December 2021 Issue: Co-operator Newsletter Quarterly Issue

What Are The 10 Obligations Under Personal Data Protection Act (PDPA)?

With cyber-attacks, in particular data breaches in which attackers take possession of personal data, occurring frequently, the Personal Data Protection Act (PDPA) has been the talk of the town in recent years. As Singapore's baseline standard of protection for personal data, the PDPA requires organisations to demonstrate accountability for the personal data in their care, whether it belongs to their employees or their customers.

Between June 2020 and July 2021, there were significant developments pertaining to the PDPA as well as its regulatory body, the Personal Data Protection Commission (PDPC). By now, every organisation should have appointed a data protection officer to implement personal data protection and the corresponding measures in the workplace. If you are lost trying to make sense of everything, you may find this article useful.

Read on for a summary of all 10 data protection obligations under the PDPA.

1. ACCOUNTABILITY OBLIGATION

Every organisation is obliged to be accountable for the personal data it manages, whether it belongs to clients, customers or employees. You should have data protection policies in place, appoint a data protection officer, and maintain standard operating procedures (SOPs) for handling personal data complaints. Information on how you handle personal data should be made available on request.

WHEN YOU COLLECT PERSONAL DATA …

2. NOTIFICATION OBLIGATION

Organisations should let customers and clients know the purposes for which their personal data is collected, used and disclosed. Individuals should be notified of these purposes on or before the data is collected, and again before it is used or disclosed for any new purpose.

3. CONSENT OBLIGATION

Individuals must give consent before you can collect, use or disclose their personal data. They must also be allowed to withdraw that consent at any time by giving reasonable notice. Once consent is withdrawn, the organisation must stop collecting, using and disclosing the data accordingly.

4. PURPOSE LIMIT OBLIGATION

Companies should only collect, use and disclose personal data for the purposes for which your clients or customers have given consent to. Your customers or clients should not be required to give consent beyond what is reasonable for the organisation to provide a particular service or product.    

WHEN YOU POSSESS OTHER INDIVIDUALS’ PERSONAL DATA …

5. ACCURACY OBLIGATION

Organisations should make a reasonable effort to ensure that the personal data they collect is accurate and complete, especially where it is likely to be used to make a decision that affects the individual or to be disclosed to another organisation.

6. PROTECTION OBLIGATION

Organisations must make reasonable security arrangements to protect the personal data in their possession or under their control. This is to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of the data, and similar risks.

7. RETENTION LIMITATION OBLIGATION

Once personal data is no longer needed for any business or legal purpose, the organisation should cease to retain it, either by disposing of the documents containing it or by anonymising it.

8. TRANSFER LIMITATION OBLIGATION

If your organisation transfers personal data overseas (including storing it with an overseas cloud service), the onus is on the organisation to ensure that the recipient is bound to provide the data with a standard of protection comparable to that under the PDPA.

INDIVIDUALS’ AUTONOMY OVER PERSONAL DATA

9. ACCESS AND CORRECTION OBLIGATION

On request, organisations must provide individuals with their personal data and with information about how that data has been or may have been used or disclosed within the year before the request. Organisations must also correct any error or omission in the personal data as soon as practicable.

10. DATA BREACH NOTIFICATION OBLIGATION

A data breach is notifiable if it results in, or is likely to result in, significant harm to the affected individuals, or if it is of a significant scale (affecting 500 or more individuals). Organisations must notify the PDPC of a notifiable breach and, where the breach is likely to result in significant harm, must also notify the affected individuals.

Sources:

Personal Data Protection Commission. (n.d.). Data Protection Obligations. https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act/data-protection-obligations

Singapore Legal Advice. (n.d.). Summary: Your Organisation's 10 Main PDPA Obligations. https://singaporelegaladvice.com/law-articles/personal-data-protection-act-obligations


Who we are

SNCF is the apex body of Singapore's Co-operative Movement and the secretariat of the Central Co-operative Fund (CCF). Formed in 1980 with the aim of championing Singapore's Co-operative Movement, the apex body represents the majority of co-operative members in Singapore through its affiliated co-operatives.