Organisations today collect, use and disclose personal data about individuals – whether they are customers, employees or members. These individuals trust organisations like yours to use or disclose their personal data as it is intended for and to keep their personal data safe. Practising good personal data management can increase business efficiency and effectiveness, boost customer confidence, and enhance your organisation’s public image.
Organisations in general are required to comply with the entire Personal Data Protection Act 2012 (PDPA). If your organisation has been contracted to process personal data on behalf of another organisation, your organisation may be considered a “data intermediary”. As a data intermediary processing personal data pursuant to a written contract, your organisation may be exempted from certain obligations in the PDPA and simply be responsible for protecting the personal data in your care and ensuring that the personal data is not kept by your organisation when there is no longer a business or legal need to do so.
Appointment of Data Protection Officer
Organisations, including sole proprietorships, are required to appoint at least one person to be responsible for ensuring that the organisation complies with the PDPA.
Collection, Use and Disclosure
- For personal data that organisations collect before the personal data protection rules come into effect, organisations may continue to use such personal data for the purposes for which it was collected, unless the individual indicates that he or she does not consent to the use.
- For personal data that organisations collect after the personal data protection rules come into effect, organisations have to get the individual’s consent to the collection, use and disclosure of such personal data. To obtain consent, organisations will inform the individual of the purpose(s) for the collection, use or disclosure of his or her personal data. On request, organisations will also provide the business contact of a representative who can answer, on behalf of the organisation, the individual’s questions about the collection, use or disclosure of the personal data.
- Organisations should not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide that product or service to the individual.
- Organisations that receive a request from an individual to withdraw consent to the collection, use or disclosure of all or some of his or her personal data for certain purposes must inform him or her of the likely consequences of the withdrawal. If the individual understands the consequences and prefers to proceed, organisations should cease the collection, use or disclosure of his or her personal data for the specified purpose.
Access and Correction
- On request of an individual, an organisation is required to provide him or her with access to his or her personal data that it possesses or controls. The organisation should also provide information about the ways in which the individual’s personal data has been or may have been used or disclosed by the organisation within a year before the request. However, organisations are prohibited from providing an individual access if the provision of the data could reasonably be expected to:
  - cause immediate or grave harm to the individual’s safety or physical or mental health;
  - threaten the safety or physical or mental health of another individual;
  - reveal personal data about another individual;
  - reveal the identity of another individual who has provided the personal data, and that individual has not consented to the disclosure of his or her identity; or
  - be contrary to national interest.
- An individual may request an organisation to correct an error or omission in the personal data that the organisation has about him or her. Unless the organisation is satisfied on reasonable grounds that the correction should not be made, it should correct the personal data as soon as practicable. If a correction is made, the organisation is to send the corrected data to every other organisation to which the data was disclosed within a year before the correction is made (or, with the individual’s consent, only to selected organisations).
Care of Personal Data
- Organisations are required to make a reasonable effort to ensure that the personal data collected by or on behalf of them is accurate and complete, if the personal data is likely to be used to make a decision about the individual, or is likely to be disclosed to another organisation.
- Organisations are required to make reasonable security arrangements to protect personal data they possess or control, to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Organisations should stop retaining personal data when the retention is no longer necessary for legal or business purposes.
- Organisations may transfer personal data outside of Singapore only if they put in place measures to ensure that the protection provided to the transferred personal data is comparable to the protection under the PDPA, unless exempted by the Personal Data Protection Commission (PDPC). The measures to be put in place will be prescribed in due course.
There are, however, exceptions to these rules and they are generally purpose-based. For example, some of these exceptions relate to emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes. For more exceptions, please refer to the Second to Sixth Schedules of the PDPA.
The above is a summary of some highlights from the PDPA. You may wish to refer to the PDPA for more details.