
IMPLEMENTATION: Implementation timeframe
The interpretation of the PDPA in Part II of these Guidelines clarifies the applicable standard for the permissible collection...
PDPC does not prescribe the types of identifiers that organisations should adopt in place of NRIC numbers...
Given the importance of the NRIC as a national identification document that is issued to all citizens and permanent residents of Singapore...
Organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of NRIC)...
These Guidelines should be read in conjunction with the document titled “Introduction to the Guidelines”...
The Do Not Call Provisions under the PDPA generally apply to marketing messages sent to a Singapore telephone number...
The Data Protection Provisions contain a number of obligations in various sections which require organisations to develop and implement policies...
A political party and election candidate must cease to retain documents containing personal data, or anonymise it...
A political party or election candidate must protect all personal data in its possession or under its control by making reasonable security arrangements...
A political party or election candidate must make a reasonable effort to ensure that personal data collected by or on behalf of the political party...
A political party or election candidate must, upon request, (a) provide an individual with his or her personal data in the possession...
A political party or election candidate must notify the individual of the purposes for which it intends to collect...
A political party or election candidate may collect, use or disclose personal data about an individual only for purposes that a reasonable person...
A political party or election candidate must obtain the consent of the individual before collecting, using or disclosing his or her personal data for a purpose...
The Data Protection Provisions contain nine key obligations which political parties and election candidates are required to comply with...
Section 4(6) of the PDPA states that unless otherwise provided in the PDPA, nothing in Parts III to VI of the PDPA shall affect any authority...
A data intermediary is defined under the PDPA as an organisation that processes personal data on behalf of another organisation...
Under the PDPA, political parties and election candidates that conduct election activities involving the collection...
Personal data is defined in the PDPA as “data, whether true or not, about an individual who can be identified...
The Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) governs the collection...
Section 32(1) of the PDPA provides that any person who suffers loss or damage directly as a result of a contravention of any provision in Parts IV, V or VI of the PDPA...
Section 35(1) of the PDPA provides that an appeal against, or with respect to, a decision or direction of a Data Protection Appeal Committee may be made to the High Court...
Section 34(4) of the PDPA provides that the Data Protection Appeal Committee hearing an appeal may, after hearing the appeal...
Section 31(4)(b) of the PDPA provides that the Commission may, after reconsidering the contested decision, affirm, revoke or vary the contested decision as the Commission thinks fit...
The procedures that the Commission will adopt in a reconsideration under section 31(1) of the PDPA are mainly set out in Part III of the Enforcement Regulations...
Section 31(1) of the PDPA provides that an organisation or individual aggrieved by a decision or direction...
Section 30 of the PDPA provides that the Commission may register a direction under section 28(2) or 29 of the PDPA in the District Court...
Regulations 17, 18 and 19 of the Enforcement Regulations provide that the Commission may, where it has made a decision or...
In this section, the Commission sets out a non-exhaustive list of some aggravating and mitigating factors that the Commission may consider when it calculates a financial penalty...
In considering whether to direct an organisation to pay a financial penalty, the Commission will take into account certain factors...
The Commission’s power to issue directions to secure an organisation’s compliance with the Data Protection Provisions is set out in section 29 of the PDPA...
Organisations that intend to issue any media releases or public disclosure of matters related to the alleged breach are advised to consider...
Section 50(3) of the PDPA lists various situations in which the Commission may suspend or discontinue an investigation...
Under paragraph 3 of the Ninth Schedule to the PDPA, the Commission is empowered to enter and search premises without prior notice, upon production of a warrant...
Under paragraph 2 of the Ninth Schedule to the PDPA, the Commission is empowered to enter premises without a warrant in connection with an investigation...
Under paragraph 1 of the Ninth Schedule to the PDPA, the Commission may, by notice in writing to any organisation...
The Commission’s powers of investigation are set out in the Ninth Schedule to the PDPA. In brief, these include...
A complaint concerning a contravention or possible contravention of the PDPA may be made to the Commission by providing the relevant information...
Section 50 of the PDPA sets out the Commission’s powers of investigation in respect of contraventions of the PDPA...
The Commission may, in certain situations, commence an investigation in relation to an organisation’s compliance with section 21 or 22 of the PDPA prior to or during a review...
Section 28(2) of the PDPA provides that the Commission may, upon the completion of a review...
An applicant may withdraw his application for a review at any time before the Commission gives notice of its decision or direction...
The Commission may suspend a review at any stage of the review in the circumstances set out in regulation 9 of the Enforcement Regulations...
The Commission may exercise the following powers under the Enforcement Regulations when conducting a review...
The Commission may, at any time, dismiss a review application in the circumstances set out in Regulation 5 of the Enforcement Regulations...
The Commission may, at any stage of the review, seek further information, clarifications or documents from either the applicant or the respondent...
Where the respondent submits a response, the Commission may, where it considers it appropriate...
In most cases, respondents will be required to submit a response within 14 days of the date of the notice of review application...
The following describes in brief the procedure for a review set out in the Enforcement Regulations...
The procedures that the Commission will adopt in a review under section 28(1) of the PDPA are mainly set out in Part II of the Enforcement Regulations...
When submitting a review application to the Commission, the review application should include the following information...
Before applying to the Commission for a review, individuals should note and, if necessary, clarify the following with the organisation concerned as...
An individual who has made an access request or a correction request to an organisation may apply to the Commission under section 28(1) of the PDPA...
Section 28 of the PDPA sets out the Commission’s powers in relation to the conduct of a review...
Where appropriate, the Commission may take any or all of the following measures when seeking to facilitate the resolution of a complaint...
Upon receiving a complaint, the Commission will first consider whether it may be more appropriately resolved by adopting some or...
Section 27 of the PDPA sets out the Commission’s powers in relation to the resolution of complaints. These include...
The PDPA confers various powers on the Commission to enforce the Data Protection Provisions. Broadly, these powers may be categorised as follows...
The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore that governs the collection...
This portion of the Guidelines seeks to illustrate the principles articulated in the above paragraphs through the use of common scenarios...
If organisations wish to obtain consent for marketing purposes, they should generally provide the individuals the option whether or not to give consent...
These Guidelines will focus on the application of sections 14(2)(a) and 46(1) to situations where organisations wish to require an individual’s consent for...
The effect of section 14(2)(a) (read with section 14(3)) and section 46(1) is that organisations cannot refuse to provide an individual an item because...
For the purposes of the discussion in the subsequent paragraphs, we shall refer to “product or service”...
An organisation that wishes to send a “specified message” (as defined in the PDPA) to a Singapore telephone number must comply with the Do Not Call Provisions...
Section 13 of the PDPA, on the requirement to obtain consent, states that...
These Guidelines should be read in conjunction with the document titled “Introduction to the Guidelines” and are subject to the disclaimers set out therein...
When establishing measures to comply with the Accuracy Obligation under the Data Protection Provisions...
The PDPA does not contain provisions that specifically address the collection, use or disclosure of personal data about minors...
Under section 15(1) of the PDPA, an individual may be deemed to have consented to the collection...
Section 14(4) of the PDPA provides that consent given or deemed to have been given by an individual for the collection...
The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age)...
Where behavioural targeting involves the collection and use of personal data, the individual’s consent is required...
Cookies are text files created on a client computer when its web browser loads a website or web application...
IP addresses of networked devices are automatically captured whenever a connection is made over the Internet...
The exception relating to “managing or terminating an employment relationship” only applies when there is an employment relationship...
Under the PDPA, an organisation is responsible for the personal data in its possession or under its control...
Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data...
There are instances where employers have to collect the same set of personal data for both the purposes of (i) managing or terminating the employment relationship and (ii) evaluation...
Under the PDPA, the collection by organisations of personal data from their employees that is reasonable for the purpose of managing or terminating their employment relationships...
Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes...
Most organisations maintain some form of employment records on their current employees...
Recruitment companies, employment agencies, head-hunters and other similar organisations...
Under the PDPA, individuals have the right to obtain access and request corrections to their personal data held by organisations...
After an organisation has decided which job applicant to hire, the personal data that the organisation had collected from the other job applicants should...
The Data Protection Provisions in the PDPA do not apply to “business contact information”, which is defined in the PDPA as...
The PDPA does not require organisations to obtain the consent of the individual when collecting or using personal data that is publicly available...
The PDPA does not require organisations to obtain the consent of the individual when collecting personal data that is publicly available...
Organisations may receive personal data from job applicants who provide it voluntarily through a job application, either in response to a recruitment advertisement or otherwise...
The Commission would encourage organisations to ensure that they adhere to the pre-determined flight path of drones and adopt policies...
Among other obligations, the Data Protection Provisions require organisations to inform individuals of the purposes for which their personal data will be collected...
Organisations will need to consider whether the drones they deploy are likely to capture personal data of individuals...
Increasingly, organisations are making use of drones that may be equipped with photography, video and/or audio recording capabilities...
“Video masking” of images refers to the process of concealing parts of the video from view...
The PDPA does not specify the format of the personal data to be provided in relation to an access request made by an individual...
The PDPA does not prohibit this. However, such a contract would not override any rights or obligations under the PDPA...
The PDPA does not prescribe any minimum resolution...
No. The PDPA does not require an organisation to delete personal data upon request from an individual...
Yes. It would be reasonable for certain groups of individuals...
The Commission’s view is that, depending on the specific facts and circumstances, compromising an organisation’s security arrangements or harming an organisation’s...
Organisations should provide a copy of the CCTV footage and have the option of charging the individual a reasonable fee for providing the copy...
Generally, an organisation is required to provide for access requests...
Generally, an organisation is required to provide the individual access to personal data requested, unless the request falls within one of the prohibitions...
The PDPA requires that an organisation consider what a reasonable person would consider appropriate under the circumstances in meeting its obligations under the PDPA...
The Commission does not require the placement or content of notifications to reveal the exact location of the CCTVs...
The PDPA does not prescribe the content of notifications...
Notices or other forms of notifications should generally be placed so as to enable individuals to have sufficient awareness that CCTVs have been deployed for a particular purpose...
The PDPA requires organisations to inform individuals of the purposes for which their personal data will be collected, used or disclosed in order to obtain their consent...
CCTVs are commonly used to capture video recordings, and some of them may also be equipped with audio recording capabilities...
The Data Protection Provisions do not affect any right conferred or obligation imposed by or under other laws, including the Copyright Act...
The PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA for the collection...
An individual’s submission of a photograph or video recording for a competition is, on its own, insufficient to determine whether he is acting in a personal or domestic capacity...
In accordance with paragraph 1(g) of the Second Schedule, an organisation is permitted to collect personal data about an individual...
The PDPA does not prescribe the contractual arrangements that organisations may wish to enter into in order to ensure that they comply with their obligations under the PDPA...
As noted above, consent will generally be required for taking a photograph or video recording of an identifiable individual although consent may be deemed to have been given...
The Data Protection Provisions do not prescribe the ways in which consent may be obtained for photo-taking or video recording...
The PDPA sets out various exceptions to the Consent Obligation...
Among other obligations, the Data Protection Provisions require consent from the individual to be obtained for the purposes of the collection, use or disclosure of his personal data...
Photography, video and audio recordings are increasingly ubiquitous with such capabilities being included in more devices...
Before using or disclosing anonymised data, the organisation should apply the appropriate anonymisation techniques to ensure robust anonymisation of the data...
As a general test for assessing the risks of re-identification and the robustness of the anonymisation, a useful starting point is the ‘motivated intruder’ test highlighted...
Re-identification can occur as a result of combining separate datasets...
When deciding whether to anonymise data for use or disclosure, organisations should keep in mind that not all datasets can be effectively or meaningfully anonymised...
The following is a non-exhaustive list of commonly used anonymisation techniques, and examples of how each technique can be used...
In general, anonymisation refers to the process of removing identifying information such that the remaining data cannot be used to identify any particular individual...
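The paragraphs above describe anonymisation techniques, the ‘motivated intruder’ test and re-identification by combining datasets but do not work through an example. The following is an added illustration, not part of the Guidelines and not PDPC code: it uses a constructed health-style dataset (all postal codes, ages, names and diagnoses are made up), treats postal code, age and sex as the quasi-identifiers, shows how an intruder holding a separate list with names can link it to a release that merely dropped names, and then applies generalisation and suppression until no record is linkable on its own. The k-anonymity measure and the 2-digit postal sector / 10-year age band choices are assumptions for the example, not prescriptions from the Guidelines.

```python
"""Added example: linkage re-identification test and generalisation-based
anonymisation. All data below is constructed for illustration."""
from collections import Counter

# Constructed "anonymised" release: the direct identifier (name) was removed,
# but quasi-identifiers (postal code, age, sex) are kept at full precision.
RELEASED = [
    {"postal": "238801", "age": 34, "sex": "F", "diagnosis": "asthma"},
    {"postal": "238805", "age": 35, "sex": "F", "diagnosis": "diabetes"},
    {"postal": "238812", "age": 52, "sex": "M", "diagnosis": "hypertension"},
    {"postal": "238830", "age": 53, "sex": "M", "diagnosis": "asthma"},
    {"postal": "238850", "age": 71, "sex": "M", "diagnosis": "arthritis"},
    {"postal": "560101", "age": 29, "sex": "F", "diagnosis": "migraine"},
    {"postal": "560109", "age": 28, "sex": "F", "diagnosis": "asthma"},
]

# Constructed auxiliary dataset the motivated intruder already holds,
# e.g. a club membership list that carries names.
AUXILIARY = [
    {"name": "Alice Tan", "postal": "238801", "age": 34, "sex": "F"},
    {"name": "Bob Lim", "postal": "238812", "age": 52, "sex": "M"},
    {"name": "Chen Wei", "postal": "560109", "age": 28, "sex": "F"},
]

# Quasi-identifiers: fields that are not identifiers on their own but
# become identifying in combination (assumed set for this example).
QUASI = ("postal", "age", "sex")


def quasi_key(row, quasi=QUASI):
    """The combination of quasi-identifier values an intruder would join on."""
    return tuple(row[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(quasi_key(r, quasi) for r in rows)
    return min(counts.values())


def linkage_attack(released, auxiliary, quasi=QUASI):
    """Join the two datasets on the quasi-identifiers. A name is treated as
    re-identified only when exactly one released record matches it."""
    index = {}
    for r in released:
        index.setdefault(quasi_key(r, quasi), []).append(r)
    found = {}
    for a in auxiliary:
        matches = index.get(quasi_key(a, quasi), [])
        if len(matches) == 1:
            found[a["name"]] = matches[0]["diagnosis"]
    return found


def generalise(row):
    """Generalisation: postal code reduced to its 2-digit sector, age
    replaced by a 10-year band; sex is left unchanged. Other fields pass
    through, so the same function works on the intruder's auxiliary rows."""
    out = dict(row)
    out["postal"] = row["postal"][:2] + "xxxx"
    lo = (row["age"] // 10) * 10
    out["age"] = f"{lo}-{lo + 9}"
    return out


def anonymise(rows, k_required=2):
    """Generalise every record, then suppress (drop) any record that is
    still in a group smaller than k_required."""
    gen = [generalise(r) for r in rows]
    counts = Counter(quasi_key(r) for r in gen)
    return [r for r in gen if counts[quasi_key(r)] >= k_required]


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED))
    print("linked before:", linkage_attack(RELEASED, AUXILIARY))
    anon = anonymise(RELEASED)
    print("records kept:", len(anon), "k after:", k_anonymity(anon))
    # The intruder generalises his own list the same way before joining.
    print("linked after:", linkage_attack(anon, [generalise(a) for a in AUXILIARY]))
```

On the raw release every auxiliary name links to exactly one record, so the release is personal data despite the missing names. After generalisation each remaining record shares its quasi-identifier values with at least one other, the 71-year-old record that stayed unique is suppressed, and the join no longer yields a unique match. The measure is only a starting point in the sense the Guidelines intend: if every record in a group carried the same diagnosis, the intruder would still learn that diagnosis without singling out a record, so the sensitive values within each group must be checked as well.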
The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection...
The Data Protection Provisions in the PDPA have taken effect from the appointed day. Section 19 of the PDPA provides that notwithstanding the other provisions of Part IV...
Section 4(6)(a) of the PDPA provides that the Data Protection Provisions will not affect any authority, right, privilege or immunity conferred...
Although not expressly provided for in the PDPA, organisations may wish to consider conducting Data Protection Impact Assessments...
The Data Protection Provisions also provide for specific circumstances where organisations have to be answerable to individuals and the PDPC...
Section 12 of the PDPA sets out four additional key requirements which form part of the Accountability Obligation...
Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation...
In data protection, the concept of accountability refers to how an organisation discharges its responsibility for personal data which it has collected or obtained for processing...
Data in transit refers to personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore...
In setting out contractual clauses that require the recipient to comply with a standard of protection in relation to the personal data transferred to him...
Regulations issued under the PDPA will specify the conditions under which an organisation may transfer personal data overseas...
Section 26 of the PDPA limits the ability of an organisation to transfer personal data outside Singapore...
An organisation will be considered to have ceased to retain personal data when it no longer has the means to associate the personal data with particular individuals...
In considering whether an organisation has ceased to retain personal data the Commission will consider the following factors in relation to the personal data in question...
Where there is no longer a need for an organisation to retain personal data, it must take prompt action to ensure it does not hold such personal data...
The Retention Limitation Obligation prevents organisations from retaining personal data in perpetuity where it does not have legal or business reasons to do so...
Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data...
Security arrangements may take various forms such as administrative measures, physical measures, technical measures or a combination of these...
Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control...
An organisation should also be more careful when collecting personal data about an individual from a source other than the individual in question...
Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances...
The Accuracy Obligation requires organisations to make a reasonable effort to ensure the accuracy and completeness of personal data...
Section 23 of the PDPA requires an organisation to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete...
While organisations may provide standard forms or procedures for individuals to submit access and/or correction requests...
Subject to exceptions as described above, an organisation is required to correct the personal data as soon as practicable from the time the correction request is made...
Section 22(6) provides that an organisation is not required to correct or otherwise alter an opinion, including a professional or an expert opinion...
Section 22(1) of the PDPA provides that an individual may submit a request for an organisation to correct an error or omission in the individual’s personal data...
If an organisation determines that it is appropriate under section 21 of the PDPA and Part II of the Personal Data Protection Regulations...
If an organisation has scheduled periodic disposal or deletion of personal data...
Subject to the PDPA and the Personal Data Protection Regulations, an organisation is to provide a reply to the individual even if the organisation is not providing access to...
In the event an individual who is engaged in legal proceedings with an organisation makes an access request to obtain relevant personal data or other information...
Section 21(4) of the PDPA contains an additional obligation of organisations in relation to the Access and Correction Obligations...
One of the prohibitions, section 21(3)(c), requires that an organisation must not provide access to the personal data or other information...
Section 21(5) of the PDPA provides that if an organisation is able to provide the individual with his personal data and other information requested under section 21(1) without...
The obligation in section 21(1) is subject to a number of exceptions in sections 21(2) to 21(4) including some mandatory exceptions relating...
Organisations may charge an individual a reasonable fee for access to personal data about the individual...
Subject to the PDPA and the Personal Data Protection Regulations, an organisation is required to comply with section 21(1) of the PDPA...
As stated in section 21(1) of the PDPA, if an individual requests for information relating to the use or disclosure of his personal data by the organisation...
Section 21(1) of the PDPA provides that, upon request by an individual, an organisation shall provide the individual with the following as soon as reasonably possible...
Sections 21 and 22 of the PDPA set out the rights of individuals to request for access to their personal data and for correction of their personal data that is in the possession or...
The Data Protection Provisions recognise that there will be circumstances in which an organisation would like to use or disclose an individual’s personal data...
Informing the individual of the purposes for which his personal data will be collected, used or disclosed is an important aspect of obtaining consent for the purposes...
An organisation should state its purposes at an appropriate level of detail for the individual to determine the reasons and manner in which the organisation will be collecting...
The PDPA requires organisations to develop and implement policies and procedures that are necessary for the organisation to meet its obligations under the PDPA...
The PDPA does not specify a specific manner or form in which an organisation is to inform an individual of the purposes for which it is collecting...
Under section 20(1) and (4) of the PDPA, an organisation must inform the individual of the purposes for which his personal data will be collected...
As noted in the previous sections on the Consent Obligation and the Purpose Limitation Obligation, organisations must inform individuals...
Section 18 of the PDPA limits the purposes for which and the extent to which an organisation may collect, use or disclose personal data...
One significant exception in the Second, Third and Fourth Schedules to the PDPA relates to personal data that is publicly available...
Section 17 of the PDPA permits the collection, use and disclosure of personal data without consent (and, in the case of collection, from a source other than the individual)...
Once an organisation has received from an individual a notice to withdraw consent, the organisation should inform the individual...
In determining the effect of any notice to withdraw consent, the Commission will consider all relevant facts of the situation...
In general, organisations must allow an individual who has previously given (or is deemed to have given) his consent to the organisation for collection...
Section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA...
An organisation (“A”) may collect personal data from a third party source (“B”) (as described in the previous section) without the consent of the individual...
Organisations obtaining personal data from third party sources should exercise the appropriate due diligence to check and ensure that the third party source can validly give consent for...
As noted above, there are two situations in which organisations may obtain personal data about an individual with the consent of...
Section 15 of the PDPA addresses two situations in which an individual may be deemed to consent even if he has not actually given consent...
Section 14(2) of the PDPA sets out additional obligations that organisations must comply with when obtaining consent...
Section 14(4) of the PDPA provides that consent may be given, or deemed to have been given, by any person validly acting on behalf of the individual for the collection...
The Commission notes that there are various means of obtaining an individual’s consent to the collection, use and disclosure of his personal data for a specified purpose...
In situations where the organisation cannot conveniently obtain consent from an individual in writing, it may choose to obtain verbal consent...
Section 14(1) of the PDPA states how an individual gives consent under the PDPA...
Section 13 of the PDPA prohibits organisations from collecting, using or disclosing an individual’s personal data unless the individual gives...
The Data Protection Provisions apply to organisations carrying out activities involving personal data in Singapore...
Organisations are required to comply with the Data Protection Provisions in Parts III to VI of the PDPA...
A number of provisions in the PDPA make reference to the concept of reasonableness...
The PDPA does not define the term “purpose”. As will be seen later, a number of Data Protection Provisions refer to the purposes for which an organisation collects...
Part IV of the PDPA sets out the obligations of organisations relating to the collection, use and disclosure of personal data...
Generally, the legal relationship of agency refers to a relationship that exists between two persons, an agent and a principal...
There is a diverse range of scenarios in which organisations may be considered data intermediaries for another organisation...
Section 4(3) provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary...
The PDPA provides that a data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract...
The PDPA defines a data intermediary as “an organisation that processes personal data on behalf of another organisation but does not include an employee of that other organisation”...
The PDPA defines a public agency to include the following...
The second significant exclusion for individuals in the PDPA relates to employees who are acting in the course of their employment with an organisation...
Although individuals are included in the definition of an organisation, they benefit from two significant exclusions in the PDPA...
The PDPA provides that the Data Protection Provisions do not impose any obligations on the following entities...
The PDPA defines an organisation as “any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore...
Personal data, as used in the PDPA, refers to the information comprised in the personal data and not the physical form or medium in which it is stored, such as a database or a book...
As noted earlier, the term “individual” includes both living and deceased individuals. Hence, the provisions of the PDPA will apply to protect the personal data of deceased individuals...
The Data Protection Provisions do not apply to business contact information. Business contact information is defined in the PDPA as “an individual’s name...
The PDPA does not apply to, or applies to a limited extent to, certain categories of personal data...
Information about one individual may contain information about another individual...
It should be noted that the PDPA’s definition of personal data does not depend on whether the data is true or false. If organisations collect personal data which is false...
Data constitutes personal data if it is data about an individual who can be identified from that data on its own...
The most basic requirement for data to constitute personal data is that it is data about an individual...
Personal data is defined in the PDPA as “data, whether true or not, about an individual who can be identified...
The PDPA defines an individual as “a natural person, whether living or deceased”...
Before considering the various Data Protection Provisions, it is important to take note of some terms which are used throughout the Data Protection Provisions...
The PDPA governs the collection, use and disclosure of individuals’ personal data by organisations in a manner that recognises both the right of individuals...
The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals’ personal data...