Brief Review on Singapore PDPA

June 19, 2020, 1:35 pm

As of 1st September 2019, all private sector organisations in Singapore will be prohibited from collecting, using or disclosing all national identity cards, their copies and numbers, unless they are required to do so under law, or if it is necessary to verify individuals’ identities to a high degree of fidelity. Failure to comply with Singapore’s Personal Data Protection Act 2012 (PDPA) could lead to an organisation facing a financial penalty of up to S$1 million. 

The Singapore PDPA was enacted on October 15, 2012, and took effect in three phases: 

  • Provisions relating to the formation of the Personal Data Protection Commission 
  • Provision relating to the National Do-Not-Call Registry 
  • Main data protection provisions 

The Act also consists of various general or sector / industry-specific guidelines issued by the Commission. While the guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best for business leaders to carefully observe and follow these guidelines. 


Moreover, the objective of the Act is not only to secure confidential information of employees but also to protect the fundamental rights and freedoms related to personal information and privacy. Failure of such protection can result in serious harm: for example, criminals are able to extract money from a person’s bank account, blackmail a person by threatening to expose embarrassing sexual secrets, or harm someone by manipulating their health information. When employees suffer this kind of harm from a failure to protect their data, overall company productivity can be affected. 

Under the PDPA, personal data may include, but is not limited to, the following: 

  • Full name 
  • NRIC, or passport number
  • Photograph or video image of an individual 
  • Mobile telephone number 
  • Personal email address
  • Thumbprint
  • Name and residential address
  • Business contact information, such as name, position name or title, business telephone number, business address, business electronic mail address, business fax number, etc. 

Further, there are no specific requirements relating to online privacy (including cookies and location) under the Act. However, a company that wishes to engage in any online activity that involves the collection, use or disclosure of personal data will still need to comply with the general data protection obligations under the Act. For instance, if a company intends to use cookies to collect personal data, it must obtain consent before the use of any such cookies. 

An organisation that collects, uses or discloses personal data in Singapore must adhere to a number of obligations, including the following: 

  • Appointing a Data Protection Officer (DPO)
  • Notifying purposes and seeking consent when processing personal data beyond what is reasonable for the service or product
  • Responding transparently when clients ask about personal data 
  • Ensuring accuracy and allowing correction of personal data 
  • Securing personal data held by the organisation against harm and cyberthreats 
  • Disposing of personal data that is no longer needed 
  • Ensuring the protection of personal data when transferring overseas 
  • Communicating the data protection policies, practices and processes transparently with consumers and clients 

Please visit PDPC Singapore for more information about the PDPA and how your organisation can comply with it. 
