Personal Data Protection Act (PDPA): Introduction to PDPA

In recent years, the Personal Data Protection Act 2012 (“PDPA”) of Singapore has been a trending topic for discussion, especially due to the trend of storing valuable personal data online. The PDPA is crucial as it protects the personal data for individuals while recognising the need for organisations to “collect, use and disclose” personal data for reasonable purposes.

This allows for a delicate balance between the need for data protection and the general handling of data. To achieve that, the PDPA sets out guidelines and obligations that we will be discussing in this series of articles. We will also be discussing the recent restrictions to the collection of NRIC/NRIC numbers on PDPA.

In this introduction which will be first of a series of articles on the PDPA, we will mainly focus on the main requirements set out by the PDPA such as the key duties and obligations required of individuals or organisations when they handle the personal data of individuals. These obligations and guidelines have to be adhered to in order to avoid being liable under the PDPA.

Who the Personal Data Protection Act applies to (Section 4)

For the purposes of our discussion, it is important to firstly understand who the PDPA applies to as it determines who may be found liable under the Act if their conduct is contrary to what is required. Parts III to VI of the PDPA will not apply to you or to any individual who is acting in a personal or domestic capacity, these parts also do not apply to employees acting in the course of their employment with an organisation. What this essentially means is that even if the employee’s conduct has contravened the obligations set out by the PDPA, the employee will not be liable but instead the company or the individual as the employer will be liable.

There are also other exceptions for which the PDPA does not apply to such as the public agencies and organisations that are acting on behalf of a public agency.

Thus, if an individual, company or organisation does not fall under one of these exceptions, they will have to adhere to the PDPA obligations and guidelines to avoid being liable under the Act.

This article will go into detail to discuss the first of four obligations set out by the PDPA as well as by the Personal Data Protection Commission (“PDPC”), the authority in charge of the administration of the PDPA. The PDPC has also termed these obligations the “9 Main Data Protection Obligations of the PDPA”. Subsequently, we will be elaborating on the other five main data protection obligations in a separate article.

The First Data Protection Obligation – The Consent Obligation

The first of the main data protection obligations would be the consent obligation. In general, the consent obligation requires an individual or an organisation to first obtain consent before they are allowed to collect, use or disclosure the personal data of individuals. Apart from actual consent given directly (i.e. verbally agreeing or agreement in writing) by the individual, the PDPA also provides for other forms of consent such as deemed consent. An example of deemed consent would be when an individual is repeatedly given the option to opt out of giving consent, however whether the failure to opt out is considered deemed consent is also dependent on the unique circumstances of each case. Examples of such circumstances would include how apparent and obvious the option to opt out was.

Consent may be deemed invalid consent if an individual was not notified of the purposes for which the organisation is collecting his personal data. An individual must also be allowed to withdraw the consent given for the collection, use and disclosure of his personal data. If an individual chooses to withdraw consent, the organisation or individual that has his information is required to inform him about the likely consequences of him withdrawing his consent. This gives the individual the opportunity to consider his options and decide accordingly.

It is also stated that withdrawal of consent cannot be prohibited, however this does not negate any legal consequences that may arise due to the withdrawal of consent. For example, if within the terms of your agreement with the individual, a term stated that consent is essential and if evidence is withdrawn at any point of time, the organisation may stop providing the individual with the services that were contractually agreed upon without it being considered a contractual breach of the agreement.

The next article will look at the next 3 main Data Protection Obligations (Purpose Limitation, Notification and Access & Correction).

Please note that this article does not constitute express or implied legal advice, whether in whole or in part.