Singapore - Data Protection Overview

April 2021

INTRODUCTION

The Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') governs the collection, use, and disclosure of individuals' personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Apart from the obligations imposed on organisations under the PDPA, there has been a general push towards a culture of accountability by the Personal Data Protection Commission ('PDPC'), the regulator for data protection. For example, the PDPC implemented the Data Protection Trustmark Certification in 2019, which is a voluntary enterprise-wide certification program for organisations to demonstrate accountable data protection practices.

The PDPA has recently undergone its first comprehensive revision since its enactment in 2012 under the Personal Data Protection (Amendment) Bill 2020 ('the Amendment Bill') which was passed on 2 November 2020 and which was formally enacted as the Personal Data Protection (Amendment) Act 2020 ('the Amendment Act'). Most provisions under the Amendment Act came into effect on 1 February 2021. Most prominently, a mandatory data breach notification regime was introduced, which requires organisations which suffer a data breach to notify the PDPC and affected individuals of that data breach unless an exception applies.

Notably, not all provisions under the Amendment Act have come into effect. For example, the enhanced financial penalty regime, which enables the PDPC to impose financial penalties of up to 10% of an organisation's annual turnover in Singapore (if the organisation's annual turnover in Singapore exceeds SGD 10 million (approx. €6,258,500)) or SGD 1 million (approx. €625,850), whichever is higher, will take effect on a further date to be notified. The PDPC has stated, in its Advisory Guidelines on Enforcement of Data Protection Provisions, that the enhanced financial penalty regime will come into effect no earlier than 1 February 2022. Similarly, the provisions on the new data portability obligation will also take effect on a later date.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

The PDPA is the principal data protection legislation in Singapore governing the collection, use, and disclosure of individuals' personal data by organisations. Prior to the enactment of the PDPA, Singapore did not have an overarching law governing the protection of personal data. Rather, the processing of personal data in Singapore was regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation, and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks will continue to operate alongside the PDPA.

The PDPA was passed by the Parliament of Singapore ('the Parliament') on 15 October 2012, and was implemented in three phases. The first phase of general provisions came into effect on 2 January 2013. These provisions relate to the scope and interpretation of the PDPA; the establishment of the PDPC, the authority that administers and enforces the PDPA; the establishment of the Data Protection Advisory Committee; the establishment of the Do-Not-Call ('DNC') Registers by the PDPC; and other general provisions of the PDPA. The second phase, on 2 January 2014, saw the provisions relating to the DNC Registry come into force. The third and final phase saw the main provisions relating to the protection of personal data ('Data Protection Provisions'), specifically Parts III to IV of the PDPA, come into effect on 2 July 2014.

On 2 November 2020, the Parliament passed the Amendment Bill, which is the culmination of the first comprehensive review of the PDPA since its enactment in 2012. The majority of the changes under the Amendment Act came into effect on 1 February 2021, while several other provisions will only come into force at a later date. Certain provisions, specifically provisions relating to the increasing of the prescribed maximum financial penalty under the PDPA, will come into force no earlier than 1 February 2022.

In addition to the PDPA, the following subsidiary legislation has been issued to date:

The PDPA sets a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) other existing laws and regulations. The PDPA specifically provides that the data protection framework under the PDPA does not affect any right or obligation under the law, and that in the event of any inconsistency, the provisions of other written laws will prevail. For example, the banking secrecy laws under the Banking Act (Chapter 19) 1971 (as revised) govern customer information obtained by banks, and will prevail over the PDPA in the event of any inconsistency with the PDPA.

1.2. Guidelines

The PDPC has issued a number of advisory guidelines which, while not legally binding on any party, provide greater clarity on how the PDPC may interpret the provisions of the PDPA. Some examples include:

All advisory guidelines and guides are accessible via the PDPC's website.

1.3. Case law

In addition to enforcement decisions issued by the PDPC (see section 9.1. below), the PDPA has also been considered by the Singapore courts. On 19 February 2019, the State Court of Singapore dismissed a claim brought against the Singapore Swimming Club for defamation and breach of the PDPA. Although written grounds of judgment are not available, this case is significant as it appears to be the first time where the Singapore courts were asked to consider whether there was a breach of the PDPA, even though the PDPC had not made any decision in respect of any purported contravention of the PDPA.

Additionally, in IP Investment Management Pte Ltd and others v Alex Bellingham [2019] SGDC 207, a judgment of the District Court delivered on 3 October 2019, the Court had to decide on a claim pursuant to the right of private action available to individuals under the previous Section 32 of the PDPA (now Section 48O of the PDPA). The Court found that there had been a breach of certain Data Protection Provisions and that the third plaintiff had suffered loss and damage through the defendant's misuse of his personal information. Accordingly, the Court granted an injunction restraining the defendant from using, disclosing, or communicating any personal data of the third plaintiff, and ordered the defendant to undertake the destruction of all personal data of the third plaintiff. However, the Court did not elaborate on the type of damage or loss required for an actionable claim under the previous Section 32 of the PDPA.

2. SCOPE OF APPLICATION

2.1. Personal scope

The PDPA generally applies to all private organisations in respect of the personal data of individuals that they collect, use, and/or disclose.

However, the following categories of organisations are exempted from the application of the PDPA:

  • individuals acting in a personal or domestic capacity;
  • employees acting in the course of their employment with an organisation;
  • public agencies; or
  • any other organisation or personal data, or classes of organisations or personal data as may be prescribed.

Government agencies are not subject to the requirements of the PDPA, as they have their own set of data protection rules which all public officers must comply with. That said, this exemption does not extend to private-sector organisations working on behalf of government agencies.

'Data intermediaries' are partially excluded from the application of the Data Protection Provisions if they are processing personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing, and only have obligations under the PDPA in relation to:

  • the protection of personal data in their possession or under their control, by making reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks;
  • the retention of personal data, by ceasing to retain documents containing personal data, or removing the means by which the personal data can be associated with particular individuals (e.g. destruction or anonymisation of personal data) as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer served by its retention, and retention is no longer necessary for legal or business purposes; and
  • the notification of a data breach, by notifying the organisation or the public agency that it is processing personal data on behalf of, of the occurrence of the data breach without undue delay, where the data intermediary in question has reason to believe that a data breach affecting personal data has occurred.

2.2. Territorial scope

The PDPA also applies to organisations with no physical presence in Singapore, as long as these organisations collect, use, or disclose data within Singapore. For example, organisations located overseas which collect data from individuals in Singapore via online channels or platforms will be subject to the Data Protection Provisions under the PDPA.

It is worth noting that related organisations are not excluded from the application of the PDPA; an organisation which transfers personal data to its parent company or subsidiary will be subject to the Data Protection Provisions. Furthermore, organisations involved in the cross-border transfer of personal data from Singapore to locations overseas are also subject to the Data Protection Provisions.

2.3. Material scope

The PDPA regulates the collection, use, and disclosure of personal data by organisations. The PDPA expressly excludes the following categories of personal data from its application:

  • 'business contact information', which is defined as 'an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes', unless expressly referred to in the PDPA;
  • personal data that is contained in a record that has been in existence for at least 100 years; and
  • personal data about a deceased individual who has been dead for more than ten years.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The PDPC is the regulatory authority that is responsible for administering and enforcing the PDPA. It is part of the converged telecommunications and media regulator, the Infocomm Media Development Authority ('IMDA'), which is in turn a statutory board under the purview of the Ministry of Communications and Information.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the PDPC are as follows:

  • to promote awareness of data protection in Singapore;
  • to provide consultancy, advisory, technical, managerial, or other specialist services relating to data protection;
  • to advise the Government of Singapore ('the Government') on all matters relating to data protection;
  • to represent the Government internationally on matters relating to data protection;
  • to conduct research and studies, promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and support other organisations conducting such activities;
  • to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or intergovernmental organisations, on its own behalf or on behalf of the Government;
  • to administer and enforce the PDPA;
  • to carry out functions conferred on the PDPC under any other written law; and
  • to engage in such other activities and perform such functions as the Minister may permit or assign to the PDPC by order published in the Gazette.

4. KEY DEFINITIONS

Data controller: The PDPA does not use the term 'data controller'. Instead, it uses the more general term of 'organisation' to refer to the entities that are required to comply with the obligations prescribed under the PDPA. The term 'organisation' broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.

Data processor: The term 'data processor' is not used in the PDPA, but an equivalent term 'data intermediary' is used. A 'data intermediary' is defined as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. See also section 2.1 above for more information on the obligations of data intermediaries.

Personal data: 'Personal data' under the PDPA refers to all 'data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.' This applies regardless of whether such data is in electronic or another form, and regardless of the degree of sensitivity. However, the PDPA expressly excludes the following categories of personal data from its application:

  • 'business contact information,' which is defined as 'an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes', unless expressly referred to in the PDPA;
  • personal data that is contained in a record that has been in existence for at least 100 years; and
  • personal data about a deceased individual who has been dead for more than ten years.

Sensitive data: Even though there is no special category for sensitive personal data in the PDPA, the PDPC takes the view that personal data of a more sensitive nature should be safeguarded by a higher level of protection. The types of personal data that would typically be more sensitive in nature include an individual's national identification numbers (e.g. National Registration Identity Card and passport numbers); personal data of a financial nature (e.g. bank account details, Central Depository account details, securities holdings, transaction and payment summaries); insurance information (e.g. names of the policyholder's dependents or beneficiaries, sum insured under the insurance policy, the premium amount and type of coverage); an individual's personal history involving drug use and infidelity; sensitive medical conditions; and personal data of minors. (See Re Aviva Ltd [2017] SGPDPC 14). Additionally, in the Breach Notification Regulations, the PDPC prescribes a list of data that, if subject to a data breach, would be deemed to result in significant harm to individuals. These include the following broad categories of personal data:

  • financial information which is not publicly disclosed;
  • personal data which would lead to the identification of vulnerable individuals (e.g., leading to identification of a minor who has been arrested for an offence);
  • life, accident, and health insurance information which is not publicly disclosed;
  • specified medical information, including the assessment and diagnosis of HIV infections;
  • information related to adoption matters;
  • a private key used to authenticate or digitally sign an electronic record or transaction; and
  • an individual's account identifier and data for access into the individual's account.

Health data: The term 'health data' is not used in the PDPA. Rather health data would be considered a type of personal data, and therefore be covered under the PDPA. Depending on the particular factual context, the handling of health data could also be covered under other laws such as the Health Products (Clinical Trials) Regulations 2016, or the Medicines (Clinical Trials) Regulations 2016 in Singapore.

Biometric data: The term 'biometric data' is not used in the PDPA. Rather, similar to health data, biometric data would be considered as a type of personal data, and therefore would be covered under the PDPA.

Pseudonymisation: There is no specific reference to pseudonymisation in the PDPA. However, in Selected Topics Guidelines, the PDPC describes pseudonymisation as an anonymisation technique involving 'replacing personal identifiers with other references', and has also stated that the anonymisation of personal data may be carried out to render the anonymised data suitable for more uses than its original state (i.e. the original personal data) would permit under data protection regimes, since anonymised data would not allow the identification of an individual and is thus not personal data.

Additionally, in its Guide to Basic Data Anonymisation Techniques, the PDPC has also set out recommended best practices for pseudonymisation, and has recognised the distinction between irreversible pseudonymisation (i.e. where the original values are properly disposed and the pseudonymisation was done in a non-repeatable fashion) and reversible pseudonymisation (i.e. where the original values are securely kept but can be retrieved and linked back to the pseudonym).
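The distinction the PDPC's guide draws between irreversible and reversible pseudonymisation is easier to see in code. The following is an added Python example, not part of this overview or of any PDPC material; the sample records (made-up NRIC-style identifiers), the field names, and the assumption that the reversible lookup table would be stored separately and access-controlled are all constructed for illustration.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample records: the identifiers are invented and belong to no real person.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"nric": "S0000001A", "postcode": "018956", "diagnosis": "asthma"},
    {"nric": "S0000002B", "postcode": "238801", "diagnosis": "none"},
    {"nric": "S0000001A", "postcode": "018956", "diagnosis": "flu"},  # same person, second visit
]


def _fresh_token() -> str:
    """A random 16-hex-character reference with no mathematical link to the original value.
    Using a random token (rather than a hash of the identifier) means the pseudonym reveals
    nothing about the original even if the pseudonymised dataset is disclosed."""
    return secrets.token_hex(8)


def pseudonymise_irreversibly(records: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Irreversible pseudonymisation in the sense used by the PDPC guide: the identifier is
    replaced with a random token, the replacement is not repeatable (the same original value
    receives a different token each time it appears), and no lookup table is kept. Records of
    one person can therefore no longer be linked to each other or to the original identifier."""
    out = []
    for record in records:
        copy = dict(record)
        copy[field] = _fresh_token()
        out.append(copy)
    return out


class ReversiblePseudonymiser:
    """Reversible pseudonymisation: identifiers are replaced with random tokens, but a lookup
    table mapping token -> original is retained. Assumption for illustration: in a real
    deployment this table would live in a separate, access-controlled store, apart from the
    pseudonymised dataset."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def pseudonymise(self, value: str) -> str:
        # Repeatable: the same original value always maps to the same token, so records
        # about one individual stay linkable within the dataset.
        token = self._value_to_token.get(value)
        if token is None:
            token = _fresh_token()
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def pseudonymise_records(self, records: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
        out = []
        for record in records:
            copy = dict(record)
            copy[field] = self.pseudonymise(record[field])
            out.append(copy)
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Map a token back to the original value; None for tokens this table never issued."""
        return self._token_to_value.get(token)

    def dispose_lookup(self) -> None:
        """Destroying the table turns the already-issued dataset into irreversibly pseudonymised
        data from this point on: tokens can no longer be mapped back to individuals."""
        self._token_to_value.clear()
        self._value_to_token.clear()


if __name__ == "__main__":
    print("irreversible:", pseudonymise_irreversibly(SAMPLE_RECORDS, "nric"))
    table = ReversiblePseudonymiser()
    reversible = table.pseudonymise_records(SAMPLE_RECORDS, "nric")
    print("reversible:  ", reversible)
    print("re-identified:", table.reidentify(reversible[0]["nric"]))
```

The practical difference for a data protection review is the lookup table: while it exists, the pseudonymised dataset plus the table together remain personal data, so the table needs the same protection the original identifiers had; once it is disposed of, what remains can no longer be linked back to individuals from within the organisation's own holdings.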

5. LEGAL BASES

5.1. Consent

Under the Consent Obligation, organisations are required to obtain individuals' consent to collect, use, or disclose their personal data unless such collection, use, or disclosure is required or authorised under the PDPA or any other written law.

Consent is not required for the collection, use, and disclosure of personal data where the specific exceptions in the First Schedule and the Second Schedule to the PDPA apply, for example where the collection, use, or disclosure of personal data about an individual:

  • is necessary for any purpose which is clearly in the interests of the individual, and:
    • consent for the collection, use, or disclosure cannot be obtained in a timely way; or
    • the individual would not reasonably be expected to withhold consent;
  • is publicly available;
  • is in the national interest;
  • is in the legitimate interests of the organisation or another person and the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.

An organisation is further required to state the purposes for which it is collecting, using, or disclosing the data under the Notification Obligation. Where the supply of a product or service is conditional upon consent being given by an individual, such consent must not extend beyond what is reasonable to provide that product or service.

Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. The PDPA provides for three different forms of deemed consent:

  • deemed consent by conduct;
  • deemed consent by contractual necessity; and
  • deemed consent by notification.

According to the PDPC's Key Concepts Guidelines, deemed consent by conduct applies to situations where the individual voluntarily provides his personal data to the organisation. The purposes are limited to those that are objectively obvious and reasonably appropriate from the surrounding circumstances. Consent is deemed to be given to the extent that the individual intended to provide his personal data and had taken the action required for the data to be collected by the organisation. The onus is on the organisation to ensure that individuals are aware of the purposes for which their personal data is being collected, used, or disclosed.

Deemed consent by contractual necessity is where the disclosure of personal data from one organisation A to another organisation B is necessary for the conclusion or performance of a contract or transaction between the individual and organisation A. Deemed consent by contractual necessity extends to disclosure by organisation B to another downstream organisation C where the disclosure by organisation B (and collection by organisation C) is reasonably necessary to fulfil the contract between the individual and A.

Under deemed consent by notification, an individual may be deemed to have consented to the collection, use, or disclosure of personal data for a purpose that the individual had been notified of, and where that individual has not taken any action to opt out of the collection, use, or disclosure of his/her personal data. The Key Concepts Guidelines provide that deemed consent by notification is useful where the organisation wishes to use or disclose existing data for secondary purposes that are different from the primary purposes for which it had originally collected the personal data, and it is unable to rely on any of the exceptions to consent for the intended secondary use.

Reliance on deemed consent by notification is subject to the organisation assessing and determining whether certain prior conditions are met. First, an organisation must conduct an assessment to determine that the proposed collection, use, or disclosure of personal data is not likely to have an adverse effect on the individual. Second, an organisation must take reasonable steps to notify the individual of the organisation's intention to collect, use, or disclose the personal data and the purpose of such collection, use, or disclosure. Third, the organisation must provide a reasonable period for the individual to opt out before it proceeds to collect, use, or disclose the personal data. Consent for the collection, use, or disclosure of personal data is deemed to be given only after the opt-out period has lapsed. According to the Key Concepts Guidelines, deemed consent by notification should not be relied on where individuals would not have a reasonable opportunity and period to opt out (e.g. security monitoring of premises using video cameras).

Individuals can generally withdraw consent at any time by giving reasonable notice. On receipt of notice that an individual wishes to withdraw consent, the organisation must inform the individual of the likely consequences of such a withdrawal of consent. While the organisation may not prohibit an individual from withdrawing his/her consent, such withdrawal will not affect any legal consequences arising from it (e.g. cessation of services provided by the organisation). Withdrawal of consent applies prospectively and will only affect an organisation's continued or future use of the personal data concerned. Organisations are also required to cause their agents and data intermediaries to cease collection, use, or disclosure of the individual's personal data when consent is withdrawn.

An organisation collecting personal data from a third-party source is required to notify the source of the purposes for which it will be collecting, using, and disclosing the personal data. Moreover, the organisation should exercise the appropriate due diligence to check and ensure that the third-party source can validly give consent for the collection, use, and disclosure of personal data on behalf of the individuals or that the source had obtained consent for the disclosure of the personal data.

5.2. Contract with the data subject

Where an organisation enters into a contract with an individual, the individual may be deemed to have given his consent for the collection, use, or disclosure of personal data (as the case may be). An individual gives deemed consent if the individual, without actually giving consent, voluntarily provides the personal data to the organisation for that purpose, and it is reasonable that the individual would voluntarily provide the data.

5.3. Legal obligations

An organisation is able to collect, use, and disclose personal data without consent where it is required or permitted under law. For example, under paragraph 4 of Part 3 of the Second Schedule to the PDPA, disclosure of personal data without consent is permitted where it is to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.

5.4. Interests of the data subject

An organisation is able to collect, use, and disclose personal data where it is in the interests of the individual in question. Under Part 1 of the First Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where (amongst others):

  • the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way; or
  • the disclosure is necessary to respond to an emergency that threatens the life, health, or safety of the individual or another individual.

5.5. Public interest

An organisation is able to collect, use, and disclose personal data without consent where it is in the public interest. For example, under paragraph 2 of Part 2 of the First Schedule to the PDPA, the collection, use, or disclosure of personal data is permitted without the consent of the individual where the collection, use, or disclosure is necessary in the national interest.

5.6. Legitimate interests of the data controller

An organisation is able to collect, use, and disclose personal data without consent where it is in the legitimate interests of the organisation. Under Part 3 of the First Schedule to the PDPA, subject to certain requirements, organisations will be able to collect, use, and disclose (as the case may be) personal data about an individual if:

  • it is in the legitimate interests of the organisation or another person; and
  • the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.

Before relying on the legitimate interests exception, an organisation must conduct an assessment, i.e. a Data Protection Impact Assessment ('DPIA') in accordance with the prescribed requirements. The organisation must, in respect of the DPIA, be able to:

  • identify and be able to clearly articulate the situation or purpose that qualifies as a legitimate interest;
  • identify and implement reasonable measures to eliminate and reduce the likelihood of the occurrence of, or mitigate the adverse effect of the processing of personal data on the individual; and
  • comply with any prescribed requirements.

An organisation relying on the legitimate interests exception to collect, use, or disclose personal data without consent must take reasonable steps to provide the individual with reasonable access to information that the organisation is relying on the exception.

The legitimate interests exception does not apply to the processing of personal data for the purposes of sending an individual a message for an 'applicable purpose' as prescribed in the Tenth Schedule of the PDPA.

5.7. Legal bases in other instances

In general, organisations may collect, use, or disclose personal data as long as an exception under the First Schedule or Second Schedule to the PDPA applies.

6. PRINCIPLES

The PDPA imposes the following data protection obligations on organisations in respect of their data activities:

  • Consent Obligation: An organisation must obtain an individual's consent before collecting, using, or disclosing his/her personal data for a purpose (Sections 13 to 17 of the PDPA).
  • Purpose Limitation Obligation: An organisation may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
  • Notification Obligation: An organisation must notify the individual of the purpose(s) for which it intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes (Sections 18 and 20 of the PDPA).
  • Access and Correction Obligation: An organisation must, upon request, allow an individual to access and/or correct his/her personal data in its possession or under its control. In addition, the organisation is obliged to provide the individual with information about the ways in which personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
  • Accuracy Obligation: An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation (Section 23 of the PDPA).
  • Protection Obligation: An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and (b) the loss of any storage medium or device on which personal data is stored (Section 24 of the PDPA).
  • Retention Limitation Obligation: An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25 of the PDPA).
  • Transfer Limitation Obligation: An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (Section 26 of the PDPA).
  • Accountability Obligation: An organisation must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a data protection officer ('DPO'), and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints. In addition, the organisation is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12 of the PDPA).
  • Data Breach Notification Obligation: An organisation must assess data breaches that have occurred affecting personal data in its possession or under its control, and is required to notify the PDPC, as well as affected individuals, of the occurrence of certain data breaches (notifiable data breaches) (Sections 26A to 26E of the PDPA).

In addition, the Amendment Act will introduce one further data protection obligation (which has yet to come into effect):

  • Data Portability Obligation: Upon an organisation's receipt of a data porting request from an individual, the porting organisation must transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience, and consumer protection matters.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

There is no obligation imposed on an organisation to notify or register with the PDPC before collecting, using, or disclosing any personal data in Singapore.

7.2. Data transfers

Organisations are subject to the Transfer Limitation Obligation. An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.

To do so, the organisation must generally ensure that the recipients of such personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. These 'legally enforceable obligations' include those imposed under law, contract or Binding Corporate Rules ('BCRs'), or any other legally binding instrument.

In addition, organisations that hold a 'specified certification' that is granted or recognised under the law of the country or territory to which personal data is transferred will be taken to be bound by such legally enforceable obligations. Under the Personal Data Protection Regulations, a 'specified certification' refers to certifications under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') System, and the Asia Pacific Economic Cooperation Privacy Recognition for Processors ('APEC PRP') System. A recipient is taken to have satisfied the requirements under the Transfer Limitation Obligation if:

  • it is receiving the personal data as an organisation and it holds a valid APEC CBPR certification; or
  • it is receiving the personal data as a data intermediary and it holds either a valid APEC PRP or CBPR certification, or both.

A contract that is relied on as a legally enforceable obligation for the cross-border transfer of personal data must:

  • require the recipient to provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the PDPA; and
  • specify the countries and territories to which the personal data may be transferred under the contract.

Similarly, BCRs that are relied on as legally enforceable obligations for the cross-border transfer of personal data must:

  • require every recipient of the transferred personal data to provide to the personal data a standard of protection that is at least comparable to the protection under the PDPA;
  • specify the recipients of the transferred personal data to which the BCRs apply;
  • specify the countries and territories to which the personal data may be transferred under the BCRs; and
  • specify the rights and obligations provided by the BCRs.

BCRs may only be used for recipients that are related to the transferring organisation. A recipient of personal data is considered 'related' to the transferring organisation if:

  • the recipient, directly or indirectly, controls the transferring organisation;
  • the recipient is, directly or indirectly, controlled by the transferring organisation; or
  • the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

There are a few express situations whereby an organisation can be taken to have satisfied the requirement of taking appropriate steps to ensure that the recipient outside Singapore is bound by legally enforceable obligations to protect personal data in accordance with comparable standards. These include:

  • where the individual consents to, or is deemed to have consented to, the transfer of the personal data to the recipient in that country;
  • where the transfer of the personal data to the recipient is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual's request with a view to the individual entering into a contract with the transferring organisation;
  • where the transfer of personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;
  • where the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, subject to the transferring organisation taking reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and
  • where the personal data is data in transit or publicly available in Singapore.

7.3. Data processing records

There is no obligation imposed on an organisation to maintain any data processing records. However, all organisations should ensure that they comply with the Data Protection Provisions of the PDPA in carrying out their data activities.

7.4. Data protection impact assessment

Whilst there is no standalone obligation to conduct a Data Protection Impact Assessment ('DPIA') under the PDPA, there are provisions in the PDPA which require organisations to conduct 'assessments' (which may be narrower in scope than a full DPIA) under certain circumstances. For example, if an organisation intends to rely on the legitimate interests exception under Part 3 of the First Schedule to the PDPA in the collection, use, or disclosure of personal data about an individual without that individual's consent, the organisation must conduct an 'assessment', before collecting, using, or disclosing the personal data (as the case may be), to:

  • identify any adverse effect that the proposed collection, use, or disclosure (as the case may be) of personal data about an individual is likely to have on the individual;
  • identify and implement reasonable measures to:
    • eliminate the adverse effect;
    • reduce the likelihood that the adverse effect will occur; or
    • mitigate the adverse effect; and
  • comply with any other prescribed requirements.

In relation to the above, we highlight that the PDPC has also published a Guide to Data Protection Impact Assessments. In this guide, the PDPC states that a DPIA is a tool that allows organisations to 'be better positioned to assess if their handling of personal data complies with the PDPA or data protection best practices, and implement appropriate technical or organisational measures to safeguard against data protection risks to individuals'.

7.5. Data protection officer appointment

As part of the Accountability Obligation, it is mandatory for organisations to appoint a data protection officer ('DPO'), or a panel of individuals designated as the DPO, to be responsible for ensuring that the organisation complies with the PDPA. The organisation must make the business contact information of the DPO publicly available. The appointed DPO may delegate the responsibility conferred by this appointment to appropriate individuals, although, as mentioned previously, the organisation remains ultimately responsible for complying with the PDPA. Organisations that have not appointed a DPO are in breach of the Accountability Obligation and may be subject to a financial penalty. The PDPC may also issue directions to that organisation to appoint a DPO.

Additionally, the PDPC has stated that recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organisation and ought to be part of enterprise risk management frameworks. This would allow the board of directors and C-level executives to be made cognisant of the risks of a data breach. (See Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15).

The organisation is also required to make available the business contact information of a person who is able to respond to questions relating to the collection, use, or disclosure of personal data on behalf of the organisation under the Notification Obligation. This person may also be the designated DPO. While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends as good practice that the business contact information of this person should be readily accessible from Singapore and operational during Singapore business hours, and that, if telephone numbers are used, they should be Singapore telephone numbers.

In terms of the choice of DPO, the PDPC has stated that the DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to him or her. If the DPO is not one of the C-level executives, the DPO should have at least a direct line of communication to them. This level of access and empowerment will provide the DPO with the necessary wherewithal to perform his/her role and accomplish his/her functions. (See Re M Stars Movers & Logistics Specialist Pte Ltd).

7.6. Data breach notification

The Amendment Act introduced a new Data Breach Notification Obligation under Part VIA of the PDPA, which came into effect on 1 February 2021. Under this Data Breach Notification Obligation, organisations are required to assess data breaches that have occurred affecting personal data in their possession or under their control, and to notify the PDPC, as well as affected individuals, of the occurrence of data breaches that meet certain thresholds (i.e. notifiable data breaches), unless an exception applies.

A 'data breach', in relation to personal data, is defined as:

  • the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data; or
  • the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification, or disposal of the personal data is likely to occur.

A notifiable data breach is a data breach that:

  • results in, or is likely to result in, significant harm to any individual to whom any personal data affected by the data breach relates; or
  • is, or is likely to be, of a significant scale (i.e. 500 or more individuals).

Section 26C of the PDPA provides for a duty to assess, which requires organisations to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach, if it has reason to believe that a data breach has occurred affecting personal data in its possession or under its control.

Under Section 26D of the PDPA, where an organisation assesses that a data breach is a notifiable data breach, the organisation must notify the PDPC as soon as is practicable, but in any case no later than three calendar days after it makes the assessment.

Furthermore, unless an exception applies, organisations must, on or after notifying the PDPC, notify the individuals affected by a notifiable data breach, if the data breach results in, or is likely to result in, significant harm to an affected individual. The notification should be in the form and manner as prescribed and contain information to the best of the knowledge and belief of the organisation at the time.

Under the Breach Notification Regulations, a data breach is deemed to result in significant harm to an individual if the data breach relates to:

  • the individual's full name or alias or identification number, and any of the personal data or classes of personal data relating to the individual set out in Part 1 of the Schedule, subject to Part 2 of the Schedule; or
  • all of the following personal data relating to an individual's account with an organisation:
    • the individual's account identifier such as an account name or number;
    • any password, security code, access code, response to a security question, biometric data or other data that is used, or required to allow access to or use of the individual's account.

The categories under Part 1 of the Schedule to the Breach Notification Regulations broadly include personal data in the following categories:

  • financial information which is not publicly disclosed;
  • personal data which would lead to the identification of vulnerable individuals (e.g., leading to identification of a minor who has been arrested for an offence);
  • life, accident, and health insurance information which is not publicly disclosed;
  • specified medical information, including the assessment and diagnosis of HIV infections;
  • information related to adoption matters; and
  • a private key that is used to authenticate or digitally sign an electronic record or transaction.

One notable exception to the duty to notify is where a data breach takes place within an organisation. A data breach that relates to the unauthorised access, collection, use, disclosure, copying, or modification of personal data only within an organisation is deemed not to be a notifiable data breach (Section 26B(4) of the PDPA). The PDPC provides an example in the Key Concepts Guidelines of the HR department of an organisation mistakenly sending an email attachment containing personal data to another department within the same organisation that is not authorised to receive it. Since the data breach is contained within the organisation, it is not a notifiable data breach and the data breach is not subject to the Data Breach Notification Obligation.

The PDPC has also reminded organisations of their general duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC. (See Re NTUC Income Insurance Co-operative [2018] SGPDPC 10).

Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach. The PDPC provides that, as a good practice, organisations should establish clear procedures for complying with the Data Breach Notification Obligation when entering into service agreements or contractual arrangements with their data intermediaries.

Additionally, organisations are also subject to the Protection Obligation. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. In this regard, the PDPC has published the Guide to Securing Personal Data in Electronic Medium, which aims to aid organisations in the management of electronic personal data (including a checklist of good practices), and its revised Guide to Managing and Notifying Data Breaches (revised 15 March 2021), which is intended to help organisations to identify, prepare for, and manage data breaches.

Sectoral obligations

In relation to financial institutions ('FIs'), the Guidelines on Outsourcing and the Technology Risk Management Guidelines ('the Risk Management Guidelines'), both issued by the Monetary Authority of Singapore ('MAS'), require FIs to notify the MAS of, amongst others, breaches of security and confidentiality of the FI's customer information within the following timeframes:

  • within an hour of the discovery of a 'Relevant Incident,' which is defined in the Risk Management Guidelines as 'a system malfunction or IT security incident, which has a severe and widespread impact on the financial institution's operations or materially impacts the financial institution's service to its customers'; and
  • 'as soon as possible of any adverse development arising from [their] outsourcing arrangements that could impact the institution' as well as any 'such adverse development encountered within the institution's group'.

7.7. Data retention

The Retention Limitation Obligation in the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and such retention is no longer necessary for legal or business purposes.

The PDPA does not prescribe a specific retention period for personal data, and the duration of time whereby an organisation can retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and retained. Accordingly, legal or specific industry-standard requirements in relation to the retention of personal data may apply.

Where there is no longer a need for an organisation to retain personal data, the organisation should cease to do so. An organisation will be deemed to have ceased to retain personal data when it no longer has access to the documents and the personal data they contain, or when the personal data is otherwise inaccessible to or irretrievable by the organisation. In considering whether an organisation has ceased to retain personal data the PDPC will consider the following factors in relation to the personal data:

  • whether the organisation has any intention to use or access the personal data;
  • how much effort and resources the organisation would need to expend in order to use or access the personal data again;
  • whether any third parties have been given access to that personal data; and
  • whether the organisation has made a reasonable attempt to destroy, dispose of, or delete the personal data in a permanent and complete manner.

7.8. Children's data

There are no specific provisions regulating the processing of children's data. However, see the definition of 'sensitive data' under section 4.

Additionally, we also highlight that the PDPC has stated, in its Selected Topics Guidelines, that organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent in determining if the minor can effectively provide consent on his/her own behalf for the purposes of the PDPA.

The PDPC has also stated in the Selected Topics Guidelines that it would adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his own behalf. However, it also states that where an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual who is legally able to provide consent on the minor's behalf, such as the minor's parent or guardian.

7.9. Special categories of personal data

See the definition of 'sensitive data' under section 4.

7.10. Controller and processor contracts

The PDPA draws a distinction between an 'organisation' and a 'data intermediary' in relation to the processing of personal data. The relevant definitions as set out in Section 2(1) of the PDPA are as follows:

An 'organisation' is defined as any individual, company, association or body of persons, corporate or unincorporated, whether or not:

  • formed or recognised under the law of Singapore; or
  • resident, or having an office or a place of business, in Singapore.

A 'data intermediary' is defined as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.

'Processing' is defined as the carrying out of any operations or set of operations in relation to the personal data, and includes any of the following:

  • recording;
  • holding;
  • organisation, adaptation or alteration;
  • retrieval;
  • combination;
  • transmission; and
  • erasure or destruction.

If an organisation is not a data intermediary, it is subject to the full set of data protection obligations under the PDPA. In contrast, as elaborated on in section 2.1 above, other than the Protection Obligation, the Retention Limitation Obligation, and the duty under the Data Breach Notification Obligation to notify the organisation/public agency on whose behalf it is processing data of a data breach, no other data protection obligations are imposed on a data intermediary with respect to its processing of personal data for or on behalf of an organisation pursuant to a contract in writing. Therefore, to avoid both parties having to answer to the data protection obligations to the full extent, the contract should state clearly the relationship and the rights and obligations of both parties.

Even if an organisation engages a data intermediary to process personal data on its behalf and for its purposes, Section 4(3) of the PDPA provides that it shall have the same obligations as if the personal data were processed by the organisation itself. Therefore, effectively, the organisation will remain liable for the actions and omissions of the data intermediary for personal data that the data intermediary is processing on the organisation's behalf.

In this regard, data intermediaries are typically subject to contractual obligations which necessitate compliance with the other obligations of the PDPA. According to the Key Concept Guidelines, it is expected that organisations engaging data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in the service agreement between the organisation and the data intermediary.

On 1 February 2021, the PDPC released a revised version of its non-legally binding Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data, which provides sample data protection clauses that an organisation purchasing services relating to the processing of personal data may include in the service agreements with the data intermediaries.

If the organisation fails to put in place data protection clauses in such service agreements, the organisation runs the risk of being held to have breached its Protection Obligation by failing to take necessary actions and precautionary measures to protect such personal data.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

While there is no standalone right to be informed under the PDPA, organisations are subject to several data protection obligations under the PDPA which require them to provide notification to the individual data subject under certain circumstances.

First, under the Notification Obligation, an organisation must notify the individual of the purpose(s) for which it intends to collect, use, or disclose his personal data on or before such collection, use, or disclosure. In addition, the organisation is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.

Second, under the Accountability Obligation, an organisation must develop and implement policies and practices that are necessary for it to meet its key obligations under the PDPA, and make information about such policies and practices publicly available, such as via an online personal data protection and/or privacy policy.

Finally, under the Data Breach Notification Obligation, an organisation that suffers a data breach is required to notify affected individuals of a data breach that results or is likely to result in significant harm to them, unless certain prescribed exceptions apply.

8.2. Right to access

Organisations are subject to the Access Obligation under the PDPA. An organisation must allow an individual to access his personal data in its possession or under its control upon request.

The organisation has a duty to respond to applicants' requests to access their personal data as accurately and completely as necessary and reasonably possible, subject to the exceptions in the Fifth Schedule of the PDPA. On receipt of individuals' requests, the organisation is obliged to provide the individuals, as soon as reasonably possible, with:

  • personal data about them that is in the possession or under the control of the organisation; and
  • information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the request.

An organisation should provide a copy of each applicant's personal data in documentary form or any other form requested by the individual as is acceptable by the organisation. If it is impracticable to do so, the organisation may allow the individual a reasonable opportunity to examine the personal data.

Under the Access Obligation, organisations may charge applicants a reasonable fee to respond to access requests. In doing so, an organisation must provide the applicant with a written estimate of the fee. If the organisation wishes to charge a fee that is higher than the written estimate, it will need to notify the applicant in writing of the higher fee. An organisation does not have to respond to an applicant's access request unless the applicant agrees to pay the fee.

There are certain exceptions whereby organisations are allowed to withhold access to an individual's personal data. For example, these exceptions include:

  • when such access will reveal personal data about another individual or will be contrary to the national interest;
  • if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interest; or
  • if the request is otherwise frivolous or vexatious.

In addition to the Fifth Schedule to the PDPA, more specific rules concerning the Access Obligation may be found in Part 2 of the Personal Data Protection Regulations.

Additionally, an organisation which refuses to provide access to personal data requested by an individual under the Access Obligation must preserve a complete and accurate copy of the personal data concerned for not less than the prescribed period, which is generally 30 days after the date of refusal.

8.3. Right to rectification

Organisations are subject to the Correction Obligation. An organisation must allow an individual to correct his personal data in its possession or under its control upon request.

Individuals have the right to request an organisation to correct any inaccurate data that is in the organisation's control, subject to the exceptions in the Sixth Schedule of the PDPA. An organisation may not make a requested correction if it is satisfied on reasonable grounds that a correction should not be made. If no correction is made, the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. Furthermore, organisations are required to send the corrected or updated personal data to specific organisations to which the personal data was disclosed within a year before the correction was made, unless those organisations do not need the corrected data for any legal or business purposes.

In contrast to access requests, organisations are not entitled to impose a fee for correction requests.

Upon receipt of an access or correction request, if the organisation cannot comply within 30 days, it must inform the individual in writing of the time by which it will respond to the request.

In addition to the Sixth Schedule to the PDPA, more specific rules concerning the Correction Obligation may be found in Part 2 of the Personal Data Protection Regulations.

8.4. Right to erasure

The PDPA does not provide individuals with a standalone right to request for an organisation to destroy or delete the personal data in the organisation's possession or control. However, under the Retention Limitation Obligation, organisations are required to cease to retain personal data if retention of such personal data is no longer necessary for legal or business purposes.

8.5. Right to object/opt-out

Individuals have the right to withdraw their consent to the collection, use, or disclosure of their personal data at any time by giving reasonable notice. However, the withdrawal of consent will not affect any legal consequences arising from such withdrawal.

With regard to the withdrawal of consent, data subjects should be cognisant of the fact that the withdrawal of certain types of consent may affect the ability of the organisation to continue providing them with the requested services.

8.6. Right to data portability

At present, individuals do not have a right to data portability under the PDPA. However, once the changes relating to data portability introduced in the Amendment Act come into force, an individual may make a data porting request to a porting organisation. Upon receiving the data porting request, the porting organisation must (unless an exception applies) transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements, such as requirements relating to technical, user experience and consumer protection matters.

8.7. Right not to be subject to automated decision-making

The PDPA does not provide individuals with a right not to be subject to a decision based solely on automated processing.

8.8. Other rights

Not applicable.

9. PENALTIES

The PDPC is responsible for enforcing the PDPA. Where the PDPC is satisfied that an organisation has breached the Data Protection Provisions under the PDPA, the PDPC is empowered with a wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:

  • stop collecting, using, or disclosing personal data in contravention of the PDPA;
  • destroy personal data collected in contravention of the PDPA;
  • provide access to or correct personal data; or
  • pay a financial penalty of up to SGD 1 million (approx. €625,735).

The changes that will come into force at a later date under the Amendment Act will empower the PDPC to impose higher financial penalties. In particular, the PDPC will be empowered to impose a financial penalty on organisations in breach of the data protection provisions in the PDPA of up to a maximum of 10% of the organisation's annual turnover in Singapore (if its annual turnover in Singapore exceeds SGD 10 million (approx. €6,257,210)), or up to SGD 1 million (approx. €625,735) in any other case. An organisation's annual turnover in Singapore will be ascertained from the most recent audited accounts of the organisation that are available at the time the financial penalty is imposed. The PDPC has stated that the enhanced financial penalty provisions will take effect on a further date to be notified, which will be no earlier than 1 February 2022.

In the course of its investigation, the PDPC may:

  • by notice in writing, require an organisation to produce any specified document or specified information;
  • by giving at least two working days' advance notice of intended entry, enter into an organisation's premises without a warrant; and
  • obtain a search warrant to enter an organisation's premises and take possession of, or remove, any document.

Non-compliance with certain provisions under the PDPA may also constitute an offence, for which a fine or a term of imprisonment may be imposed. The quantum of the fine and the length of imprisonment (if any) vary, depending on which provisions are breached.

For instance, a person found guilty of making requests to obtain access to or correct the personal data of another without authority may be liable on conviction to a fine not exceeding SGD 5,000 (approx. €3,128) or to imprisonment for a term not exceeding 12 months, or both (Section 51(2) of the PDPA).

The Amendment Act has also introduced further offences under the PDPA. Under the new section 48F, an individual commits an offence if he takes any action to re-identify or cause re-identification of a person to whom anonymised information in the possession or under the control of an organisation or a public agency relates, where the re-identification is not authorised by the organisation or public agency, and the individual either knows that the re-identification is not authorised or is reckless as to whether the re-identification is or is not authorised. The penalty is a fine not exceeding SGD 5,000 (approx. €3,128) or to imprisonment for a term not exceeding two years, or both.

An organisation or person who obstructs or impedes the PDPC or an authorised officer, or knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC in the exercise of its powers or performance of its duties under the PDPA, commits an offence for which that person would be liable upon conviction to a fine of up to SGD 10,000 (approx. €6,256) and/or imprisonment for a term of up to 12 months (in the case of an individual), or a fine of up to SGD 100,000 (approx. €62,571) (in any other case). Additionally, any person who neglects or refuses to comply with an order to appear before the PDPC, or without reasonable excuse neglects or refuses to furnish any information or produce any document specified in a written notice to produce information, will be guilty of an offence punishable by a fine not exceeding SGD 5,000 (approx. €3,128) or imprisonment for a term not exceeding 12 months, or both.

An aggrieved individual or organisation may make a written application to the PDPC to reconsider its direction or decision. Thereafter, any individual or organisation aggrieved by the PDPC's reconsideration decision may lodge an appeal to the Data Protection Appeal Panel. Alternatively, an aggrieved individual or organisation may appeal directly to the Data Protection Appeal Panel without first submitting a reconsideration request. A direction or decision of the Data Protection Appeal Panel (via the Data Protection Appeal Committee) may be appealed to the High Court on a point of law or where such decision relates to the amount of a financial penalty. The decision of the High Court may be further appealed to the Court of Appeal.

An individual who suffers loss or damage directly as a result of a contravention of the provisions of the PDPA may also commence a private civil action. However, such a right of private action is only exercisable after all avenues of appeal, in respect of the relevant infringement decision issued by the PDPC, have been exhausted.

9.1 Enforcement decisions

Since 2016, the PDPC has released a series of enforcement decisions that are helpful in clarifying the requirements under the PDPA in respect of personal data protection. These enforcement decisions are generally accessible via the PDPC's website.

As of 7 April 2021, the PDPC has published a total of 173 grounds of decisions or summaries of grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation, under Section 24 of the PDPA. The most common types of breaches of the Protection Obligation involve the deliberate disclosure of personal data, poor technical security arrangements, poor physical security arrangements, errors in mass email and/or post, and insufficient data protection policies.

To date, the highest financial penalties that the PDPC has imposed on organisations are SGD 250,000 (approx. €156,428) and SGD 750,000 (approx. €469,306) on SingHealth Services Pte Ltd and Integrated Health Information Systems Pte Ltd respectively, for breaching their data protection obligations under the PDPA (see Re Singapore Health Services Pte Ltd and another [2019] SGPDPC 3). This unprecedented data breach, which arose from a cyber-attack on SingHealth's patient database system, caused the personal data of some 1.5 million individuals to be compromised.

In addition to these enforcement decisions, the PDPC also publishes an annual Personal Data Protection Digest, which is a compendium comprising the PDPC's grounds of decisions, summaries of unpublished cases in which no breach was found, and a collection of data protection-related articles contributed by data protection practitioners.