Singapore’s Personal Data Protection Act (PDPA) is the principal data protection law in Singapore, governing how organizations collect, use and disclose individuals’ personal data. The PDPA was passed by the Parliament of Singapore on 15 October 2012 and came into force in three phases: the provisions establishing the regulator took effect on 2 January 2013, the Do Not Call provisions on 2 January 2014, and the main data protection rules on 2 July 2014.
On 2 November 2020, Parliament passed the Personal Data Protection (Amendment) Act, which substantially revised the 2012 Act. The amendments came into force in phases from 1 February 2021, and many businesses had to revise their privacy policies and practices as a result.
This guide walks through the Singapore PDPA so you can comply with its requirements.
What Does PDPA Do?
The PDPA sets a baseline standard of personal data protection across Singapore’s economy and operates alongside existing sector-specific legislation and rules. It protects personal data held by organizations by imposing obligations on how that data may be collected, used, disclosed, retained and secured. Where a sectoral law imposes a stricter standard, that law continues to apply: for instance, the banking secrecy provisions of the Banking Act (Chapter 19), as amended, continue to govern customer information held by banks.
The PDPC has issued a number of advisory guidelines that explain how it interprets and applies the PDPA, and organizations are expected to follow them.
All advisory guidelines and guides are available on the PDPC’s website.
Key regulator for data protection - PDPC
The Personal Data Protection Commission (PDPC) is the regulatory authority responsible for administering and enforcing the PDPA.
The PDPC sits within the Infocomm Media Development Authority (IMDA), the converged telecommunications and media regulator, which is a statutory board under the Ministry of Communications and Information.
Key powers, duties and obligations
The main powers, duties, and obligations of the PDPC are as follows:
- To promote awareness of data protection in Singapore
- To provide consultancy, advisory, technical, managerial or other specialist services relating to data protection
- To advise the Government of Singapore on all matters relating to data protection
- To represent the Government internationally on matters relating to data protection
- To conduct research and studies and promote educational activities relating to data protection, including organizing and conducting seminars and workshops, and to support organizations that carry out such activities
- To administer and enforce the PDPA
- To carry out functions conferred on the PDPC under any other written law
- To engage in such other activities and perform such other functions as the Minister may permit or assign to the PDPC
DATA SUBJECT RIGHTS
Here is what you need to know about the rights individuals have under Singapore’s Personal Data Protection Act. The Act is primarily concerned with giving individuals in Singapore control over their personal data.
Here are the key data rights under the PDPA:
1. Right to be informed
There is no standalone right to be informed under the PDPA, but organizations are subject to several obligations under the Act that require them to notify individuals when their personal data is collected, used or disclosed in certain circumstances.
First, under the Notification Obligation, an organization must inform the individual of the purposes for which it intends to collect, use or disclose their personal data, on or before that collection, use or disclosure.
Separately, when an individual makes an access request, the organization must also tell them how their personal data has been or may have been used or disclosed in the year before the request.
Under the Accountability Obligation, an organization must develop and implement the policies and practices necessary to meet its obligations under the PDPA, and must designate at least one individual (commonly called the data protection officer) to be responsible for compliance.
Organizations must also make information about those policies and practices available on request, typically through a published privacy policy and a data protection contact channel.
Finally, under the Data Breach Notification Obligation introduced by the 2020 amendments, an organization that suffers a data breach that results in, or is likely to result in, significant harm to affected individuals, or that is of a significant scale, must notify the PDPC, and must also notify the affected individuals where significant harm is likely, unless a specific exception applies.
2. Right of access
Organizations are required to give individuals access to their personal data under the PDPA. An organization must, on request, allow an individual to access personal data about them.
Under the Access Obligation (section 21 of the PDPA), an organization must respond to an individual’s request to access their personal data. After receiving a request, the organization must, as soon as reasonably possible, give the individual the personal data about them that is in its possession or under its control, together with information about how that personal data has been or may have been used or disclosed by the organization within the year before the date of the request.
The organization must provide a copy of the personal data in documentary form, or in another form requested by the individual. If that is impracticable, the organization may instead give the individual a reasonable opportunity to examine the personal data.
Under the Access Obligation, organizations may charge a reasonable fee for responding to an access request; this helps deter frivolous or bulk requests.
Before charging, the organization must give the applicant a written estimate of the fee. If it wishes to charge more than the estimate, it must notify the applicant in writing of the higher fee. An organization is not required to respond to the access request until the applicant agrees to pay the fee.
There are exceptions under which an organization may, or in some cases must, withhold access to personal data. For example:
- where access would reveal personal data about another individual, or would be contrary to the national interest
- where the burden or expense of providing access would be unreasonable to the organization or disproportionate to the individual’s interests, or the request is otherwise frivolous or vexatious
The full list of exceptions is set out in the Fifth Schedule to the PDPA, and further rules on the Access Obligation are found in Part 2 of the Personal Data Protection Regulations.
In addition, an organization that refuses to give access to personal data requested under the Access Obligation must preserve a complete and accurate copy of that personal data for not less than the prescribed period, which is 30 calendar days after the date of the refusal.
3. Right to correction
Organizations operating in Singapore are subject to the Correction Obligation. An organization must, on request, allow an individual to correct an error or omission in personal data about them that is in its possession or under its control.
Individuals may ask an organization to correct inaccurate personal data in its possession or under its control, subject to the exceptions in the Sixth Schedule to the PDPA. The organization may decline to make the correction if it is satisfied on reasonable grounds that the correction should not be made. Where no correction is made, the organization must annotate the personal data in its possession or under its control with the correction that was requested but not made.
Where a correction is made, the organization must also send the corrected personal data to every other organization to which it disclosed that data within a year before the correction, unless that other organization does not need the corrected data for any legal or business purpose.
Unlike access requests, organizations may not charge a fee for correction requests.
If an organization is unable to respond to an access or correction request within 30 days of receiving it, it must inform the individual in writing of the time by which it will respond.
4. Right to erasure
The PDPA does not give individuals a standalone right to require an organization to delete or anonymize personal data in its possession or under its control. However, under the Retention Limitation Obligation, an organization must cease to retain documents containing personal data, or anonymize the data, as soon as it is reasonable to assume that the purpose for which the data was collected is no longer served by retaining it and retention is no longer necessary for legal or business purposes.
5. Right to object / opt out
An individual may withdraw consent to the collection, use or disclosure of their personal data at any time by giving reasonable notice to the organization. Withdrawal does not affect any legal consequences arising from the withdrawal.
When an individual withdraws consent, the organization must inform them of the likely consequences; in particular, withdrawing certain kinds of consent may mean the organization can no longer provide the requested service.
6. Right to data portability
At present, individuals do not have a right to data portability under the PDPA. Once the data portability provisions introduced by the 2020 Amendment Act come into force, an individual will be able to make a data portability request. On receiving such a request, the organization must (unless an exception applies) transmit the personal data specified in the request to the receiving organization, in accordance with any prescribed requirements, including requirements relating to technical specifications, user experience and consumer protection, and within the prescribed time.