Data Protection | 6 min read | 22 May 2025

PDPA Compliance for Singapore Businesses: What You Must Know

A practical guide to the Personal Data Protection Act (PDPA) for Singapore businesses — obligations, penalties, and how to build a compliant data programme.

The Personal Data Protection Act (PDPA)

Singapore's Personal Data Protection Act 2012 (PDPA) governs the collection, use, disclosure, and care of personal data. Administered by the Personal Data Protection Commission (PDPC), it applies to virtually every business in Singapore that handles personal data of individuals.

Understanding the PDPA is no longer optional — penalties for breaches reach $1 million for individuals and 10% of annual turnover (up to $1 million) for organisations under the 2021 amendments.

What is Personal Data Under the PDPA?

Personal data is data about an individual who can be identified from that data, or from that data and other information. Examples:

- Name, NRIC number, passport number
- Email address, phone number, home address
- Photographs, biometric data
- Financial information, medical records
- Location data, IP addresses

The Key PDPA Obligations

1. Consent Obligation
You must obtain the individual's consent before collecting, using, or disclosing their personal data. Consent must be voluntary, informed, and for a specific purpose.

2. Purpose Limitation Obligation
You can only use personal data for the purpose for which it was collected, unless you obtain fresh consent.

3. Notification Obligation
Inform individuals of the purposes for which you are collecting their data before or at the time of collection.

4. Access and Correction Obligation
Individuals have the right to access their personal data held by your organisation and to correct inaccuracies.

5. Accuracy Obligation
Take reasonable steps to ensure personal data is accurate and complete.

6. Protection Obligation
Implement reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, or disposal.

7. Retention Limitation Obligation
Do not retain personal data longer than necessary for the purposes for which it was collected.

8. Transfer Limitation Obligation
Only transfer personal data overseas to countries with comparable data protection standards, or with the individual's consent.

9. Data Breach Notification Obligation
Since 2021: notify the PDPC within 3 business days of discovering a data breach that is likely to result in significant harm, and notify affected individuals as soon as practicable.

Building a PDPA Compliance Programme

Step 1: Data inventory
Map what personal data you collect, where it is stored, how it is used, and who has access.

Step 2: Privacy policy
Draft a clear, accessible privacy policy explaining your data practices.

Step 3: Consent mechanisms
Implement processes to obtain and record consent.

Step 4: Security measures
Implement technical and organisational measures to protect data — access controls, encryption, staff training.

Step 5: Breach response plan
Have a documented plan for responding to data breaches.

Step 6: Data Protection Officer (DPO)
Appoint a DPO responsible for your data protection programme. The DPO must be registered with the PDPC.

PDPC Enforcement: Real Penalties

The PDPC has issued substantial financial penalties:

- A financial institution fined $750,000 for failing to protect customer data
- A healthcare provider fined $50,000 for a data breach
- Multiple companies fined for inadequate consent practices

The 2021 amendments significantly increased maximum penalties. Data protection is now a board-level issue.

*This article provides general legal information, not legal advice. For PDPA compliance advice specific to your organisation, consult a qualified Singapore data protection lawyer.*
