As of 1st September 2019, all private sector organisations in Singapore will be prohibited from collecting, using or disclosing all national identity cards, their copies and numbers, unless they are required to do so under law, or if it is necessary to verify individuals’ identities to a high degree of fidelity. Failure to comply with Singapore’s Personal Data Protection Act 2012 (PDPA) could lead to an organisation facing a financial penalty of up to S$1 million.
The Singapore PDPA was enacted on October 15, 2012 that took effect in three phases:
The Act also consists of various general or sector / industry-specific guidelines issued by the Commission. While the guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best for business leaders to carefully observe and follow these guidelines.
Moreover, the objective of the Act is not only to secure confidential information of employees but also to protect the fundamental rights and freedoms related to personal information and privacy. Failure of such protection can result in serious harm, for example, criminals are able to extract money from a person’s bank account, blackmail a person by threatening to expose embarrassing sexual secrets, or harm someone by manipulating their health information. Once employees fall into this kind of harmful effect of failing to protect one’s data could result in overall company productivity.
Under the PDPA clauses, personal data might include but not limited to the following:
The organisation that collects, uses or discloses personal data in Singapore must adhere to some obligations, including as follows:
Please visit PDPC Singapore for more information about the PDPA and how your organisation can be fully integrated with its law.