How to Comply with PDPA in Singapore: Secure Disposal of Personal Data

The Personal Data Protection Act, or PDPA, is Singapore’s main law governing the collection, use, disclosure and care of personal data by organisations.

For companies in Singapore, PDPA compliance is not only about collecting consent. It also includes how personal data is stored, protected, retained and disposed of when it is no longer needed.

This matters because personal data is often found in many places, including paper documents, laptops, hard drives, USB drives, emails, customer forms, HR files, invoices and archived records.

If these records are not handled properly, they may lead to data leaks, complaints, regulatory action and reputational damage.

This guide explains the basic PDPA obligations and how companies can reduce risk through proper data protection and secure disposal.

What is the PDPA in Singapore?

The PDPA sets out rules for how organisations in Singapore collect, use, disclose and protect personal data.

The Personal Data Protection Commission, or PDPC, is Singapore’s authority for personal data protection. It administers and enforces the PDPA.

The PDPA applies to organisations that collect, use or disclose personal data in Singapore, unless an exception applies.

For businesses, this means personal data should not be treated casually. It should be collected for proper purposes, protected while it is being used and disposed of securely when it is no longer required.

What is personal data?

Personal data refers to data about an individual who can be identified from that data, or from that data together with other information that the organisation has or is likely to have access to.

Common examples of personal data include:

  • full name
  • NRIC or FIN number
  • passport number
  • mobile number
  • email address
  • home address
  • photograph of an individual
  • voice recording
  • CCTV footage showing identifiable individuals
  • medical information
  • employment records
  • salary records
  • customer account information
  • signatures
  • application forms
  • resumes and job applications

Personal data can exist in both digital and physical form.

For example, a customer database stored on a laptop contains personal data. A printed HR file stored in a filing cabinet can also contain personal data.

Why PDPA compliance matters

PDPA compliance is important because organisations are expected to handle personal data responsibly.

A breach may cause harm to individuals and damage trust in the organisation. It may also lead to investigations, enforcement action, financial penalties and loss of reputation.

For larger organisations, the maximum financial penalty for serious PDPA breaches can be significant. This is why companies should not only focus on collection and consent, but also on secure storage, access control, retention and disposal.

Key PDPA obligations for companies

The PDPA contains several obligations. For most companies, the following are especially important.

1. Appoint a Data Protection Officer

Organisations are required to appoint at least one person to be responsible for ensuring PDPA compliance.

This person is commonly known as the Data Protection Officer, or DPO.

The DPO does not need to do everything alone, but there should be clear responsibility within the company for data protection matters.

2. Notify individuals of the purpose

Before collecting personal data, organisations should inform individuals why the data is being collected, how it will be used and who it may be disclosed to.

For example, if a company collects customer contact details for service scheduling, the customer should understand that the data is being used for that purpose.

3. Obtain consent where required

Organisations should collect, use or disclose personal data only with consent, unless an exception applies.

Consent should be linked to a clear purpose. Companies should avoid collecting personal data “just in case” without a proper business reason.

4. Allow withdrawal of consent

Individuals should be allowed to withdraw consent by giving reasonable notice.

When consent is withdrawn, the organisation should assess whether it must stop collecting, using or disclosing the personal data, unless there is a legal or business reason to continue.

5. Ensure accuracy of personal data

Organisations should make reasonable efforts to ensure that personal data is accurate and complete if it is likely to be used to make a decision affecting the individual, or disclosed to another organisation.

This is especially important for customer records, employee records, financial information and official documents.

6. Protect personal data

Organisations must make reasonable security arrangements to protect personal data in their possession or under their control.

This applies to both digital and physical records.

Examples of protection measures include:

  • limiting access to authorised staff
  • using passwords and access controls
  • keeping physical documents in locked cabinets or secure rooms
  • sealing boxes, bins or bags during transport
  • avoiding unattended confidential documents
  • using secure disposal methods
  • training staff who handle personal data
  • monitoring service providers who process personal data

7. Do not keep personal data longer than necessary

Companies should not keep personal data indefinitely.

If the personal data is no longer needed for any legal or business purpose, the company should cease retaining it, anonymise it, or dispose of it securely. For business records, companies should also understand how long different documents need to be kept before disposal.

This is known as the retention limitation obligation.

In simple terms, if there is no valid reason to keep the personal data, it should not remain in the company’s possession in an identifiable form.

8. Notify serious data breaches where required

If a data breach occurs, the organisation must assess whether it is notifiable.

A breach may need to be reported if it is likely to result in significant harm to individuals, or if it affects a significant number of individuals.

This is why companies should have a basic data breach response process and know who is responsible for handling incidents.

PDPA applies to both paper and digital records

A common mistake is thinking that PDPA only applies to computer systems.

This is not correct.

Personal data may be stored in:

  • paper forms
  • HR files
  • contracts
  • invoices
  • customer records
  • delivery orders
  • medical records
  • job applications
  • visitor logs
  • CCTV records
  • laptops
  • hard drives
  • SSDs
  • USB drives
  • servers
  • mobile phones

Both paper documents and electronic devices need to be handled securely.

Secure disposal is part of PDPA compliance

When personal data is no longer needed, companies should dispose of it properly.

Throwing documents into a normal rubbish bin or recycling bin is not secure. Old laptops, hard drives and USB drives should also not be discarded or resold without proper data erasure or destruction.

Poor disposal can expose customer data, employee records, financial information and other confidential information.

Secure disposal methods differ for paper documents and for IT equipment, as described below.

How to dispose of paper documents containing personal data

Paper documents containing personal data should be shredded securely before recycling or disposal.

Examples include:

  • HR files
  • customer forms
  • invoices
  • medical records
  • bank statements
  • contracts
  • payroll documents
  • application forms
  • delivery records
  • expired business records

For small amounts, an office shredder may be enough.

For large volumes, archive boxes or confidential business records, a professional document shredding service is usually more practical. It helps ensure proper handling, secure collection, controlled destruction and documentation.

How to dispose of IT equipment containing personal data

Old IT equipment may still contain recoverable data even after files are deleted.

This includes:

  • laptops
  • desktop computers
  • servers
  • hard drives
  • SSDs
  • USB drives
  • memory cards
  • mobile phones

Companies should use proper data erasure or physical destruction before recycling, resale or disposal.

For working devices, certified data erasure may allow the equipment to be reused or resold.

For failed drives, highly sensitive media or devices that cannot be securely erased, physical destruction may be more suitable.

Working with vendors who handle personal data

Many companies engage external vendors for IT support, payroll, storage, shredding, recycling, marketing or other services.

If a vendor handles personal data on behalf of your company, you should manage the vendor carefully.

Basic checks include:

  • what personal data the vendor will handle
  • how the vendor protects the data
  • whether staff are trained
  • how documents or devices are transported
  • how data is destroyed after use
  • whether certificates or reports are provided
  • whether there is a clear service agreement

The company remains responsible for how personal data is handled, even when an external vendor is involved.

Simple PDPA compliance checklist for companies

Here is a simple checklist for Singapore businesses:

  1. Appoint a Data Protection Officer.
  2. Keep a record of what personal data your company collects.
  3. Inform individuals why their personal data is collected.
  4. Obtain consent where required.
  5. Limit access to personal data.
  6. Keep paper records secure.
  7. Secure laptops, hard drives and storage devices.
  8. Do not keep personal data longer than necessary.
  9. Review old files and archived records regularly.
  10. Shred confidential paper documents securely.
  11. Erase or destroy IT equipment before disposal.
  12. Keep disposal certificates or records where possible.
  13. Train employees who handle personal data.
  14. Have a basic data breach response process.

Common PDPA mistakes to avoid

Companies should avoid these common mistakes:

  • keeping old customer forms indefinitely
  • throwing personal data into normal recycling bins
  • leaving archive boxes unattended during office clearance
  • selling or disposing of laptops without data erasure
  • allowing too many staff to access personal data
  • failing to track where confidential documents are stored
  • keeping HR records longer than necessary without review
  • using vendors without checking their data handling process
  • not having a clear person responsible for PDPA matters

Frequently asked questions

Does PDPA apply to paper documents?

Yes. PDPA can apply to personal data in both physical and electronic form. Paper documents such as HR files, customer forms, invoices and contracts may contain personal data and should be protected.

Can companies throw old documents into recycling bins?

No. If the documents contain personal data or confidential information, they should not be thrown into normal recycling bins. They should be securely shredded or otherwise destroyed before recycling.

Is deleting files enough before disposing of a laptop?

No. Deleting files is not enough because data may still be recoverable. Companies should use proper data erasure, sanitisation or physical destruction before disposing of IT equipment.

Does every company need a Data Protection Officer?

Yes. Organisations are required to appoint at least one person responsible for ensuring PDPA compliance.

When should personal data be destroyed?

Personal data should be destroyed, anonymised or no longer retained when it is no longer needed for any legal or business purpose.

Can Arkiva help with PDPA compliance?

Arkiva is not a legal or PDPA consultancy. However, Arkiva can support the secure disposal part of PDPA compliance through document shredding, data destruction, data erasure, hard drive destruction and IT asset disposal services.

Secure document shredding and data destruction in Singapore

Arkiva provides secure document shredding, data destruction, data erasure, hard drive destruction and ITAD services for businesses in Singapore.

We help companies dispose of confidential paper records and IT equipment securely, with proper handling and documentation.

Our services include:

  • secure document shredding
  • archive box disposal
  • hard drive destruction
  • data erasure
  • degaussing
  • IT asset disposition
  • e-waste recycling
  • certificate of destruction

Need help disposing of documents or IT equipment containing personal data?

Contact Arkiva for a quotation.

Email: sales@arkiva.com.sg
Phone: 6871 8789

Disclaimer

This article is for general informational purposes only and does not constitute legal, compliance or PDPA consultancy advice. PDPA obligations may vary depending on your organisation’s situation. For specific advice, consult your Data Protection Officer, legal adviser or PDPA consultant.