Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Section 13 of the Personal Data Protection Act provides that an organisation may collect, use or disclose an individual’s personal data only with an individual’s express or deemed consent.

Section 20 of the Personal Data Protection Act requires organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed on or before collecting such data.

Section 18 of the Personal Data Protection Act provides that an organisation’s collection, use or disclosure of personal data is limited to purposes:

  • that a reasonable person would consider appropriate in the circumstances; and
  • for which notification has been made to the individual concerned.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Yes, Section 25 of the Personal Data Protection Act provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:

  • the purpose for which that data was collected is no longer being served; and
  • retention is no longer necessary for legal or business purposes.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, individuals have a qualified right to access personal information under Section 21(1) of the Personal Data Protection Act. Access to personal data is limited to:

  • personal data that is within the possession and control of the organisation; and
  • any information about the ways in which such data has been used one year before the request.

Exceptions to the access obligation under Section 21(3) and the Fifth Schedule of the Personal Data Protection Act exist.

Do individuals have a right to request deletion of their data?

Individuals can request deletion of their data if necessary to correct an error or omission in personal data held by or under the control of an organisation (Section 22(1) of the Personal Data Protection Act).

Otherwise, individuals may withdraw their consent to the collection, use and disclosure of their personal data under Section 16 of the act. Under such circumstances, organisations must cease collecting, using or disclosing the personal data but they are not required to delete it.

Consent obligations
Is consent required before processing personal data?

Yes, consent is required under Section 13 of the Personal Data Protection Act.

If consent is not provided, are there other circumstances in which data processing is permitted?

The Second through Fourth Schedules of the Personal Data Protection Act provides for circumstances in which personal data may be collected, used or disclosed. 

What information must be provided to individuals when personal data is collected?

Section 20 of the Personal Data Protection Act provides that an organisation must inform the individual of:

  • the purposes for which the personal data is being collected, used or disclosed when or before it is collected;
  • any other purpose for which the data is being used or disclosed of which an individual has not been informed under Section 20(1)(a), before the use or disclosure of the data for that purpose; and
  • on request by the individual, the business contact information of a person who can answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data. 

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Section 26(1) of the Personal Data Protection Act provides that an organisation may not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Personal Data Protection Act, to ensure that the recipient organisation is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the Personal Data Protection Act.

In other words, if the recipient organisation is not already bound by comparable data privacy laws in their jurisdiction, the transferring organisation may impose these obligations contractually, via any binding corporate rules or any other legally binding instrument.

Are there restrictions on the geographic transfer of data?

No.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Section 26(1) of the Personal Data Protection Act provides that if the third party is in another jurisdiction, it must be able to provide a standard of protection that is comparable to the protection under the Personal Data Protection Act. However, a third party that is a data intermediary which processes personal data on behalf of an organisation is bound only by the obligations set out under Section 24 (protection of personal data) and Section 25 (retention of personal data) of the Personal Data Protection Act.

Click here to view the full article.