
Global Data Privacy Guide

Singapore (Asia Pacific)

Firm: Rajah & Tann Singapore LLP
Updated: 27 Aug 2025

1. What is the key legislation?

The Personal Data Protection Act 2012 (“PDPA”) is the key data protection legislation which governs the collection, use and disclosure of individuals’ personal data in Singapore by organisations. The PDPA aims to recognise both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

The PDPA was first enacted in October 2012 and its provisions came into full force in July 2014. The PDPA was subsequently amended in November 2020 after the Personal Data Protection (Amendment) Act 2020 was enacted. The amendments took effect in phases from February 2021. The PDPA established Singapore’s data protection authority, the Personal Data Protection Commission (the “PDPC”), in January 2013. 

The PDPA contains two main sets of provisions. Parts 3 to 6A of the PDPA cover the core data protection obligations of organisations (the “Data Protection Obligations”). Parts 9 and 9A of the PDPA set out provisions covering the establishment of a national Do Not Call Registry (“DNC Registry”) and the obligations of organisations and individuals when sending certain marketing messages to Singapore telephone numbers (the “DNC Provisions”).

Over the years, subsidiary legislation has also been passed to facilitate the implementation and enforcement of the PDPA. Examples of subsidiary legislation include: 

•    The Personal Data Protection Regulations 2021 (the “PDPR”); 
•    The Personal Data Protection (Notification of Data Breaches) Regulations 2021 (the “Data Breach Regulations”); and
•    The Personal Data Protection (Do Not Call Registry) Regulations 2013.

To facilitate organisations’ compliance with the PDPA, the PDPC has issued non-binding advisory guidelines which provide guidance on the PDPC’s interpretation and enforcement of the PDPA and explain how the PDPA applies to select topics, such as the use of personal data in artificial intelligence (“AI”) systems. Examples of the PDPC’s advisory guidelines include:

•    Advisory Guidelines on Key Concepts in the Personal Data Protection Act;
•    Advisory Guidelines on the Personal Data Protection Act for Selected Topics;
•    Advisory Guidelines on the Do Not Call Provisions;
•    Advisory Guidelines on Enforcement of Data Protection Provisions;
•    Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems; 
•    Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment; and
•    Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers (the “NRIC Advisory Guidelines”).

2. What are the key decisions applying that legislation?

Re Singapore Health Services Pte Ltd [2019] SGPDPC 3 is a key decision concerning the largest and one of the most significant data breaches in Singapore to date. The data breach in this case arose due to a cyber-attack on Singapore Health Services Pte Ltd’s (“SingHealth”) patient database system. The threat actors behind the cyber-attack managed to exfiltrate the personal data of approximately 1.5 million patients, including the outpatient prescription records of 159,000 patients. Although SingHealth had engaged a data intermediary, Integrated Health Information Systems Pte. Ltd. (“IHIS”), to manage its patient database system, the PDPC held that SingHealth’s responsibility for complying with the PDPA could not be delegated and SingHealth had a duty to ensure that any data intermediary that processed personal data on its behalf complied with the PDPA. Hence, the PDPC found that both SingHealth and IHIS had breached the Protection Obligation under Section 24 of the PDPA by failing to implement sufficient security measures to protect the personal data in SingHealth’s patient database system. SingHealth and IHIS were fined S$250,000 and S$750,000 respectively.

Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60 is another landmark decision where an individual exercised his right of private action under the previous Section 32 (and current Section 48O) of the PDPA to seek relief for loss or damage suffered directly as a result of another party’s breach of the PDPA. In this case, the appellant, Mr. Michael Reed (“Reed”), claimed that he had suffered emotional distress and loss of control over his personal data as a result of Mr. Alex Bellingham’s (“Bellingham”) breach of the PDPA. The facts of the case are as follows. Reed was an investor in an investment fund known as the Edinburgh Fund. The Edinburgh Fund was managed by Bellingham in the course of his employment with IP Real Estate Investments Pte Ltd (“IP Real Estate”). Bellingham subsequently left IP Real Estate to join a competitor, Q Investment Partners Pte Ltd (“QIP”). However, Bellingham continued to retain Reed’s personal data, namely Reed’s name and details of Reed’s investment holding in the Edinburgh Fund, despite terminating his employment with IP Real Estate. During his employment with QIP, Bellingham used Reed’s name to obtain Reed’s e-mail address from Reed’s LinkedIn account. Bellingham then proceeded to contact Reed via e-mail to market QIP’s services to him. The Singapore High Court in Bellingham, Alex v Reed, Michael [2021] SGHC 125 held that Bellingham breached Sections 13 and 18 of the PDPA by collecting and using Reed’s personal data to market QIP’s services. However, the High Court denied Reed’s right of private action on the basis that emotional distress and loss of control over personal data did not fall within the meaning of “loss or damage” under the PDPA. On appeal, the Singapore Court of Appeal partially overturned the High Court’s decision and notably held that “loss or damage” could be interpreted to include emotional distress. On the facts, the Court of Appeal held that Reed had suffered emotional distress and obtained a right of private action under the PDPA. Bellingham was injuncted from using, disclosing or communicating Reed’s personal data, and ordered to undertake to destroy the personal data.

1. How are “personal data” and “sensitive data” defined?

The PDPA defines “personal data” as “data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access”. 

Unlike other data protection legislation, the term “sensitive data” is not defined in the PDPA. Nonetheless, the PDPC recognises that certain categories of personal data, such as financial information and medical information, may be more sensitive and require a higher standard of protection under the PDPA. 

2. How is the defined data protected?

Under the PDPA, organisations that collect, use or disclose personal data in Singapore are required to comply with the following Data Protection Obligations. 

(i)    The Consent Obligation (Sections 13 to 17 of the PDPA): Subject to certain exceptions under the PDPA, an organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose. 

(ii)    The Purpose Limitation Obligation (Section 18 of the PDPA): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned (see the Notification Obligation below). 

(iii)    The Notification Obligation (Section 20 of the PDPA): Subject to certain exceptions under the PDPA, an organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

(iv)    The Access Obligation (Section 21 of the PDPA): Subject to certain exceptions under the PDPA, an organisation must, upon request, provide an individual with (a) his personal data in the possession or under the control of the organisation, and (b) information about the ways in which the personal data may have been used or disclosed during the past year.

(v)    The Correction Obligation (Section 22 of the PDPA): Subject to certain exceptions under the PDPA, an organisation must, upon request, correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation. 

(vi)    The Accuracy Obligation (Section 23 of the PDPA): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be (a) used by the organisation to make a decision that affects the individual concerned, or (b) disclosed by the organisation to another organisation.

(vii)    The Protection Obligation (Section 24 of the PDPA): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks, and (b) the loss of any storage medium or device on which personal data is stored.

(viii)    The Retention Limitation Obligation (Section 25 of the PDPA): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (a) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (b) retention is no longer necessary for legal or business purposes.

(ix)    The Transfer Limitation Obligation (Section 26 of the PDPA): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

(x)    The Data Breach Notification Obligation (Sections 26A to 26E of the PDPA): An organisation must assess whether a data breach is notifiable and notify the affected individuals and/or the PDPC where it is assessed to be notifiable. In addition, where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must notify that other organisation of the occurrence of the data breach.

(xi)    The Accountability Obligation (Sections 11 and 12 of the PDPA): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.

(xii)    The Data Portability Obligation (Not in Force): An organisation must, upon request, transmit an individual’s data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format. This obligation is not yet in force and will only take effect when the relevant regulations are issued.

3. Who is subject to privacy obligations?

The Data Protection Obligations under the PDPA are applicable to organisations that collect, use or disclose personal data in Singapore. The PDPA defines “organisation” to include “any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under Singapore law, or (b) resident, or having an office or place of business, in Singapore”. This definition gives the PDPA extraterritorial effect. 

While the PDPA defines “organisation” broadly, the Data Protection Obligations under the PDPA are not applicable to the following individuals and entities: 

(i)    Any individual acting in a personal or domestic capacity; 
(ii)    Any employee acting in the course of his or her employment with an organisation; and 
(iii)    Any public agency. 

4. How is “data processing” defined?

The PDPA defines “processing” as “the carrying out of any operation or set of operations in relation to the personal data”, which includes the recording, holding, organisation, adaptation, alteration, retrieval, combination, transmission, erasure and destruction of personal data. 

5. What are the principles applicable to personal data processing?

The Data Protection Obligations set out at paragraph 2 above are the principles that regulate the processing of personal data; any processing must satisfy the requirements of those obligations.

6. How is the processing of personal data regulated?

See paragraph 2 above. 

7. How are storage, security and retention of personal data regulated?

The Protection Obligation (Section 24 of the PDPA): 
With respect to the storage and security of personal data, the PDPA provides that an organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks, and (b) the loss of any storage medium or device on which personal data is stored.

There is no “one size fits all” solution for organisations to comply with the Protection Obligation. Organisations may adopt various types of security measures, including administrative measures, physical measures and technical measures. An organisation should adopt security arrangements that are reasonable and appropriate in the circumstances by taking into account factors such as the nature of the personal data held by the organisation and the potential harm that might result from a security breach. Organisations are encouraged to identify reliable and well-trained personnel responsible for ensuring information security, and implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity. Organisations are also advised to be prepared and equipped to respond to security breaches promptly and effectively. 

The Retention Limitation Obligation (Section 25 of the PDPA): 
An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (a) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (b) retention is no longer necessary for legal or business purposes.

Given the varied business needs of organisations, the PDPA does not prescribe a fixed duration of time for personal data retention as it depends on the circumstances including the particular organisation’s legal or business purposes. 

An organisation’s personal data retention periods are assessed based on a standard of reasonableness. Relevant considerations in such an assessment include the purposes for which the personal data was initially collected and other legal or business purposes which justify the retention of the personal data. Organisations are encouraged to prepare a personal data retention policy which sets out their approach to personal data retention. 

An organisation ceases to retain documents containing personal data when the organisation, its agents and its data intermediaries no longer have access to those documents and the personal data contained therein. An organisation may comply with the Retention Limitation Obligation through various means, including by anonymising the personal data contained in a document.

8. What are the data subjects' rights under the data legislation?

Individuals have the following rights under the PDPA:  

(i)    The right of access: Pursuant to an organisation’s Access Obligation (Section 21 of the PDPA), an individual may request an organisation for access to (a) his personal data that is in the possession or under the control of the organisation, and (b) information about the ways in which the organisation may have used or disclosed his personal data during the past year. This right is subject to exceptions specified in Section 21 and the Fifth Schedule of the PDPA.

(ii)    The right of correction: Pursuant to an organisation’s Correction Obligation (Section 22 of the PDPA), an individual may request an organisation to correct an error or omission in his personal data that is in the possession or under the control of the organisation. This right is subject to exceptions specified in Section 22 and the Sixth Schedule of the PDPA.

(iii)    The right to withdraw consent: Pursuant to an organisation’s Consent Obligation (Section 13 of the PDPA), an individual may withdraw any consent he has given or is deemed to have given to an organisation in respect of that organisation’s collection, use or disclosure of his personal data for any purpose (Section 16 of the PDPA).

(iv)    The right of private action: Pursuant to Section 48O of the PDPA, an individual who suffers loss or damage directly as a result of a contravention of certain provisions in the PDPA, including an organisation’s contravention of its Data Protection Obligations, has a right of action for relief in civil proceedings in a court. The court may grant an individual any relief it thinks fit, including damages or an injunction or declaration. 

9. What are the consent requirements for data subjects?

The PDPA is primarily a consent-based regime. As such, the primary basis for collecting, using and disclosing an individual’s personal data under the PDPA is an individual’s consent.

Pursuant to the Consent Obligation (Section 13 of the PDPA), an organisation must obtain the consent of an individual (express or deemed) before collecting, using or disclosing his personal data for any purpose. This obligation is subject to the exceptions set out in the First and Second Schedules of the PDPA and any exceptions provided in other applicable laws. 

To obtain consent from an individual, an organisation must first notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data pursuant to the Notification Obligation (Section 20 of the PDPA). An organisation must seek fresh consent from an individual if it needs to collect, use or disclose personal data for additional purposes which differ from the original purposes notified to the individual.

Any consent obtained from an individual would be invalid if an organisation requires the individual to consent to the collection, use or disclosure of his personal data as a condition of providing the organisation’s product or service to that individual and such collection, use or disclosure is beyond what is reasonable to provide the product or service. In addition, an organisation must not obtain or attempt to obtain consent for collecting, using or disclosing personal data by using deceptive or misleading practices, or providing false or misleading information with respect to its collection, use or disclosure of the personal data.

Organisations may obtain express or deemed consent from individuals. Express consent (i.e. consent that is obtained in writing or recorded in a manner that is accessible) provides the clearest indication that an individual has consented to the collection, use or disclosure of his personal data for the notified purposes. Deemed consent may be obtained by conduct, contractual necessity or notification pursuant to Sections 15 and 15A of the PDPA.  

10. How is authorization for use of data handled?

As the PDPA is primarily a consent-based regime, organisations are generally authorised to use an individual’s personal data if they obtain consent from the individual. Organisations are also authorised to use personal data without consent if an exception under the First or Second Schedule of the PDPA or any exceptions provided in other laws apply. 

Organisations should obtain consent in writing or record consent in a manner that is accessible for future reference where feasible. Where an organisation has only obtained verbal consent, the PDPC recommends confirming the consent in writing with the individual or making a written note of the fact that the individual has provided verbal consent as a matter of good practice.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes, cross-border data transfers are regulated under the PDPA. However, the PDPA does not impose any data localisation requirements.

Pursuant to the Transfer Limitation Obligation (Section 26 of the PDPA), an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA. In particular, Regulation 10 of the PDPR provides that an organisation transferring personal data outside Singapore must take appropriate steps to ensure that the overseas recipient of the personal data is bound by legally enforceable obligations to provide the transferred personal data with a standard of protection that is at least comparable to that of the PDPA. 

Regulation 11 of the PDPR provides that legally enforceable obligations include obligations imposed on an overseas recipient of personal data via the following mechanisms:

(i)    any law; 
(ii)    any contract that (a) requires the recipient to provide a standard of protection for the transferred personal data that is at least comparable to that of the PDPA, and (b) specifies the countries and territories to which the personal data may be transferred under the contract; 
(iii)    any binding corporate rules that (a) require every recipient of the transferred personal data to provide a standard of protection for the transferred personal data that is at least comparable to that of the PDPA, and (b) specify the recipients of the transferred personal data to which the binding corporate rules apply; the countries and territories to which the personal data may be transferred under the binding corporate rules; and the rights and obligations provided by the binding corporate rules; and 
(iv)    any other legally binding instrument. 

In addition, an overseas recipient organisation that holds a “specified certification” is taken to be bound by legally enforceable obligations. In particular, an organisation satisfies the Transfer Limitation Obligation if it transfers personal data to:

(i)    an overseas recipient that is not a data intermediary and has a certification under the Asia Pacific Economic Cooperation Cross Border Privacy Rules (“APEC CBPR”) System; or 
(ii)    an overseas recipient that is a data intermediary and has a certification under the APEC CBPR System or the Asia Pacific Economic Cooperation Privacy Recognition for Processors System.

12. How are data "incidents" and "breaches" defined?

The PDPA defines a “data breach” as “(a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur”. 

The PDPA does not define the term “data incidents”. 

13. Are there any notification requirements for incidents and/or data breaches?

Yes, there are mandatory notification requirements for data breaches under the PDPA. These requirements are triggered when either of the two notification thresholds described below is met.  

Duty to Conduct Assessment of Data Breach 
Pursuant to Section 26C of the PDPA, if an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation is required to conduct an assessment of whether the data breach is a “notifiable data breach” in a reasonable and expeditious manner, and in any case within no more than 30 days (per the PDPC’s Advisory Guidelines). 

Thresholds for Notification 

Pursuant to Section 26B of the PDPA, a data breach constitutes a “notifiable data breach” if the data breach: 

(i)    results in, or is likely to result in, significant harm to an affected individual (“Threshold A”); or 
(ii)    is, or is likely to be, of a significant scale (i.e. affect 500 or more individuals) (“Threshold B”). 

With respect to Threshold A, a data breach is deemed to result in significant harm to an individual if the data breach involves any personal data or class of personal data prescribed in the Data Breach Regulations.

Duty to Notify the PDPC 

If the data breach constitutes a notifiable data breach, an organisation must notify the PDPC as soon as is practicable and no later than three calendar days after determining that the data breach is notifiable (Section 26D(1) of the PDPA). 

Duty to Notify Affected Individuals

If the data breach constitutes a notifiable data breach under Threshold A, an organisation must generally notify the affected individuals as soon as practicable, and in any case either at the same time or after notifying the PDPC (Section 26D(2) of the PDPA), subject to certain exceptions. 

If the data breach constitutes a notifiable data breach under Threshold B only, an organisation is not required to notify the affected individuals.

14. Who is/are the privacy regulator(s)?

The PDPC is the main data protection regulator in Singapore. It was established in January 2013 for the purpose of administering and enforcing the PDPA. 

In addition to administering and enforcing the PDPA, the key functions of the PDPC include promoting awareness of data protection in Singapore and representing the Singapore government internationally on matters relating to data protection.

15. What are the consequences of a data breach?

When the PDPC is notified of a data breach by an organisation or a third party, it will first assess the circumstances and severity of the data breach. Depending on the facts of the case, the PDPC may choose to initiate investigations. The possible enforcement outcomes that may follow the PDPC’s investigations include: 

(i)    Suspension or discontinuation of the investigation; 
(ii)    Voluntary undertaking: Under certain circumstances, the PDPC may accept a written voluntary undertaking from the organisation. A voluntary undertaking is intended to allow the organisation to implement a remediation plan in relation to the data breach and address any systemic shortcomings in the organisation to ensure future compliance with the PDPA; and
(iii)    Breach finding: A breach finding may result in the PDPC issuing financial penalties and/or directions that the organisation has to comply with. 

16. How is electronic marketing regulated?

The DNC Provisions under the PDPA regulate the sending of “specified messages”, including electronic marketing messages, by a person to Singapore telephone numbers. Pursuant to the DNC Provisions, a person is required to comply with a number of obligations to send a specified message to a Singapore telephone number, including the following:

(i)    The person must have valid confirmation that the Singapore telephone number is not listed in the relevant Do Not Call Register (“Register”) under the national DNC Registry at the time the person sends the specified message. There are three DNC Registers in Singapore – the No Voice Call Register, the No Text Message Register and the No Fax Message Register. A person is not required to obtain valid confirmation if the subscriber or user of the Singapore telephone number gives clear and unambiguous consent to the sending of the specified message in written or other evidential form. 
(ii)    The specified message includes clear and accurate information (a) identifying the person that sent or authorised the sending of the specified message, and (b) about how the recipient can readily contact such person. 
(iii)    For voice calls containing a specified message, the sender must not conceal or withhold from the recipient the sender’s calling line identity.

In addition, the PDPA generally prohibits a person from sending, causing to be sent or authorising the sending of a message with a Singapore link to a telephone number generated or obtained through the use of a dictionary attack or address-harvesting software. 

The Spam Control Act 2007 (“SCA”) also regulates the sending of electronic marketing messages. The SCA defines “electronic message” as “a message sent to an electronic address” but excludes messages that are sent by way of a voice call made using a telephone service. The SCA further defines “electronic address” as “an email address, an instant messaging account or a mobile telephone number to which an electronic message can be sent”. Under Section 11 of the SCA, any person who sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages, including electronic marketing messages, in bulk must comply with the requirements set out in the Second Schedule of the SCA. These requirements include specifying an email address or a mobile telephone number, as applicable, to which the recipient may submit an unsubscribe request in the unsolicited commercial electronic message. 

17. Are there sector-specific or industry-specific privacy requirements?

In addition to the PDPA which sets out general data protection obligations, there may be sector-specific or industry-specific data protection requirements in Singapore, such as: 

(i)    Healthcare Services Act 2020 (“HSA”) – The HSA regulates the provision of healthcare services in Singapore. Section 27 states that licensees providing certain healthcare services must keep and maintain records for the prescribed period and in the prescribed manner, where the records are relevant to the monitoring or evaluation of any aspect of any licensable healthcare service or the provision of any licensable healthcare service.

(ii)    Banking Act 1970 (“BA”) and other notices issued by the Monetary Authority of Singapore (“MAS”) – The BA regulates the businesses of banks and other related institutions in Singapore. Section 47 of the BA provides that customer information must not be disclosed by a bank in Singapore or any of its officers to any other person except as expressly provided in the BA. In addition, Clause 7 of the MAS Notice 658 provides that a bank must impose certain confidentiality obligations on a service provider to protect customer information where material outsourced relevant services are concerned. 

18. What are the requirements for appointing Data Protection Officers or similar roles?

The PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. This individual may be referred to as the Data Protection Officer (“DPO”). While the PDPA does not require the DPO to possess certain formal qualifications, the PDPC has stated that the DPO should be sufficiently skilled and knowledgeable, and amply empowered to discharge his duties. 

The PDPA requires an organisation to make available the business contact information of at least one DPO. 

19. What are the record-keeping and documentation obligations?

The PDPA does not generally require organisations to keep a record of or document their data processing activities. Nevertheless, in practice, as part of accountability and evidencing compliance with the PDPA, an organisation should have carried out data mapping and have full information concerning its personal data processing activities, including the storage of personal data in its possession or under its control. 

Section 50(4) of the PDPA requires an organisation to retain records relating to any investigation conducted by the PDPC pursuant to Section 50. The organisation is required to retain such records for one year after the conclusion of the PDPC’s investigation or any longer period specified by the PDPC in writing.

In addition, where an organisation rejects an individual’s request to access his personal data under Section 21 of the PDPA, the organisation must preserve a complete and accurate copy of the withheld personal data for at least 30 calendar days after rejecting the request (Section 22A of the PDPA).

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Under the PDPA, it is only mandatory to conduct a DPIA if an organisation intends to rely on an individual’s deemed consent by notification, or the legitimate interests exception to consent, to collect, use or disclose an individual’s personal data.

21. What are the requirements for third-party vendor management and data sharing?

Pursuant to the Consent Obligation (Section 13 of the PDPA), an organisation must obtain the consent of an individual before disclosing his personal data to a third-party vendor, subject to certain exceptions under the PDPA. 

A third-party vendor may be a data intermediary under the PDPA. The PDPA provides that an organisation has the same obligation under the PDPA in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself. One of the primary means by which an organisation may ensure adequate protection of the personal data processed by its data intermediary is through a contract. The contract between the organisation and its data intermediary should clearly set out the obligations of all parties, including the data intermediary’s obligations to comply with the applicable Data Protection Obligations under the PDPA. 

22. What are the penalties and enforcement mechanisms for non-compliance?

Pursuant to Section 48J of the PDPA, the PDPC is empowered to impose financial penalties for an organisation’s breach of the Data Protection Obligations. The maximum financial penalty is the higher of (a) S$1 million, or (b) 10% of the organisation’s annual turnover in Singapore, where the organisation’s annual turnover in Singapore exceeds S$10 million.

In addition to financial penalties, the PDPC may issue directions to an organisation under Section 48I of the PDPA to ensure compliance with the PDPA. For instance, the PDPC may require an organisation to destroy personal data or stop collecting, using or disclosing personal data in contravention of the PDPA.

23. What are the ongoing compliance and audit requirements?

Organisations are required to comply with the applicable Data Protection Obligations under the PDPA on an ongoing basis. 

There are no express requirements under the PDPA for organisations to conduct audits internally or on their data intermediaries. Nonetheless, the PDPC has encouraged organisations to conduct periodic audits to manage their data intermediaries and ensure their compliance with the PDPA. Further, regular audits can help demonstrate to the PDPC, should an organisation be investigated, a culture of seeking to be PDPA-compliant, which may be a mitigating factor. 

24. Are there any recent developments or expected reforms?

The Personal Data Protection (Amendment) Act 2020 introduced the Data Portability Obligation, which has yet to take effect. Once the Data Portability Obligation takes effect, an organisation will be required to transmit an individual’s data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format upon the individual’s request. 

In addition, the PDPC has recently announced plans to update its NRIC Advisory Guidelines in light of the Singapore government’s revised stance on the collection, use and disclosure of National Registration Identity Cards (“NRIC”) and NRIC numbers.
