Get to know the essentials of the PDPA such as the key terms and organisations' obligations under the PDPA.
What is personal data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc.), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.
When did the PDPA come into force and what is it about?
The PDPA was implemented in phases to allow time for organisations to adjust to the new law. The Do Not Call (DNC) Registry provisions came into force on 2 January 2014 and the personal data protection provisions came into force on 2 July 2014.
The data protection provisions govern the collection, use and disclosure of personal data by organisations. In brief, the PDPA contains three main sets of data protection obligations:
Obligations relating to notification, consent and purpose
Organisations must notify their purposes and obtain consent from individuals for the collection, use and disclosure of individuals’ personal data.
Obligations relating to compliance, accountability and access and correction
Organisations must make information available about their data protection policies, appoint a data protection officer, give individuals access to their personal data (upon request) and allow individuals to correct their personal data (also upon request).
Obligations relating to safeguarding personal data
Organisations must: (i) comply with prescribed requirements when transferring personal data outside Singapore; (ii) use reasonable measures to protect personal data; (iii) make reasonable effort to ensure the accuracy of personal data; and (iv) cease to retain personal data when it is no longer required.
The PDPA also provides for the establishment of a DNC Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
You may wish to refer to the PDPA for more details.
How does the PDPA work?
The PDPA will ensure a baseline standard of protection for personal data across the economy by complementing sector-specific legislative and regulatory frameworks. This means that, when handling personal data in their possession, organisations will have to comply with the PDPA as well as the common law and any other relevant laws that apply to the specific industry they belong to.
What should I do with personal data that was collected before the data protection provisions of the PDPA came into effect on 2 July 2014?
Your organisation may continue to use personal data for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, consent has to be obtained anew.
For personal data collected after 2 July 2014, your organisation will have to notify and obtain the individual’s consent to the collection, use and disclosure of his or her personal data.
What is expected of me as a Data Protection Officer (DPO)?
The possible responsibilities of a DPO may include, but are not limited to, the following:
- Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
- Manage personal data protection related queries and complaints;
- Alert management to any risks that might arise with regard to personal data; and
- Liaise with the PDPC on data protection matters, if necessary.
Complete the E-Learning Programme to get to know the essentials of the PDPA.
Sign up for the Fundamentals of the PDPA course with any of the SSG approved training organisations to deepen your understanding of the PDPA by stepping through key concepts under the PDPA and how it may apply to the various common business operations/scenarios.
Refer to “Business Gets Personal: A quick guide to the Personal Data Protection Act” for an overview of the PDPA and how it applies to your organisation.
Read up on “Personal Data Protection is Everybody's Business - A Collection of Stories” to learn about the varying journeys that some organisations have gone through to better protect personal data, whether it is those of customers or employees.