Personal Data Protection Act (PDPA)

The purpose of Singapore's Personal Data Protection Act is to govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data, and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

PERSONAL DATA refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number), as well as any set of data (e.g. name, age, address, telephone number, occupation, etc) which when taken together would be able to identify the individual.

Researchers should note that the scope of PDPA only applies to identifiable data. The PDPA does not apply to data that is used in anonymized form.

The PDPA takes into account the following concepts:

• Consent – organizations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);

• Purpose – organizations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and

• Reasonableness – organizations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

 References and Further Reading

• Personal Data Protection Commission Singapore (PDPA Overview)

• Singapore Statutes Online (Personal Data Protection Act 2012)