Singapore: Signed Personal Data Protection Act (PDPA) including personal information protection in electronic commerce

Description

On 20 November 2012, the Personal Data Protection Act (PDPA), including personal information protection in electronic commerce, was signed by the President of Singapore. The PDPA stipulates various obligations for organisations operating in Singapore, including making information about their data protection policies, practices, and complaints process available upon request, designating a data protection officer (DPO), and making the officer's contact information public. Organisations are further obligated to notify individuals of the purposes for which their personal data is being collected, used, or disclosed. They can only collect, use, or disclose personal data for purposes for which the individual has given consent. According to the Act, organisations cannot require individuals to consent to the collection, use, or disclosure of their personal data beyond what is reasonable to provide a product or service. Individuals must be allowed to withdraw consent with reasonable notice and must be informed of the likely consequences of withdrawal. Upon withdrawal, the organisation must cease collecting, using, or disclosing the individual's personal data. Moreover, organisations are required to make reasonable security arrangements to protect the personal data in the organisation's possession, preventing unauthorised access, collection, use, and disclosure. Regarding the storage of personal data, the Act stipulates that when personal data is no longer needed for any business or legal purpose, organisations must cease retention of the data or properly dispose of it. Further, organisations must provide individuals with access to their personal data and information about how it was used or disclosed upon request. Lastly, in the event of a data breach, organisations must assess if it is notifiable and if the breach likely results in significant harm to individuals or is of significant scale. Organisations are required to notify the Personal Data Protection Commission (PDPC) and the affected individuals as soon as possible.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: central government

Complete timeline of this policy change

2012-10-15
under deliberation

On 15 October 2012, the Personal Data Protection Act (PDPA) including personal information protecti…

2012-11-20
adopted

On 20 November 2012, the Personal Data Protection Act (PDPA) including personal information protect…

2014-07-02
in force

On 2 July 2014, the Personal Data Protection Act (PDPA), which includes personal information protec…