to the personal data protection act 2012
All enquiries may be addressed to:
Charmian Aw
Director, Telecommunications, Media and Technology Practice Group
10 Collyer Quay #10-01 Ocean Financial Centre
Singapore 049315
Tel: +65 6531 2235
Fax: +65 6535 4864
Email: charmian.aw@drewnapier.com
COPYRIGHT
All rights reserved. No part of this publication may be reproduced, stored in any retrieval system, or transmitted, in any form or by
any means, whether electronic or mechanical, including photocopying and recording, without the permission of the copyright holder.
IMPORTANT DISCLAIMER: We have sought to state the law as at 7 December 2015. Drew & Napier LLC accepts no liability for, and
does not guarantee the accuracy of, information or opinion contained in this document. This document covers a wide range of topics
and is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. It should not be
treated as a substitute for specific advice on specific situations.
Published by
Printed in Singapore
introduction
to the Personal Data Protection Act 2012
The Personal Data Protection Act 2012 (PDPA) lays out a framework
regarding personal data protection for private organisations. With the
vast amount of personal data that organisations collect daily, it is
important that organisations comply with the PDPA. Organisations
may choose to engage external legal advice to ensure compliance
with PDPA obligations.1
1 Refer to list of resources below for the link to the Legal Advice Scheme by the Law Society of Singapore
2 Further materials can be found in the list of resources below
personal data protection obligations
1. Consent Obligation
Prior consent must be obtained from the individual, who must be allowed to withdraw such consent
3. Notification Obligation
Notify individuals of purpose for collecting personal data on or before collection
5. Accuracy Obligation
Ensure that personal data is accurate and complete
6. Protection Obligation
Make reasonable security arrangements to protect personal data
7. Retention Obligation
Cease retention of personal data when there is no legal or business purpose
9. Openness Obligation
Make personal data protection policies and complaint process publicly available
1, 2, & 3. consent, purpose limitation and notification obligations
These include:
o NRIC or FIN number
o Passport number
o Photograph or video image of an individual
o Mobile telephone number
o Personal email address
o Thumbprint
o DNA profile
o Name and residential address
o Name and residential telephone number

Best Practice Standards

Prepare and regularly maintain an inventory map. It should include:
o What personal data is collected and why
o Who collects it
o Where it is stored
o Who it is disclosed to

Personal data should only be collected, used or disclosed for purposes consented to by relevant individuals.

Data collection form should indicate fields that are compulsory and those that are optional.

Where verbal consent is given, organisation should subsequently

Where personal data is to be disclosed without consent of individual, organisation should first refer to the Fourth Schedule and ensure that it is permitted to do so.

Where a data intermediary is involved, organisation should ensure that the intermediary engaged
4. Access & Correction Obligation
5. Accuracy Obligation
6. Protection Obligation
4 Refer to Appendix 1 for what constitutes data intermediaries and the relevant obligations
7. Retention Limitation Obligation
Ensure that data intermediaries5 comply with the PDPA:
o Review the contract with data intermediaries and ensure that they destroy personal data in accordance with the organisation's policy.
5 Refer to Appendix 1 for what constitutes data intermediaries and the relevant obligations
8. Transfer Limitation Obligation
9. The Openness Obligation
o Ensure that top management are also aware of their obligations.

Formulate a compliance manual to assist employees in abiding by the PDPA.
do not call (DNC) provisions
The Do-Not-Call Obligation
DNC Flowchart
[Flowchart not reproduced. Recoverable elements: first decision "1. Is message sent or received in Singapore?"; outcome "DNC provisions do not apply".]
appendix
Appendix
5. The personal data of employees should only be accessed by authorised personnel. Request for access must be justified.
6. Employees' personal data should not be disclosed to third parties.
a. If the disclosure to a third party is necessary, ensure that the third party has signed a non-disclosure agreement of the personal data.
7. All employees should keep the data protection officer updated if there are any changes to their personal data, and are responsible for ensuring that the personal data is complete and accurate.
8. Regularly review personal data and ensure timely destruction of personal data that is no longer necessary.
a. Employ proper methods of disposing of employees' personal data.
resources
List of Resources
personal-data-safe-with-your-organisation-v1-0.pdf?sfvrsn=2
7. Personal Data Protection Commission Singapore, Personal Data Protection Checklist for Organisations http://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/pdpc-checklist-for-orgs-v2-0.pdf?sfvrsn=2
8. Personal Data Protection Commission Singapore, Personal Data Protection Toolkit in dual languages https://www.pdpc.gov.sg/docs/default-source/publications-edu-materials/pdp_toolkit.pdf?sfvrsn=8
9. Do-Not-Call Registry http://www.dnc.gov.sg/index.html
10. PDPA Legal Advice Scheme by the Law Society of Singapore http://www.lawsociety.org.sg/forPublic/PDPALegalAdviceScheme.aspx
11. DPO Connect Newsletter https://www.pdpc.gov.sg/resources/dpo-connect