What is the Personal Data Protection Act (PDPA) Singapore?
The Personal Data Protection Commission (PDPC) was officially established on 2 January 2013. The commission serves as Singapore’s authority in all matters related to personal data protection.
There are heavy penalties for breaching the Personal Data Protection Act (PDPA). Fines can be up to SGD$1 million, and companies may suffer a loss of reputation.
What is Personal Data?
Personal Data is any information relating to a person that enables him/her to be identified, whether directly or indirectly.
PDPA was implemented as a Singapore law to prevent the misuse of personal data.
It covers personal data stored in both electronic and non-electronic formats.
Some examples of Personal Data include:
- Names
- NRIC details
- Images of an individual
- Voice recordings of an individual
- Passport details
- Personal contact number (DNC Registry)
- DNA Profile
What are my Data Protection Obligations?
The following are the obligations of any organisation under the Personal Data Protection Act (PDPA):
- Collection of Personal Data
  Inform individuals of the purposes for collecting and using their personal data. Use it for purposes that they have given consent to, and allow withdrawal of consent with reasonable notice.
- Care of Personal Data
  Ensure that personal data collected is accurate and complete, and put reasonable security measures in place to ensure the personal data is not disclosed while in your possession.
  Do not keep personal data once it is no longer required, and dispose of it the correct way.
- Individual’s Autonomy
  Provide individuals with access and information on how their Personal Data was used upon request.
  In any case of a data breach which might result in significant harm to individuals, notify the PDPC as well as the affected individuals.
*Information from https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/Data-Protection-Obligations-under-the-PDPA.ashx?la=en
Who Must Comply With PDPA?
PDPA compliance is mandated for organisations operating in Singapore with respect to the use, collection, and disclosure of personal data.
Employees of any organisation must also adhere to their organisation’s policies to ensure compliance with PDPA.
How do I comply with PDPA?
- Appoint a Data Protection Officer – Privacy Ninja is Singapore’s leading PDPA & data protection company that provides DPO services at reasonable rates.
- Check the Do Not Call Registry first
- Inform individuals of the purpose of collecting Personal Data and always seek consent
- Ensure Personal Data collected is accurate and allow correction if requested
- Secure & prevent unauthorised access to Personal Data
- Communicate your policies, practices, and processes for data protection
- Closely monitor or manage service providers that are engaged to handle Personal Data
- Dispose of Personal Data by shredding paper documents, or use specialized software for electronic data
Companies in Singapore like Arkiva can help with securely destroying paper documents or electronics, such as hard disks and flash drives, that contain personal data.
By physically destroying the confidential personal data, companies can have peace of mind that the personal data has been fully erased and is safe from data leaks.
A certificate of destruction issued upon completion of service also acts as “black & white” proof that data has been destroyed, for future audit purposes.
*Reference
https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act