What is PDPA?
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data. The PDPA was passed by Parliament in October 2012 and came into force in 4 stages between January 2013 and July 2014.
The PDPA recognises both:
1. The right of individuals (natural persons, whether living or dead) to protect their personal data; and
2. The need of organisations (all corporate bodies – e.g. companies – and unincorporated bodies, including those formed or resident outside of Singapore) to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate.
What is Personal Data?
What is Personal Data?
Personal data means:
- Data about an individual who can be identified from that data itself; or
- Data about an individual who can be identified from that data and other information to which your business has or is likely to have access
Examples of personal data that can, on its own, identify an individual include:
- Biometric identifiers (face geometry or fingerprints)
- Name and NRIC number
- Photograph or video image of an individual
- Voice of an individual
- DNA profile
Note that the PDPA also protects, to a limited extent, the personal data of individuals who have been dead for less than 10 years. For such personal data, only the provisions relating to the disclosure and protection of personal data will apply.
Do You know your Business Obligations under PDPA?
1. Consent Obligation: your business can only collect, use and/or disclose the personal data of individuals who have consented to such collection, use and/or disclosure.
2. Purpose Limitation Obligation: your business can only collect, use and/or disclose personal data of individuals for the purpose(s) for which consent have been given by these individuals.
3. Notification Obligation: your business must inform individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.
4. Access and Correction Obligation: your business is obliged to provide information to individuals, upon request and as soon as reasonably possible, on:
- What personal data of theirs is in your business’s possession or under its control; and
- How such personal data has been used or disclosed within 1 year before the date of the request
Your business must also correct errors or omissions in the personal data that is in its possession upon request, unless it is reasonable to not make the correction.
5. Accuracy Obligation: your business must make a reasonable effort to ensure that the personal data collected by the business is accurate and complete, if the personal data is likely to be:
- Used by your business to make a decision that affects the individual to whom the personal data relates; or
- Disclosed by your business to another organisation
6. Protection Obligation: your business must put in place reasonable security measures to protect the personal data in its possession or control. This is to prevent risks such as the unauthorised access, collection, use and/or disclosure of such data.
7. Retention Limitation Obligation: your business should retain the personal data for only as long as is necessary for business or legal purposes.
8. Transfer Limitation Obligation: if your business is transferring the personal data overseas, such as storing the data in the cloud, ensure that the transfer meets the PDPA’s data protection requirements. This is to ensure that the data being transferred is offered a comparable level of data protection as is provided by the PDPA.
9. Openness Obligation: your business must implement the necessary policies and procedures to fulfil its PDPA obligations. It must make information about such policies and procedures publicly available.
If your business regularly collects personal data, it is important to keep track of:
- What personal data is being collected
- For compliance with the Protection Obligation
- Being aware of the types of personal data being collected will allow you to have a better picture of the type of protective measures needed and evaluate if the purposes for which such data is being collected are best served by the data collection.
- For what purposes the personal data is being collected
- For compliance with the Purpose Limitation Obligation and the Retention Limitation Obligation
- Who is collecting the personal data
- For compliance with the Consent Obligation and Notification Obligation
- Only authorised personnel who have received appropriate training in PDPA compliance should be involved in the collection process
- Where the personal data is stored
- For compliance with the Protection Obligation
- To whom the personal data is disclosed
- For compliance with the Access and Correction Obligation and Protection Obligation
- While your business has to provide access to the personal data of an individual who requests for it, you should verify the identity of the individual. For example, by requesting for appropriate identification documents before providing such access. This would in turn prevent inadvertent leaks of personal data.
The Importance of PDPA Compliance
These are the following reasons why compliance to the PDPA is important.
- A business that is able to demonstrate compliance will certainly be able to gain better customer loyalty.
- Builds trust among stakeholders that include customers, employees, shareholders and in the case of non-profit organisations, volunteers, donors and beneficiaries too.
- Eliminates time wasted in re-aligning processes and procedures to react and comply with legislative requirements of data protection by starting out with the objective to comply with the PDPA.
- Compliance to PDPA can help to reduce the probably of a data breach and lower the impact in the event a breach really occurs.
- Prevents or minimize regulatory penalties in the unlikely event of a breach
The PDPA Singapore Checklist Revealed!!
Is there such a thing as a PDPA Singapore checklist?
There are several considerations that companies and businesses should consider when accessing on whether are they PDPA complaint or not and these can be broadly classified to be uder the following:
- Collection, Management, Retention & Disposal of Personal Data.
- Update & Maintenance of Personal Data
- An Individual Rights to Personal Data Access & Deletion
- PDPA Compliance Governance & Process Transparency
Collection, Management, Retention & Disposal of Personal Data
- Does your organisation ensure that the personal data collected is necessary for the purpose alone and not some other hidden agenda or purpose?
- Are the individuals that are involved in this data collection process be made fully aware of the data collection purpose on or before the collection of their personal data?
- Organisations should also ensure collection of sensitive data is limited and necessary only if needed and should not be unnecessarily be collected.
- Is the consent sought and obtained by your organisation for the collection, use and disclosure of personal data?
- Does your organisation also ensure that third party involved in data collection is clear on their PDPA obligations as well as adhere to the strict guidelines set by PDPC with regards to the handling and collection of personal data by third party?
- Does your organisation ensure proper use and disclosure of personal data collected?
- Does your organisation know how to handle transfer of personal data and ensure that the transfer of data overseas is in compliance with PDPA?
- Does your organisation know and understand the fulfilment of the PDPA obligations when it comes to working with 3rd party (eg data intermediary, agent) of the company handling the personal information data transfer.
Security, Update & Maintenance of Personal Data
- Does your organisation have appropriate security measures in place to prevent unauthorised access, collection and use of its personal data in its possession or under its control?
- These security measures must be developed based on relevant risk assessments, type and sensitivity of personal data and likelihood and harm of unauthorised access, erasure or other use.
- Organisations should ensure these security measures are regularly updated and communicated to relevant stakeholders.
- Organisations should also ensure processes are in place for 3rd parties to make reasonable arrangements to protect personal data.
- Does your organisation have appropriate data retention policies for different types of personal data? This also applies to 3rd parties in possession of its personal data.
- Does your organisation have processes in place to handle unsolicited personal data?
- Does your organisation have processes in place to dispose of personal data? This also applies to 3rd parties in possession of its personal data.
- Does your organisation ensure that its personal data is accurate and that personal data disclosed to other organisation is accurate and complete?
- How does your organisation deal with inaccurate data?
An Individual Rights to Personal Data Access & Deletion
- Does your organisation have a system or process in place and provide information on how individuals may withdraw consent on the use of their personal data and the consequences of withdrawing the consent?
- Does your organisation have a system or process in place and provide information on how individuals can request access to their personal data. Is there a process in place to respond to the individual’s request
- Does your organisation have a system or process in place and provide information on how individuals can correct their personal data under its possession?
PDPA Compliance Implementation, Governance & Process Transparency
- Does your organisation have policies and practices in place to manage personal data?
- Does your organisation communicate its data protection policies and practises to relevant internal and external stakeholders?
- Does your organisation regularly review and update data protection policies and practices, and monitor compliance of practices with these policies?
- Does your organisation receive and respond to queries on the collection, use and disclosure of personal data by your organisation?
- Does your organisation conduct risk and impact assessments to identify, assess and address data protection risks?
- Does your organisation take into account Data Protection by Design in the development of a product, service, system or process?
- Does your organisation have a data breach management plan? The plan should include the following:
Personnel on management of data breach incident
Timeline for reporting data breach incident
Processes for notifying affected individuals/organisations and relevant regulators/enforcement authorities - Does your organisation have a Data Protection Officer (DPO) who is well versed in your data protection policies and PDPA?
- Is the business contact information of the DPO made available to the public?
- Is the DPO Properly trained? DPO should also have received formal training on data protection compliance with the PDPA.
- Does your organisation conduct regular training to employees on company’s data protection policies and practices?
Come Speak with Us! Schedule Your Visit
Do you need to speak to our experienced Advisory Team for PDPA Implementation advise?
