The Personal Data Protection Act (PDPA) is Singapore’s main data privacy regulation law. It was enacted in 2012 and has since been amended in 2014 and 2020. The PDPA establishes a framework that governs the collection, use, and disclosure of personal data by organizations in Singapore.
Under the PDPA, personal data refers to any data that can be used to identify an individual, either on its own or when combined with other data. This includes names, addresses, phone numbers, email addresses, photographs, and national identification numbers.
Organizations that collect, use, or disclose personal data in Singapore are required to comply with the PDPA. This includes both private sector and public sector organizations, as well as non-profit organizations. The PDPA applies to organizations regardless of whether they are based in Singapore or overseas.
One of the key requirements of the PDPA is that organizations must obtain consent from individuals before collecting, using, or disclosing their personal data. The consent must be given voluntarily and based on an understanding of the purpose for which the personal data will be collected, used, or disclosed. Organizations must also provide individuals with information about the purposes for which their personal data will be used, and must take reasonable steps to ensure that the data is accurate and complete.
The PDPA also establishes requirements for the protection of personal data. Organizations must take reasonable security measures to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. They must also appoint a data protection officer (DPO) to oversee data protection matters within the organization.
In addition to the above requirements, the PDPA establishes rules for the transfer of personal data outside of Singapore. Organizations must ensure that the recipient of the personal data provides a standard of protection that is comparable to that provided by the PDPA. If the recipient is not in a jurisdiction that provides a comparable standard of protection, the organization must take additional measures to protect the personal data before transferring it.
The PDPA also establishes a number of enforcement mechanisms to ensure compliance with the law. The Personal Data Protection Commission (PDPC) is responsible for administering and enforcing the PDPA. The PDPC has the power to investigate and take enforcement action against organizations that violate the PDPA. Penalties for non-compliance can include fines of up to S$1 million or 10% of an organization’s annual turnover, whichever is higher.
In conclusion, the PDPA is Singapore’s main data privacy regulation law. It establishes a framework that governs the collection, use, and disclosure of personal data by organizations in Singapore. Organizations that collect, use, or disclose personal data in Singapore must comply with the PDPA’s requirements, including obtaining consent, protecting personal data, appointing a DPO, and complying with transfer requirements. Failure to comply with the PDPA can result in significant penalties.