Personal Data Protection Act 2012

Parliament of Singapore
  • An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith, and to make related and consequential amendments to various other Acts.
Citation: No. 26 of 2012
Enacted by: Parliament of Singapore
Passed: 15 October 2012
Assented to: 20 November 2012
Legislative history
Bill: Personal Data Protection Bill
Introduced by: Assoc Prof Dr Yaacob Ibrahim
Status: In force

The Personal Data Protection Act 2012 ("PDPA") sets out the law on data protection in Singapore. The PDPA regulates the processing of personal data in the private sector. [1]

Overview

The PDPA establishes a general data protection regime, originally comprising nine data protection obligations which are imposed on organisations: the Consent Obligation, the Purpose Limitation Obligation, the Notification Obligation, the Access and Correction Obligation, the Accuracy Obligation, the Protection Obligation, the Retention Limitation Obligation, the Transfer Limitation Obligation and the Openness Obligation (now referred to as the Accountability Obligation). [2]

Major amendments to the PDPA were proposed and passed in 2020. [3] [4] Among other changes, a tenth data protection obligation was added, namely, the Data Breach Notification Obligation. [5]

The PDPA also governs telemarketing in Singapore. It establishes the Do Not Call Registers, on which telephone numbers may be registered. There are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind to that telephone number. [6]

Personal Data Protection Commission

The PDPA establishes the Personal Data Protection Commission ("PDPC") as the regulatory authority governing data protection in Singapore. The PDPC enforces the PDPA and publishes advisory guidelines on the interpretation of the PDPA. [7] To date, the PDPC has enforced the PDPA against a number of organisations. [8] [9] [10] Notable cases include SingHealth, which was implicated in the 2018 SingHealth data breach. [11]

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Medical privacy or health privacy is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) has raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

Data Protection Act 1998: United Kingdom legislation

The Data Protection Act 1998 was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Information Commissioner's Office: Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.

Personal Information Protection and Electronic Documents Act: 2000 Canadian law

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

The Telephone Preference Service (TPS) is a UK register of domestic telephone numbers whose users have indicated that they do not wish to receive sales and marketing telephone calls. Registration is free of charge. The service is paid for by the direct marketing industry. There is a similar service for corporate users, the Corporate Telephone Preference Service (CTPS). Similar do not call lists are implemented in other countries.

The Privacy Act 1988 is an Australian law dealing with privacy. Section 14 of the Act stipulates a number of privacy rights known as the Australian Privacy Principles (APPs). These principles apply to Australian Government and Australian Capital Territory agencies or private sector organizations contracted to these governments, organizations and small businesses who provide a health service, as well as to private organisations with an annual turnover exceeding AUD$3M. The principles govern when and how personal information can be collected by these entities. Information can only be collected if it is relevant to the agencies' functions. Upon this collection, that law mandates that Australians have the right to know why information about them is being acquired and who will see the information. Those in charge of storing the information have obligations to ensure such information is neither lost nor exploited. An Australian will also have the right to access the information unless this is specifically prohibited by law.

Human rights in Singapore

Human rights in Singapore are codified in the Constitution of Singapore, which sets out the legal rights of its citizens. These rights are protected by the Constitution and include amendments and referendums. These rights have evolved significantly from the days since independence though the government in Singapore has broad powers to possibly limit citizens' rights or to inhibit political opposition. In 2018, Singapore was ranked 151st by Reporters Without Borders in the Worldwide Press Freedom Index. U.S.-based Freedom in the World scored Singapore 3 out of 7 for "political freedom", and 3 out of 7 for "civil liberties", with an overall ranking of "partly free" for the year 2015.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security. Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

Privacy law in Denmark is supervised and enforced by the independent agency Datatilsynet based mainly upon the Act on Processing of Personal Data.

The Personal Data Privacy and Security Act of 2009 was a bill proposed in the United States Congress to increase protection of personally identifiable information by private companies and government agencies, set guidelines and restrictions on personal data sharing by data brokers, and to enhance criminal penalty for identity theft and other violations of data privacy and security. The bill was sponsored in the United States Senate by Patrick Leahy (Democrat-Vermont), where it is known as S.1490.

General Data Protection Regulation: European regulation on personal data

The General Data Protection Regulation (EU) (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

The Office of the Privacy Commissioner administers the Privacy Act 2020. The Privacy Commissioner is entrusted to protect personal information of New Zealanders in accordance with the Privacy Act. Starting on 5 July 2022, the next privacy commissioner will be Michael Webster.

Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015: Act of the Parliament of Australia

The Telecommunications Amendment Act 2015 is an Australian law that amends the Telecommunications Act 1979 and the Telecommunications Act 1997 to introduce a statutory obligation for Australian telecommunication service providers to retain, for a period of two years, particular types of telecommunications data (metadata) and introduces certain reforms to the regimes applying to the access of stored communications and telecommunications data under the TIA Act.

According to the Civil Aviation Authority of Singapore (CAAS), an unmanned aircraft (UA), commonly known as a drone, is operated without a pilot on board. An unmanned aircraft system (UAS) comprises the UA and associated elements such as the remote control equipment.

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

References

  1. "Parliament: Public agencies not governed by PDPA because of fundamental differences in how they operate". The Straits Times.
  2. Wong, Benjamin (2017). "Data privacy law in Singapore: the Personal Data Protection Act 2012". International Data Privacy Law. 7 (4): 287–302. doi:10.1093/idpl/ipx016.
  3. "On protecting data while enabling innovation: 6 highlights from MPs' rigorous debate on PDPA amendments". The Straits Times.
  4. "Parliament: Proposed changes to PDPA include stiffer fines for data breaches, mandatory notification when they occur". The Straits Times.
  5. "Personal Data Protection (Amendment) Act 2020". Act of 2 November 2020. Singapore.
  6. "Do Not Call Registry: An easy guide for consumers". The Straits Times.
  7. "About Us". Personal Data Protection Commission. Retrieved 6 April 2021.
  8. "CDP and two other organisations fined for data privacy breach". The Straits Times.
  9. "Courts fined $9,000 for second data breach in two years". The Straits Times.
  10. "Grab fined $10k over fourth data privacy breach in two years". The Straits Times.
  11. "Singapore health system hit by 'most serious breach of personal data' in cyberattack; PM Lee's data targeted". CNA.