What is a data breach under PDPA?

A data breach involves unauthorized access, collection, use, disclosure, or loss of personal data. Organizations must assess breaches, notify the PDPC within 3 days if it’s notifiable, inform affected individuals if significant harm is likely, and take remedial actions.

When does PDPA not apply?

PDPA does not apply in personal or domestic settings, nor does it affect public agencies with separate rules. Some exceptions also include publicly available data, certain vital or public interests, and data collected before PDPA took effect.

What are the PDPA's nine obligations for organisations?

They include the Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability Obligations. Each obligation sets requirements for handling personal data responsibly under PDPA.

How does PDPA handle cross-border data transfers?

Organizations must ensure comparable data protection standards are upheld overseas. Acceptable methods include contractual clauses, binding corporate rules, APEC CBPR/PRP certifications, explicit consent, or transfers that are necessary for contract performance.

PDPA FAQ | Singapore's Personal Data Protection Act

Q: What is PDPA and why should you care?

The Personal Data Protection Act (PDPA) is Singapore’s data protection framework, originally enacted in 2012 and enhanced in 2020. It governs how organizations collect, use, disclose, and safeguard personal data, ensuring individuals’ information is properly protected.

Q: Who does PDPA apply to?

PDPA applies to all organizations operating in Singapore or collecting data from Singapore residents, including data intermediaries processing personal data on behalf of others. Both private and public sector entities are subject to the act, with specific exemptions for certain government bodies.

Q: What are the consequences for non-compliance with PDPA?

Penalties include fines of up to S$1 million or 10% of annual turnover for larger organizations, plus potential directions to stop data collection and destroy improperly collected data. Individuals suffering harm may also pursue private actions for compensation.

Q: How can organisations comply with PDPA?

Compliance typically involves implementing a Data Protection Management Programme, appointing a DPO, creating and enforcing data protection policies, conducting staff training and risk assessments, documenting consent, and planning for data breach responses.

Q: What is the role of a Data Protection Officer (DPO)?

A DPO oversees an organization’s compliance with PDPA. Responsibilities include developing data protection policies, managing breaches, liaising with regulators, training staff, and ensuring best practices in data handling.

Q: What information does PDPA protect?

PDPA protects personal data that can identify an individual, including names, NRIC numbers, contact details, photos, financial data, and biometric information. While business contact info used purely for business purposes often has exemptions, sensitive categories like health or biometric data typically require extra safeguards.

What is PDPA and Why Should You Care?

The Personal Data Protection Act (PDPA) is Singapore's comprehensive data protection framework designed to safeguard your personal information in today's interconnected world. Established in 2012 and significantly enhanced through amendments in 2020 (effective 1 February 2021), it governs how organisations collect, use, disclose, and care for personal data. The PDPA balances organisations' legitimate needs to use personal data with individuals' rights to protect their personal information.

Your Rights Under PDPA

Core Rights

1. Right to Access:

Request access to your personal data held by organisations.
Know how your data has been used or disclosed in the past year.
Receive this information within 30 days.

2. Right to Correction:

Request correction of errors or omissions in your personal data.
Have organisations inform third parties who received incorrect data about these corrections.
Receive response within 30 days.

3. Right to Data Portability:

Receive your data in a commonly used electronic format.
Transmit this data to another organisation.
Applies to user-provided and user activity data.
(Introduced in 2020 amendments, implementation date to be announced)

4. Right to Withdraw Consent:

Withdraw consent for the collection, use, or disclosure of your personal data.
Be informed about the consequences of withdrawal.
Have organisations respect this withdrawal within reasonable notice.

Do Not Call (DNC) Registry Rights

The PDPA includes specific provisions for the Do Not Call (DNC) Registry, which has been operational since 2 January 2014 and gives you control over marketing messages sent to your Singapore telephone numbers:

1. Right to Register:

List your Singapore phone numbers on the DNC Registry.
Choose which types of messages to block (calls, texts, faxes).
Registration is permanent until you change it.

2. Right to Not Receive Marketing:

Organisations must check the registry before sending marketing messages.
No marketing calls, texts, or faxes to registered numbers.
Right to file complaints if organisations violate your registration.

3. Right to Business Relationship Messages:

Still receive service-related messages even when registered.
Continue to receive messages from organisations you've given explicit consent to.

Who does PDPA apply to?

The PDPA applies to:

All organisations operating in Singapore.
Organisations collecting data from Singapore residents.
Data intermediaries acting for other organisations.
Both private and public sector organisations (with specific exemptions).

What are the consequences for non-compliance with PDPA?

Organisation can face:

Financial Penalties up to 10% of Annual Turnover: For organisations with turnover exceeding S$10 million, maximum financial penalties of 10% of annual turnover (Enhanced penalties introduced in the 2020amendments, effective 1 October 2022).‍
Fines up to S$1 Million: For other cases, penalties up to S$1 million.‍
Directions to Stop Collection, Use, or Disclosure: Orders to cease specific data processing activities.
‍Directions to Destroy Data: Requirements to delete data collected in contravention of the PDPA.‍
Private Right of Action: Individuals who suffer loss or damage can sue for compensatio

How can organisations comply with PDPA?

Organisations can comply by implementing a Data Protection Management Programme that includes:

Appointment of a Data Protection Office.
Development of policies and procedures.
Regular risk assessments and staff training.
Documentation of consent processes and data flows.
Data breach response planning.

What is the role of a Data Protection Officer (DPO)?

A DPO is responsible for ensuring PDPA compliance within an organisation by:

Developing and implementing data protection policies.
Handling data protection queries from the public and authorities.
Managing data breaches and notification processes.
Conducting training and assessments.
Advising the organisation on data protection matters.

What information does PDPA protect?

The PDPA protects personal data, which is data aboutan individual who can be identified from that data or in combination with other information.

‍Personal Information:

Basic Details: Name, identification numbers, contact information.
‍ID Numbers: NRIC, Passport numbers, and other official identifiers.
‍Location Data: Information about your physical location.
Device Identifiers: Mobile device IDs, IP addresses.
‍Photos and Videos: Visual content that could identify an individual.
‍Employment Information: Work history, performance records

Business Contact Information:

Under PDPA, business contact information (name, position, business contact details) is generally exempted from some requirements when used solely for business purposes.

Special Categories of Personal Data

While the PDPA does not explicitly define "special categories" as in some other jurisdictions like the EU GDPR, the PDPC recognises certain types of personal data as being more sensitive in nature and requiring additional safeguards. These include:

‍Biometric Data:

Fingerprints and facial recognition data
Iris and retinal scans
Voice recognition identifiers
DNA profiles
Hand geometry

Financial Information:

Bank account details
Credit card information
Income and tax records
Credit scores and loan information
Investment and insurance portfolios

‍Health and Medical Information:

Electronic medical records
Medical history and diagnoses
Prescription information
Mental health records
Genetic test results
Insurance claims information

‍NRIC and Government-Issued Identifiers

National Registration Identity Card (NRIC) numbers
Foreign Identification Numbers (FIN)
Passport numbers
Driver's licence numbers
Work permit numbers

‍Children's Personal Data:

Educational records
Medical information
Family details
Online activities
Location data

‍Other Sensitive Data:

Political opinions
Religious beliefs
Trade union membership
Sexual orientation
Criminal convictions and offences

Additional Protection Requirements for Sensitive Data

For these sensitive categories of personal data, organisations are generally expected to implement:

‍Enhanced Consent Mechanisms:

More explicit consent processes
Clearer explanation of purposes
Separate consent for sensitive data elements
Age-appropriate consent mechanisms for children's data

Stronger Security Measures:

Encryption of sensitive data at rest and in transit
More stringent access controls
Regular security testing and audits
Specialised staff training for handling sensitive data
Enhanced authentication for access

‍More Detailed Risk Assessments:

Data Protection Impact Assessments (DPIAs) for sensitive data processing
Regular review of risk mitigation measures
Documentation of safeguards implemented
Consideration of alternatives to collecting sensitive data

‍Stricter Limitations on Processing:

Tighter purpose limitation
More restricted retention periods
Greater limitations on internal access
Enhanced oversight for third-party processors
More rigorous anonymisation when used for research

Handling Specific Sensitive Data Types

Biometric Data Guidelines

The PDPC's Advisory Guidelines on the use of biometric data (updated in January 2022) recommend:

More explicit consent processes
Obtaining clear consent before collecting biometric data
Providing alternatives where feasible
Securing biometric data with strong encryption
Ensuring accuracy of biometric matching systems
Limiting retention of raw biometric data
Implementing specific security measures for biometric databases

NRIC and Other National Identifiers

Since 1 September 2019, under the PDPC's Advisory Guidelines on the NRIC:

Collection, use, or disclosure is prohibited unless required by law or necessary to verify identity to a high degree of fidelity
Alternative identifiers should be used where possible
When collected, enhanced security measures are required
Clear policies on retention and disposal must be maintained
Partial NRIC numbers (last 3-4 digits) may be used as alternatives

Children's Data

When processing children's personal data:

Parental/guardian consent is typically required for children under 13
Information must be provided in age-appropriate language
Privacy by design principles should be embedded in services for children
Regular review of necessity and purposes is recommended
Additional safeguards around profiling and automated decision-making

The Nine Obligations Under PDPA

Organisations must comply with nine key obligations under the PDPA:

1. Consent Obligation:

Organisations must obtain valid consent before collecting, using, or disclosing personal data, unless an exception applies.

2. Purpose Limitation Obligation:

Organisations may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate and for which the individual has given consent.

3. Notification Obligation:

Organisations must inform individuals of the purpose for which their personal data is being collected, used, or disclosed.

4. Access and Correction Obligation:

Organisations must, upon request, provide individuals with access to their personal data and information about how it has been used or disclosed, and allow them to correct errors or omissions.

5. Accuracy Obligation:

Organisations must make reasonable efforts to ensure that personal data collected is accurate and complete, especially if it will be used to make decisions affecting the individual or disclosed to another organisation.

6. Protection Obligation:

Organisations must implement reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

7. Retention Limitation Obligation:

Organisations must cease retention of personal data or remove the means by which it can be associated with individuals when it is no longer necessary for legal or business purposes.

8. Transfer Limitation Obligation:

Organisations must not transfer personal data to countries or territories outside Singapore except in accordance with requirements prescribed under the PDPA to ensure a comparable standard of protection.

9. Accountability Obligation:

Organisations must implement policies and procedures necessary to meet their obligations under the PDPA and make information about these available upon request.

Understanding Consent

What Makes Consent Valid?

Consent must be:

‍Informed and clear
Given voluntarily
Collected from the individual or authorised representative
Able to be withdrawn

Consent is considered invalid if:

It was obtained through the provision of false or misleading information
It was obtained through deceptive or misleading practices
The individual was not provided sufficient information to make an informed decision

Types of Consent

1. Express Consent:

‍Actively agreeing through affirmative action
Verbal or written confirmation
Clicking "agree" (when properly designed)
Signing a consent form

2. Deemed Consent:

By Action: When an individual voluntarily provides data for a purpose (e.g., providing your address for delivery)‍
By Notification: When properly notified and given reasonable opportunity to opt out (introduced in February 2021)‍
By Contractual Necessity: When necessary to fulfil a contract (e.g., sharing information with a delivery company)

Managing Consent

You can:

‍Withdraw consent at any time
Be informed about consequences of withdrawal
Expect organisations to stop using your data within reasonable time
Choose specific purposes to consent to
Request information about consent previously given

When Consent is Not Required

Consent is not required in situations including:

‍When the data is publicly available
When it's necessary for national interests
For responding to emergencies
When authorised under other laws
For investigations and proceedings
Under legitimate interests exception (as of February 2021)
For business improvement purposes (as of February 2021)

Notification Requirements

What Organisations Must Tell You

When collecting personal data, organisations must inform you about:

‍The purposes for which your data will be collected, used, or disclosed
Any additional purposes for which your data might be used beyond what would be reasonably expected
How to withdraw consent
Who to contact with queries
This information must be provided before or at the time of data collection

Layered Notice Approach

The PDPC recommends a layered approach to notification:

‍Summary of key points at the first layer
More detailed information at subsequent layers
Use of clear language and appropriate presentation
Consideration of context and medium

Just-in-Time Notices

Organisations are encouraged to provide notifications:

‍At appropriate points in the user journey
When collecting different types of personal data
When enabling optional features that collect data
Before initiating new or unexpected data uses

NRIC Advisory Guidelines

Restrictions on Collection of NRIC Numbers

Since 1 September 2019, organisations face specific restrictions regarding National Registration Identity Card (NRIC) numbers:

General Prohibition: Organisations cannot collect, use or disclose NRIC numbers or copies of the NRIC unless:

Required by law (e.g., hotel registration, healthcare services)
Necessary to establish or verify identity to a high degree of fidelity

Alternative Identifiers: Organisations should use:

Organisation-issued identifiers
Partial NRICs (last 3 or 4 digits)
Other identifiers such as phone numbers, email addresses

Physical NRIC: Organisations should not retain physical NRICs and should instead:

Implement processes to view NRICs without collecting them
Use visitor management systems that don't require NRIC retention
Consider alternative authentication methods

Understanding Data Breaches

What is a Data Breach?

A data breach occurs when your personal information is:

Unauthorised Access: Personal data is accessed without permission.
Loss: Data is lost accidentally.
Unauthorised Collection: Data is collected without proper authorisation.
Unauthorised Use: Data is used for unauthorised purposes.
Unauthorised Disclosure: Data is shared with unauthorised parties.‍

What Organisations Must Do

When a notifiable breach happens, organisations must:

‍Assess the Breach Within 30 Days: Evaluate the breach and its potential impact.‍
Notify PDPC Within 3 Days: For notifiable breaches, inform the Personal Data Protection Commission within 3 calendar days.‍
Notify Affected Individuals: If significant harm is likely, inform affected individuals.‍
Document All Breaches: Keep records of all breaches and responses.‍
Take Remedial Action: Implement measures to address the breach and prevent recurrence.

(Mandatory data breach notification came into effect on 1 February 2021)

What Makes a Breach Notifiable

A data breach is notifiable if it:

‍‍Results in, or is likely to result in, significant harm to affected individuals
Is of a significant scale (affecting 500 or more individuals)

Data Breach Assessment Factors

When assessing a breach, organisations should consider:

‍‍Types of personal data affected
Potential consequences to individuals
Likelihood of actual harm occurring
Ability to mitigate potential harm
Context and scope of the breach

What You Should Expect

If your data is breached:

Clear Information: Details about what happened and what data was affected.‍
Potential Impact: Information about possible consequences.‍
Protective Measures: Guidance on steps to protect yourself.‍
Organisation Response: Information about the organisation's remedial actions.

Legitimate Interests and Business Improvement

Legitimate Interests Exception

Introduced in February 2021, this exception allows organisations to use personal data without consent if:

‍It is in the legitimate interests of the organisation or another person
These interests outweigh any adverse effects on the individual
The organisation has:
- Conducted an assessment to identify and mitigate risks
- Determined that benefits outweigh adverse effects
- Implemented reasonable measures to mitigate risks
- Provided clear notice to individuals

Legitimate interests may include:

‍Fraud detection and prevention
Network and system security
Business operations and improvement
Ensuring physical security

Business Improvement Exception

Also introduced in February 2021, this exception allows organisations to use personal data without consent for:

‍Improving or enhancing products/services
Developing new products/services
Understanding customer behaviour and preferences
Operational efficiency and service improvements

Key conditions:

‍Data must be reasonably necessary
Purpose cannot be achieved without using the data
Cannot be used for direct marketing
No adverse effects expected on the individual
Benefit to the public or a specific commercial relationship
Data relates to a current or former customer, employee, or beneficiary

Retention Limitation

Key Requirements

Organisations must:

‍Cease to retain personal data when purpose is no longer served
Anonymise data when identifiability is no longer required
Establish clear retention periods for different data types
Document the basis for retention periods
Implement secure disposal methods

Recommended Practices

The PDPC recommends:

‍Data must be reasonably necessary
Establishing a data retention policy
Implementing a data deletion schedule
Conducting regular reviews of retained data
Using secure deletion methods
Maintaining destruction logs

Considerations for Retention Periods

Factors influencing appropriate retention periods:

‍Legal and regulatory requirements
Business and operational needs
Potential for future disputes
Industry standards and best practices
Data sensitivity and risks

International Data Transfers

Transfer Limitation Obligation

The PDPA requires organisations to ensure that data transferred overseas remains protected:

Comparable Protection: Ensure recipient provides comparable protection to PDPA.‍
Contractual Arrangements: Use binding corporate rules or contractual clauses.
‍Consent Requirements: Obtain consent for transfers in some cases.
‍Ongoing Obligations:Ensure continued protection after transfer.

Common Examples:

Cloud storage providers.
Overseas service providers.
Global company databases.
International marketing programmes.

Acceptable Transfer Mechanisms

Permissible methods include:

Contractual Arrangements: Using legally binding contracts‍
Corporate Rules for Related Companies: Implementing binding corporate rules‍
APEC CBPR and PRP Certifications: Using recognised certification systems‍
Consent with Clear Information: Obtaining specific informed consent‍
Necessary for Contract Performance: Transfers essential to fulfil contractual obligations‍
ASEAN Model Contractual Clauses: Using regionally standardised safeguards (since January 2021)

Key Considerations for Overseas Transfers

Organisations should:

‍Conduct due diligence on overseas recipients
Document transfer arrangements
Implement monitoring mechanisms
Address cross-border transfers in privacy policies
Consider data localisation where appropriate

AI Governance Framework and Updates

Singapore's AI Governance Framework

Singapore has introduced a comprehensive framework for AI governance that complements the PDPA. The latest developments include:

1. Model AI Governance Framework:

‍First edition released in January 2019, second edition in January 2020
A voluntary framework with implementable measures
Emphasises internal governance structures and processes
Focuses on risk management and human involvement in AI decision-making
Provides guidance on data management and stakeholder interaction

2. AI Verify Foundation:

‍Launched in May 2022
An AI testing framework and toolkit
Helps organisations verify AI systems for fairness, explainability, robustness, and transparency
Provides technical validation for AI systems

3. AI and Data Regulatory Sandbox:

‍First edition released in January 2019, second edition in January 2020
Introduced in 2019, expanded in 2022
Allows testing of innovative products and services
Provides regulatory clarity for novel AI applications
Enables controlled experimentation with regulatory exemptions

Recent AI-Specific Requirements

For AI systems processing personal data, organisations must:

1. Transparency Obligations:

‍Inform individuals when AI is used for decision-making
Provide clear explanations about the logic involved
Explain potential consequences of AI-driven decisions

2. Decision Review Mechanisms:

‍Implement processes for reviewing AI decisions
Provide human intervention for significant decisions
Maintain appeal pathways for challenging automated decisions

3. Risk Management:

‍Conduct AI impact assessments before deployment
Document potential risks and mitigation measures
Implement ongoing monitoring for AI systems

4. Data Quality Controls:

‍Ensure training data is representative and accurate
Monitor for bias in AI systems
Regularly test and validate AI performance

Facial Recognition Technology Guidelines

The PDPC published specific guidelines for facial recognition technology in January 2022:

‍Enhanced consent requirements for facial recognition data
Implementation of privacy by design principles
Specific security requirements for biometric data
Limitations on retention and use of facial templates
Transparency requirements for area monitoring systems

When PDPA Does not apply

Exceptions to Know About

PDPA does not cover:

Personal/Domestic Activities:Private, family, or household purposes.
Business Contact Information: When used solely for business purposes.
‍Public Agencies: Government agencies follow different rules.
Data Before PDPA:In some cases, data collected before PDPA came into force.
‍Publicly Available Data: Information legally available from public sources.‍

Special Circumstances

Organisations can use data without consent in certain situations under exceptions such as:

Vital Interests: Necessary to respond to an emergency.‍
Public Interest: Required for public benefit.
‍Legitimate Interests: After assessment proves benefits outweigh adverse effects (introduced in February2021).
‍Business Improvement: For specified internal business improvement purposes (introduced in February 2021).‍
Research: For research purposes with safeguards.

Legitimate Interests

When Consent Isn't Needed

Organisations can use data without consent if:

They Have a Legitimate Reason: The organisation has a valid interest in processing the data.‍
They've Assessed the Impact on You: The organisation has evaluated the potential impact on the individual.‍
Your Rights Don't Override Their Interests: The organisation's interests are not overridden by the individual's rights.

Common Examples:

‍Fraud prevention.
Network security.
Employee data management.
Direct marketing (with opt-out).
Client relationship management.

Industry-Specific Applications

Healthcare

Special considerations for healthcare include:

‍Medical records protection
Health research consent requirements
Insurance data handling
Healthcare provider communications
Telehealth service requirements

Financial Services

Banks and financial institutions must:

‍Protect transaction data
Handle credit information securely
Manage investment details carefully
Secure payment information
Follow Monetary Authority of Singapore (MAS) guidelines

Education

Educational institutions need to:

‍Protect student records
Handle academic data appropriately
Manage parent/guardian information
Secure special needs data
Control access to educational history

Online Services

Digital businesses must:

‍Handle user profiles properly
Protect browsing data
Obtain consent for cookies
Secure payment details
Protect communication data

Data Processors and Intermediary

What are Data Controllers and Data Intermediaries?

Under PDPA, an organisation determines the purposes for which and the means by which personal data is processed.

If your company/organisation decides 'why' and 'how' the personal data should be processed, it is the organisation responsible for data protection. Employees processing personal data within your organisation do so to fulfil your organisation's purposes.

If your organisation does not determine the 'why' or 'how' of the data processing, but processes data on behalf of another organisation, it is considered a data intermediary.

PDPA defines a data intermediary as an organisation that processes personal data on behalf of another organisation. Typical activities of data intermediaries include offering IT solutions, including cloud storage services.

A data intermediary cannot pass the data on to another organisation without authorisation from the organisation it processes data for. It must handle the data in accordance with the instructions of the organisation it's processing for, which controls and specifies the use, access, retention and processing of said data.

It's important to note that an organisation can be both a data controller and a data intermediary, depending on its role in different data processing activities.

Understanding the Roles

Data Controllers (Organisations):

Determine the purpose and manner of processing
Bear primary responsibility for compliance
Establish policies and practices
Respond to access and correction requests
Handle data breaches

Data Intermediaries:

Process data on behalf of and for the purposes of another organisation
Have limited obligations focused on protection and retention
Must follow controller instructions
Cannot use data for their own purposes
Have obligations to maintain security

Examples in Daily Life:

A company (controller) using a payroll processor (intermediary)
A retailer (controller) using a delivery service (intermediary)
A hospital (controller) using cloud storage (intermediary)

Joint Controllers and Multiple Data Intermediaries

For complex data processing scenarios:

Organisations should clearly document responsibilities
Allocation of obligations should be transparent
Individuals should know who to approach for access/correction
Data processing agreements should define roles and responsibilities
Breach notification procedures should be coordinated

Recent PDPA Updates and Developments

Enhanced Enforcement Framework

The PDPC has strengthened its enforcement approach:

Adoption of an undertaking approach for minor breaches (introduced in 2019)
Expanded use of expedited breach decisions (implemented in 2021)
Introduction of a voluntary mediation programme for data protection disputes (launched in April 2021)
Publication of enforcement case details for transparency and guidance

Cross-Border Data Flow Initiatives

Singapore has taken steps to enhance cross-border data flows:

ASEAN Model Contractual Clauses for data transfers within ASEAN (launched in January 2021)
Participation in the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems (since March 2018)
Expanded bilateral digital economy agreements with trading partners (ongoing since 2020)
Recognition of CBPR certification as a valid transfer mechanism under PDPA (effective February 2021)

Data Innovation Provisions

New guidance has been released for:

Anonymisation techniques and best practices (updated guidance published in 2018)
Regulatory treatment of derived personal data (clarified in 2020 amendments)
Data innovation projects and analytics (guidance issued in 2019)
Data sharing arrangements between organisations (advisory guidelines updated in 2021)

Singapore PDPA ‍

Singapore PDPA
‍