Fort Towson

The Personal Data Protection Act 2012 ("PDPA") sets out the law on data protection in Singapore. The PDPA regulates the processing of personal data in the private sector.^[1]

Overview

The PDPA establishes a general data protection regime, originally comprising nine data protection obligations which are imposed on organisations: the Consent Obligation, the Purpose Limitation Obligation, the Notification Obligation, the Access and Correction Obligation, the Accuracy Obligation, the Protection Obligation, the Retention Limitation Obligation, the Transfer Limitation Obligation and the Openness Obligation (now referred to as the Accountability Obligation).^[2]

Major amendments to the PDPA were proposed and passed in 2020.^[3]^[4] Among other changes, a tenth data protection obligation was added, namely, the Data Breach Notification Obligation.^[5]

The PDPA also governs telemarketing in Singapore. It establishes the Do Not Call Registers, on which telephone numbers may be registered. There are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind to that telephone number.^[6]

Personal Data Protection Commission

The PDPA establishes the Personal Data Protection Commission ("PDPC") as the regulatory authority governing data protection in Singapore. The PDPC enforces the PDPA and publishes advisory guidelines on the interpretation of the PDPA.^[7] To date, the PDPC has enforced the PDPA against a number of organisations.^[8]^[9]^[10] Notable cases include SingHealth, which was implicated in the 2018 SingHealth data breach.^[11]

References

^ "Parliament: Public agencies not governed by PDPA because of fundamental differences in how they operate". The Straits Times.
^ Wong, Benjamin (2017). "Data privacy law in Singapore: the Personal Data Protection Act 2012". International Data Privacy Law. 7 (4): 287–302. doi:10.1093/idpl/ipx016.
^ "On protecting data while enabling innovation: 6 highlights from MPs' rigorous debate on PDPA amendments". The Straits Times.
^ "Parliament: Proposed changes to PDPA include stiffer fines for data breaches, mandatory notification when they occur". The Straits Times.
^ Personal Data Protection (Amendment) Act 2020. Singapore. 2 November 2020.
^ "Do Not Call Registry: An easy guide for consumers". The Straits Times.
^ "About Us". Personal Data Protection Commission. Retrieved 6 April 2021.
^ "CDP and two other organisations fined for data privacy breach". The Straits Times.
^ "Courts fined $9,000 for second data breach in two years". The Straits Times.
^ "Grab fined $10k over fourth data privacy breach in two years". The Straits Times.
^ "Singapore health system hit by 'most serious breach of personal data' in cyberattack; PM Lee's data targeted". CNA.

External links

Official text of the Act

[1] "Parliament: Public agencies not governed by PDPA because of fundamental differences in how they operate". The Straits Times.

[2] Wong, Benjamin (2017). "Data privacy law in Singapore: the Personal Data Protection Act 2012". International Data Privacy Law. 7 (4): 287–302. doi:10.1093/idpl/ipx016.

[3] "On protecting data while enabling innovation: 6 highlights from MPs' rigorous debate on PDPA amendments". The Straits Times.

[4] "Parliament: Proposed changes to PDPA include stiffer fines for data breaches, mandatory notification when they occur". The Straits Times.

[5] Personal Data Protection (Amendment) Act 2020. Singapore. 2 November 2020.

[6] "Do Not Call Registry: An easy guide for consumers". The Straits Times.

[7] "About Us". Personal Data Protection Commission. Retrieved 6 April 2021.

[8] "CDP and two other organisations fined for data privacy breach". The Straits Times.

[9] "Courts fined $9,000 for second data breach in two years". The Straits Times.

[10] "Grab fined $10k over fourth data privacy breach in two years". The Straits Times.

[11] "Singapore health system hit by 'most serious breach of personal data' in cyberattack; PM Lee's data targeted". CNA.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category