Application of the Personal Data Protection Act
The PDPA covers personal data stored in electronic and non-electronic forms.
The data protection provisions in the PDPA (parts III to VI) generally do not apply to:
- Any individual acting in a personal or domestic basis.
- Any employee acting in the course of his or her employment with an organisation.
- Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
- Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.
These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statutes, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.
Learn more about PDPA in Singapore here!
Regulations & Exemption Order
- Personal Data Protection (Composition of Offences) Regulations 2013
- Personal Data Protection (Do Not Call Registry) Regulations 2013
- Personal Data Protection (Enforcement) Regulations 2014
- Personal Data Protection Regulations 2014
- Personal Data Protection (Appeal) Regulations 2015
Legislation & Compliance
Other Subsidiary Legislation
- Personal Data Protection (Statutory Bodies) Notification 2013
- Personal Data Protection Act 2012 (Commencement) Notification 2014
- Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
- Personal Data Protection (Amendment) Regulations 2020
Parties to civil proceedings relating to the PDPA may also wish to refer to the Rules of Court, Order 105.
Data Protection in Asia
Legislations on personal data are not limited to Singapore. Malaysia, Thailand and Indonesia also have a law that protects personal data, and coincidentally, it is also called PDPA. In Philippines, it is known as the Data Privacy Act.
The General Data Protection Regulations (GDPR) of the European Union (EU) is by far one of the most stringent legislation on personal data protection in the world. Other notable legislations around the world are the California Consumer Protection Act and The Privacy Act of Australia.
Data Protection and Cyber Security
As the world progresses into the digital age where there is greater use and even dependency on the Internet to work and perform several daily tasks like ordering food, book air tickets, and even watch the kids while at work, it is imperative that organisations and even individuals remain safe while online and not fall prey to cyber criminals.
Several data and personal data of organisations sit on several devices and online platforms. Organisations need to beware of the digital and cyber threats because any breach of personal data will result in breach of PDPA. Thus, cyber security and PDPA cannot be dichotomized.