Personal Data Protection Act 2012
The Personal Data Protection Act 2012 (the "Act") sets out the law on data protection in Singapore. Apart from establishing a general data protection regime, the Act also regulates telemarketing practices.
| Personal Data Protection Act 2012 | |
|---|---|
| Citation | No. 26 of 2012 |
| Enacted by | Parliament of Singapore |
| Passed | 15 October 2012 |
| Assented to | 20 November 2012 |
| Legislative history | |
| Bill | Personal Data Protection Bill |
| Introduced by | Assoc Prof Dr Yaacob Ibrahim |
| Status | In force |
Structure of the Act
The Act is arranged into ten Parts:
- Part I: Preliminary
- Part II: Personal Data Protection Commission and administration
- Part III: General rules with respect to protection of personal data
- Part IV: Collection, use and disclosure of personal data
- Part V: Access to and correction of personal data
- Part VI: Care of personal data
- Part VII: Enforcement of Parts III to VI
- Part VIII: Appeals to Data Protection Appeal Committee, High Court and Court of Appeal
- Part IX: Do Not Call Registry
- Part X: General
Personal Data Protection Commission
The Act establishes the Personal Data Protection Commission ("PDPC"). The PDPC is Singapore's primary data protection authority, and also administers the Do Not Call Registry. Among other matters, the PDPC issues advisory guidelines on the Act, and also enforces the Act.[1]
Advisory guidelines
The PDPC publishes a comprehensive set of guidelines. The guidelines provide guidance on how the PDPC interprets the Act. They are advisory in nature, and are not legally binding. The guidelines serve as accessible reference material for organisations seeking to comply with the Act.[2]
Data protection
The Act establishes a general data protection regime, comprising nine data protection obligations which are imposed on organisations.[3]
- Consent Obligation
- Purpose Limitation Obligation
- Notification Obligation
- Access and Correction Obligation
- Accuracy Obligation
- Protection Obligation
- Retention Limitation Obligation
- Transfer Limitation Obligation
- Openness Obligation
The PDPC's Advisory Guidelines on Key Concepts in the Personal Data Protection Act[4] gives detailed guidance on each of these obligations.
Consent Obligation
The Consent Obligation is the first data protection obligation in the Act. According to the PDPC:[4]
An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.
Purpose Limitation Obligation
The Purpose Limitation Obligation is the second data protection obligation in the Act. According to the PDPC:[4]
An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
Notification Obligation
The Notification Obligation is the third data protection obligation in the Act. According to the PDPC:[4]
An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual's personal data on or before such collection, use or disclosure of the personal data.
Access and Correction Obligation
The Access and Correction Obligation is the fourth data protection obligation in the Act. According to the PDPC:[4]
An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual's personal data that is in the possession or under the control of the organisation.
Accuracy Obligation
The Accuracy Obligation is the fifth data protection obligation in the Act. According to the PDPC:[4]
An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation.
Protection Obligation
The Protection Obligation is the sixth data protection obligation in the Act. According to the PDPC:[4]
An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Retention Limitation Obligation
The Retention Limitation Obligation is the seventh data protection obligation in the Act. According to the PDPC:[4]
An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.
Transfer Limitation Obligation
The Transfer Limitation Obligation is the eighth data protection obligation in the Act. According to the PDPC:[4]
An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.
Openness Obligation
The Openness Obligation is the ninth data protection obligation in the Act. According to the PDPC:[4]
An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.
Telemarketing
The Act also regulates telemarketing practices in Singapore.
First, the Act establishes the Do Not Call Registers, on which telephone numbers may be registered. As of 30 April 2017, there are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind (e.g. text message) to that telephone number.[5]
Second, the Act imposes duties to provide information on, and to not conceal, the identities of the senders of marketing messages.[6]
The PDPC's Advisory Guidelines on the Do Not Call Provisions[7] gives detailed guidance on the Do Not Call provisions of the Act.
References
1. "Who We Are". Personal Data Protection Commission. Retrieved 30 April 2017.
2. "Guidelines". Personal Data Protection Commission. Retrieved 1 May 2017.
3. "Overview". Personal Data Protection Commission. Retrieved 30 April 2017.
4. "Advisory Guidelines On Key Concepts In The Personal Data Protection Act". Personal Data Protection Commission. Retrieved 1 May 2017.
5. "Do Not Call Registry & You". Personal Data Protection Commission. Retrieved 30 April 2017.
6. "Do Not Call Registry & Your Business". Personal Data Protection Commission. Retrieved 30 April 2017.
7. "Advisory Guidelines On The Do Not Call Provisions". Personal Data Protection Commission. Retrieved 1 May 2017.