PDPA Overview

What is Personal Data?

Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. 

What is the PDPA?

The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.

It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. 

It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations.

Objectives of the PDPA

The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.

By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.

Scope of the PDPA

The PDPA covers personal data stored in electronic and non-electronic formats. 

It generally does not apply to:

  • Any individual acting on a personal or domestic basis.
  • Any individual acting in his/her capacity as an employee with an organisation.
  • Any public agency in relation to the collection, use or disclosure of personal data.
  • Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.

Data Protection Obligations

Organisations are required to comply with the various data protection obligations if they undertake activities relating to the collection, use or disclosure of personal data. Learn more about the obligations.

Development of the PDPA

  

2013

Establishment of the PDPC on 2 January.

2014

The DNC Registry provisions came into force on 2 January and the main data protection rules on 2 July.

2020

Amendments to the PDPA passed on 2 November.

2021

Amendments to the PDPA took effect in phases from 1 February.

The Act

Regulations

Other Subsidiary Legislation

Parties to civil proceedings relating to the PDPA may also wish to refer to the Rules of Court 2021, Order 57.