top of page

Data protection

Personal Data Protection Act 2012 - "An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith."

Personal Data Protection Act (PDPA) was passed by Parliament on 15th October 2012 and assented to by the then President, Dr. Tony Tan on 20th November 2012. Generally, organisations are responsible for personal data in their possession or under their control. The PDPA stipulated the data protection requirements which contain the following eleven main obligations that organisation would need to fulfill while carrying out their business activities related to the collection, use or disclosure of personal data. 

PDPA is the overarching and primary legislation (acka Mother Act) governing the protection of personal data. In addition, following subsidiary legislations were enacted to specify certain requirement for implementation:

  • Personal Data Protection (Appeal) Regulations 2021 - S 65/2021

  • Personal Data Protection (Composition of Offences) Regulations 2021 - S 70/2021

  • Personal Data Protection (Do Not Call Registry) Regulations 2013 - S 709/2013

  • Personal Data Protection (Enforcement) Regulations 2021 - S 62/2021

  • Personal Data Protection (Notification of Data Breaches) Regulations 2021 - S 64/2021

  • Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 - S 90/2015

  • Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014 - S 368/2014

  • Personal Data Protection (Prescribed Law Enforcement Agency) Notification 2020 - S 272/2020

  • Personal Data Protection (Statutory Bodies) Notification 2013 - S 149/2013

  • Personal Data Protection Regulations 2021 - S 63/2021

It is important to note that PDPA  does not affect any right or obligation under the law with other laws. In the event of any inconsistency, the provisions of other written laws will prevail. For example, the banking secrecy laws under Banking Act governing customer information obtained by banks prevails over the PDPA in the event of any inconsistency with the PDPA.

To assist and encourage organisations to establish processes or systems for data protection, Infocomm Media Development Agency (IMDA) initiated a programme, namely Data Protection Trustmark (DPTM) for organisations to adopt.

QuESH is one of the registered service provider in assisting organisation to start off their data protection process. To know more about the programmes, just email us!


Data Protection Trustmark (DPTM)

This is a voluntary certification for organisations to demonstrate that they have robust and sound data protection processes and practices in place as part of their business process. DPTM also assist businesses to elevate their image, increasing their competitive advantage and build trust with their customers and stakeholders.

Organisation will need to fulfill the following 4 Principles DPTM criteria before it will be awarded with the Trustmark. 

  1. Principle 1: Governance and Transparency

  2. Principle 2: Management of Personal Data

  3. Principle 3: Care of Personal Data

  4. Principle 4: Individuals’ Rights

To know more about the 4 Principles​, you can refer to this link for the DPTM Certification Checklist

To know more about DPTM Application Process, you can refer to IMDA's DPTM webpage, under "Who can Apply?" section. Or click here for the direct link to online application form.

QuESH has assisted more than 10 clients in attaining DPTM.

The journey of attainment was not easy but  was definitely rewarding to our clients.

Congrats to those Certified Organisations!

bottom of page