The Singapore government enacted the Personal Data Protection Act 2012 (PDPA) to protect individuals’ personal data from being misused or mismanaged by private organisations.
The PDPA places restrictions on how companies can reasonably collect, use, and disclose personal data. The Do Not Call (DNC) registry, for example, allows individuals to opt out of receiving telemarketing messages from organisations.
The PDPA also places a burden of care on companies to safeguard the security and regulate the flow of data within their organisation. The SingHealth data breach in 2018, which saw the personal particulars of over 1.5 million patients stolen, was considered one of the most serious breaches in the country, further highlighting the need for companies to strengthen their internal data protection protocols.
What is considered personal data in Singapore?
According to the PDPA, personal data is defined as any data, whether true or not, about an individual that allows them to be identified:
- a) from that data alone; or
- b) from that data and other information to which the organisation has or is likely to have access to.
Certain data types alone can be used to identify you. These “unique identifiers” include your:
- Full name
- NRIC number
- Passport number
- Personal mobile telephone number
- Facial image or recording
- Voice recording
- Iris image
- DNA profile
Other data types must be combined with additional information to identify you, and are not considered “unique identifiers”. These include your residential or business address, your occupation, and even your email and text messages. To prove that these data types constitute personal data, you would need to show that they fulfil requirement b).
What are my rights to data privacy as an individual?
You are allowed to deny or withdraw consent to use your personal data
Organisations have to inform you of why they are collecting your personal data and how they intend to use or disclose your data. Only upon obtaining your consent can they proceed.
Even if you have provided consent before, you are allowed to withdraw that consent later. However, the organisation is not required to delete or destroy any existing records of your personal data, and they are allowed to retain it for as long as there is a legal or business need.
You can request access to your personal data
You may ask to see all the personal data an organisation has about you, including information on how your data has been used or disclosed in the past year.
However, the organisation has the right to levy an administration fee or reject the request if it will cause harm to the safety of yourself or others, if it will reveal someone else’s personal data, or if it will be contrary to national interest.
You can request to correct your personal data
If you are aware of an error or omission in your personal data, you can request that the organisation corrects it and that they send the corrected information to any 3rd party organisation(s) they have shared or disclosed your personal data to within the past year.
Help! My personal information has been leaked
If you believe that your personal information has been leaked or disclosed without your consent, it is important to record any evidence such as screenshots or correspondence to build your case.
The Personal Data Protection Commission Singapore (PDPC) encourages you to first raise concerns directly with the organisation so that they may clarify their actions or remedy the situation.
Should that not work, you can get in touch with a corporate lawyer in Singapore for further advice. If an organisation is found to have tampered with your personal data or hidden information concerning its collection, use, or disclosure, they may be fined up to S$50,000.
Private organisations and PDPA compliance
Private organisations have a responsibility to ensure that any personal data under their care complies with the PDPA. Companies are expected to:
- Appoint at least one Data Protection Officer (DPO) and have their business contact information made available to the public.
- Inform their clients of the purposes of collecting personal data and seek consent.
- Make reasonable efforts to ensure their records of personal data are accurate and complete, and allow corrections.
- Respond to client requests for access to their personal data, including information on how their data has been used and disclosed in the past year.
- Maintain the security of any personal data held by the organisation.
Companies are liable for their employees’ actions, whether they are aware of them or not. Under the PDPA, organisations may be fined 10 percent of their annual turnover or S$1 million, whichever is higher, in the event of a data breach or failure to report a data breach.
At Tembusu Law, our team of corporate lawyers in Singapore are widely experienced in issues related to PDPA. Contact us today to discuss how we can help you ensure data and privacy compliance for long-term risk management.