Personal Data Protection Act 2012 (Singapore)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Personal Data Protection Act 2012
Parliament House Singapore.jpg
An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith, and to make related and consequential amendments to various other Acts.
CitationNo. 26 of 2012
Enacted byParliament of Singapore
Date passed15 October 2012
Date assented to20 November 2012
Legislative history
BillPersonal Data Protection Bill
Introduced byAssoc Prof Dr Yaacob Ibrahim
Status: In force

The Personal Data Protection Act 2012 (the "Act") sets out the law on data protection in Singapore. Apart from establishing a general data protection regime, the Act also regulates telemarketing practices.

Structure of the Act[edit]

The Act is arranged into ten Parts:

Part I: Preliminary
Part II: Personal Data Protection Commission and administration
Part III: General rules with respect to protection of personal data
Part IV: Collection, use and disclosure of personal data
Part V: Access to and correction of personal data
Part VI: Care of personal data
Part VII: Enforcement of Parts III to VI
Part VIII: Appeals to Data Protection Appeal Committee, High Court and Court of Appeal
Part IX: Do Not Call Registry
Part X: General

Personal Data Protection Commission[edit]

The Act establishes the Personal Data Protection Commission ("PDPC"). The PDPC is Singapore's primary data protection authority, and also administers the Do Not Call Registry. Among other matters, the PDPC issues advisory guidelines on the Act, and also enforces the Act.[1]

Advisory guidelines[edit]

The PDPC publishes a comprehensive set of guidelines. The guidelines provide guidance on how the PDPC interprets the Act. They are advisory in nature, and are not legally binding. The guidelines serve as accessible reference material for organisations seeking to comply with the Act.[2]

Data protection[edit]

The Act establishes a general data protection regime, comprising nine data protection obligations which are imposed on organisations.[3]

  1. Consent Obligation
  2. Purpose Limitation Obligation
  3. Notification Obligation
  4. Access and Correction Obligation
  5. Accuracy Obligation
  6. Protection Obligation
  7. Retention Limitation Obligation
  8. Transfer Limitation Obligation
  9. Openness Obligation

The PDPC's Advisory Guidelines on Key Concepts in the Personal Data Protection Act[4] gives detailed guidance on each of these obligations.

Consent Obligation[edit]

The Consent Obligation is the first data protection obligation in the Act. According to the PDPC:[5]

An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

Purpose Limitation Obligation[edit]

The Purpose Limitation Obligation is the second data protection obligation in the Act. According to the PDPC:[6]

An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

Notification Obligation[edit]

The Notification Obligation is the third data protection obligation in the Act. According to the PDPC:[7]

An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual's personal data on or before such collection, use or disclosure of the personal data.

Access and Correction Obligation[edit]

The Access and Correction Obligation is the fourth data protection obligation in the Act. According to the PDPC:[8]

An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual's personal data that is in the possession or under the control of the organisation.

Accuracy Obligation[edit]

The Accuracy Obligation is the fifth data protection obligation in the Act. According to the PDPC:[9]

An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation.

Protection Obligation[edit]

The Protection Obligation is the sixth data protection obligation in the Act. According to the PDPC:[10]

An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Retention Limitation Obligation[edit]

The Retention Limitation Obligation is the seventh data protection obligation in the Act. According to the PDPC:[11]

An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.

Transfer Limitation Obligation[edit]

The Transfer Limitation Obligation is the eighth data protection obligation in the Act. According to the PDPC:[12]

An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

Openness Obligation[edit]

The Openness Obligation is the ninth data protection obligation in the Act. According to the PDPC:[13]

An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available

Telemarketing[edit]

The Act also regulates telemarketing practices in Singapore.

First, the Act establishes the Do Not Call Registers, on which telephone numbers may be registered. As of 30 April 2017, there are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind (e.g. text message) to that telephone number.[14]

Second, the Act imposes duties to provide information on, and to not conceal, the identities of the senders of marketing messages.[15]

The PDPC's Advisory Guidelines on the Do Not Call Provisions[16] gives detailed guidance on the Do Not Call provisions of the Act.

References[edit]

  1. ^ "Who We Are". Personal Data Protection Commission. Retrieved 30 April 2017.
  2. ^ "Guidelines". Personal Data Protection Commission. Retrieved 1 May 2017.
  3. ^ "Overview". Personal Data Protection Commission. Retrieved 30 April 2017.
  4. ^ "Advisory Guidelines On Key Concepts In The Personal Data Protection Act". Personal Data Protection Commission. Retrieved 1 May 2017.
  5. ^ Ibid.
  6. ^ Ibid.
  7. ^ Ibid.
  8. ^ Ibid.
  9. ^ Ibid.
  10. ^ Ibid.
  11. ^ Ibid.
  12. ^ Ibid.
  13. ^ Ibid.
  14. ^ "Do Not Call Registry & You". Personal Data Protection Commission. Retrieved 30 April 2017.
  15. ^ "Do Not Call Registry & Your Business". Personal Data Protection Commission. Retrieved 30 April 2017.
  16. ^ "Advisory Guidelines On The Do Not Call Provisions". Personal Data Protection Commission. Retrieved 1 May 2017.

External links[edit]

Further reading[edit]