Singapore: Personal Data Protection Act (PDPA) to be enacted

30 March 2012

Sheena Jacob


The Singapore government will be introducing a Personal Data Protection (“DP”) Bill for Singapore to protect consumers’ personal data against misuse. On March 19 2012, the Ministry of Information, Communication and the Arts (“MICA”) released a public consultation paper on the proposed Bill. MICA is inviting submissions of comments by 30 April 2012, 5pm (Singapore time). The proposed DP legislation is to be named the Personal Data Protection Act (“PDPA”) 2012.

This is the third public consultation for the data protection regime. MICA had previously conducted two public consultation exercises from September to December 2011 to seek feedback on the proposed consumer data protection framework and Do Not Call (“DNC”) Registry.

Comments from the earlier consultations have been reviewed and taken into consideration in drafting the proposed Personal Data Protection Bill.

Scope of coverage of Data Protection law

i. Types of data covered – The Bill defines personal data as data, whether true or not, about an individual who can be identified – (a) from that data, or (b) from that data and other information to which the organization is likely to have access. The proposed definition applies to all types of data, whether electronic or not. The definition also does not differentiate between true and false personal data. The PDPA will be consistently applied across all types of personal data - including health, employment and financial standing data - as a baseline and for ease of compliance.

ii. Who the DP regime applies to – The PDPA applies to all private sector organisations, including small companies that have low annual turnover.

iii. Who the DP regime does not apply to - The PDPA will not apply to public agencies or organisations in the course of acting as an agent of a public agency. The rules on data protection also do not apply to individuals acting in a personal capacity or as employees of an organisation.

iv. Both Singapore & overseas organisations covered - The PDPA will cover organisations that are engaged in data collection, processing or disclosure within Singapore, even if the organisation may not be physically located in Singapore.

The PDPA will apply to organisations that collect data with a Singapore link. Such a link exists where the organisation collects PD from an individual physically present in Singapore or if the PD is located in Singapore at the time of collection, uses the PD in Singapore or discloses it in Singapore. Thus, the proposed legislation would, for instance, cover overseas organisations engaged in online collection of Singapore-linked data.

Exclusions of Data Protection regime

i. General exclusions - The DP law will not apply to activities or will only apply in limited circumstances to:

a. Data in existence for at least 100 years.
b. Data intermediaries, or organisations which process PD on behalf of another organisation. These organisations will only have to comply with the requirements pertaining to the safeguarding of PD. A data intermediary is an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation. In contrast, data controllers, which are organisations with control of the data, will have to comply with all provisions.
c. PD pertaining to deceased individuals shall be protected only in the areas of disclosure and security arrangement, up to 10 years from the date of death.
d. Business contact information - Business contact information is defined as an individual’s name, position name or title, business telephone number, address, e-mail or fax number and other similar information. The exclusion applies to business contact information for the purposes of contacting an individual for business, and access to the business contact information where the information is kept or used solely in relation to an individual’s employment, business or profession.

ii. Accountability – Organisations will designate individuals to be responsible for compliance with the DP law and to answer individuals’ queries on DP practices. Organisations may identify officers designated by their positions, instead of names.

iii. Rules on the collection, use and disclosure of personal data

a. Collection of PD necessary for supply of services – Under the DP law, organisations are prohibited from requiring an individual to consent to the collection, use or disclosure of personal data as a condition of supplying the product or service, beyond what is reasonable to provide that product or service.

b. Consent – An organisation is required to obtain an individual’s consent for the collection, use or disclosure of that individual’s personal data. The DP law does not prescribe the manner in which consent may be given. Organisations seeking consent would need to state the purposes for the collection, use or disclosure of PD. These purposes should be reasonably scoped and not overly broad.

An individual is deemed to have given consent if that person voluntarily provides that personal data for a purpose. On the other hand, individuals are not deemed to have given consent if they are notified of the organisation’s intention to collect, use or disclose PD but do not object within a reasonable timeframe.

Individuals have a right to withdraw consent at any time. However, in relation to PD already in an organisation’s possession, withdrawal of consent would only apply to the organisation’s prospective use or disclosure of the PD.

Organisations will have to get consent to collect, use and disclose an individual’s personal data for identifying that individual as a member or for internal circulation.

c. Collection, use and disclosure of personal data without consent –

The draft Bill allows for the collection, use and disclosure of PD about an individual without consent only in specific circumstances.

These circumstances include, but are not limited to, collection, use and disclosure of PD for:

(a) beneficiaries of insurance policies and trusts, and for investigative purposes;
(b) artistic or literary purposes;
(c) news activities;
(d) research purposes;
(e) publicly available information;
(f) business contact information;
(g) evaluative purposes; and
(h) creating a credit report, if the collection is done by a credit bureau or bank.

d. Purpose – The collection of PD must be for reasonable purposes and must fulfil the purposes that the organisation discloses. MICA is of the opinion that it would be good practice for organisations to explain why it is reasonable to collect the PD, specify details of how it will be shared or obtain written consent, but this is not mandatory.

Organisations are required to seek fresh consent if the PD is used for different purposes.

e. Specific data and transfer of data out of Singapore – The DP law is a baseline regulation, and sectoral agencies that determine specific types of data, such as children’s PD, will be able to put into place stronger protection.

For PD transferred outside Singapore, for instance, if an organization transfers data outside Singapore to related entities within a group, the DP laws apply equally.

iv. Rules on access and correction

Access – Generally, upon the request of an individual, the organisation should take steps to assist the individual in obtaining his PD, provide the individual with information about the ways in which the PD has been used and provide the individual with the names of the individuals and organisations to whom the PD has been disclosed. Credit bureaus should provide the sources from which they received the personal data.

Correction – Organisations should take steps to correct any inaccurate data at the request of the individual, if the data is under the organisation’s control. Such corrected data should also be sent to any other organisations to which the PD was disclosed within a year before the date the correction was made.

Organisations will be allowed to charge a reasonable fee, on a cost-recovery basis, to recover any costs incurred in allowing individuals to access and correct data.

There are circumstances where organisations would not be required to provide individuals access to certain PD:

- where the PD would reveal confidential commercial information, which could harm the competitive position of an organisation;
- PD subject to legal professional privilege; and
- PD collected or created by a mediator or arbitrator.

Organisations can also refuse requests for personal data where the requests would unreasonably interfere with operations because of repetitious or systematic requests, or which are frivolous or vexatious.

v. Rules on accuracy, protection and retention of personal data

Accuracy - Organisations will be required to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is reasonably accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates, or is likely to be disclosed by the organisation to another organisation.

Protection - Organisations will be required to protect personal data in their custody or under their control, by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or other similar risks.

Retention - If an organisation uses an individual’s personal data to make a decision that directly affects the individual, the organisation shall retain that information for a sufficient period of time after using it so that the individual has a reasonable opportunity to obtain access to it. Following that, an organisation shall destroy its documents containing personal data, or anonymise such data, when retention is no longer necessary for legal or business purposes, and as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention. MICA will not require organisations to specify retention periods upfront.

Implementation Framework

i. Transitional arrangements

a. “Sunrise” Period - It is proposed that there be a sunrise period of no less than 18 months for all organisations from the time the PDPA is enacted to the time the provisions will take effect.

b. Guidelines – The DPC will issue guidelines following the enactment of the DP law, to assist organisations’ efforts to comply with the PDPA.

c. Existing personal data – Organisations are allowed to use PD collected before the day of commencement of the PDPA for purposes for which the data was collected. The PDPA would not invalidate existing contractual agreements on use of customers’ PD. However, fresh consent would need to be obtained for new uses of existing PD. Where consent was not previously obtained, individuals may require organisations to stop using the PD by indicating that they do not consent to such use.

National Do Not Call Registry

Introduction - The DNC Registry will allow individuals to register to opt out of receiving messages in the form of phone calls, text messages, including Short Messaging Service (“SMS”) and Multimedia Messaging Service (“MMS”), and fax messages. Messages sent to an e-mail address or home address would not be included. Specified messages sent without the use of telephone numbers (such as messages sent through cell broadcast) will be excluded from the ambit of the DNC Registry.

Marketing messages - MICA proposed that the DNC Registry allow individuals to opt out of marketing messages by registering their phone numbers. Where one of the purposes of a message is to offer to supply, advertise or promote goods or services, or the suppliers or prospective suppliers of goods and services, that message would be considered a marketing message. At this juncture, MICA proposes the DNC Registry apply to marketing messages.

Non-marketing messages - Messages without marketing elements, such as messages promoting political or charitable causes, messages soliciting donations, market research and messages that promote national programmes of a non-commercial nature, would not be covered by the DNC Registry at this juncture, but may be included when MICA evaluates that there is such a need.

Business numbers – Business numbers can be registered under the DNC Registry, but several safeguards will be put in place to mitigate the impact on business-to-business transactions.

Explicit consent – Organisations can send specified messages to individuals who have registered their numbers on the DNC Registry if the organisation has obtained explicit consent from the individuals.

The DNC Registry obligations will apply to organisations that outsource their promotion or advertising functions to other organisations.

“Filtering” of DNC lists – Under the “filtering” approach, MICA will require organisations to send their lists to the DNC Registry for “filtering” at least once every 30 days, in order to confirm whether any Singapore telephone number is listed in the registers.

Penalty and enforcement regime – Penalties will be capped at $10,000 per breach and up to $1,000 in composition fines. The DPC will also have the power to require the cooperation of telecommunication licensees in the investigation of whether an organisation has breached the rules.

The DNC Registry is scheduled to be implemented at least 12 months from the time the PDPA is enacted.
