Although this is not an exhaustive list, controllers must generally ensure that:
- their personal data registries are adequately created and registered;
- data processing agreements are concluded with data processors in accordance with the applicable rules;
- data subjects’ consent is obtained in form and contents as and when required under the law;
- data subjects’ rights are complied with (e.g., the right to be informed);
- technical and organisational security measures are in place.
According to the CDLP the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data information related to the data bank; an obligation that does not cease upon completion of its functions or activities in that field.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law)
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The law authorises it;
- The data subject expressly accepts said processing;
- Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.
Organisations, wherever located, that process personal data of individuals in Singapore are required to comply with the PDPA.
The PDPA sets out ten main data protection obligations which are to be complied with when processing personal data.
Under the PDPA, to collect and process personal data lawfully, organisations must comply with the following obligations:
- Consent Obligation – to obtain the consent of the individual;
- Purpose Limitation Obligation – to collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
- Notification Obligation – to notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
- Access and Correction Obligation – upon request, provide information in which the individual’s personal data has been or may have been used or disclosed and to correct any error or omission in an individual’s personal data;
- Accuracy Obligation – make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
- Protection Obligation – make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
- Retention Limitation Obligation – cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
- Transfer Limitation Obligation – ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA;
- Data Breach Notification Obligation – assess whether a data breach is notifiable and notify the affected individuals and/or PDPC where it is assessed to be notifiable; and
- Accountability Obligation – implement policies and procedures to meet its obligations under the PDPA, and make information about its policies and practices publicly available and to appoint a data protection officer.
Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”.
A data intermediary that processes personal data pursuant to a written contract will only be responsible for the Protection Obligation, the Retention Obligation and the Data Breach Notification Obligation – protecting the personal data in its care, ensuring that the personal data is not retained by the data intermediary when there is no longer a business or legal need to do so, and notifying the organisation or public agency for which it is processing personal data on behalf of where the data intermediary discovers that a data breach has occurred.