Singapore – Developments: Personal Data Protection.

18 August, 2014





In today’s interconnected environment, a huge amount of personal data is being collected, used and disclosed to third parties for any number of reasons. The Singapore government believes that this trend will only grow exponentially as more sophisticated technology is developed. Many governments, including those in the EU, UK, Canada, Hong Kong, Australia and New Zealand, have in place laws and regulations to govern the collection, use and disclosure of personal data.


Through both references to other countries’ data protection acts and three extensive public consultations, Singapore developed the Personal Data Protection Act 2012 (No. 26 of 2012) (the “Act”). The Act aims to establish data protection laws that govern the collection, disclosure and care of personal data, while also balancing the rights of the individual to protect their personal data and the needs of organizations to use the same personal data for legitimate and reasonable purposes.


The Act was passed by the Singapore Parliament on 15 October 2012. The provisions relating to the DNC registry came into force on 2 January 2014, and the remainder of the data protection rules came into force on 2 July 2014.


With enforcement of the Act having already begun, it is vital that organizations take immediate action to be compliant with the Act if they have not already done so.


The Personal Data Protection Act 2012


The Act applies to private organizations or individuals who are not using the personal data for personal use. Personal data is data which, by itself or together with other obtainable information, may be used to identify an individual. While the Act does not apply to business contact information, the personal data of both employees and customers or clients of organizations is subject to the Act. The key highlights of the personal data protection provisions are as follows:


Collection, Use And Disclosure


  • To collect personal data only when reasonably necessary
  • To notify individuals of the purpose of such collection
  • To obtain consent from individuals prior to the collection of personal data


Access And Correction


  • Make available personal data upon request
  • Make corrections to personal data upon request


Accuracy, Protection And Retention


  • To use reasonable efforts to ensure accuracy of personal data
  • To make reasonable security arrangements to protect personal data
  • Not retain personal data longer than necessary


DNC Registry


Organizations are prohibited from sending certain marketing messages to Singapore telephone numbers registered in a DNC register.


Enforcement And Potential Liability


  • Complaints may be lodged against organizations to the Personal Data Protection Commission (PDPC)
  • The PDPC has the power to investigate and/or issue directions to the organization
  • The PDPC is empowered to direct organizations to:
      1. Stop collecting, using or disclosing personal data
      2. Destroy personal data collected
      3. Provide access to or correct personal data
      4. Pay financial penalties of up to SGD 1m
  • If individuals within an investigated organization are found to have obstructed the investigation, criminal sanctions of fines of up to SGD 100k and 12 months’ imprisonment may be brought
  • Organizations can also be liable for their employees’ breaches in the course of their employment, regardless of consent and/or knowledge


Compliance With The Act


While organizations in different industries will be affected by the Act in differing degrees, the organizations that deal directly with consumers, and thus have their personal data, generally have a greater burden under the Act. Nonetheless, all organizations will have to take action in order to comply with the Act, including:


  • Developing systems and processes to ensure compliance with the Act when collecting personal data
  • Tracking personal data that is transferred across organizations within the same group outside of Singapore
  • Ensuring that personal data is kept secure
  • Regular housekeeping of collected personal data
  • Putting into place processes to allow individuals to access and change collected personal data
  • Putting into place processes to allow input and complaints from the public on an organization’s data protection policies
  • Developing a system for complying with the DNC registry (if necessary)
  • Examining past collected personal data for compliance with the Act
  • Updating compliance manuals and procedures
  • Having ongoing communications with and periodic training for employees


The content of this briefing note is of general interest and is not intended to apply to specific circumstances.


The content should not, therefore, be regarded as constituting legal advice and should not be relied on as such.


Duane Morris Selvam LLP


For further information, please contact:


Derrick Boo, Duane Morris & Selvam
