Deciphering the Personal Data Protection Act (PDPA)
Simply put, Singapore’s Personal Data Protection Act or PDPA regulates how organizations collect, apply, and reveal personal data. This piece of legislation swung into action on 2 July 2014 and is managed by an organization known as the Personal Data Protection Commission (PDPC). Instituted on 2 January 2013, the PDPC ensures the Act’s compliance. Failing to meet its requirements could cost a company a fine as steep as S$1 million along with a potential blow to its reputation.
PDPA’s Mandatory Obligations
Both digital and physical forms of personal data fall under the purview of the PDPA.
If a company collects such data, it needs to stick to certain rules outlined in the PDPA:
- It should use the data exclusively for the purpose it collected it for.
- It needs to notify the individual why it’s collecting the data, how and who is going to use it.
- It must gain the necessary permission from the individual before using their data.
- It’s crucial to ensure the information is up-to-date and accurate before making any decisions based on it.
- It can transfer the data to another country only in line with the standards established by the PDPC.
- It needs to protect the data from unauthorized access and leaks.
- When the data is no longer necessary, it must be securely destroyed.
- In the event of a data breach, it must report promptly to both the PDPC and the individual involved.
The Responsibilities of the PDPC
Acting as the prime authority in Singapore for all matters concerning personal data protection, the PDPC also represents the country internationally on data protection-related issues.
As well as enforcing the PDPA, the PDPC creates and carries out policies related to personal data protection. These include regulations and guidelines that help organizations understand and comply with the PDPA. The PDPC also supervises how businesses interact with data protection rules and gives directions or decisions where necessary to ensure compliance.
In addition, the PDPC governs the operation of the Do Not Call (DNC) Registry. This facility allows individuals and companies to register their Singapore phone numbers to block unwanted telemarketing calls, messages, and faxes.