
What can you do to comply with Personal Data Protection Act?

Legislation for Personal Data

The Personal Data Protection Act (PDPA) was passed by Parliament on 15 October 2012 and assented to by the then President, Dr Tony Tan, on 20 November 2012. The Act was enacted to govern the collection, use and disclosure of personal data by organisations. It also establishes the administration of the Do Not Call Registry.

As defined in the PDPA, "personal data" means data, whether true or not, about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access.

Generally, organisations are responsible for personal data in their possession or under their control. The PDPA sets out data protection requirements in the form of nine main obligations that an organisation must fulfil when carrying out business activities involving the collection, use or disclosure of personal data.

The PDPA also prescribes the provisions relating to the Do Not Call (DNC) Registry, which aims to reduce the number of unwanted telemarketing calls, marketing text messages and faxes. Before sending a telemarketing message to a Singapore telephone number, an organisation must check the DNC Registers established by the Personal Data Protection Commission to confirm that the number is not listed. This check is not required where clear and unambiguous consent, in evidential form, has been obtained from the user or subscriber of the number.

In addition to the PDPA, the following subsidiary legislation was enacted to provide the specific requirements that support the effective implementation of personal data protection in Singapore.

  1. Personal Data Protection (Appeal) Regulations 2015

  2. Personal Data Protection (Composition of Offences) Regulations 2013

  3. Personal Data Protection (Do Not Call Registry) Regulations 2013

  4. Personal Data Protection (Enforcement) Regulations 2014

  5. Personal Data Protection (Exemption from section 43) Order 2013

  6. Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015

  7. Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014

  8. Personal Data Protection (Statutory Bodies) Notification 2013

  9. Personal Data Protection Regulations 2014

The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). Established in January 2013, the PDPC serves as the main authority on matters relating to personal data protection. In addition to formulating personal data protection legislation, the PDPC publishes Advisory Guidelines to help organisations better understand how to comply with the PDPA. The PDPC also reviews organisations' actions against the data protection rules and issues decisions or directions for compliance where necessary.

According to the PDPC's website, there were 29 data protection enforcement cases in 2018. By comparison, from January to September 2019 there were already 31 data protection enforcement cases.

What can you do to comply with the PDPA? There is no one-size-fits-all solution, but there is a logical sequence of steps that an organisation can consider and adopt as appropriate to its operations.

QuESH has successfully assisted numerous clients in setting up the personal data protection policies and procedures needed to meet the PDPA. Some of these clients have also gone on to attain Data Protection Trustmark (DPTM) certification, a scheme administered by the Info-communications Media Development Authority (IMDA). You can find more information about the DPTM on the IMDA website.

For more information, feel free to contact us!
