< Back

Share |

New Singapore data protection law expected in force from January 2013

On 15 October 2012, Singapore’s Parliament approved the Personal Data Protection Bill, which provides the first full-coverage data protection law for Singapore. The new law is aimed at providing minimum standards relating to the collection, use and protection of personal data. It also establishes the Personal Data Protection Commission (PDPC) and a Do-Not-Call Registry (DNC). The Personal Data Protection Act 2012 (PDPA) is expected to come into force on 1st January 2013, and organisations will be given a period of 18 months to comply with its requirements. Further guidelines and regulations are expected to give additional clarity to the implementation of the PDPA.


To whom will the PDPA apply?

The PDPA will only apply to the private sector in Singapore, irrespective of size and geographical location, where the personal data in question is collected in Singapore. It will not apply to Singapore’s public sector. In addition, “data intermediaries”, organisations which process personal data on behalf of other organisations will also need to comply with selected obligations under the PDPA.

What constitutes personal data under the PDPA?

Personal data under the PDPA is defined as any data which can identify an individual either on its own or in conjunction with any other data held or likely to be held by any organisation, whether or not kept in electronic form. However, certain types of personal data are excluded from the scope of the PDPA: business contact information relating to an individual’s name, position, business address, number, email or similar information; personal data relating to individuals who have been dead for over ten years (subject to some exceptions); and personal data which has been on record for over 100 years, are all exempt.


Organisations are required to obtain the consent of individuals to their personal data being collected, used or disclosed. Organisations are allowed to decide how to obtain consent subject to certain constraints. Essentially, individuals must be informed of the purposes of the data collection and the uses to which the data will be put which should be those a reasonable person would consider appropriate in the circumstances. If an organisation has acquired an individual’s consent or the individual is deemed to have given consent to disclose information to another organisation, that organisation may also process that personal data.

There are, however, some circumstances where consent is not always necessary for the collection, use or processing of personal data, for example, when it is made publically available; relates to news activities; is for the beneficiaries of trust and insurance policies; or it is collected by a bank or a credit bureau for the purpose of creating a credit report.

Other requirements for organisations processing personal data

Organisations must appoint a privacy officer with responsibility for compliance with the PDPA. Privacy officers are required to ensure data collected is reasonably accurate and complete and take reasonable steps to keep the data secure. Organisations and data intermediaries are also required not to retain personal data for longer than necessary.

Cross-border transfers

data transferThe PDPA allows for cross-border data transfers provided the organisation wishing to transfer the personal data ensures that the receiving party has adequate levels of protection (whether prescribed by regulation or contractual) of no less than the standard of protection under the PDPA.


The PDPA establishes the PDPC to enforce and implement the PDPA. The PDPC may also issue advisory guidelines to clarify the PDPA and its effect on both organisations and individuals. There is no breach notification requirement under the PDPA. Organisations can be fined up to S$100,000 (just under €65,000) for obstructing the PDPC from carrying out its duties and S$50,000 (around €32,000) for certain breaches of the PDPA.

Do Not Call Registry

The DNC allows individuals to opt out of receiving unsolicited marketing messages. This excludes email and post but includes voice calls, text messages and multimedia messaging services. Messages or calls made to a Singapore phone number, sent, received or accessed in Singapore will be caught by the regime. If clear, unambiguous consent has been obtained by an organisation then marketing messages may still be sent to an individual on the register. Organisations which intend sending marketing material are obliged to check whether intended recipients are registered with the DNC before doing so.


The PDPA is expected to enter into force in January 2013. There will be a transitional period of eighteen months following this to allow private organisations time to comply with the new regime. Personal data collected before the PDPA comes into force may continue to be used without obtaining fresh consent unless consent to use it is withdrawn by the relevant individual but the PDPA requirements in relation to retention and security will apply across the board.


protectionThe PDPA is a welcome piece of legislation and follows the trend of equivalent data protection legislation enacted in other parts of Asia in 2010 and 2011.

For individuals, this legislation provides comfort that personal data collected from them will be subject to minimum standards of protection and will not be put to use outside the scope of their consent.

For organisations which collect personal data, the sunrise period together with the implementing regulations and guidelines that are coming, are intended to provide clarity as to the scope of their obligations and should assist and enable them to prepare for compliance with the legislation.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Introduction to new law in Singapore
Rizwi Wun

Rizwi Wun looks at the forthcoming data protection law for Singapore and the implications it will have.

"The PDPA is a welcome piece of legislation and follows the trend of equivalent data protection legislation enacted in other parts of Asia in 2010 and 2011."