General
- What is 'personal data'?
- When will the Personal Data Protection Act (PDPA) come into force?
- What are the objectives of the PDPA?
- How does the PDPA benefit organisations?
- How will the PDPA impact business costs?
- How is the PDPA different from the Spam Control Act?
- What is 'deemed' consent?
- What constitutes 'acting in personal or domestic capacity'?
- What is 'business contact information'?
- What are data intermediaries and how are they different from other organisations?
- Must all organisations appoint a data protection officer?
Collection, Use & Disclosure
- How much personal data can an organisation collect?
- What can an organisation do with respect to existing personal data collected before the effective date of the PDPA?
Access & Correction
- Must an organisation provide access to an individual's personal data when a request is made?
- Must an organisation provide correction to an individual's personal data when a request is made?
Care of Personal Data
- How long can an organisation retain its customers' personal data for?
- What must an organisation do to ensure the personal data collected is protected?
- What are the rules on cross-border transfer of personal data?
Do Not Call Registry
- What does an organisation need to do in order to send out marketing messages to Singapore telephone numbers?
- When will the DNC registry be ready?
- Is the DNC registry only open to Singapore telephone numbers?
- Will telephone numbers registered with the DNC registry expire?
- How much will it cost organisations to check the DNC registry?
- When must an organisation check with the DNC registry?
- Will the DNC registry rules cover overseas telemarketers?
- Are business-to-business (B2B) marketing calls or messages covered under the DNC registry?
- Are emails and mail delivered by post covered under the DNC registry?
- If an organisation has obtained consent from an individual who is registered with the DNC registry, can the organisation send telemarketing messages to him or her?
General
1. What is 'personal data'?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number), as well as any set of data (e.g. name, age, address, telephone number, occupation, etc.) which, when taken together, would be able to identify the individual. For example: Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.
2. When will the Personal Data Protection Act (PDPA) come into force?
To allow time for organisations to adjust to the new law, the PDPA will be implemented in phases, with the provisions relating to the Do Not Call (DNC) registry coming into force in early 2014 and the provisions relating to the personal data protection coming into force in mid 2014. We intend to give advance notice of the specific dates in due course.
3. What are the objectives of the PDPA?
Complementing sector-specific frameworks, the PDPA will safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving individuals more control over how their personal data is used.
The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data, and giving assurance to businesses looking for safeguards to protect sensitive data sets.
4. How does the PDPA benefit organisations?
The PDPA will strengthen Singapore’s overall economic competitiveness, and enhance Singapore’s status as a trusted hub and choice location for global data management and processing services. The law will provide greater clarity on the rules and liabilities for businesses hosting personal data in Singapore. This will complement Singapore’s existing strengths, such as geographical location, reliability and advanced telecommunications infrastructure, to create a conducive environment for the fast-growing global data management and data processing industries, such as cloud computing, to thrive in Singapore. Having safeguards to protect data sets will also help facilitate the smooth transfer of data to and from jurisdictions that have enacted data protection laws, many of which place obligations on organisations to ensure sufficient protections for the transfer of data overseas. These safeguards serve as an attractive draw for cloud computing and business analytics activities to be located in Singapore.
5. How will the PDPA impact business costs?
There may be some costs associated with complying with the PDPA, especially for businesses that have not adopted any data protection practices. Those that already have in place adequate data protection measures should not incur high incremental costs to comply with the new law. The impact on Small and Medium Enterprises should also be minimal if they do not collect, process or hold on to large amounts of personal data.
The costs should be viewed against the benefits of having such a law. The lack of a data protection regime potentially hinders the flow of information across borders and disadvantages Singapore businesses in the global economy, as data protection legislation is increasingly seen as a basic feature in an economy’s legal framework. Compliance with the proposed regime also sends a positive message and builds up trust and credibility with consumers. Businesses will be able to assure their customers that their personal data will be sufficiently protected.
The provisions of the PDPA were formulated keeping in mind the need to keep compliance costs manageable for businesses. A transition period (during which the PDPA is enacted but not yet in force) has been provided to allow organisations sufficient time to phase in the measures necessary to comply with the data protection regime.
6. How is the PDPA different from the Spam Control Act?
The Spam Control Act (“SCA”) sets out a framework to manage unsolicited commercial electronic messages sent in bulk through electronic mail, text and multimedia messaging, otherwise known as "spam". Among other things, the SCA requires organisations to provide an unsubscribe facility within the spam message and to include a header in the subject field of the message or, where there is no subject field, as the first words in the message.
While the SCA manages the sending of spam messages, the PDPA sets out rules governing the proper collection, use and disclosure of personal data, which would include contact information of an individual. Under the PDPA, organisations are required to obtain consent for a stated purpose to collect, use or disclose the contact information of an individual, and safeguard such information, unless exceptions apply.
In addition, the provisions relating to the DNC registry in the PDPA allow individuals to opt out of marketing messages (voice calls, SMS/MMS or fax) delivered to a Singapore telephone number.
Organisations are prohibited from sending marketing messages to Singapore telephone numbers registered with the DNC registry unless they have obtained clear and unambiguous consent, in writing or other accessible form, to the sending of the marketing message to the particular Singapore telephone number. In relation to the sending of spam messages, the PDPA applies to the collection, use and disclosure of individuals’ contact information for such purposes, while the SCA governs the manner in which the spam message may be sent. These frameworks will operate concurrently.
7. What is 'deemed' consent?
An individual is deemed to consent to the collection, use or disclosure of personal data by an organisation for a purpose if the individual voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that he or she would do so.
For example, an individual seeking medical treatment in a medical facility, such as a clinic or hospital, would voluntarily provide his or her personal data for the purpose of seeking medical treatment. He or she would therefore be deemed to have consented to the collection and use of his or her personal data by the medical facility for that purpose.
8. What constitutes ‘acting in personal or domestic capacity’?
These are purposes to do with an individual’s personal, family or household affairs. For example, when an individual keeps a database of his or her friends’ and relatives’ names, addresses, contact numbers and birthdates for his or her own personal use, he or she is considered to be acting in a personal or domestic capacity. His or her keeping of the database will not be covered under the PDPA.
9. What is 'business contact information'?
Business contact information refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for his or her personal purposes.
Based on the above definition, business contact information will be excluded from the data protection requirements of the PDPA, except for the requirements relating to the Do Not Call (DNC) registry.
10. What are data intermediaries and how are they different from other organisations?
An organisation shall be considered a data intermediary if it processes data on behalf of another organisation. Where the organisation processes personal data as a data intermediary pursuant to a contract which is evidenced or made in writing, the data intermediary will be subject to fewer obligations, namely those pertaining to protection and retention of personal data.
An example of a data intermediary could be an organisation which merely provides hosting or storage for personal data for another organisation.
Separately, the Electronic Transactions Act provides that a network service provider will not be subject to any liability under the PDPA, in respect of third-party material in the form of electronic records to which it merely provides access.
11. Must all organisations appoint a data protection officer?
All organisations, including sole proprietorships, are required to designate at least one person (a “data protection officer”) to be responsible for ensuring that the organisation complies with the PDPA, for example by developing personal data policies for the organisation’s compliance with the PDPA. This may be a person whose scope of work relates solely to data protection, or a person in the organisation who takes on this role as one of his or her multiple responsibilities.
To be clear, compliance by the organisation with the PDPA remains the responsibility of the organisation notwithstanding the appointment of the data protection officer.
Organisations are also required to ensure that at least one data protection officer’s business contact information is made available to the public.
Collection, Use & Disclosure
1. How much personal data can an organisation collect, use or disclose?
Under the PDPA, an organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that the organisation has notified to the individual unless an exception under the PDPA applies.
In addition, the organisation must obtain the consent of the individual to such collection, use or disclosure, unless any exception under the PDPA applies.
In this regard, organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. For example, an organisation selling a consumer product to an individual should not require him or her to reveal his or her annual household income as a condition of selling him or her the product, although it may still ask him or her to provide such personal data as an optional field.
If the organisation wishes to collect any additional personal data, the organisation shall provide the individual the option of whether to consent to this.
2. What can an organisation do with respect to existing personal data collected before the effective date of the data protection rules in mid 2014?
Generally an organisation can continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.
Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless an exception applies. The exceptions from the need to seek consent for collection, use or disclosure are set out in the Second, Third and Fourth Schedules of the PDPA respectively. These include exceptions catering to certain emergency situations, investigations, publicly available data, and cases where the personal data is used for evaluative purposes.
As an example, if a company has been using its customer’s personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose.
Access & Correction
1. Must an organisation provide access to an individual's personal data when a request is made?
Organisations shall allow individuals to have access to their personal data that is possessed or controlled by the organisations, and may charge a reasonable fee on a cost recovery basis. There will be no prescribed amount of fees imposed on organisations, to allow for greater flexibility.
However, organisations are prohibited from providing an individual access if the provision of the data could reasonably be expected to:
- cause immediate or grave harm to the individual’s safety or physical or mental health;
- threaten the safety or physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
- be contrary to national interest.
In addition, there are cases where organisations may deny subject access requests.
For example, organisations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organisation. There are also exclusions for access to and correction in respect of any examination conducted by an education institution, examination scripts and examination results prior to their release. Organisations may also refuse access to or correction of opinion data kept solely for an evaluative purpose as defined in the PDPA.
The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.
2. Must an organisation provide correction to an individual's personal data when a request is made?
Upon request, an organisation is generally required to correct an error or omission and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose. For example, the organisation may have disclosed a customer’s name and address to a delivery company it engaged on a one-off basis to deliver a product that the customer purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.
The corrected data may be sent only to specific organisations to which the data was disclosed by the organisation, if the individual consents to it.
An organisation need not make a correction where it is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that is requested but not made.
An organisation is also not required to alter an opinion, including a professional or expert opinion.
Exceptions from the correction requirement may be found in the Sixth Schedule of the PDPA.
Care of Personal Data
1. How long can an organisation retain its customers' personal data for?
The PDPA does not prescribe the retention period. However, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention; and retention is no longer necessary for business or legal purposes.
2. What must an organisation do to ensure the personal data collected is protected?
An organisation shall make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
3. What are the rules on cross-border transfer of personal data?
The PDPA will apply to all personal data collected, used or disclosed in Singapore. As such, organisations that collect personal data overseas and host and/or process it in Singapore will still be subject to relevant obligations under the PDPA from the point that such personal data is brought into Singapore.
For organisations that collect personal data here and transfer such data overseas, the PDPA requires that measures be put in place by the organisation here transferring the personal data, to provide a comparable standard of protection overseas. These measures will be prescribed and are envisioned to include the use of contractual agreements among the organisations involved in the transfer.
Do Not Call Registry
1. What does an organisation need to do in order to send out marketing messages to Singapore telephone numbers?
Before an organisation starts to send any marketing message to a Singapore telephone number, it should check that:
- the number it is sending/calling to is not registered with the DNC registry;
- the messages it is sending contain clear and accurate information identifying the organisation, as well as its contact details; and
- if making a phone call, the telephone number it is making the call from is not concealed.
The DNC registry will contain three separate Registers of Singapore telephone numbers for voice calls, text messages (SMS/MMS/text) and faxes, which the organisation can check against.
To check, the organisation shall submit a list of the telephone numbers that it is planning to send the messages to. The DNC registry will then indicate on the list, whether each number is in each of the Registers. The organisation may then send its marketing messages to the numbers that are not in the relevant Registers.
The organisation may rely on the information given by the DNC registry on whether any number is registered on any of the Registers for up to 30 days. If the organisation intends to send the marketing message after the 30 days have lapsed, it must submit its list of numbers to the DNC registry again. To allow organisations to familiarise themselves with the requirements relating to the DNC registry, the prescribed duration (i.e. the 30 days referred to above) will be 60 days instead of 30 days for the first six months of the DNC registry’s operations.
2. When will the DNC registry be ready?
To allow time for organisations to adjust to the new law, the PDPA will be implemented in phases, with the provisions for the DNC registry rules coming into force in early 2014.
3. Is the DNC registry only open to Singapore telephone numbers?
The DNC registry accepts registration of Singapore telephone numbers, including mobile, fixed-line, residential and business numbers. Overseas telephone numbers may not be registered.
Although the DNC registry allows the registration of all eight-digit Singapore telephone numbers, in general only the account-holder or subscriber of the telephone line should register the telephone number on the DNC registry. Where the account-holder or subscriber of the telephone line is the organisation and not the employee, employees should seek the permission of the organisation if they wish to register their business numbers. In any case, the sending of Business-to-Business (B2B) marketing messages is not currently covered by the requirements relating to the DNC registry.
4. Will telephone numbers registered with the DNC registry expire?
Registrations of telephone numbers with the DNC registry do not expire. The individual’s registration with the DNC registry will only be removed when the telecommunication service linked to his or her telephone number is terminated, or upon his or her withdrawal of the registration on the DNC registry.
5. How much will it cost organisations to check the DNC registry?
The fees for checking the DNC registry will be determined at a later stage but are expected to be based on the volume of telephone numbers checked by an organisation. To cater for organisations which may only need to check a few telephone numbers, the DNC registry will enable organisations to check a small quantity of telephone numbers for free each month. Details on the fees will be made available at a later date.
6. When must an organisation check with the DNC registry?
Organisations need to check the DNC registry before sending marketing messages to a Singapore telephone number.
The organisation may rely on the information given by the DNC registry on whether any number is registered on any of the Registers for up to 30 days. If the organisation intends to send the marketing message after the 30 days have lapsed, it must submit its list of numbers to the DNC registry again. To allow organisations to familiarise themselves with the requirements relating to the DNC registry, the prescribed duration (i.e. the 30 days referred to above) will be 60 days instead of 30 days for the first six months of the DNC registry’s operations.
7. Will the DNC registry rules cover overseas telemarketers?
The PDPA shall apply to a marketing message addressed to a Singapore telephone number where:
- the sender is present in Singapore when the message is sent; or
- the recipient of the message is present in Singapore when the message is accessed.
If a Singapore organisation outsources the telemarketing function overseas, the Singapore organisation that authorised the sending of the message will need to comply with the DNC registry rules and will be responsible for the sending of the message.
If both the telemarketing organisation and the organisation which outsourced its telemarketing function are overseas organisations, and the recipient is overseas, the DNC registry rules will not apply. For example, an overseas telecom service operator sending messages promoting its cheaper IDD service to Singapore subscribers roaming on the overseas telecom network will not need to check the DNC registry.
8. Are business-to-business (B2B) marketing calls or messages covered under the DNC registry?
B2B marketing calls, SMS/MMS and fax messages are not within the scope of the DNC registry. The PDPC recognises that B2B marketing calls or messages may be essential to the day-to-day operations between businesses, and notes that consumers will not be affected by the exclusion of B2B marketing calls or messages as they are targeted at organisations.
However, organisations may register their Singapore telephone numbers with the DNC registry, and telemarketers that call or send a message to these registered numbers may not market to the individual. In general, only the account-holder or subscriber of the telephone line should register the telephone number on the DNC registry. Where the account-holder or subscriber of the telephone line is the organisation and not the employee, employees should seek the permission of the organisation if they wish to register their business numbers.
9. Are emails and mail delivered by post covered under the DNC registry?
The DNC registry covers marketing messages sent to Singapore telephone numbers. Emails and mail delivered by post are not included within the scope of the DNC registry.
Emails are not included within the scope of the DNC registry as unsolicited emails can be blocked through email filters. They also cause less of a nuisance to delete when received, as compared to telephone calls, SMS and fax messages, which are more difficult for the individual to filter.
Furthermore, the Spam Control Act also helps to complete the framework by setting out requirements in relation to the sending of unsolicited commercial electronic messages in bulk.
As for junk mail, there are existing ways for individuals to reduce the volume of such mail, such as through the use of letterboxes with anti-junk mail features. Junk mail may also be less of a nuisance than telephone calls, SMS or MMS messages, or faxes, which are more likely to inconvenience an individual or interrupt his activities.
10. If an organisation has obtained consent from an individual who is registered with the DNC registry, can the organisation send telemarketing messages to him or her?
An organisation that has been given clear and unambiguous consent by the individual, in written or other accessible form, to send him or her marketing messages, may do so regardless of when he or she registers with the DNC registry.
The individual, however, shall be allowed to withdraw the consent given but this shall not affect the legal consequences arising from the withdrawal.