Key statutes, regulations and adopted international standards
The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) is the key data protection legislation in Singapore. It governs the collection, use and disclosure of individuals’ personal data by all private sector organisations.
The PDPA comprises two main parts: Parts III to VI (the Data Protection Provisions) set out the general obligations of organisations with regard to their management of personal data, while Part IX of the PDPA (the DNC Provisions) contains provisions establishing the Do Not Call (DNC) Registry and obligations of organisations that send marketing messages to Singapore telephone numbers.
Several regulations have been issued under the PDPA, including:
- the Personal Data Protection (PDP) Regulations 2014;
- the Personal Data Protection (Composition of Offences) Regulations 2013;
- the Personal Data Protection (DNC Registry) Regulations 2013;
- the Personal Data Protection (Enforcement) Regulations 2014; and
- the Personal Data Protection (Appeal) Regulations 2015.
The Singapore data protection authority, the Personal Data Protection Commission (PDPC), has also issued a number of advisory guidelines detailing how it will interpret the provisions of the PDPA. This guidance ranges from general advisory guidelines on key concepts in the PDPA and selected topics, to sector-specific advisory guidelines in the telecommunications, real estate, education, healthcare and social services sectors, and to industry-led guidelines for the insurance industry.
Aside from the PDPA, a number of other legislation and regulatory requirements in Singapore contain sector-specific data protection requirements. For example, in the financial sector, provisions governing customer information obtained by banks are set out in the Banking Act (Chapter 19). The Monetary Authority of Singapore (MAS) also issues directives and notices concerning data protection for the financial sector, such as the Notices and Guidelines on Technology Risk Management, and the Guidelines on Outsourcing.
Other examples include the healthcare sector, where the confidentiality of medical information and the retention of medical records are governed by the Private Hospitals and Medical Clinics Act (Chapter 248). In the telecommunications sector, the Telecoms Competition Code issued under the Telecommunications Act (Chapter 323) regulates the telecommunications licensees’ use of end-user service information.
Other legislation that may have an indirect impact on data protection include the Computer Misuse Act (Chapter 50A), which contains offences for the unauthorised access or modification of computer material and the unauthorised use or interception of computer services. The Cybersecurity Act (No. 9 of 2018) also requires owners and operators of critical information infrastructure to comply with cybersecurity codes of practices and standards of performance, conduct regular audits and risk assessments, and report on cybersecurity incidents.
However, the rights or obligations under specific legislation are not affected by the general data protection framework under the PDPA. As provided under section 4(6) of the PDPA, in the event of any inconsistency, the provisions of other written laws will prevail.
Adopted international standards
Singapore participates in the Asia-Pacific Economic Cooperation (APEC)’s Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. The APEC CBPR and PRP are multilateral certification schemes that allow participating businesses and other organisations to develop their own internal rules and policies consistent with the specific CBPR and PRP programme requirements to facilitate cross-border data transfers across the participating economies.
The PDPA establishes the PDPC, which is the data protection authority responsible for administering and enforcing the PDPA. The PDPC is under the purview of the telecommunications and media regulator, the Info-communications Media Development Authority (IMDA). Sectoral regulators separately enforce the data protection obligations within their relevant sectors.
With respect to enforcement of the PDPA, the PDPC may direct organisations to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to or correct personal data, or reduce or make a refund of any fee charged for any access or correction request; or
- pay a financial penalty not exceeding S$1 million.
In carrying out its investigative functions, the PDPC is empowered to:
- require any organisation to produce any specified document or to provide any specified information;
- enter an organisation’s premises without a warrant; and
- obtain a search warrant to enter an organisation’s premises and search the premises or any person on the premises, and take possession of, or remove, any document and equipment or article relevant to an investigation.
Although a breach of the Data Protection Provisions does not attract criminal charges, criminal sanctions may be imposed on individuals and organisations that obstruct or hinder the investigations of the PDPC. In particular, individuals may be liable to a fine of up to S$10,000 and imprisonment for a term of up to 12 months, or both; while organisations may be liable to a fine of up to S$100,000 for the offence of providing any false or misleading statements or information to the PDPC.
The PDPC also has the power to discontinue investigations and simply issue an advisory notice where the impact is assessed to be low; initiate an undertaking process, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent recurrence; or issue an expedited breach decision in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA.
The PDPC has been active in its enforcement of the PDPA. As at 2 August 2019, the PDPC has issued a total of 98 decisions, with a significant majority relating to breaches of the protection obligation. Out of all these decisions, some of the most common breaches of the PDPA have arisen from inadequate technical security arrangements, human error, technical faults and insufficient data protection policies.
The effect of local laws on foreign businesses
The PDPA applies to all organisations regardless of whether they were formed or are recognised under Singapore law, or are resident or with an office or place of business in Singapore. As such, the applicability of the PDPA can extend to foreign businesses. For example, in Re Cigna Europe Insurance Company SA-NV  SGPDPC 18, the PDPC investigated a Belgium-based company, which was offering health insurance solutions and coverage in Singapore through a registered branch office, for two data breach incidents in 2017 and 2018. Ultimately, however, the PDPC found that the organisation was not in breach of its data protection obligations.
The PDPC is also a participant of the APEC Cross-border Privacy Enforcement Arrangement, which is a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities among privacy enforcement authorities.
Core principles on personal data
Definition of personal data
‘Personal data’ is broadly defined under the PDPA as ‘data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access’.
In addition, the PDPC refers to certain types of personal data that, on its own, can identify an individual, as ‘unique identifiers’. Examples would include full names; National Registration Identity Card (NRIC) and passport numbers; personal mobile phone numbers; facial image of an individual; voice of an individual; fingerprint; DNA profile; and iris image.
While the PDPA does not distinguish between specific categories of personal data, the PDPC has taken the position in several enforcement decisions that a higher standard of protection is required for personal data that is more sensitive in nature. These types of personal data include NRIC numbers, insurance data, medical data, financial data and children’s data.
Data protection obligations
The Data Protection Provisions contain nine main obligations that organisations are required to comply with if they undertake activities relating to the collection, use or disclosure of personal data.
An organisation must obtain the consent of an individual before collecting, using or disclosing his personal data for a purpose, unless an exception in the Second, Third or Fourth Schedule to the PDPA applies. Some examples of exceptions to consent would be where the personal data is publicly available; or the collection, use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual.
For consent to be considered validly given, the organisation must first inform the individual of the purposes for which his or her personal data will be collected, used or disclosed, and these purposes have to be what a reasonable person would consider appropriate in the circumstances. Fresh consent would need to be obtained where personal data collected is to be used for a different purpose to which the individual originally consented.
Consent may also be deemed to have been given where an individual has voluntarily provided his or her data to an organisation for a purpose, and it is reasonable that the individual do so. The onus is on the organisation to establish that the individual was aware of the purposes for which the personal data was provided.
Consent obtained via the following ways does not constitute valid consent for the purpose of the PDPA: where consent is obtained as a condition of providing a product or service, and such consent is beyond what is reasonable to provide the product or service to the individual; and where false or misleading information is provided, or deceptive or misleading practices are used, in order to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing personal data.
Individuals may also withdraw any consent given or deemed to have been given at any time upon giving reasonable notice to the organisation.
Organisations are obliged to inform individuals of the purposes for the collection, use or disclosure of his or her personal data, on or before collecting the personal data; and any other purpose for the use or disclosure of personal data that has not been notified to the individual, before such use or disclosure of personal data. The PDPA does not prescribe the manner or form in which individuals have to be notified.
Purpose limitation obligation
An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
Access and correction obligations
Under the access obligation, an organisation must allow an individual to access his or her personal data in its possession or under its control upon request as soon as reasonably possible, subject to the exceptions in section 21(3) of the PDPA and in the Fifth Schedule to the PDPA . The organisation is also obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year.
Under the correction obligation, individuals also have the right to request an organisation to correct any inaccurate data that is in the organisation’s control, subject to the exceptions in section 22 of the PDPA and the Sixth Schedule to the PDPA. The organisation, if satisfied on reasonable grounds that a correction must be made, is required to correct the individual’s personal data as soon as practicable and send the corrected or updated personal data to specific organisations to which the data was disclosed within a year before the correction was made.
The PDP Regulations 2014 set out further details on the access and correction obligations, for example, how an access or correction request may be made, the time frame for providing a response, and whether a fee may be charged for responding to a request.
Organisations must make a reasonable effort to ensure that the personal data they collect is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual or is likely to be disclosed by the organisation to another organisation.
An organisation must make reasonable security arrangements to protect personal data in its possession or under its control, in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Retention limitation obligation
An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that: the purpose for which the personal data was collected is no longer being served by retention of the personal data, and the retention is no longer necessary for legal or business purposes.
Transfer limitation obligation
An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.
Organisations must ensure that the recipients of that personal data are bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. These ‘legally enforceable obligations’ include obligations imposed under law, contract or binding corporate rules, or any other legally binding instrument.
Organisations must undertake and demonstrate responsibility for the personal data in its possession or control. This includes developing and implementing data protection policies; communicating to and informing their staff of these policies; implementing processes and practices that are necessary to meet their obligations under the PDPA; making information about its data protection policies and practices available to consumers; and appointing a data protection officer (DPO) to be responsible for ensuring that organisations are in compliance with the PDPA.
The PDPC also recommends that organisations conduct a data protection impact assessment (DPIA) to assess if their handling of personal data is in compliance with the PDPA. A DPIA would involve identifying, assessing and addressing personal data protection risks based on the organisation’s functions, needs and processes.
The PDPA also makes provision for the processing of personal data by data intermediaries, defined as an organisation that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract that is evidenced or made in writing. Data intermediaries are only subject to the protection and retention limitation obligations. When an organisation employs a data intermediary to process personal data on its behalf and for its purposes, organisations have the same obligation under the PDPA as if the personal data were processed by the organisation itself.
Automated processing, profiling and data analytics
While the PDPC does not have express provisions on automated individual decision-making and profiling, insofar as an organisation wishes to carry out automated processes, it will need to ensure that it complies with the Data Protection Provisions and obtain the necessary consent from the individuals in question unless an exception under the PDPA applies.
Similarly, for the conduct of data analytics and research activities, individuals have to be informed of and consent to the purposes for which their personal data is collected, used, and disclosed by organisations carrying out data analytics and research, unless any exception under the PDPA applies.
Communications and marketing
Sending specified messages
The DNC Provisions under the PDPA prohibit organisations from sending specified messages to Singapore telephone numbers registered in the DNC Registry. Individuals may choose to opt out of receiving specified messages via voice calls (No Voice Call Register); specified text messages, including any text, sound or visual message, such as SMS, MMS or WhatsApp (No Text Message Register); and specified fax messages (No Fax Register).
A message constitutes a ‘specified message’ under section 37 of the PDPA if one of the purposes of the message is to advertise, promote, or offer to supply or provide:
- goods or services;
- land or an interest in land; or
- a business or investment opportunity; to advertise or promote a supplier or provider, or prospective supplier or provider for the above or any other prescribed purpose.
In most instances, a marketing message of a commercial nature sent to an individual would be classified as a specified message under the PDPA.
Under section 43 of the PDPA, an organisation that intends to send a specified message to a user or subscriber of a Singapore telephone number must check with the relevant DNC register to confirm that the telephone number is not listed in the register, unless the organisation has obtained clear and unambiguous consent from the user or subscriber of the telephone number, evidenced in writing or other forms accessible for future reference.
When sending marketing communications to a Singapore telephone number, organisations must comply with the following requirements:
- for messages, organisations must include information identifying the sender and how the sender can be readily contacted in the message. Such information has to be reasonably likely to be valid for at least 30 days after the message is sent; and
- for voice calls, not conceal or withhold from the recipient the identity of the caller.
Certain senders that are in an ongoing relationship with individuals may be exempted from the obligation to check the DNC Registry before sending specified text or fax messages related to the subject of the ongoing relationship under the Personal Data Protection (Exemption from section 43) Order 2013 (Exemption Order). Conversely, one-off transactions are insufficient to establish an ongoing relationship, and organisations may not rely on the Exemption Order once the ongoing relationship has ceased.
Spam Control Act
Aside from the DNC Provisions, the Spam Control Act (Chapter 311A) (SCA) governs the control of spam, namely unsolicited commercial communications sent in bulk by electronic mail or by text or multimedia messaging to mobile telephone numbers. The SCA applies as long as the electronic message has a Singapore link.
Under section 11 of the SCA, any sender of unsolicited commercial electronic messages in bulk must comply with the requirements in the Second Schedule to the SCA, which include providing:
- the contact information of the sender through which the recipient can submit an unsubscribe request;
- a clear statement in English informing the recipient of his or her right to make an unsubscribe request;
- if the message has a subject field, a correct and accurate title in the subject field that reflects the message’s content;
- the tag <ADV> before the title of the message or, where there is no title, before the first word of the actual message;
- header information that is true and not misleading; and
- an accurate and functional email address or telephone number by which the sender can be readily contacted.
Individuals have the right to request an organisation to give them access to or correct the personal data in the organisation’s possession or control under the access and correction obligations.
Individuals also have the right to give and withdraw consent at any time by giving reasonable notice, unless it would frustrate the performance of a legal obligation. Upon withdrawal of consent, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless the collection, use or disclosure of the personal data without consent is required or authorised under the PDPA or any other written law.
An individual may lodge a complaint against an organisation with the PDPC at any time. Individuals also have a right of private action for loss or damage in respect of an organisation’s breach of the PDPA, but may only commence an action after the PDPC’s decision has become final and the organisation has no further right of appeal. 
The role of the data protection officer
As part of the accountability obligation, it is mandatory for organisations to appoint a DPO. The responsibility of the DPO is to ensure that the organisation complies with the PDPA by developing and implementing policies and processes for handling personal data and managing data protection-related queries and complaints, among other things. The DPO also plays an essential role in fostering a data protection culture among employees and communicating personal data protection policies to the various stakeholders. However, the legal responsibility for complying with the PDPA remains with the organisation and cannot be delegated to the DPO.
Organisations are also required to make available the business contact information of a person who is able to respond to questions relating to the collection, use or disclosure of personal data on behalf of the organisation under the notification obligation. This person may also be the DPO. While there is no requirement that such a person must be located in Singapore, to facilitate prompt responses to queries or complaints, the PDPC recommends that the business contact information of this person should be readily accessible from Singapore, operational during Singapore business hours and if telephone numbers are used, be Singapore telephone numbers.
Data protection breaches
There is currently no mandatory data breach notification requirement or procedure under the PDPA.
However, the PDPC has publicly announced its intention to introduce a mandatory breach notification requirement as part of its proposed amendments to the PDPA. In particular, the PDPC has issued a public consultation on Approaches to Managing Personal Data in the Digital Economy (July 2017) and its response to the feedback received in February 2018. Moreover, in the recently issued Guide to Managing Data Breaches 2.0 (22 May 2019), organisations are encouraged to notify the PDPC when ‘significant harm or impact is likely’ or where ‘500 or more individuals are affected’. The time frame for notification is ‘as soon as practicable, no later than 72 hours from the time the organisation has made its assessment’.
At the time of writing, the mandatory data breach notification requirement is not yet in effect, though it is expected to be implemented in due course.
Updates and trends
Data Protection Trustmark
On 2 January 2019, the IMDA launched the Data Protection Trustmark (DPTM). The DPTM is a voluntary enterprise-wide certification scheme that incorporates elements of the PDPA, international benchmarks such as the CBPR and PRP requirements and best practices. The DPTM certification scheme aims to help organisations increase their competitive advantage, build consumer trust, and demonstrate sound and accountable data protection practices. An independent assessment body will assess whether an organisation’s data protection policies are aligned with the DPTM requirements.
NRIC Advisory Guidelines
The PDPC has imposed more stringent guidelines with respect to NRIC numbers and other national identification numbers under the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers, which took effect on 1 September 2019. Organisations are not generally allowed to collect, use or disclose such numbers unless such collection, use or disclosure is required under law (or an exception under the PDPA applies); or necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.
Proposed changes to legislation
The PDPC has issued public consultations proposing the following changes:
- streamlining the DNC Provisions and SCA into a single legislation governing all unsolicited commercial messages;
- introducing a mandatory data breach notification scheme under which organisations would be required to notify the PDPC and affected individuals of data breaches that are likely to result in significant harm or impact to said individuals;
- proposing two new bases for organisations to collect, use and disclose personal data without the need for consent, namely ‘notification of purpose’ and ‘legitimate interests’;
- introducing a data portability obligation under the PDPA, which would require organisations to, at the request of the individual, provide the individual’s data that is in the organisation’s possession or under its control, to be transmitted to another organisation in a commonly used machine-readable format; and
- introducing data innovation provisions in the PDPA that would clarify that an organisation can use personal data (collected in compliance with the Data Protection Provisions of the PDPA) for the purposes of operational efficiency and service improvements, product and service development, or knowing customers better.
However, the PDPC has not indicated when the above proposed changes will be implemented.
While the PDPA does not have any express provisions on surveillance, organisations may generally collect, use and disclose personal data without an individual’s consent, if required or authorised to do so under the PDPA or other written law or if any exception in the PDPA applies.
Singapore also has other piecemeal legislation relating to state interception of communications and the monitoring and surveillance of individuals for national security purposes.
In terms of surveillance via closed-circuit television (CCTV) cameras, organisations are required to inform individuals of the purposes for which their personal data will be collected, used or disclosed in order to obtain their consent. As such, organisations that install CCTV cameras in their premises are required to put up notices indicating that CCTV cameras are operating in the premises, state the purpose of such surveillance if such purpose may not be obvious to the individual, and also if both audio and video recordings are taking place in order to obtain consent for the collection, use, or disclosure of personal data from the CCTV footage. In addition, organisations that operate unmanned aircraft and aerial vehicles (ie, drones) equipped with photography, video or audio recording capabilities will need to comply with the PDPA insofar as the drones are likely to capture the personal data of individuals.
Since 2016, the PDPC has released 98 enforcement decisions that are helpful in illustrating how the PDPA is to be interpreted. We have selected several case studies below.
Breach of notification, consent and purpose limitation obligations by Spring College International
On 24 May 2018, the PDPC issued remedial directions to Spring College International, a private educational institution, which was found have breached the notification, consent and purpose limitation obligations under the PDPA when it uploaded posts containing its students’ personal data on its social media pages for marketing purposes without the consent of the parents or guardians of its students (who were minors) for such disclosure. The PDPC also found that the consent forms used to obtain the student’s consent for the use of their personal data for marketing purposes were overly broad and did not comply with the notification obligation.
Breach of consent obligation by Skinny’s Lounge
On 11 June 2019, the PDPC issued a warning to a karaoke television bar for failing to obtain consent from its patrons to replay the recorded CCTV footage in its public lounge, and failed to notify patrons on the full purposes of the CCTV footage recorded at its premises.
Breach of protection obligation by Singapore Taekwondo Federation
On 22 June 2018, the PDPC imposed a financial penalty of S$30,000 on the Singapore Taekwondo Federation for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ NRIC numbers on its website. The PDPC also issued directions for the organisation to appoint a DPO and put in place data protection policies. In coming to its decision, the PDPC considered the fact that the organisation had caused the disclosure of the NRIC numbers of minors to be an aggravating factor.
SingHealth Services Pte Ltd
The PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA in a decision on 15 January 2019. This unprecedented data breach, which arose from a cyber attack on SingHealth’s patient database system, caused the sensitive personal data of almost 1.5 million patients to be compromised.
Singapore Swimming Club
The PDPA has also been considered in the Singapore courts. On 19 February 2019, the State Court dismissed a claim brought by an individual against the Singapore Swimming Club for breach of the PDPA. This case is significant as it appears to be the first time where the Singapore courts were asked to consider whether there has been a purported contravention of the PDPA.