Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. This includes unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.
The PDPA was implemented in phases to allow time for organisations to adjust to the new law. The Do Not Call (DNC) Registry provisions came into force on 2 January 2014 and the personal data protection provisions came into force on 2 July 2014.
The data protection provisions govern the collection, use and disclosure of personal data by organisations. In brief, the PDPA contains three main sets of data protection obligations:
The PDPA also provides for the establishment of a DNC Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations. You may refer to our website for more information on the data protection and DNC provisions.
The PDPA aims to safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving them more control over how their personal data is used. The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data and giving assurance to businesses looking for safeguards to protect sensitive data sets.
‘Publicly available’ in relation to personal data about an individual, means personal data that is generally available to the public. This includes personal data which can be observed by reasonably expected means at a location or an event – (a) at which the individual appears; and (b) that is open to the public. An organisation need not obtain consent for the collection, use or disclosure of personal data that is publicly available but may still have to comply with other obligations under the PDPA.
While an organisation need not obtain consent for the collection, use or disclosure of personal data that is publicly available, it may still have to comply with all other obligations under the PDPA.
In particular, the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. In this regard, the circumstances would need to be taken into account in determining whether the purpose is appropriate.
Given that publicly available personal data is already made available to the public, the PDPC recognises that for the purposes of the PDPA, it would not be practical nor useful to unduly limit the purposes for which such data can be collected, used or disclosed, unless it is for clearly unreasonable purposes, for example, the purpose is in violation of a law or would be harmful to the individual concerned. In any case, organisations should note that their collection, use or disclosure of personal data from publicly available sources may be bound by terms and conditions imposed and enforceable by the data source.
Publicly available personal data refers to personal data about an individual that is generally available to the public. In some situations, the existence of restrictions or conditions for access to the database may not prevent the data from being publicly available.
For example, where a database is made accessible to the public, the personal data contained in such a database would generally be considered publicly available, even if a nominal fee is payable in order to access the data.
However, whilst the PDPA does not require consent to be obtained for the collection, use or disclosure of publicly available personal data, organisations are reminded to comply with all other obligations of the PDPA.
Personal data is defined under the PDPA as "data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access".
At the point of generation, the randomly generated data, on their own, may not be considered personal data to the organisation if the randomly generated data does not relate to any individual and is unlikely to lead to the identification of any individual. However, the randomly generated data may become personal data if the organisation obtains further information such that the individual can be identified from that data (by itself or in combination with other information that the organisation has or is likely to have access to).
For example, while the randomly generated 8 digit number beginning with '8' or '9', without more information, is not personal data, it may become personal data if the organisation calls the 8 digit number and ascertains that it is a mobile telephone number that is in use.
Similarly, an organisation that randomly generates a NRIC number (e.g. by applying an algorithm or using a validator to ascertain that the randomly generated number is a valid NRIC number) will be considered as having collected the NRIC number. The collection, use or disclosure of such numbers is subject to the treatment set out in the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers, i.e. organisations may not collect, use or disclose such numbers unless it is required by law or necessary to accurately establish or verify the identity of an individual to a high degree of fidelity.
The PDPA applies to the collection, use or disclosure of personal data of individuals who can be identified from that data, even if that data was randomly generated in the first instance.
Sellers of databases comprising randomly generated numbers beginning with '8' or '9' which have been ascertained to be in use would be considered to be disclosing personal data, and the PDPA would apply. Similarly, those who purchase and use such databases would be considered to be collecting and using personal data, and the PDPA would apply. Among other things, consent of the individual is required for the collection, use or disclosure of the personal data, unless any exception applies.
There are a number of requirements that both individuals and organisations need to take note of. Some of these are:
· The individual must give reasonable notice of the withdrawal to the organisation. As a general rule of thumb, ten business days is considered to be reasonable notice.
· On receipt of the notice, the organisation must inform the individual of the likely consequences of withdrawing consent. Consequences for withdrawal of consent could simply be that the organisation would cease to collect, use or disclose the individual’s personal data for the purpose specified by the individual. However, if there are other likely consequences, the organisation must also inform the individual
· An organisation must not prohibit an individual from withdrawing consent, although this does not affect any legal consequences arising from such withdrawal.
· Upon withdrawal of consent, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless the collection, use or disclosure of the personal data without consent is required or authorised under the PDPA or any other written law.
Organisations may provide in their marketing messages a facility for individuals to withdraw their consent (e.g. by clicking on an “unsubscribe” link within an e-mail). Organisations are encouraged to clearly indicate the scope of the withdrawal in such instances. Organisations are also encouraged to inform individuals of how they may withdraw consent for matters outside the scope of such withdrawal.
In some cases, individuals may provide organisations a general withdrawal notice for marketing, i.e. it is not clear as to the channel of receiving marketing messages for which consent is withdrawn. In such cases, the PDPC would consider that any withdrawal of consent for marketing sent via a particular channel will be considered to only apply to all messages relating to the withdrawal sent via
Where can I obtain legal advice on PDPA matters for my organisation?
If your organisation is a Small and Medium Enterprise (SME), you may wish to consider the Legal Aid Scheme for a one-hour consultation with a qualified legal practitioner from a panel appointed by the Law Society of Singapore (LawSoc) for an initial assessment on the organisation's level of compliance with the PDPA. Please refer to our webpage Help for Organisations or LawSoc's webpage PDPA Legal Advice Scheme for further details.
The PDPC does not provide legal advice. You may refer to our Advisory Guidelines which provide guidance on the manner in which the PDPC will interpret provisions of the PDPA. The guidelines are advisory in nature and do not constitute legal advice. They are legally not binding on the PDPC or any other party. You may wish to engage independent legal advice if you are in doubt.
The PDPC provides only general information and clarification to enquiries. It is important to note that the PDPC does not provide legal or specific advice to your enquiry that may require a certain standard or decision from the PDPC to be made. Our response to your query is not a substitute for legal advice, and is not legally binding on the PDPC or any other party. You may wish to engage independent legal advice if you are in doubt.
© 2019 Government of Singapore.