies must protect any personal data they hold in order to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of that data.

How to Comply

  • Take cybersecurity measures to safeguard data: The PDPAC recommendations include but are not limited to:
    • Ensuring computer networks are secure
    • Adopting appropriate access controls
    • Encrypting personal data
    • Installing appropriate computer security software and using suitable computer security settings
    • Eliminating all personal data from devices that are to be recycled, sold or disposed of
    • Updating computer security and IT equipment regularly
  • Take physical security measures to safeguard data: The PDPAC recommendations include but are not limited to:
    • Marking confidential documents clearly and prominently
    • Storing confidential documents in locked file cabinet systems
    • Restricting employee access to confidential documents on a need-to-know basis
    • Using privacy filters to prevent unauthorised personnel from viewing personal data on laptop screens
    • Properly disposing of confidential documents that are no longer needed, through shredding or similar means
  • Take administrative measures to ensure personal data security: The PDPAC recommendations include but are not limited to:
    • Requiring employees to be bound by confidentiality obligations in their employment agreements
    • Implementing robust policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations
    • Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data
    • Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the efforts required to protect personal data

5. Retention Limitation Obligation

Companies are required to dispose of personal data as soon as it has fulfilled a legal or business purpose.

How to Comply

  • Prepare an appropriate personal data retention policy: Fintech companies can develop procedures that outline when stored personal data will be periodically reviewed. Furthermore, policies can be established on how to best store personal data so that it complies with the retention limitation obligation.
  • Dispose of personal data as soon as it is no longer useful: The PDPAC examples of how to cease retaining documents include but are not limited to:
    • Returning the documents to the customer
    • Transferring the documents to another person on the customer's instructions
    • Destroying the documents by shredding them or disposing of them in an appropriate manner
    • Anonymising the personal data (more on anonymising data here)

6. Transfer Limitation Obligation

  • Companies cannot transfer data to a country outside of Singapore.

7. Openness Obligation

  • Companies must develop and implement policies to meet their obligations under the PDPA.

How to Comply

  • Designate an individual responsible for compliance with the PDPA: Companies must designate at least one person who will ensure compliance with the PDPA. Note that the PDPA compliance officer does not need to be an employee of the company.

8. Do Not Call Provisions

Fintech companies are required to check the Do Not Call (DNC) Registry and receive unambiguous consent from customers before they send marketing material.

How to Comply

  • Check the DNC Registry before sending marketing material: Companies are required to check the DNC Registry within 30 days before sending marketing material to a customer's Singapore phone number.
  • Receive unambiguous consent: Companies are not required to check the DNC Registry if they have already received clear and unambiguous consent from customers to receive marketing messages on their Singapore phone number. Please see more examples of ways to receive clear and unambiguous consent here.

Further resources for PDPA compliance

The PDPAC has created a number of resources to help companies comply with PDPA regulations and stay up-to-date with new changes.