Personal Data Protection Act

What is Personal Data?

Personal data refers to data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access. Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA).

The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organizations.

Objectives of the Personal Data Protection Act

Today, vast amounts of personal data are collected, used and even transferred to third-party organizations for a variety of reasons. This trend is expected to grow exponentially as the processing and analysis of large amounts of personal data becomes possible with increasingly sophisticated technology.

With such a trend come growing concerns from individuals about how their personal data is being used. Hence, a data protection regime to govern the collection, use, and disclosure of personal data is necessary to address these concerns and to maintain individuals’ trust in organizations that manage data.

By regulating the flow of personal data among organizations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.

What you need to know about the PDPA's data protection rules:

Collection, Use, and Disclosure

  • For personal data that organizations collect before the personal data protection provisions come into effect, organizations may continue to use such personal data for the purposes for which it was collected unless you inform the organizations that you do not consent to their use of your personal data.

  • For personal data that organizations collect after the personal data protection provisions come into effect, organizations have to get your consent to the collection, use, and disclosure of your personal data. To obtain your consent, the organizations should inform you of the purpose(s) for the collection, use or disclosure of your personal data. Feel free to ask the organizations to provide the contact of a person who can answer, on behalf of the organization, your questions about the collection, use or disclosure of the personal data.

  • Organizations should not, as a condition of supplying a product or service, require you to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide that product or service to you.

  • If you voluntarily provide your personal data to an organization for a purpose, you may be deemed to have consented to the use of your personal data for that specific purpose.

  • You may withdraw your consent for the collection, use or disclosure of your personal data by an organization at any time, with reasonable notice. The organization should inform you of the likely consequences of your withdrawal, and cease collecting, using or disclosing your personal data.

Access and Correction

  • You can request to access your personal data that an organization possesses or controls. You can also request to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request. However, in certain circumstances or in respect of certain types of personal data, organizations are prohibited from granting such access or may choose whether or not to provide such access.

  • You can request an organization to correct an error or omission in your personal data. The organization should also send the corrected data to other organizations (or, with your consent, only to specific organizations) to which your data has been disclosed within a year before the correction is made. Unless there are reasonable grounds for correction not to be made, the organization should correct your data as soon as practicable.

Care of Personal Data

  • Organizations should make a reasonable effort to ensure that your personal data with them is accurate and complete, if your personal data is likely to be used to make a decision that affects you, or is likely to be disclosed to another organization.

  • Organizations should make reasonable security arrangements to protect personal data they possess or control, to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

  • Organizations should stop keeping your personal data when it is no longer necessary for legal or business purposes.

  • Organizations may only transfer your personal data outside of Singapore if the organizations put in place measures to ensure that the protection provided to the personal data transferred is comparable to the protection under the PDPA, unless exempted by the PDPC. The measures to be put in place will be prescribed in due course.

There are, however, exceptions to these rules and they are generally purpose-based. For example, some of these exceptions relate to emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes. For more information, please refer to the Second to Sixth Schedules of the PDPA.