Personal Data Protection Act Overview

In this article, we will be covering the basic things you need to know about the Personal Data Protection Act (PDPA):

How Personal Data is Defined

According to the Personal Data Protection Commission of Singapore, personal data refers to any information whether recorded in a material form or not, from which the identity of a person is distinguishable or will be reasonably verified by the entity holding the information or when put along with other information would directly and positively identify a person or individual.

Commonly known types of personal data include:

• Email address
• Phone Number
• Birthdates
• Social Security Number

The PDPA and What Is It For

Personal data in Singapore is secured under the PDPA 2012. As Singapore moves into data-driven innovation, the PDPA was born. It constitutes an information protection law that is made up of different rules involving the gathering, use, disclosure and care of personal, private data. It ensures both the rights of people to protect their personal data, including the authorization of access and correction and also the needs of organizations to gather, use or expose personal data for lawful and reasonable purposes.

Today, massive quantities of personal data are gathered, used and even transferred to third party organizations for various purposes. Because of technological advancements, this trend is anticipated to escalate exponentially and therefore, a data protection system to control the collection, use, and exposure of personal data is significantly important to maintain and uphold the trust of the people in organizations that access and handle their personal data. The PDPA also aims to strengthen and develop Singapore’s competitiveness and position as a reliable, world-class hub for businesses.

PDPA and its Scope

The PDPA ensures a comprehensive and strict standard of protection and security for private data for all its citizens. This suggests that business organizations should comply with the PDPA as well as the common law and other related laws that are associated with the particular industry that they belong to when handling personal data within their possession. The PDPA puts under consideration things such as: 

1. Consent- Organizations may collect, use or disclose private information only with the person’s knowledge and free consent (with some exceptions). 
2. Purpose– Organizations may collect, use or disclose personal data depending on the circumstances, provided that the individuals involved are fully informed of what his or her personal data is being used for.
3. Reasonableness– Organizations to gather, use or disclose private and personal data just for purposes and motives that might be considered appropriate to a reasonable person within the given circumstances.

The PDPA encompasses personal data obtained in electronic and non-electronic forms. The data protection provisions along the PDPA (parts III to VI) generally do not relate to anyone acting in a personal or domestic basis, within the course of his or her employment with an organization or corporation, or an organization in the course of working on behalf of a public agency in connection to the gathering, use or exposure of the private personal data and business contact information. This information pertains to a person’s name, position or title, business contact number, business’ address, business email address or business fax number and other similar information about the person, not provided by the person mainly for his or her personal motives.

The PDPA took effect on 02 January 2013 along with the establishment of the Personal Data Protection Commission, or the agency governing PDPA. PDPC has provided time for organizations to review and adopt internal personal data protection policies and practices. They also published a technical guide to assist organizations and businesses on how they can get started in complying with the PDPA.