By Sng Ler Jun
Singapore’s Personal Data Protection Act (PDPA) is a comprehensive legislative framework designed to safeguard the privacy and protect the personal data of individuals. Fully enacted since July 2014, the PDPA governs the collection, use, and disclosure of personal data by organisations operating in Singapore. Its primary goal is to strike a balance between promoting business innovation and ensuring individuals' rights to control their personal information.
Under the PDPA, individuals have the right to access their personal data held by organisations and request corrections if necessary. They also have the right to withdraw consent for data usage and opt-out of marketing communications. The Act establishes a national Do Not Call (DNC) Registry, allowing individuals to opt out of unsolicited marketing messages.
The PDPC enforces the PDPA by investigating and addressing complaints, conducting audits, and imposing penalties for non-compliance. Penalties can range from warnings to fines, depending on the severity of the breach. In more serious cases, criminal charges may be filed.
Over the years, the PDPA has evolved to keep pace with technological advancements and the changing data protection landscape. It has implications for a wide range of sectors, from financial services to healthcare, influencing how organisations manage, handle, and protect personal data. As digital interactions become increasingly integral to daily life, the PDPA plays a pivotal role in safeguarding individuals' privacy while promoting responsible data usage by businesses in Singapore.
Here are some of the most frequently asked questions on the PDPA and data governance.
FAQ 1: What is Personal Data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
When it comes to personal data, organisations should consider (i) whether the information is about or relates to an individual (e.g., information about an individual’s health, educational or employment background, or activities); and (ii) whether the individual is identifiable from that data. On the latter point, photographs of individuals, home addresses, fingerprints, personal identification numbers and personal email addresses are among the many items that constitute personal data.
In general, there should be at least two data elements in the dataset before individuals can be identified. The nature of data will also affect identifiability.
FAQ 2: Must a small organisation appoint a Data Protection Officer (DPO)?
Under the PDPA, all organisations are required to designate a DPO to oversee data protection responsibilities and ensure compliance with the PDPA. The DPO may consider delegating some responsibilities to other officers.
The responsibilities of a DPO include, but are not limited to:
- Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
- Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
- Managing personal data protection-related queries and complaints;
- Alerting management to any risks that might arise with regard to personal data; and
- Liaising with the PDPC on data protection matters, if necessary.
FAQ 3: What are the different PDPA obligations?
The PDPA sets out various obligations for organisations that handle personal data, including obtaining consent from individuals before collecting, using, or disclosing their data. Organisations are required to inform individuals about the purposes of data collection and obtain their consent explicitly and fairly. Additionally, they must ensure that personal data is accurate and secure, taking the necessary measures to prevent unauthorised access or disclosure.
The full list of PDPA obligations includes:
- Accountability Obligation
- Notification Obligation
- Consent Obligation
- Purpose Limitation Obligation
- Accuracy Obligation
- Protection Obligation
- Retention Limitation Obligation
- Transfer Limitation Obligation
- Access and Correction Obligation
- Data Breach Notification Obligation
- Data Portability Obligation (new)
FAQ 4: How can I dispose of personal data?
It is common for organisations today to collect, use and disclose personal data for myriad reasons. However, it is equally important not to keep personal data longer than necessary. Organisations should also have policies in place to regularly review and dispose of personal data when it is no longer needed. In other words, do consider setting clear retention periods for the various types of personal data you hold.
Some of the disposal means include:
- For physical records: shredding, pulping or incineration.
- For electronic records: use dedicated software that can overwrite selected files or the entire storage drive, use specialised hardware appliances designed for data destruction, or physically destroy the storage device (by crushing, drilling, or shredding).
FAQ 5: What are ‘data intermediaries’? How are they different from other ‘organisations’?
Singapore’s PDPA draws a distinction between two categories of entities: ‘data intermediaries’ and ‘organisations’. Under other laws, the former are termed ‘processors’ and the latter ‘controllers’. Given their distinct roles in managing an individual's personal data, these entities bear different responsibilities for data protection.
Within the framework of the PDPA, a ‘data intermediary’ is defined as an entity that processes personal data on behalf of another organisation. Examples include an entity providing letter shopping services, or any external vendor tasked with processing work that involves personal data. Data intermediaries usually lack direct interaction with individuals and instead adhere to contractual data protection commitments, including restrictions on accessing and processing personal data.
FAQ 6: How does PDPA benefit businesses?
The aim of the PDPA is to strike a balance between encouraging business innovation and ensuring ethical utilisation of personal data, thereby safeguarding consumer interests. This dual focus serves to bolster Singapore's economic competitiveness and solidify its reputation as a reliable and favoured hub for worldwide data management and processing services.
Finally, adhering to the PDPA helps promote and improve the customer experience. Knowing that they are dealing with an organisation that pays heed to data governance, customers’ confidence in the brand will improve too.