The PDPA was implemented in phases to allow time for organisations to adjust to the new law. The Do Not Call (DNC) Registry provisions came into force on 2 January 2014 and the personal data protection provisions came into force on 2 July 2014.
The data protection provisions govern the collection, use and disclosure of personal data by organisations. In brief, the PDPA contains three main sets of data protection obligations:
- Obligations relating to notification, consent and purpose
Organisations must notify their purposes and obtain consent from individuals for the collection, use and disclosure of individuals’ personal data.
- Obligations relating to compliance, accountability and access and correction
Organisations must make information available about their data protection policies, appoint a data protection officer, give individuals access to their personal data (upon request) and allow individuals to correct their personal data (also upon request).
- Obligations relating to safeguarding personal data
Organisation must: (i) comply with prescribed requirements when transferring personal data outside Singapore; (ii) use reasonable measures to protect personal data; (iii) make reasonable effort to ensure the accuracy of personal data; and (iv) cease to retain personal data when no longer required.
The PDPA also provides for the establishment of a DNC Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations. You may refer to our website for more information on the data protection and DNC provisions.