Data protection

Personal Data Protection Act 2012 - "An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith."

The Personal Data Protection Act (PDPA) was passed by Parliament on 15th October 2012 and assented to by the then President, Dr. Tony Tan, on 20th November 2012. Generally, organisations are responsible for personal data in their possession or under their control. The PDPA sets out the data protection requirements, comprising eleven main obligations that organisations must fulfil when carrying out business activities relating to the collection, use or disclosure of personal data.

The PDPA is the overarching and primary legislation (also known as the Mother Act) governing the protection of personal data. In addition, the following subsidiary legislation was enacted to specify certain requirements for implementation:

  • Personal Data Protection (Appeal) Regulations 2021 - S 65/2021

  • Personal Data Protection (Composition of Offences) Regulations 2021 - S 70/2021

  • Personal Data Protection (Do Not Call Registry) Regulations 2013 - S 709/2013

  • Personal Data Protection (Enforcement) Regulations 2021 - S 62/2021

  • Personal Data Protection (Notification of Data Breaches) Regulations 2021 - S 64/2021

  • Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 - S 90/2015

  • Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014 - S 368/2014

  • Personal Data Protection (Prescribed Law Enforcement Agency) Notification 2020 - S 272/2020

  • Personal Data Protection (Statutory Bodies) Notification 2013 - S 149/2013

  • Personal Data Protection Regulations 2021 - S 63/2021

It is important to note that the PDPA does not affect any right or obligation under other written laws. In the event of any inconsistency, the provisions of the other written laws prevail. For example, the banking secrecy provisions of the Banking Act governing customer information obtained by banks prevail over the PDPA where the two are inconsistent.

To assist and encourage organisations to establish processes or systems for data protection, the Infocomm Media Development Agency (IMDA) initiated two programmes for organisations to adopt, namely the Data Protection Trustmark (DPTM) and Data Protection-as-a-Service for SMEs (DPaaS@SMEs).

QuESH is one of the registered service providers that assist organisations in starting their data protection process. To find out more about the programmes, just email us!


Data Protection Trustmark (DPTM)

This is a voluntary certification for organisations to demonstrate that they have robust and sound data protection processes and practices in place as part of their business processes. DPTM also helps businesses elevate their image, increase their competitive advantage and build trust with their customers and stakeholders.

An organisation will need to fulfil the DPTM criteria under the following four Principles before it is awarded the Trustmark.

  1. Principle 1: Governance and Transparency

  2. Principle 2: Management of Personal Data

  3. Principle 3: Care of Personal Data

  4. Principle 4: Individuals’ Rights

To know more about the four Principles, refer to the DPTM Certification Checklist.

To know more about the DPTM application process, refer to IMDA's DPTM webpage under the "Who can Apply?" section, or go directly to the online application form.

QuESH has assisted more than 10 clients in attaining DPTM.

The journey of attainment was not easy, but it was definitely rewarding for our clients.

Congrats to those Certified Organisations!


Data Protection-as-a-Service for SMEs (DPaaS@SMEs)

DPaaS@SMEs was developed to assist Small and Medium Enterprises (SMEs) in outsourcing their data protection functions so as to strengthen their data protection capabilities. Adopting this programme enables SMEs to put basic data protection practices in place, which fosters stronger consumer trust and confidence.

SMEs can seek professionals' assistance in developing the necessary policies and practices to protect their data, and at the same time build up their own data protection capabilities by sending their staff for relevant training.

QuESH is proud to be one of the IMDA-registered DPaaS@SMEs Providers able to assist SMEs. Our approach is first to understand the client's organisational set-up, existing resources and data protection risks. Subsequently, practical measures are proposed to the client accordingly. The approach is closely aligned with the DPaaS@SMEs Programme as follows:

  1. Data Protection Management

    • Provide guidance on the appointment of a DPO and ensure that business contact information is made available to the public.

    • Assist the client to identify risks and gaps using the PDPA Assessment Tool for Organisations (PATO)

    • Draft a Data Protection (DP) Policy

    • Propose and draft measures to embed data protection as part of corporate governance and establish a reporting structure for data protection matters

    • Propose and draft measures to embed regular monitoring and reporting mechanisms within the Enterprise Risk Management (ERM) Framework

    • Draft a Data Inventory Map documenting data assets and flows

  2. Data Breach Management

    • Propose the establishment of a data breach management team

    • Develop and draft a complaint handling procedure

    • Develop and draft a 4-step action plan for data breach response (using the C.A.R.E model)

  3. Training and Communications

    • Develop and draft a staff training and communications plan

    • Advise the client to mandate that all staff complete the PDPA E-Learning Programme

    • Assist in identifying key personnel to attend the 2 PDPC courses if they do not possess any prior data protection certification listed in the DPO Competency Framework and Training Roadmap (Note: the delivery of the training is not part of this consultancy. The client will need to arrange separately for staff to attend the proposed 2 PDPC courses.)

  4. Annual Retainer

    • Upon completion of the above one-time setup, QuESH will carry out the following (known as the Annual Retainer) in the subsequent year.

    • Carry out desktop review of data protection policies.

    • Conduct one session of table-top exercise to test the data breach response plan.

    • Provide one session of half-day refresher training for key employees of RT Advisory on handling personal data.

Although DPaaS@SMEs may not be as comprehensive as the DPTM programme, it still provides a basic foundation for organisations to ensure that the data they collect or obtain is properly managed and controlled in order to prevent potential data breaches.