PDPC Guidelines and Their Coverage
What is PDPC?
The PDPC provides only general information and clarification in response to inquiries. It is important to note that the PDPC does not provide legal advice, or specific advice on an inquiry that may require a certain standard or decision to be made under the PDPC guidelines. The PDPC's response to a query is not a substitute for legal advice and is not legally binding on the PDPC or any other party. You may wish to seek independent legal advice if you are in doubt.
Prior to the enactment of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), Singapore did not have an overarching law governing the protection of personally identifiable information. The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation, and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks will continue to operate alongside the PDPA.
The PDPA was implemented in three phases. On 2 January 2013, selected provisions of the PDPA came into operation. These include provisions that:
- set out the scope and interpretation of the PDPA;
- provide for the establishment of the Personal Data Protection Commission (PDPC) and the Data Protection Advisory Committee (DPAC); and
- provide for the establishment of Do-Not-Call (DNC) registers by the PDPC and other general provisions of the PDPA.
On 2 January 2014, provisions relating to the DNC registry came into force, and the main data protection provisions under Parts III to VI of the PDPA came into effect on 2 July 2014. The main data protection provisions set out the obligations of organisations with respect to the collection, use, disclosure, access to, correction and care of personal data.
There are various regulations and advisory guidelines under the PDPA which deal with specific issues in greater detail.
The Personal Data Protection Regulations 2014 (the PDP Regulations) were gazetted on 19 May 2014. The PDP Regulations supplement the PDPA in three key areas as follows:
- the requirements for transfers of personal data out of Singapore;
- the form, manner, and procedures for making and responding to requests for access to or correction of personal data; and
- persons who may exercise rights in relation to the disclosure of personal data of deceased individuals.
The other regulations issued under the PDPA are:
- Personal Data Protection (Composition of Offences) Regulations 2013;
- Personal Data Protection (Do Not Call Registry) Regulations 2013;
- Personal Data Protection (Enforcement) Regulations 2014; and
- Personal Data Protection (Appeal) Regulations 2015.
In addition, the PDPC has issued a number of advisory guidelines (the PDPC guidelines) and guides to provide greater clarity on the interpretation of the PDPA. The PDPC has also developed sector-specific advisory guidelines for the telecommunication sector, the real estate agency sector, the education sector, the healthcare sector, the social service sector, for transport services for hire (specifically in relation to in-vehicle recordings) and for management corporations. The PDPC also publishes an annual Personal Data Protection Digest (PDP Digest), which is a compendium comprising the PDPC’s grounds of decisions, summaries of unpublished cases where no breach was found and a collection of data protection-related articles contributed by data protection practitioners.
The formulation of the PDPA framework has taken into account international best practices on data protection. As indicated during the second reading of the PDPA in Parliament, the then Minister of Information, Communications and the Arts had referred to the data protection frameworks in key jurisdictions such as Canada, New Zealand, Hong Kong and the European Union, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework, in developing the PDPA framework.
The PDPC is currently undertaking a review of the PDPA, and has held three public consultations in this regard. First, the Public Consultation for Approaches to Managing Personal Data in the Digital Economy (issued 27 July 2017) sought the public’s views on introducing:
- a Proposed Enhanced Framework for the Collection, Use and Disclosure of Personal Data; and
- a Proposed Mandatory Data Breach Notification Requirement.
The consultation closed on 5 October 2017, and the PDPC issued a response to the feedback received on 1 February 2018.
Second, the Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy (issued 27 April 2018) sought the public’s views on:
- streamlining the DNC provisions in Part IX of the PDPA and the Spam Control Act into a single legislation governing all unsolicited commercial messages;
- introducing an Enhanced Practical Guidance framework under the PDPA, which allows the PDPC to provide guidance to organisations with greater clarity and certainty; and
- streamlining the exceptions to obtaining consent for the collection, use and disclosure of personal data, found in the Second, Third and Fourth Schedules to the PDPA.
The consultation closed on 12 June 2018, and the PDPC issued a response to the feedback received on 8 November 2018.
Third, in the Public Consultation on Review of the Personal Data Protection Act 2012 – Proposed Data Portability and Data Innovation Provisions (Data Portability and Data Innovation Public Consultation) (issued 22 May 2019), the PDPC sought the public’s views on:
- introducing a Data Portability Obligation, which requires organisations, at the request of the individual, to transmit the individual’s data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format; and
- introducing provisions in the PDPA to clarify that organisations can use personal data (collected in compliance with the Data Protection Provisions of the PDPA) for the purposes of: (i) operational efficiency and service improvements; (ii) product and service development; or (iii) knowing customers better.
On 20 February 2018, Singapore became the sixth APEC economy to participate in the APEC Cross-Border Privacy Rules (CBPR) system, along with the USA, Mexico, Canada, Japan and the Republic of Korea. Singapore also became the second APEC economy to participate in the APEC Privacy Recognition for Processors (PRP) system. Collectively, the CBPR and PRP systems allow a smoother exchange of personal data among certified organisations in participating economies, and ensure that data protection standards are maintained for consumers in the Asia-Pacific region.