Support Centre



Law: Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')

Regulator: Personal Data Protection Commission ('PDPC')

Summary: The PDPA provides for general personal data protection requirements and contains provisions on data subject rights, the appointment of a data protection officer, as well as obligations for organisations and data intermediaries. Furthermore, amendments to the PDPA entered into force on 1 February 2021, introducing a number of key reforms, including mandatory data breach notification requirements, amendments to the consent obligation, offences for egregious mishandling of personal data, prohibitions relating to the use of dictionary attacks and address-harvesting software, and the PDPC's power to accept voluntary undertakings as part of its enforcement regime.

In addition to the PDPA, the Cybersecurity Act 2018 (No. 9 of 2018) sets out the regulatory framework governing cybersecurity in Singapore and stipulates requirements for operators of critical information infrastructure. The PDPC has also released a number of advisory guidelines which provide clarification on its interpretation of the PDPA and is active in its enforcement activities.


In a time when competing approaches to artificial intelligence (AI) governance develop in different parts of the world, Singapore is charting a path that emphasizes pragmatism and enablement.

The National AI Strategy, a high-level strategy statement by the Singaporean government, envisions Singapore as a global hub for developing, test-bedding, deploying, and scaling solutions, with an additional focus on strengthening the country's AI ecosystem enablers. Since its publication four years ago, developments in Singapore's landscape of AI governance have been consistent with this approach, employing a decidedly 'light touch' in regulation and emphasizing the provision of practical tools and frameworks for responsible development and adoption. In this Insight article, Jeffrey Lim, Director at Joyce A. Tan & Partners LLC, will summarize Singapore's approach to AI governance in this context.

In this report, OneTrust DataGuidance and Rajah & Tann LLP provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Act 2012 (PDPA). 

The report, which was last updated in July 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA with the  GDPR. 

You can access the latest version of the report here.

In the aftermath of the now ebbing COVID-19 pandemic, the importance of technology and the need for digitalisation has been thrown into sharp relief. To ensure Singapore remains competitive and able to capitalise on the surging digital wave, Singapore's Parliament unveiled a slew of measures, policy plans, and updates to legislation in its Committee of Supply ('COS') speech on 4 March 2022. Charmian Aw, Adrian Aw, and Leon Goh, from Reed Smith LLP and Resource Law LLC, provide insight into the contents of the speech and the proposed changes to Singapore's digital future.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

Diversity and inclusion programmes are becoming increasingly popular across the globe due to a growth in awareness and a demand for organisations to support values, such as equity and inclusion. While actively engaging in diversity and inclusion initiatives may help organisations to better understand, manage, and develop the business, it is not always clear what data can, and cannot, be included in diversity monitoring surveys or what the rules are for such data collection.

The legal requirements surrounding information relating to an individual's race, gender, ethnicity, sexuality, and health differ from country to country, with some classifying such data as 'sensitive data', while others view it under the umbrella of 'personal information'.

OneTrust DataGuidance Research has consulted with a number of legal experts operating within the Asia Pacific region in order to uncover the requirements for the collection and use of employee data for diversity and inclusion surveys. The countries covered in this Insight article include Australia, China, Singapore, Japan, Hong Kong, and India.