Data protection in Singapore: overview
A Q&A guide to data protection in Singapore.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The Personal Data Protection Act (PDPA) regulates both the collection and use of personal data. The PDPA also separately provides for the creation of a "Do Not Call" (DNC) registry, which allows consumers to opt out of receiving marketing material from organisations.
Other statutes also regulate the handling of personal data:
Collection. The Computer Misuse and Cybersecurity Act criminalises unauthorised access to data, but does not regulate or address lawful collection of data.
Use. Legislation includes:
numerous laws relating to the processing of personal data in the public sector that apply to everyone, including secrecy and disclosure laws in the Official Secrets Act, the Statistics Act, the Statutory Bodies and Government Companies (Protection of Secrecy) Act and the Electronic Transactions Act;
some laws that regulate data held by private sector entities including the Banking Act, and the Telecommunications Act;
the law of confidence, which addresses misuse of confidential information, chiefly publication of that information.
This chapter will focus on the PDPA, and where applicable, refer to other subsidiary legislation and the PDPA Advisory Guidelines.
Scope of legislation
The Personal Data Protection Act (PDPA) applies to all organisations. An organisation, for the purposes of the PDPA, is defined as any individual, company, association or body of persons, corporate or unincorporated. More importantly, the PDPA applies if the data was collected, used or disclosed in Singapore. It is immaterial that the organisation in question is not located or formed in Singapore, or that it is not recognised by Singapore law.
However, certain specific organisations/persons are excluded:
Individuals acting in their own personal or domestic capacity.
An employee acting in the course of employment in an organisation.
Public agencies, such as statutory boards or government agencies.
Any organisation as designated by the Minister and notified to the public in the Gazette.
To a limited extent, news organisations are exempt from the requirement to obtain consent for the collection, but not the use, of personal data for their news activity. A news organisation is defined in paragraph 2 of the Second Schedule of the PDPA.
The PDPA also exempts data intermediaries from certain key provisions of the PDPA if they are acting under a contract evidenced or made in writing. Data intermediaries are organisations that process personal data on behalf of another organisation, but do not include employees of that other organisation. However, a data intermediary is still subject to limited and specific obligations under the PDPA.
The data protection laws apply to personal data. Personal data is data, whether true or not, about an individual who can be identified either (section 2(1), Personal Data Protection Act (PDPA)):
From that data.
From that data and other information to which the organisation is likely to have access.
An individual is defined as a natural person, whether living or deceased (section 2(1), PDPA). Certain kinds of personal data are excluded, such as:
Business contact information.
Personal data that has been in existence for 100 years.
Personal data about a deceased individual who has been dead for more than ten years.
The provisions of the PDPA do not apply to personal data that is "publicly available".
Personal data collected before 2 July 2014 (the date on which the parts of the PDPA relating to the protection of personal data came into force) can continue to be used for the same purposes for which it was collected without obtaining new consent.
Marketing materials sent by organisations are also regulated by the DNC provisions in the PDPA. These provisions came into force on 2 January 2014.
The Personal Data Protection Act (PDPA) governs the collection, use and disclosure of personal data by organisations. For a definition of "organisation", see Question 2.
The Personal Data Protection Act (PDPA) applies to all data collected, used or disclosed in Singapore.
However, the PDPA also regulates cross-border transfers of personal data. An organisation is under a duty to ensure that data transmitted out of Singapore receives a standard of protection comparable to the protection under the PDPA (see Question 20).
Some acts of collection, use and disclosure of personal data are specifically exempted from the requirements of the Personal Data Protection Act (PDPA) in the Second, Third or Fourth Schedules. These include acts:
That are clearly in the interest of the individual and consent cannot be obtained in a timely way.
In response to an emergency, or necessary for the national interest.
For an investigation or legal proceedings.
For the collection of a debt.
For the provision of legal services.
For a research purpose, including historical or statistical research, if those acts satisfy the conditions set out in paragraph 1(i) of the Third Schedule of the PDPA.
For evaluative purposes (as defined in section 2(1) of the PDPA).
There is a general duty to notify individuals of the purposes for the collection, use or disclosure of their personal data under section 20(1) of the Personal Data Protection Act (PDPA). Notice is not defined under the PDPA, but presumably includes written and verbal notice. Organisations must explain the purposes of data collection, and must provide any relevant information regarding those purposes of which the individual was not aware.
However, there are two exceptions to the requirement of notification (section 20(3), PDPA):
Notice is not needed where consent is deemed, as per section 15 of the PDPA.
The specific situations referred to in section 17 are also exempted from notification. An organisation can collect personal data without consent of the individual, or from a source other than the individual, only in the circumstances and subject to the conditions in the Second Schedule of the PDPA. It can use or disclose personal data without consent only in the circumstances and subject to any condition in the Third and Fourth Schedules respectively.
Main data protection rules and principles
Main obligations and processing requirements
The main principle underlying the Personal Data Protection Act (PDPA) is that the collection, use and disclosure of personal data by organisations must be done in a manner that recognises both the:
Right of individuals to protect their personal data.
Need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Such an objective test of reasonableness is used in various contexts throughout the PDPA. What is reasonable in the circumstances is ascertained with regard to:
Societal expectations and practices.
The organisation's role and purposes for which it had collected, used or disclosed the data.
In general, there are nine obligations under the PDPA. These include:
Consent. An organisation must obtain an individual's consent before it collects, uses or discloses his personal data.
Purpose limitation. An organisation can only collect, use or disclose an individual's personal data for the specific purposes of which the individual was informed. Such a purpose must be one that a reasonable person would consider appropriate in the circumstances. An organisation cannot use the data for a different purpose.
Notification. An organisation must notify an individual of the purpose for use or disclosure of his personal data, to obtain his consent. This obligation is subject to exceptions in section 20(3) of the PDPA. Special rules apply in a context where data collection, use or disclosure relates to the management or termination of an employer-employee relationship.
Accuracy. There is a duty to ensure that personal data retained by the organisation is accurate and complete to a reasonable standard (section 23, PDPA). The rationale behind this accuracy obligation is to ensure that decisions that may significantly affect an individual can be made based on accurate and complete data.
This obligation extends to not just retention, but may also include the updating of that information.
Protection. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Retention limitation. An organisation must cease to retain personal data where (section 25, PDPA):
the purpose for which the personal data was collected has ceased; or
retention is no longer necessary for legal or business purposes.
There is no prescribed length of time after which data retention will be regarded as illegitimate. Organisations must be mindful of when the legal, business or other purposes for data collection cease to exist, and assess a reasonable timeframe for deleting that data.
Access and correction. Individuals have the right to access their own personal data held by an organisation. Further, every individual has the right to correct errors or omissions in his personal data in the possession of an organisation (see Question 13).
Transfer limitation. An organisation must not transfer any personal data outside of Singapore unless the recipient provides the same standard of protection as that under the PDPA (see Question 20).
Openness. An organisation must provide information on its data protection practices and procedures, and its complaints process, to members of the public on request.
In general, consent is needed before personal data can be collected, used or disclosed. The Personal Data Protection Act (PDPA) does not define the meaning of consent. There are two kinds of consent under the PDPA: actual consent and deemed consent.
Consent is deemed if both (section 15, PDPA):
An individual, without actually giving consent, voluntarily provides the personal data to the organisation for the relevant purpose.
It is reasonable that the individual would voluntarily provide the data.
Further, section 14(2) of the PDPA addresses situations in which consent, even if given, is not valid. In May 2015, the Personal Data Protection Commission (PDPC) published an “Advisory Guidelines on Requiring Consent for Marketing Purposes” which offers some guidance on such invalid consent under section 14(2). The PDPA does not provide special rules concerning consent by minors. Therefore, in general, whether a minor can give such consent will depend on other legislation and/or the common law. The “Advisory Guidelines for Selected Topics” issued by the PDPC has a chapter on “Data Activities relating to Minors” (Chapter 8).
Consent (both actual or deemed) can be withdrawn by an individual at any time.
Organisations are not permitted to prevent an individual from withdrawing their consent. However, organisations must inform the individual as to the legal and business consequences of the withdrawal. If consent is withdrawn, an organisation and its data intermediaries must stop collecting, using or disclosing personal information unless such collection, use or disclosure without the consent of the individual is required or authorised under the PDPA or other written law.
There are situations in which the need for consent is waived (section 17, Personal Data Protection Act (PDPA)) (see Question 7). The exemptions are set out in the Schedules to the PDPA.
Rights of individuals
Individuals have the right to access their personal data that is held by an organisation. An organisation must provide information on how the data has been handled in the past year up until the date of the access request, as soon as reasonably possible (section 21(1), Personal Data Protection Act (PDPA)). The PDPA does not require the individual to give a reason for making the request. This right is subject to exceptions:
Section 21(2) provides an exception in respect of matters specified in the Fifth Schedule of the PDPA. However, an organisation can decide not to rely on the exception and provide the information.
Sections 21(3) and 21(4) set out mandatory exceptions where the organisation must not provide information to an individual:
section 21(3) includes situations where information provided could reasonably be expected to threaten the safety of another individual or be contrary to the national interest, among others;
section 21(4) states that an organisation must not inform any individual under subsection (1) if the organisation has disclosed personal data to a prescribed law enforcement agency without the consent of the individual, under paragraph 1(f) or (n) of the Fourth Schedule of the PDPA.
Individuals also have the right to request corrections of omissions or errors in the personal data which the organisation is in possession or in control of (section 22(1), PDPA). On receipt of a correction request, an organisation must consider whether the correction should reasonably be made. Corrections must be both:
Made as soon as practicable.
Sent to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction request was made. This is unless the other organisation does not need the corrected personal data for any legal or business purpose. The exceptions to the right to correction are set out in sections 22(6) and 22(7).
An organisation is not required to correct or otherwise alter an opinion, including a professional or an expert opinion (section 22(6), PDPA). Corrections are not required to be made in respect of matters specified in the Sixth Schedule to the PDPA (section 22(7), PDPA).
Finally, organisations must develop policies and practices to meet their obligations under the PDPA and maintain a complaints process. In this regard, data subjects have the right to enquire about and obtain information on these policies, practices and complaints processes, on request to the organisation.
The Personal Data Protection Act (PDPA) does not give an individual the right to request deletion of his personal data. However, there is a retention limitation obligation (see Question 8).
An organisation must take steps to make reasonable security arrangements to prevent the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data (or similar risks). What is reasonable in the circumstances depends on, for example, the:
Nature of the personal data.
Form in which the personal data has been collected.
Possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data.
The “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” issued by the Personal Data Protection Commission (PDPC) provide some guidance on this. In May 2015, the PDPC also published a “Guide to Securing Personal Data in Electronic Medium” and a “Guide to Managing Data Breaches” to offer further guidance.
Processing by third parties
There are no additional requirements applicable when a third party processes the data on behalf of the data controller. The third party that processes data on behalf of and for the purpose of another organisation under a contract evidenced or made in writing is referred to as a "data intermediary" (Personal Data Protection Act (PDPA)).
Only section 24 (Protection of Personal Data) and section 25 (Retention of Personal Data) of the PDPA's data protection obligations (set out in Parts III to VI of the PDPA) apply to a data intermediary in its processing of personal data on behalf of and for the purpose of another organisation under a contract evidenced or made in writing. For other activities that do not constitute processing of personal data on behalf of and for the purpose of another organisation under a contract evidenced or made in writing, the data intermediary remains responsible for complying with the PDPA's data protection obligations.
An organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself (section 4(3), PDPA).
The purpose of the Personal Data Protection Act (PDPA) is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the (section 3, PDPA):
Right of individuals to protect their personal data.
Need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Therefore, where cookies or any equivalent devices collect, use or disclose personal data, consent is required for that collection, use or disclosure.
The "Advisory Guidelines on Key Concepts in the Personal Data Protection Act" issued by the Personal Data Protection Commission set out certain situations where consent is not required for the collection, use or disclosure of personal data by way of cookies.
The Spam Control Act governs the control of spam sent in bulk by electronic mail or by text or multi-media messaging to mobile telephone numbers and matters connected with them.
Anyone who sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages in bulk must comply with the requirements set out in Schedule 2 of the Spam Control Act. Every unsolicited commercial electronic message must:
Have an unsubscribe facility and a statement to the effect that the recipient can use the electronic mail, internet location address, facsimile number or postal address in the unsubscribe facility to submit an unsubscribe request.
Have a title in the subject field (if any) which is not false or misleading as to the content of the message.
Have the letters "<ADV>" (referring to an advertisement) with a space before the title in the subject field, or if there is no subject field, in the words first appearing in the message, to clearly identify that the message is an advertisement.
Have header information that is not false or misleading.
Have an accurate and functional electronic mail address or telephone number by which the sender can be readily contacted.
International transfer of data
Transfer of data outside the jurisdiction
An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements under the Personal Data Protection Act (PDPA) (section 26(1), PDPA). This is to ensure that organisations provide a standard of protection that is comparable to the protection under the PDPA.
An organisation can transfer personal data overseas if it has taken appropriate steps to ensure that:
It complies with the data protection provisions set out in Parts III to VI of the PDPA in respect of the transferred personal data, if the personal data remains in its possession or under its control.
If the personal data is transferred to a third party recipient in a country or territory outside Singapore, the recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA.
"Legally enforceable obligations" include obligations imposed on a recipient of personal data under:
Any contract in accordance with Regulation 10(2) of the Personal Data Protection Regulations 2014 (PDPR).
Any binding corporate rules in accordance with Regulation 10(3) of the PDPR.
Any other legally binding instrument.
Data transfer agreements
Any contract should include a requirement that the recipient must both (Regulation 10(2), Personal Data Protection Regulations 2014 (PDPR)):
Provide a standard of protection for the personal data transferred to the recipient that is at least comparable to the protection under the Personal Data Protection Act (PDPA).
Specify the countries and territories which the personal data can be transferred to under the agreement.
Where the recipient of the personal data is related to the transferring organisation (as defined in Regulation 10(4) of the PDPR), the data transfer agreement can be in the form of binding corporate rules which must do all of the following (Regulation 10(3), PDPR):
Require every recipient of the transferred personal data to provide a standard of protection for the personal data that is at least comparable to the protection under the PDPA.
Specify the recipients of the transferred personal data to which the binding corporate rules apply.
Specify the countries and territories to which the personal data may be transferred under the binding corporate rules.
Specify the rights and obligations provided by the binding corporate rules.
Enforcement and sanctions
The Personal Data Protection Commission (PDPC) can:
Review complaints in respect of section 21 (access to personal data) and section 22 (correction of personal data) and:
with the consent of the complainant and the organisation, refer the complaint for mediation if the PDPC is of the opinion that any complaint may more appropriately be resolved by mediation;
with or without the consent of the complainant and the organisation, direct the complainant and/or the organisation to attempt to resolve the complaint in the way directed by the PDPC.
Conduct an investigation, on complaint or of its own motion under section 50 of the PDPA. The PDPC can:
require the organisation to produce documents or information;
enter premises with or without a warrant.
Give directions for organisations to comply with to ensure compliance with PDPA provisions.
Apply for directions made by the PDPC under section 28(2) or section 29 to be registered in the State Court for enforcement purposes.
Sanctions for offences under the Personal Data Protection Act (PDPA) are contained in the various sections of the PDPA and may include either or both:
Fines ranging from S$2,000 to S$100,000.
Imprisonment not exceeding 12 months.
Any person guilty of an offence under the PDPA for which no penalty is expressly provided is liable on conviction to either or both:
A fine up to S$10,000. In the case of a continuing offence, the guilty person is liable to a further fine not exceeding S$1,000 for every day or part of the day during which the offence continues after conviction.
Imprisonment for a term not exceeding three years.
The Personal Data Protection Commission (PDPC) has the discretion to collect a sum in lieu of prosecuting the offender in court for a compoundable offence. The sum collected must not exceed the lower of:
One-half of the amount of the maximum fine prescribed for that offence.
A sum of S$5,000.
The PDPC can give an organisation all or any of the following directions to ensure compliance with the data protection provisions set out in Parts III to VI of the PDPA (section 29(2), PDPA):
To stop collecting, using or disclosing personal data in contravention of the PDPA.
To destroy personal data collected in contravention of the PDPA.
To comply with any direction of the PDPC under section 28(2) (see Question 24).
To pay a financial penalty of an amount the PDPC thinks fit, up to a maximum of S$1 million.
Some enforcement actions taken by the PDPC to date include:
August 2014: A tuition agency and its director were fined a total of S$78,000 (S$39,000 each) for contravening section 43(1) of the PDPA for failing to check the DNC Registry before sending unsolicited telemarketing messages to Singapore telephone numbers which had been registered with the DNC Registry.
September 2014: A media release by the PDPC also stated that two organisations had accepted the Commission's offers to compound their offences (relating to the sending of telemarketing messages to Singapore telephone numbers registered with the DNC Registry) in lieu of prosecution. The composition amounts ranged between S$500 and S$1,000.
October 2014: A property salesperson was fined S$27,000 for sending unsolicited telemarketing messages (which advertised various residential property developments in Singapore and London) contravening section 43(1) of the PDPA.
Personal Data Protection Commission (PDPC)
Main areas of responsibility. The functions of the PDPC are:
- To promote awareness of data protection in Singapore.
- To provide consultancy, advisory, technical, managerial or other specialist services relating to data protection.
- To advise the Singapore government on all matters relating to data protection.
- To represent the Singapore government internationally on matters relating to data protection.
- To conduct research and studies and promote educational activities relating to data protection, including organising and conducting seminars, workshops and meetings in relation to them, and supporting other organisations conducting these activities.
- To manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter-governmental organisations, on its own behalf or on behalf of the Singapore government.
- To administer and enforce the PDPA.
- To carry out functions conferred on it under any other written laws.
- To engage in any other activities and perform any functions as may be permitted or assigned to it.
Description. This is the official Singapore government website for the online publication of legislation and is provided and maintained by the Attorney-General's Chambers.
The website contains the current version of statutes.
Personal Data Protection Commission's website
Description. This website is owned and operated by the Personal Data Protection Commission with the support of the Info-communications Development Authority of Singapore. The website contains information and updates on the PDPA.
Lee Soo Chye, Senior Partner
Aequitas Law LLP
Professional qualifications. Advocate & Solicitor, Singapore
Areas of practice. Conveyancing and real estate; corporate and commercial law; employment law; estate and succession planning; immigration law; information technology law; intellectual property law; landlord and tenant law; probate and administration of estates.
Non-professional qualifications. LLB (Hons), National University of Singapore
- Represents banks, listed companies, private companies and individuals, both local and overseas. Works extensively with foreign counsel in multi-jurisdictional matters.
- Advised clients in initial public offerings, reverse takeovers and mergers and acquisitions. These include management buy-outs, debt restructuring, shareholder matters and succession planning for businesses. Successfully assisted clients in applications to government agencies for grants and incentives under the various government schemes.
- Acts for both retail and corporate clients in real estate transactions, and advises on the structuring of real estate transactions such as divestment of land through the grant of leasehold estates from freehold estates.
- Advises clients in succession and estate planning and estate administration. This includes advice on wills and trusts and the use of trusts as an instrument to address client-specific needs.
Languages. English, Mandarin, Teochew (dialect)
Professional associations/memberships. Commissioner for Oaths, Singapore; Notary Public, Singapore; Member, Law Society of Singapore; Member, Singapore Academy of Law; Member, Singapore Institute of Directors.
Alvin Cheng, Partner
Aequitas Law LLP
Professional qualifications. Advocate & Solicitor, Singapore; Barrister-at-Law, England and Wales
Areas of practice. Arbitration, litigation and dispute resolution, construction law, corporate and commercial law, employment law, family and matrimonial law, landlord and tenant law, insolvency and bankruptcy law, insurance law.
Non-professional qualifications. LLM, LLB (Hons), University of London
Recent transactions. Advised and acted for private individuals, SMEs, banks, private and listed corporations, and insurance companies in diverse matters, including breach of directors' duties and shareholders' disputes, credit control and risk management, cross border disputes, debt recovery and enforcement, corporate insolvency and bankruptcy, employment disputes, insurance claims and recovery, injunctions to restrain the dissipation of assets, real estate and tenancy disputes.
Languages. English, Mandarin, Cantonese (dialect)
Professional associations/memberships. Accredited Mediator, Singapore Mediation Centre, State Courts of Singapore; Teaching Fellow, Singapore Institute of Legal Education; Senior Associate Trainer, Singapore Academy of Law, Singapore Mediation Centre; Member, Law Society of Singapore; Member, Panel of Lawyers for the Law Society of Singapore’s PDPA Legal Advice Scheme; Member, Singapore Academy of Law; Member, The Honourable Society of Lincoln’s Inn.