What is Personal Data?
Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
What is the PDPA?
The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.
It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore.
It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations.
Objectives of the PDPA
The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.
Scope of the PDPA
The PDPA covers personal data stored in electronic and non-electronic formats.
It generally does not apply to:
- Any individual acting on a personal or domestic basis.
- Any individual acting in his/her capacity as an employee with an organisation.
- Any public agency in relation to the collection, use or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.
Data Protection Obligations
Organisations are required to comply with the various data protection obligations if they undertake activities relating to the collection, use or disclosure of personal data. Learn more about the obligations here.
Development of the PDPA
Establishment of the PDPC on 2 January.
The DNC Registry provisions came into force on 2 January and the main data protection rules on 2 July.
Amendments to the PDPA passed on 2 November.
Amendments to the PDPA took effect in phases from 1 February.
- Personal Data Protection (Composition of Offences) Regulations 2021
- Personal Data Protection (Do Not Call Registry) Regulations 2013
- Personal Data Protection (Enforcement) Regulations 2021
- Personal Data Protection Regulations 2021
- Personal Data Protection (Appeal) Regulations 2021
- Personal Data Protection (Notification of Data Breaches) Regulations 2021
Other Subsidiary Legislation
- Personal Data Protection (Statutory Bodies) Notification 2013
- Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014
- Personal Data Protection (Prescribed Law Enforcement Agency) Notification 2020
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
Parties to civil proceedings relating to the PDPA may also wish to refer to the Rules of Court, Order 105.