General
- What is 'personal data'?
- When will the Personal Data Protection Act (PDPA) come into force?
- What are the objectives of the PDPA?
- How does the PDPA benefit me?
- How is the PDPA different from the Spam Control Act?
- What is 'deemed' consent?
- What constitutes 'acting in personal or domestic capacity'?
- What is 'business contact information'?
Collection, Use & Disclosure
- How much personal data can an organisation collect about me?
- What can an organisation do with my personal data that is collected before the PDPA is enacted?
Access & Correction
- Can I request access to my personal data held by an organisation?
- Can I request to correct my personal data held by an organisation?
Care of Personal Data
- How long can an organisation retain my personal data for?
- What are the rules on cross-border transfer of personal data?
Do Not Call Registry
- How can the DNC registry help me?
- When will the DNC registry be ready?
- Is the DNC registry only open to Singapore telephone numbers?
- Will my telephone number registered with the DNC registry expire?
- Do I have to pay to register my telephone number with the DNC registry?
- How can I register my telephone numbers with the DNC registry?
- Will the DNC registry rules cover overseas telemarketers?
- Are business-to-business (B2B) marketing calls or messages covered under the DNC registry?
- Are emails and mail delivered by post covered under the DNC registry?
- If an organisation has obtained consent from me before I registered with the DNC registry, can the organisation still send marketing messages to me?
General
1. What is 'personal data'?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.
2. When will the Personal Data Protection Act (PDPA) come into force?
To allow time for organisations to adjust to the new law, the PDPA will be implemented in phases, with the provisions relating to the Do Not Call (DNC) registry coming into force in early 2014 and the provisions relating to the personal data protection coming into force in mid 2014.
3. What are the objectives of the PDPA?
Complementing sector-specific frameworks, the PDPA will safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving individuals more control over how their personal data is used.
The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data, and giving assurance to businesses looking for safeguards to protect sensitive data sets.
4. How does the PDPA benefit me?
The law will ensure that organisations put in place adequate safeguards to protect individuals’ personal data. Organisations will generally be required to obtain your consent to the collection, use and disclosure of your personal data for their intended purposes and thus you will have more control over how your personal data is used.
5. How is the PDPA different from the Spam Control Act?
The Spam Control Act (“SCA”) sets out a framework to manage unsolicited commercial electronic messages sent in bulk through electronic mail, text and multimedia messaging, otherwise known as "spam". The SCA requires organisations to, among other things, provide an unsubscribe facility within the spam message and include a header in the subject field of the message or, where there is no subject field, as the first words in the message.
While the SCA manages the sending of spam messages, the PDPA sets out rules governing the proper collection, use and disclosure of personal data, which would include contact information of an individual. Under the PDPA, organisations are required to obtain consent for a stated purpose to collect, use or disclose the contact information of an individual, and safeguard such information, unless any exception applies.
In addition, the provisions relating to the DNC registry in the PDPA allow individuals to opt out of marketing messages (voice calls, SMS/MMS or fax) delivered to a Singapore telephone number.
Organisations are prohibited from sending marketing messages to Singapore telephone numbers registered with the DNC registry unless they have obtained clear and unambiguous consent, in writing or other accessible form, to the sending of the marketing message to the particular Singapore telephone number.
In relation to the sending of spam messages, the PDPA applies to the collection, use and disclosure of individuals’ contact information for such purposes, while the SCA governs the manner in which the spam message may be sent. These frameworks will operate concurrently.
6. What is 'deemed' consent?
You are deemed to consent to the collection, use or disclosure of personal data by an organisation for a purpose if you voluntarily provide the personal data to the organisation for that purpose; and it is reasonable that you would do so.
For example, when you seek medical treatment in a medical facility, such as a clinic or hospital, and voluntarily provide your personal data, you would be deemed to have consented to the collection and use of your personal data by the medical facility for that purpose.
7. What constitutes ‘acting in personal or domestic capacity’?
These are purposes to do with your personal, family or household affairs. For example, if you keep a database of your friends’ and relatives’ names, addresses, contact numbers and birthdates for your own personal use, you are considered to be acting in a personal or domestic capacity. Your keeping of the database will not be covered under the PDPA.
8. What is 'business contact information'?
Business contact information refers to your name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information, not provided by you solely for your personal purposes.
Based on the above definition, business contact information will be excluded from the data protection requirements of the PDPA, except for the requirements relating to the Do Not Call (DNC) registry.
Collection, Use & Disclosure
1. How much of my personal data can an organisation collect, use or disclose about me?
Under the PDPA, organisations may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that you have been notified of by the organisation unless an exception under the PDPA applies.
In addition, the organisation must obtain your consent to such collection, use or disclosure, unless any exception under the PDPA applies.
In this regard, organisations shall not, as a condition of supplying a product or service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. For example, an organisation that sells a consumer product should not require you to reveal your annual household income as a condition of selling you the product, although it may still ask you to provide such personal data as an optional field.
If the organisation wishes to collect any additional personal data, the organisation shall provide you the option of whether to consent to this.
2. What can an organisation do with my personal data that is collected before the effective date of the data protection rules in mid 2014?
Generally, organisations can continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.
Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. The exceptions from the need to seek consent for collection, use or disclosure are set out in the Second, Third and Fourth Schedules of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.
As an example, if a company has been using your personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose.
Access & Correction
1. Can I request access to my personal data held by an organisation?
You may request access to your personal data held by an organisation. Organisations may charge a reasonable fee on a cost recovery basis.
However, organisations are prohibited from providing you access if the provision of the data may:
- cause immediate or grave harm to your safety or physical or mental health;
- threaten the safety or physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of the individual who has provided the personal data about you, and the individual has not consented to the disclosure of his or her identity; or
- be contrary to national interest.
In addition, there are cases where organisations may deny subject access requests.
For example, organisations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organisation. There are also exclusions for access to and correction in respect of any examination conducted by an education institution, examination scripts and examination results prior to their release. Organisations may also refuse access to or correction of opinion data kept solely for an evaluative purpose as defined in the PDPA.
The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.
2. Can I request to correct my personal data held by an organisation?
You may request to correct an error or omission in the personal data an organisation holds about you.
The organisation is generally required to make the correction and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose. For example, the organisation may have disclosed your name and address to a delivery company it engaged on a once-off basis to deliver a product that you have purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.
The organisation may seek your consent to send your corrected data only to specific organisations, instead of to all the organisations the data was disclosed to.
An organisation need not make a correction where it is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that is requested but not made.
An organisation is also not required to alter an opinion, including a professional or expert opinion.
Exceptions from the correction requirement may be found in the Sixth Schedule of the PDPA.
Care of Personal Data
1. How long can an organisation retain my personal data for?
The PDPA does not prescribe the retention period. However, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention, and retention is no longer necessary for business or legal purposes.
2. What are the rules on cross-border transfer of personal data?
The PDPA will apply to all personal data collected, used or disclosed in Singapore. As such, organisations that collect personal data overseas and host and/or process it in Singapore will still be subject to relevant obligations under the PDPA from the point that such personal data is brought into Singapore.
For organisations that collect personal data here and transfer such data overseas, the PDPA requires that measures be put in place by the organisation here transferring the personal data, to provide a comparable standard of protection overseas. These measures will be prescribed and are envisioned to include the use of contractual agreements among the organisations involved in the transfer.
Do Not Call Registry
1. How can the DNC registry help me?
The DNC registry lets you opt out of marketing messages addressed to your Singapore telephone number, such as those which promote or advertise goods or services, allowing you to have more control over the kind of messages you receive on your telephone, mobile telephone, or fax machine.
As the DNC registry is meant to focus on telemarketing calls or messages of a commercial nature sent to consumers, political messages, messages solely for market survey and the promotion of charitable or religious causes are not currently covered by the requirements relating to the DNC registry.
Other types of messages that are excluded include messages for Business-to-Business marketing, as these may be essential to the day-to-day operations between businesses and do not affect consumers.
Organisations are required to check the DNC registry within certain time periods before sending any marketing message (60 days for the first six months of the DNC registry’s operations, and 30 days thereafter). Therefore, you should not receive marketing messages from organisations (except those you have given clear and unambiguous consent for, in written or other accessible form) 30 or 60 days after registration. However, during the period immediately after registration (within 60 days for the first six months of the DNC registry’s operations, and within 30 days thereafter), you may expect to still receive some marketing messages.
2. When will the DNC registry be ready?
To allow time for organisations to adjust to the new law, the PDPA will be implemented in phases, with the provisions for the DNC registry rules coming into force in early 2014.
3. Is the DNC registry only open to Singapore telephone numbers?
The DNC registry accepts registration of Singapore telephone numbers, including mobile, fixed-line, residential and business numbers. You will not be able to register overseas telephone numbers.
Although the DNC registry allows the registration of all eight-digit Singapore telephone numbers, in general, only the account-holder or subscriber of the telephone line should register the telephone number on the DNC registry. Where the account-holder or subscriber of the telephone line is the organisation and not the employee, employees should seek permission of the organisation if they wish to register their business numbers. In any case, the sending of Business-to-Business (B2B) marketing messages is not currently covered by the requirements relating to the DNC registry.
4. Will my telephone number registered with the DNC registry expire?
Registrations of telephone numbers with the DNC registry do not expire. Your registration with the DNC registry will only be removed when the telecommunication service linked to your telephone number is terminated, or upon your withdrawal of the registration on the DNC registry.
5. Do I have to pay to register my telephone number with the DNC registry?
Your registration with the DNC registry will be free-of-charge.
6. How can I register my telephone number with the DNC registry?
The DNC registry will contain three separate Registers of Singapore telephone numbers to allow registrations for voice calls, text messages (SMS/MMS) and faxes. Generally, you will be able to register using various modes such as signing up by calling a toll-free number, via SMS and via a website. The details of the DNC registry registration will be made available at a later date.
7. Will the DNC registry rules cover overseas telemarketers?
The PDPA shall apply to a marketing message addressed to your Singapore telephone number where:
- the sender is present in Singapore when the message is sent; or
- you are present in Singapore when the message is accessed.
If a Singapore organisation outsources the telemarketing function overseas, the Singapore organisation that authorised the sending of the message will need to comply with the DNC registry rules and will be responsible for the sending of the message.
If both the telemarketing organisation and the organisation which outsourced its telemarketing function are overseas organisations and they send the message while you are overseas, the DNC registry rules will not apply. For example, an overseas telecom service operator sending messages promoting their cheaper IDD service to you via the overseas telecom network will not need to check the DNC registry.
8. Are business-to-business (B2B) marketing calls or messages covered under the DNC registry?
B2B marketing calls, SMS/MMS and fax messages are not within the scope of the DNC registry. The PDPC recognises that B2B marketing calls or messages may be essential to the day-to-day operations between businesses and notes that consumers will not be affected by the exclusion of B2B marketing calls or messages as they are targeted at organisations.
However, organisations may register their Singapore telephone numbers with the DNC registry, and telemarketers that call or send a message to these registered numbers may not market to the individual. In general, only the account-holder or subscriber of the telephone line should register the telephone number on the DNC registry. Where the account-holder or subscriber of the telephone line is the organisation and not the employee, employees should seek permission of the organisation if they wish to register their business numbers.
9. Are emails and mail delivered by post covered under the DNC registry?
The DNC registry covers marketing messages sent to Singapore telephone numbers. Emails and mail delivered by post are not included within the scope of the DNC registry.
Emails are not included within the scope of the DNC registry as unsolicited emails can be blocked through email filters. They also cause less of a nuisance to delete when received, as compared to telephone calls, SMS and fax messages, which are more difficult for the individual to filter.
Furthermore, the Spam Control Act also helps to complete the framework by setting out requirements in relation to the sending of unsolicited commercial electronic messages in bulk.
As for junk mail, there are existing ways for individuals to reduce the volume of such mail, such as through the use of letterboxes with anti-junk mail features. Junk mail may also be less of a nuisance than telephone calls, SMS or MMS messages, or faxes, which are more likely to inconvenience an individual or interrupt his activities.
10. If an organisation has obtained consent from me before I registered with the DNC registry, can the organisation still send marketing messages to me?
Yes, the organisation may send marketing messages to your Singapore telephone number if it has obtained your clear and unambiguous consent to the sending of the marketing message, in written or other accessible form, regardless of when you registered your number with the DNC registry.
If you change your mind, you may withdraw your consent from the organisation concerned. The organisation shall not prohibit you from withdrawing consent but this shall not affect the legal consequences arising from the withdrawal. The organisation shall inform you of the likely consequences of your withdrawal, and shall cease sending marketing messages to you.