Law and the regulatory authority
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The main data protection legislation in Singapore is the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).
The PDPA applies to all organisations that collect, use or disclose personal data in Singapore unless one of the exclusions under section 4 of the PDPA applies. The main data protection obligations imposed on organisations concerning the collection, use, disclosure, access to, correction and care of personal data are set out in Parts III to VIB of the PDPA (the Data Protection Provisions).
The PDPA also provides for the establishment of the Personal Data Protection Commission (PDPC), the data protection authority.
The PDPA recently underwent its first comprehensive review since its enactment in 2012. The Personal Data Protection (Amendment) Act 2020 (the Amendment Act), which was passed in Parliament on 2 November 2020, sets out extensive changes, the majority of which came into effect on 1 February 2021.
There are various regulations and advisory guidelines under the PDPA that deal with specific issues in greater detail. For example, the Personal Data Protection Regulations 2021 (the PDP Regulations) supplement the PDPA in four key areas:
The other regulations issued under the PDPA include:
Also, the PDPC has issued several advisory guidelines and guides to provide greater clarity on the interpretation of the PDPA. The PDPC has also developed sector-specific advisory guidelines for:
On 20 February 2018, Singapore became the sixth Asia-Pacific Economic Cooperation (APEC) economy to participate in the APEC Cross-Border Privacy Rules (CBPR) system. Singapore also became the second APEC economy to participate in the APEC Privacy Recognition for Processors (PRP) system. Collectively, the CBPR and PRP systems allow a smoother exchange of personal data among certified organisations in participating economies and ensure that data protection standards are maintained for consumers in the Asia-Pacific region.
The formulation of the PDPA framework has taken into account international best practices on data protection. As indicated during the second reading of the PDPA in Parliament, the then Minister of Information, Communications and the Arts had referred to the data protection frameworks in key jurisdictions such as Canada, New Zealand, Hong Kong and the European Union, as well as the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework, in developing the PDPA framework.
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
The PDPA is administered and enforced by the PDPC. With effect from 1 October 2016, the PDPC has been subsumed as a department under the Info-communications Media Development Authority (IMDA).
The PDPC may initiate an investigation to determine whether an organisation complies with the PDPA, upon receipt of a complaint or on its own motion.
According to the Advisory Guidelines on Enforcement of Data Protection Provisions, the factors that the PDPC may consider in deciding whether to commence an investigation include:
In the course of its investigation, the PDPC’s powers include:
The PDPC is also empowered to review complaints concerning access, correction and data porting requests.
The PDPA also establishes the Data Protection Advisory Committee, which advises the PDPC on matters relating to the review and administration of the personal data protection framework, such as key policy and enforcement issues.
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The PDPC may enter into a cooperation agreement with a foreign data protection authority for data protection matters such as cross-border cooperation. Cooperation may take the form of information exchange or any other assistance as necessary to assist in the enforcement or administration of data protection laws.
Specifically, section 10 of the PDPA provides that the cooperation agreement has to be entered into for the purposes of:
In this regard, the cooperation agreement may include provisions to:
Under the PDPA, the PDPC may furnish information to a foreign data protection authority pursuant to a cooperation agreement only if it requires of, and obtains from, that authority a written undertaking that it will comply with the terms specified in that agreement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the PDPC.
Where the information requested contains personal data that is treated as confidential under the PDPA, the PDPC may only disclose the information to the foreign data protection authority if the following conditions are satisfied:
The PDPC is also a participant in the Asia-Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement (APEC CPEA), which creates a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities.
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Generally, the powers of the PDPC in the enforcement of any breach of data protection law include:
Any individual affected by an organisation’s non-compliance with any of the Data Protection Provisions may lodge a complaint with the PDPC. Upon receipt of a complaint, the PDPC may investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution.
Concerning alternative dispute resolution (ADR), under section 48G(1) of the PDPA, the PDPC is provided with the power to establish or approve one or more dispute resolution schemes, and to direct complainants to resolve disputes via mediation, without the need to secure the consent of both parties.
As to the type of enforcement action it may take, the PDPC may choose to do any one of the following:
The PDPC may discontinue investigations and simply issue an advisory notice where the impact is assessed to be low. Section 50 of the PDPA sets out circumstances in which the PDPC may do so, including where a complainant has not complied with a direction, the parties involved have mutually agreed to settle, or any party has commenced legal proceedings in respect of any contravention of the PDPA.
The PDPC may accept a voluntary undertaking from any organisation, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent a recurrence. The organisation’s request to invoke the undertaking process must be made very soon after the incident is known. The PDPC is unlikely to accept an undertaking request in certain cases (eg, where the organisation refutes responsibility for the data breach incident, or where it is a repeat incident entailing a similar cause of the breach).
Section 48L of the PDPA empowers the PDPC to accept statutory undertakings from an organisation when the PDPC has reasonable grounds to believe that an organisation has not complied, is not complying or is likely not to comply with the PDPA.
Where an organisation is found not to have complied with any term of the voluntary undertaking, the PDPC may take action that it thinks fit in the circumstances, which may include issuing directions and imposing available enforcement remedies.
The PDPC may issue an expedited breach decision at its discretion in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA. The expedited breach decision will achieve the same enforcement outcome as a full investigation. Where financial penalties are involved, the organisation’s admission of its role in the incident could be taken as a mitigating factor. However, admissions are unlikely to be considered as a strong mitigating factor for repeated data breaches. The organisation must make a written request to the PDPC for an expedited decision very soon after the incident is known to the organisation.
For incidents with high impact, and where facilitation or mediation is inappropriate in the circumstances (eg, where there is a disclosure of personal data on a large scale or where the personal data disclosed could cause significant harm), the PDPC may initiate a full investigation.
Where the PDPC is satisfied that an organisation has intentionally or negligently contravened any of the Data Protection Provisions under the PDPA, it is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
Concerning the quantum of financial penalty, the Amendment Act will empower the PDPC to impose higher financial penalties (ie, up to a maximum of 10 per cent of the organisation’s annual turnover in Singapore, or S$1 million, whichever is higher). However, this provision will only come into effect from 1 October 2022.
In assessing the seriousness of a data breach, the PDPC may consider several factors, including the following:
To date, the PDPC has issued more than 100 published grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation (ie, section 24 of the PDPA). On 15 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on SingHealth Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients to be compromised.
Any person who suffers loss or damage directly as a result of a contravention of any of the Data Protection Provisions may also commence a private civil action in respect of such loss or damage suffered.
Part IXB of the PDPA sets out offences relating to the egregious mishandling, by individuals, of personal data in the possession of or under the control of an organisation or a public agency:
Under section 48F, if an individual takes any action to re-identify, or cause the re-identification of, anonymised information in the possession or under the control of an organisation or a public agency, where that re-identification is not authorised, and the individual does so knowing that it is not authorised or is reckless as to whether it is authorised, that individual shall be guilty of an offence.
The penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding two years, or both. However, certain defences are provided for in respect of these offences, for example, where the accused used, disclosed or reidentified the data in the reasonable belief that the accused had the legal right to do so, and was not reckless as to whether this was so.
Section 51 of the PDPA also sets out certain offences relating to, among others, obstructing or hindering the PDPC in the performance of any function or duty, or the exercise of any power, under the PDPA. It is also an offence for an organisation or a person, without reasonable excuse, to neglect or refuse to either provide any information or produce any document that the organisation or person is required to provide or produce to the PDPC or an inspector or attend before the PDPC or inspector as required.
Scope
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) applies to all organisations in Singapore, regardless of their scale or size.
An ‘organisation’ is defined broadly under the PDPA as including any individual, company, association or body of persons, corporate or unincorporated, and whether or not formed or recognised under the law of Singapore, or resident or having an office or place of business in Singapore.
Certain categories of organisations are carved out of the application of the Data Protection Provisions of the PDPA, such as:
The PDPA is intended to set a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) existing laws and regulations. The PDPA provides that the general data protection framework does not affect any right or obligation under the law and that in the event of any inconsistency, the provisions of other written laws will prevail.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
To the extent that personal data is collected, used or disclosed in the interception of communications and in the monitoring and surveillance of individuals, the PDPA applies to the organisation collecting, using or disclosing such data. As such, the individual’s prior consent is required before any collection takes place unless an exception to consent applies or the collection is otherwise authorised under law.
Also, where an organisation collecting such personal data via the interception of communications or the performance of surveillance or monitoring activities is a public agency (eg, the Singapore Police Force or the Info-communications Media Development Authority (IMDA)), such collection is excluded from the application of the PDPA.
Apart from the PDPA, there are provisions in other laws or regulations that allow for the interception of communications and the monitoring and surveillance of individuals. Below is a non-exhaustive list of such provisions:
Generally, where the personal data of an individual is collected, used and disclosed for marketing purposes, the consent of the individual concerned must be obtained and such consent must not have been obtained as a condition for the provision of a product or service where it would not be reasonably required to provide that product or service. The Personal Data Protection Commission (PDPC) has noted in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 1 February 2021) (Key Concepts Guidelines) that a failure to opt out will not be regarded as consent in all situations, and recommended that organisations obtain consent from an individual through a positive action of the individual (eg, opt-in consent).
Concerning the sending of marketing communications by telephone call or text messaging (or fax) to a Singapore telephone number, Part IX of the PDPA (ie, the Do Not Call (DNC) Provisions) requires an organisation to:
A limited exception exists concerning sending messages to individuals with whom the organisation has an ongoing relationship.
Concerning the duty to check the DNC Register, section 43A of the PDPA imposes obligations on third-party checkers to communicate accurate DNC Register query results to the organisations on whose behalf they are checking the DNC Register.
Further, Part IXA of the PDPA contains a prohibition concerning the sending of applicable messages to telephone numbers generated or obtained through the use of dictionary attacks and address harvesting software.
The DNC Provisions (which used to be enforced as criminal offences) are now enforced under the same administrative regime as the Data Protection Provisions. If the organisation is found to have intentionally or negligently contravened any provision, the PDPC may require the organisation to pay a financial penalty not exceeding:
For a contravention of the prohibition on the use of dictionary attacks and address-harvesting software under the DNC Provisions, the maximum financial penalty will increase to 5 per cent of the organisation’s annual turnover in Singapore, where the organisation’s annual turnover in Singapore exceeds S$20 million. However, this enhanced financial penalty will only come into effect on 1 October 2022.
Complementing the DNC Provisions of the PDPA, the Spam Control Act (Cap 311A) (the Spam Control Act) regulates the bulk sending of unsolicited commercial electronic messages to email addresses or mobile telephone numbers.
Section 11 read with the Second Schedule of the Spam Control Act requires any person who ‘sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages (which includes emails, instant messages (on platforms such as Telegram and WeChat) and short message service or multimedia message service) in bulk’ to comply with certain obligations. These include, among others, requirements that unsolicited commercial electronic messages must contain:
Section 9 of the Spam Control Act also prohibits electronic messages from being sent to electronic addresses generated or obtained through the use of a dictionary attack or address-harvesting software.
The Spam Control Act provides for civil liability (including the grant of an injunction or the award of damages) against parties in breach of these requirements. Statutory damages of up to S$25 per message may be awarded, up to an aggregate of S$1 million (unless the plaintiff proves that his or her actual loss is higher).
Are there any further laws or regulations that provide specific data protection rules for related areas?
Before the enactment of the PDPA, Singapore did not have an overarching law governing the protection of PI, or personal data. The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks continue to operate alongside the PDPA.
Various other laws and regulations in Singapore set out specific data protection rules, some of which are sector-specific. For instance:
Concerning the financial sector, the Monetary Authority of Singapore (MAS) is empowered under the Monetary Authority of Singapore Act (Cap 186) and other sectoral legislation to issue directives and notices. Examples of MAS-issued regulatory instruments that are relevant to data protection include the Notices on Cyber Hygiene, the Notices and Guidelines on Technology Risk Management, the Notices and Guidelines on Prevention of Money Laundering and Countering the Financing of Terrorism, and the Guidelines on Outsourcing. These regulations operate alongside the PDPA and prevail to the extent of any inconsistency.
What categories and types of PI are covered by the law?
All formats of PI are covered under the PDPA, whether electronic or non-electronic and regardless of the degree of sensitivity. ‘Personal data’ is broadly defined under the PDPA as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Nonetheless, the PDPA provides for certain exceptions and limitations for the applicability of the Data Protection Provisions for certain types of personal data, such as personal data that is contained in a record that has been in existence for at least 100 years, or ‘business contact information’ as defined under the PDPA.
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
The Data Protection Provisions apply to all organisations that collect, use or disclose personal data in Singapore, regardless of whether they are formed or recognised under Singapore law or whether they are resident or have an office or place of business in Singapore. As such, organisations that are located overseas are still subject to the Data Protection Provisions as long as they collect, use or disclose personal data in Singapore. Also, organisations that collect personal data overseas and host or process it in Singapore will be subject to the relevant obligations under the PDPA from the point that such data is brought into Singapore.
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Yes, the PDPA regulates the collection, use and disclosure of personal data by an organisation. An organisation that collects, uses or discloses personal data is accordingly required to comply with the Data Protection Provisions under the PDPA.
A ‘data intermediary’, however, is exempt from the majority of the Data Protection Provisions under the PDPA. A data intermediary refers to an organisation that processes personal data on behalf of and for the purposes of another organisation (the primary organisation) pursuant to a written contract.
A data intermediary is only required to comply with the rules relating to:
A data intermediary that processes personal data in a manner that goes beyond the processing required under the written contract would not be considered a data intermediary and is subject to the full suite of Data Protection Provisions under the PDPA in respect of that processing.
Law stated date
Give the date on which the information above is accurate.
10 May 2021
© Copyright 2006 – 2022 Law Business Research