Singapore has established data privacy laws to safeguard personal data and ensure big data’s responsible and ethical use. The primary legislation governing data protection in Singapore is the Personal Data Protection Act (PDPA).
Enacted in 2012 and amended in 2020, the PDPA aims to balance facilitating data-driven innovation and protecting individuals’ privacy rights.
The PDPA in Singapore adopts a principles-based approach, focusing on collecting, using, and disclosing personal data. It sets out the obligations of organisations and individuals handling personal information, emphasising consent, purpose limitation, and data accuracy.
The law applies to public and private sector organisations, ensuring that personal data is protected across various industries.
How the Singapore Government Defines Personal Data
The Singapore government defines personal data under the Personal Data Protection Act (PDPA), which sets out the country’s legal framework for data protection. The definition of personal data is outlined in Section 2 of the PDPA and provides a comprehensive understanding of what constitutes personal data under Singaporean law.
According to the PDPA, personal data means any data, whether true or not, regarding an individual who can be identified from data.
This definition includes factual and subjective information regarding an individual and can be used to check or distinguish that person.
The definition of personal data covers a wide range of information that relates to an individual, either directly or indirectly. It is not limited to the following types of data:
Personal Data Protection Act 2012
Personal Data Protection Act 2012 (PDPA 2012) is a data privacy laws enacted in Singapore to regulate organisations’ personal data collection, use, and disclosure. It aims to protect the privacy rights of individuals and ensure the proper handling of personal data in the country.
The PDPA 2012 has undergone certain amendments to enhance its effectiveness and address evolving challenges in data protection, cyber security, and data privacy laws.
The Amendments to PDPA 2012
The PDPA 2012 has been subject to several amendments to keep pace with technological advancements and strengthen data protection measures. Some notable amendments include:
- Enhanced Consent Provisions
The amendments introduced stricter requirements for obtaining consent from people before collecting, using, or disclosing their data. Organisations must now provide detailed information about the purpose and consequences of data collection, ensuring individuals can make informed decisions.
- Data Breach Notifications
The amended PDPA 2012 mandates organisations to notify affected individuals and the Personal Data Protection Commission (PDPC) in case of a data breach that poses a risk of significant harm or impact. It promotes transparency and empowers individuals to take necessary measures to protect themselves.
- Stricter Do-Not-Call Provisions
The amendments strengthened the regulations related to telemarketing and the sending of unsolicited marketing messages. Organisations are required to check the Do-Not-Call Registry before sending any such communications to individuals, reducing unwanted spam messages.
Enforcement
The PDPC, which operates under the PDPA 2012, is responsible for enforcing and regulating the Act. The commission investigates complaints, mediates disputes, and inquires about data protection breaches.
It has the authority to impose penalties, issue warnings, and require organisations to implement corrective measures to ensure compliance with the PDPA 2012.
Rights of Citizens
The PDPA 2012 grants individuals various rights concerning their data. These rights include:
- Right to Access
Individuals can request access to their data held by organisations and be informed of how their data is used.
- Right to Correction
Individuals can request organisations to correct any inaccuracies or errors in their data.
- Right to Withdraw Consent
Individuals can withdraw their consent for collecting, using, or disclosing their data at any time, subject to legal or contractual restrictions.
- Right to Data Portability
Individuals may request organisations to transmit their data to another organisation in a commonly used and machine-readable format.
Corporate Rules
Under the PDPA 2012, organisations must establish policies and practices to comply with data privacy laws. These policies should cover areas such as data retention, accuracy, security, and the handling of data access requests. Organisations may develop internal “corporate rules” mechanisms to ensure consistent compliance with the PDPA 2012.
National Legislation
The PDPA 2012 is the primary legislation governing data protection in Singapore. It aligns with international data privacy laws and frameworks like the European Union’s General Data Protection Regulation (GDPR) to facilitate cross-border data transfers.
It also encourages organisations to implement rob cyber security ways to protect personal data from unauthorised access, disclosure, or loss.
Summarising
The PDPA 2012 serves as a comprehensive framework for data privacy laws in Singapore. The amendments introduced over time have strengthened the rights of individuals, enhanced consent requirements, and bolstered enforcement measures.
By complying with the PDPA 2012, organisations can ensure the responsible and secure handling of personal data, fostering trust between businesses and individuals in the digital age.
