Your personal data is important and you have a role to play in protecting your personal data. With the Personal Data Protection Act 2012 (PDPA), you will have more control over how your personal data is collected, used and disclosed. You also have rights of access and correction in relation to your personal data. This means that you may request any organisation which possesses your personal data to give you access to and amend your data as and when you find it necessary.
The Do Not Call (DNC) registry will also allow you to opt out of unsolicited marketing calls, messages and faxes.
What you need to know about the PDPA's data protection rules:
Collection, Use and Disclosure
- For personal data that organisations collect before the personal data protection provisions come into effect, organisations may continue to use such personal data for the purposes for which it was collected unless you inform the organisations that you do not consent to their use of your personal data.
- For personal data that organisations collect after the personal data protection provisions come into effect, organisations have to get your consent to the collection, use and disclosure of your personal data. To obtain your consent, the organisations should inform you of the purpose(s) for the collection, use or disclosure of your personal data. Feel free to ask the organisations to provide the contact of a person who can answer, on behalf of the organisation, your questions about the collection, use or disclosure of the personal data.
- Organisations should not, as a condition of supplying a product or service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide that product or service to you.
- If you voluntarily provide your personal data to an organisation for a purpose, you may be deemed to have consented to the use of your personal data for that specific purpose.
- You may withdraw your consent for the collection, use or disclosure of your personal data by an organisation at any time, with reasonable notice. The organisation should inform you of the likely consequences of your withdrawal, and cease collecting, using or disclosing your personal data.
Access and Correction
- You can request to access your personal data that an organisation possesses or controls. You can also request to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request. However, in certain circumstances or in respect of certain types of personal data, organisations are prohibited from granting such access or may choose whether or not to provide such access.
- You can request an organisation to correct an error or omission in your personal data. The organisation should also send the corrected data to other organisations (or, with your consent, only to specific organisations) to which your data has been disclosed within a year before the correction is made. Unless there are reasonable grounds for a correction not to be made, the organisation should correct your data as soon as practicable.
Care of Personal Data
- Organisations should make reasonable effort to ensure that your personal data with them is accurate and complete, if your personal data is likely to be used to make a decision that affects you, or is likely to be disclosed to another organisation.
- Organisations should make reasonable security arrangements to protect personal data they possess or control, to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Organisations should stop keeping your personal data when it is no longer necessary for legal or business purposes.
- Organisations may only transfer your personal data outside of Singapore if the organisations put in place measures to ensure that the protection provided to the personal data transferred is comparable to the protection under the PDPA, unless exempted by the Personal Data Protection Commission (PDPC). The measures to be put in place will be prescribed in due course.
There are, however, exceptions to these rules and they are generally purpose-based. For example, some of these exceptions relate to emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes. For more information, please refer to the Second to Sixth Schedules of the PDPA.
What should you do if you think your personal data has been collected, used or disclosed without your consent?
If you suspect that a particular organisation is not following the rules of the PDPA or would like to find out more about an organisation’s data protection policies and practices, you should contact the person designated by the organisation with the responsibility for ensuring its compliance with the PDPA to find out more about its data protection practices, and clarify your doubts on whether your personal data has been misused. Organisations are required to provide the contact details of such designated persons.
The data protection provisions will come into effect in mid-2014 and the DNC registry provisions will come into effect in early 2014, after the PDPA was enacted on 2 January 2013. During the transition period, the PDPC will undertake public education and outreach efforts to ensure that both organisations and the public are ready when the PDPA comes into effect.
The PDPC will provide more information in due course on the enforcement regime and how a complaint may be filed.
The above is a summary of some highlights from the PDPA. You may wish to refer to the PDPA for more details.