Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The main data protection legislation in Singapore is the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).
The PDPA applies to all organisations that collect, use or disclose personal data in Singapore unless one of the exclusions under section 4 of the PDPA applies. The main data protection obligations imposed on organisations concerning the collection, use, disclosure, access to, correction and care of personal data are set out in Parts III to VIB of the PDPA (the Data Protection Provisions).
The PDPA also provides for the establishment of the Personal Data Protection Commission (PDPC), the data protection authority.
The PDPA recently underwent its first comprehensive review since its enactment in 2012. The Personal Data Protection (Amendment) Act 2020 (the Amendment Act), which was passed in Parliament on 2 November 2020, sets out extensive changes, the majority of which came into effect on 1 February 2021.
There are various regulations and advisory guidelines under the PDPA that deal with specific issues in greater detail. For example, the Personal Data Protection Regulations 2021 (the PDP Regulations) supplement the PDPA in four key areas:
- the requirements for transfers of personal data out of Singapore;
- the assessment relating to the processing of personal data in reliance on the grounds of deemed consent by notification and legitimate interests;
- the form, manner and procedures for making and responding to requests for access to or correction of personal data; and
- persons who may exercise rights concerning disclosure of personal data of deceased individuals.
The other regulations issued under the PDPA include:
- the Personal Data Protection (Composition of Offences) Regulations 2021;
- the Personal Data Protection (Do Not Call Registry) Regulations 2013;
- the Personal Data Protection (Enforcement) Regulations 2021;
- the Personal Data Protection (Appeal) Regulations 2021; and
- the Personal Data Protection (Notification of Data Breaches) Regulations 2021.
Also, the PDPC has issued several advisory guidelines and guides to provide greater clarity on the interpretation of the PDPA. The PDPC has also developed sector-specific advisory guidelines for:
- the telecommunications sector;
- the real estate agency sector;
- the education sector;
- the healthcare sector;
- the social services sector;
- transport services for hire (specifically concerning in-vehicle recordings); and
- management corporations.
On 20 February 2018, Singapore became the sixth Asia-Pacific Economic Cooperation (APEC) economy to participate in the APEC Cross-Border Privacy Rules (CBPR) system. Singapore also became the second APEC economy to participate in the APEC Privacy Recognition for Processors (PRP) system. Collectively, the CBPR and PRP systems allow a smoother exchange of personal data among certified organisations in participating economies and ensure that data protection standards are maintained for consumers in the Asia-Pacific region.
The formulation of the PDPA framework has taken into account international best practices on data protection. As indicated during the second reading of the PDPA in Parliament, the then Minister of Information, Communications and the Arts had referred to the data protection frameworks in key jurisdictions such as Canada, New Zealand, Hong Kong and the European Union, as well as the Organization for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework, in developing the PDPA framework.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
The PDPA is administered and enforced by the PDPC. With effect from 1 October 2016, the PDPC has been subsumed as a department under the Info-communications Media Development Authority (IMDA).
The PDPC may initiate an investigation to determine whether an organisation complies with the PDPA, upon receipt of a complaint or on its own motion.
According to the Advisory Guidelines on Enforcement of Data Protection Provisions, the factors that the PDPC may consider in deciding whether to commence an investigation include:
- whether the organisation may have failed to comply, whether intentionally, negligently, or for any other reason or cause, with all or a significant part of its obligations under the PDPA;
- whether the organisation’s conduct indicates a systemic failure by the organisation to comply with the PDPA or to establish and maintain the necessary policies and procedures to ensure its compliance;
- the number of individuals who are, or may be, affected by the organisation’s conduct;
- the impact of the organisation’s conduct on the complainant or any individual who may be affected;
- whether the organisation had previously contravened the PDPA or may have failed to implement the necessary corrective measures to prevent the recurrence of a previous contravention; and
- public interest considerations.
In the course of its investigation, the PDPC’s powers include:
- requiring any organisation to produce any specified document or to provide any specified information;
- compelling the attendance of witnesses, the provision of information and the production of documents;
- entering an organisation’s premises without a warrant (by giving at least two working days’ advance notice of intended entry); and
- obtaining a search warrant to enter an organisation’s premises and search the premises or any person on the premises (the latter, if there are reasonable grounds for believing that he or she has in his or her possession any document, equipment or article relevant to the investigation), and take possession of, or remove, any document and equipment or article relevant to an investigation.
The PDPC is also empowered to review complaints concerning access, correction and data porting requests.
The PDPA also establishes the Data Protection Advisory Committee, which advises the PDPC on matters relating to the review and administration of the personal data protection framework, such as key policy and enforcement issues.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
The PDPC may enter into a cooperation agreement with a foreign data protection authority for data protection matters such as cross-border cooperation. Cooperation may take the form of information exchange or any other assistance as necessary to assist in the enforcement or administration of data protection laws.
Specifically, section 10 of the PDPA provides that the cooperation agreement has to be entered into for the purposes of:
- facilitating cooperation between the PDPC and another foreign data protection authority in the performance of their respective functions insofar as those functions relate to data protection; and
- avoiding duplication of activities by the PDPC and another foreign data protection authority, being activities involving the enforcement of data protection laws.
In this regard, the cooperation agreement may include provisions to:
- enable the PDPC and the other foreign data protection authority to furnish to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
- provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
- enable the PDPC and the other foreign data protection authority to forbear to perform any of their respective functions concerning a matter in circumstances where it is satisfied that the other is performing functions concerning that matter.
Under the PDPA, the PDPC may only furnish information to a foreign data protection authority pursuant to a cooperation agreement if it requires of and obtains from that authority an undertaking in writing by it that it will comply with terms specified in that agreement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the PDPC.
Where the information requested contains personal data that is treated as confidential under the PDPA, the PDPC may only disclose the information to the foreign data protection authority if the following conditions are satisfied:
- the information or documents requested by the foreign data protection authority are in the possession of the PDPC;
- unless the government otherwise allows, the foreign data protection authority undertakes to keep the information confidential at all times; and
- the disclosure of the information is not likely to be contrary to the public interest.
The PDPC is also a participant in the Asia Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement (APEC CPEA), which creates a framework for the voluntary sharing of information and provision of assistance for privacy enforcement-related activities.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Generally, the powers of the PDPC in the enforcement of any breach of data protection law include:
- powers relating to alternative dispute resolution (ADR);
- powers relating to review applications; and
- powers of investigation.
Any individual affected by an organisation’s non-compliance with any of the Data Protection Provisions may lodge a complaint with the PDPC. Upon receipt of a complaint, the PDPC may investigate or review the matter, or direct the parties as to the appropriate mode of dispute resolution.
Concerning ADR, under section 48G(1) of the PDPA, the PDPC is provided with the power to establish or approve one or more dispute resolution schemes, and direct complainants to resolve disputes via mediation, without the need to secure the consent of both parties.
As to the type of enforcement action it may take, the PDPC may choose to do any one of the following:
- suspend or discontinue an investigation;
- initiate an undertaking process;
- issue an expedited breach decision;
- initiate a full investigation; or
- impose criminal penalties.
Suspend or discontinue an investigation
The PDPC may discontinue investigations and simply issue an advisory notice where the impact is assessed to be low. Section 50 of the PDPA sets out circumstances in which the PDPC may do so, including where a complainant has not complied with a direction, the parties involved have mutually agreed to settle, or any party has commenced legal proceedings in respect of any contravention of the PDPA.
The PDPC may accept a voluntary undertaking from any organisation, which includes a written agreement between the organisation and the PDPC in which the organisation voluntarily commits to remedy the breaches and take steps to prevent a recurrence. The organisation’s request to invoke the undertaking process must be made very soon after the incident is known. The PDPC is unlikely to accept an undertaking request in certain cases (eg, where the organisation refutes responsibility for the data breach incident, or where it is a repeat incident entailing a similar cause of the breach).
Section 48L of the PDPA empowers the PDPC to accept statutory undertakings from an organisation when the PDPC has reasonable grounds to believe that an organisation has not complied, is not complying or is likely not to comply with the PDPA.
Where an organisation is found not to have complied with any term of the voluntary undertaking, the PDPC may take action that it thinks fit in the circumstances, which may include issuing directions and imposing available enforcement remedies.
Expedited breach decision
The PDPC may issue an expedited breach decision at its discretion in certain circumstances where there is an upfront, voluntary admission of liability for breaching relevant obligations under the PDPA. The expedited breach decision will achieve the same enforcement outcome as a full investigation. Where financial penalties are involved, the organisation’s admission of its role in the incident could be taken as a mitigating factor. However, admissions are unlikely to be considered as a strong mitigating factor for repeated data breaches. The organisation must make a written request to the PDPC for an expedited decision very soon after the incident is known to the organisation.
Full investigation process
For incidents with high impact, and where facilitation or mediation is inappropriate in the circumstances (eg, where there is a disclosure of personal data on a large scale or where the personal data disclosed could cause significant harm), the PDPC may initiate a full investigation.
Where the PDPC is satisfied that an organisation has intentionally or negligently contravened any of the Data Protection Provisions under the PDPA, it is empowered with wide discretion to issue such remedial directions as it thinks fit. These include directions requiring the organisation to:
- stop collecting, using or disclosing personal data in contravention of the PDPA;
- destroy personal data collected in contravention of the PDPA;
- provide access to, correct or port personal data, or reduce or make a refund of any fee charged for any access, porting or correction request; or
- pay a financial penalty of up to S$1 million.
Concerning the quantum of financial penalty, the Amendment Act will empower the PDPC to impose higher financial penalties (ie, up to a maximum of 10 per cent of the organisation’s annual turnover in Singapore, or S$1 million, whichever is higher). However, this provision will only come into effect from 1 October 2022.
In assessing the seriousness of a data breach, the PDPC may consider several factors, including the following:
- impact of the organisation’s breach;
- whether the organisation actively took reasonable steps to resolve the matter effectively and promptly;
- whether the organisation had known or ought to have known the risk of a serious contravention and failed to minimise the risk;
- whether the organisation obstructed the PDPC during investigations;
- whether the organisation failed to comply with a warning or direction from PDPC;
- whether the organisation, which handles a large volume of sensitive personal data, failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of such data;
- whether the organisation took immediate steps to notify affected individuals of the breach and reduce the damage caused by a breach; and
- whether the organisation voluntarily notified the PDPC of the breach as soon as it learned of the breach and cooperated with the PDPC in its investigations.
To date, the PDPC has issued more than 100 published grounds of decisions, with a significant majority of these cases relating to breaches of the Protection Obligation (ie, section 24 of the PDPA). On 15 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on SingHealth Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients to be compromised.
Any person who suffers loss or damage directly as a result of a contravention of any of the Data Protection Provisions may also commence a private civil action in respect of such loss or damage suffered.
Part IXB of the PDPA sets out offences relating to the egregious mishandling, by individuals, of personal data in the possession of or under the control of an organisation or a public agency:
- under section 48D, if an individual discloses, or causes the disclosure of, personal data in the possession or control of an organisation or a public agency to another person, which is not authorised, and the individual does so knowingly, or is reckless to the disclosure not being authorised, the individual shall be guilty of an offence; and
- under section 48E, if an individual makes use of personal data in the possession or control of an organisation or a public agency which is not authorised, the individual does so knowingly, or is reckless to the use not being authorised, and as a result of the use of the personal data, the individual:
  - obtains a gain;
  - causes harm to another individual; or
  - causes loss to another person,
  that individual shall be guilty of an offence.
Under section 48F, if an individual takes any action to reidentify or cause reidentification of anonymised information in possession or control of an organisation or a public agency, which is not authorised, and the individual does so knowingly, or is reckless to the re-identification not being authorised, that individual shall be guilty of an offence.
The penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding two years, or both. However, certain defences are provided for in respect of these offences, for example, where the accused used, disclosed or reidentified the data in the reasonable belief that the accused had the legal right to do so, and was not reckless as to whether this was so.
Section 51 of the PDPA also sets out certain offences relating to, among others, obstructing or hindering the PDPC in the performance of any function or duty, or the exercise of any power, under the PDPA. It is also an offence for an organisation or a person, without reasonable excuse, to neglect or refuse to either provide any information or produce any document that the organisation or person is required to provide or produce to the PDPC or an inspector or attend before the PDPC or inspector as required.
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) applies to all organisations in Singapore, regardless of their scale or size.
An ‘organisation’ is defined broadly under the PDPA as including any individual, company, association or body of persons, corporate or unincorporated, and whether or not formed or recognised under the law of Singapore, or resident or having an office or place of business in Singapore.
Certain categories of organisations are carved out of the application of the Data Protection Provisions of the PDPA, such as:
- individuals acting in a personal or domestic capacity;
- employees acting in the course of their employment with an organisation (although employees may be liable for the egregious mishandling of personal data in the possession of or under the control of an organisation or a public agency); and
- public agencies.
The PDPA is intended to set a baseline standard for personal data protection across the private sector, and will operate alongside (and not override) existing laws and regulations. The PDPA provides that the general data protection framework does not affect any right or obligation under the law and that in the event of any inconsistency, the provisions of other written laws will prevail.
Interception of communications and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
To the extent that personal data is collected, used or disclosed in the interception of communications and in the monitoring and surveillance of individuals, the PDPA applies to the organisation collecting, using or disclosing such data. As such, the individual’s prior consent is required before any collection takes place unless an exception to consent applies or the collection is otherwise authorised under law.
Also, where an organisation collecting such personal data via the interception of communications or the performance of surveillance or monitoring activities is a public agency (eg, the Singapore Police Force or the Info-communications Media Development Authority (IMDA)), such collection is excluded from the application of the PDPA.
Apart from the PDPA, there are provisions in other laws or regulations that allow for the interception of communications and the monitoring and surveillance of individuals. Below is a non-exhaustive list of such provisions:
- Organisations providing telecommunications services and holding services-based operations licences may have to comply with interception requests by the IMDA and other authorities. Specifically, condition 16.2 of the IMDA’s standard Services-Based Operator (Individual) (SBO (I)) licence conditions expressly permits disclosure of subscriber information where the disclosure of subscriber information is deemed necessary to the IMDA or such other relevant law enforcement or security agencies in the exercise of their functions or duties. Condition 26.1 of the IMDA’s standard SBO (I) licence conditions also requires licensees to ‘provide the [IMDA] with any document and information within its knowledge, custody or control, which the [IMDA] may, by notice or direction require’.
- Section 20 of the Criminal Procedure Code (Cap 68) empowers the police to require the production of a ‘document or other thing’ (which is necessary or desirable for any investigation, inquiry, trial or another proceeding under the Code) by issuing a written order to ‘the person in whose possession or power the document or thing is believed to be’.
- Section 10 of the Kidnapping Act (Cap 151) states that the Public Prosecutor may authorise any police officer to, amongst others, ‘intercept any message transmitted or received by telecommunication’ or ‘intercept or listen to any conversation by telephone’.
- Section 19 of the Cybersecurity Act 2018 (No. 9 of 2018) (the Cybersecurity Act) states that where information regarding a cybersecurity threat or incident has been received by the Commissioner, he or she may exercise certain powers as are necessary to investigate the cybersecurity threat or incident, including the power to require the provision of any document in a person’s possession or information considered to be related to the matter.
Generally, where the personal data of an individual is collected, used and disclosed for marketing purposes, the consent of the individual concerned must be obtained and such consent must not have been obtained as a condition for the provision of a product or service where it would not be reasonably required to provide that product or service. The Personal Data Protection Commission (PDPC) has noted in its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 1 February 2021) (Key Concepts Guidelines) that a failure to opt out will not be regarded as consent in all situations, and recommended that organisations obtain consent from an individual through a positive action of the individual (eg, opt-in consent).
Concerning the sending of marketing communications by telephone call or text messaging (or fax) to a Singapore telephone number, Part IX of the PDPA (ie, the Do Not Call (DNC) Provisions) requires an organisation to:
- obtain valid confirmation that the telephone number is not listed on the relevant DNC Register before sending the message or call unless clear and unambiguous consent to the sending of the specified message to that number is obtained in evidential form;
- ensure the message is identified as a marketing message and includes information identifying the sender and details on how the sender can be readily contacted, with such details and contact information being reasonably likely to remain valid for at least 30 days after the message is sent; and
- for voice calls, not conceal or withhold the calling line identity from the recipient.
A limited exception exists concerning sending messages to individuals with whom the organisation has an ongoing relationship.
Concerning the duty to check the DNC Register, section 43A of the PDPA imposes obligations on third-party checkers to communicate accurate DNC Register query results to the organisations on whose behalf they check the DNC Register.
Further, Part IXA of the PDPA contains a prohibition concerning the sending of applicable messages to telephone numbers generated or obtained through the use of dictionary attacks and address harvesting software.
The DNC Provisions (which used to be enforced as criminal offences) are now enforced under the same administrative regime as the Data Protection Provisions. If the organisation is found to have intentionally or negligently contravened any provision, the PDPC may require the organisation to pay a financial penalty not exceeding:
- S$200,000, in the case of an individual; or
- S$1 million, in any other case.
For a contravention of the prohibition on the use of dictionary attacks and address-harvesting software under the DNC Provisions, the maximum financial penalty will increase to 5 per cent of the organisation’s annual turnover in Singapore, where the organisation’s annual turnover in Singapore exceeds S$20 million. However, this enhanced financial penalty will only come into effect on 1 October 2022.
Complementing the DNC Provisions of the PDPA, the Spam Control Act (Cap 311A) (the Spam Control Act) regulates the bulk sending of unsolicited commercial electronic messages to email addresses or mobile telephone numbers.
Section 11 read with the Second Schedule of the Spam Control Act requires any person who ‘sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages (which includes emails, instant messages (on platforms such as Telegram and WeChat) and short message service or multimedia message service) in bulk’ to comply with certain obligations. These include, among others, requirements that unsolicited commercial electronic messages must:
- contain an unsubscribe facility;
- carry the label ‘<ADV>’ to indicate that the message is an advertisement; and
- not contain header information that is false or misleading.
Section 9 of the Spam Control Act also prohibits electronic messages from being sent to electronic addresses generated or obtained through the use of a dictionary attack or address-harvesting software.
The Spam Control Act provides for civil liability (including the grant of an injunction or the award of damages) against parties in breach of these requirements. Statutory damages of up to S$25 per message may be awarded, up to an aggregate of S$1 million (unless the plaintiff proves that his or her actual loss is higher).
Other laws
Are there any further laws or regulations that provide specific data protection rules for related areas?
Before the enactment of the PDPA, Singapore did not have an overarching law governing the protection of PI, or personal data. The collection, use, disclosure and care of personal data in Singapore were regulated to a certain extent by a patchwork of laws including common law, sector-specific legislation and various self-regulatory or co-regulatory codes. These existing sector-specific data protection frameworks continue to operate alongside the PDPA.
Various other laws and regulations in Singapore set out specific data protection rules, some of which are sector-specific. For instance:
- the Banking Act (Cap 19) prescribes the disclosure of customer information by a bank or its officers;
- the Computer Misuse Act (Cap 50A) deals with computer system hackers and other similar forms of unauthorised access or modification to computer systems;
- the Cybersecurity Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore to ensure that computers, systems and data are better protected;
- the Private Hospitals and Medical Clinics Act (Cap 248) contains provisions relating to the confidentiality of information held by private hospitals, medical clinics, clinical laboratories and healthcare establishments licensed under the Act;
- the Official Secrets Act (Cap 213) contains provisions relating to the prevention of disclosure of official documents and information;
- the Public Sector (Governance) Act 2018 (No. 5 of 2018) sets out directions for data sharing among government agencies and imposes criminal penalties on public officers who recklessly or intentionally disclose data without authorisation, misuse data for a gain or re-identify anonymised data; and
- the Telecom Competition Code issued under the Telecommunications Act (Cap 323) contains certain provisions pertaining to the safeguarding of end-user service information.
Concerning the financial sector, the Monetary Authority of Singapore (MAS) is empowered under the Monetary Authority of Singapore Act (Cap 186) and other sectoral legislation to issue directives and notices. Examples of MAS-issued regulatory instruments which are relevant to data protection include the Notices on Cyber Hygiene, Notices and Guidelines on Technology Risk Management, Notices and Guidelines on Prevention of Money Laundering and Countering the Financing of Terrorism, and the Guidelines on Outsourcing. These regulations operate alongside the PDPA and prevail to the extent of any inconsistency.
PI formats
What categories and types of PI are covered by the law?
All formats of PI are covered under the PDPA, whether electronic or non-electronic and regardless of the degree of sensitivity. ‘Personal data’ is broadly defined under the PDPA as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Nonetheless, the PDPA provides for certain exceptions and limitations for the applicability of the Data Protection Provisions for certain types of personal data, such as personal data that is contained in a record that has been in existence for at least 100 years, or ‘business contact information’ as defined under the PDPA.
Extraterritoriality
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
The Data Protection Provisions apply to all organisations that collect, use or disclose personal data in Singapore, regardless of whether they are formed or recognised under Singapore law or whether they are resident or have an office or place of business in Singapore. As such, organisations that are located overseas are still subject to the Data Protection Provisions as long as they collect, use or disclose personal data in Singapore. Also, organisations that collect personal data overseas and host or process it in Singapore will be subject to the relevant obligations under the PDPA from the point that such data is brought into Singapore.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Yes, the PDPA regulates the collection, use and disclosure of personal data by an organisation. An organisation that collects, uses or discloses personal data is accordingly required to comply with the Data Protection Provisions under the PDPA.
A ‘data intermediary’, however, is exempt from the majority of the Data Protection Provisions under the PDPA. A data intermediary refers to an organisation that processes personal data on behalf of and for the purposes of another organisation (the primary organisation) pursuant to a written contract.
A data intermediary is only required to comply with the rules relating to:
- the protection of personal data (section 24);
- the retention of personal data (section 25); and
- the duty to notify the primary organisation without undue delay where it has reason to believe that a data breach has occurred concerning personal data that it is processing on the primary organisation’s behalf (sections 26C(3)(a) and 26E).
A data intermediary that processes personal data in a manner that goes beyond the processing required under the written contract would not be considered a data intermediary and is subject to the full suite of Data Protection Provisions under the PDPA in respect of that processing.
Law stated date
Correct on
Give the date on which the information above is accurate.
10 May 2021