Jump to content

Personal Data Protection Act 2012

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Yqwong.benjamin (talk | contribs) at 06:06, 1 May 2017 (Data protection). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Personal Data Protection Act 2012
Parliament House, Singapore
Parliament of Singapore
  • An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith, and to make related and consequential amendments to various other Acts.
CitationNo. 26 of 2012
Passed byParliament of Singapore
Passed15 October 2012
Assented to20 November 2012
Legislative history
Bill titlePersonal Data Protection Bill
Introduced byAssoc Prof Dr Yaacob Ibrahim
Status: In force

The Personal Data Protection Act 2012 (the "Act") sets out the law on data protection in Singapore. Apart from establishing a general data protection regime, the Act also regulates telemarketing practices.

Structure of the Act

The Act is arranged into ten Parts:

Part I: Preliminary
Part II: Personal Data Protection Commission and administration
Part III: General rules with respect to protection of personal data
Part IV: Collection, use and disclosure of personal data
Part V: Access to and correction of personal data
Part VI: Care of personal data
Part VII: Enforcement of Parts III to VI
Part VIII: Appeals to Data Protection Appeal Committee, High Court and Court of Appeal
Part IX: Do Not Call Registry
Part X: General

Personal Data Protection Commission

The Act establishes the Personal Data Protection Commission ("PDPC"). The PDPC is Singapore's primary data protection authority, and also administers the Do Not Call Registry. Among other matters, the PDPC issues advisory guidelines on the Act, and also enforces the Act.[1]

Advisory guidelines

The PDPC publishes a comprehensive set of guidelines. The guidelines provide guidance on how the PDPC interprets the Act. They are advisory in nature, and are not legally binding. The guidelines serve as accessible reference material for organisations seeking to comply with the Act.[2]

Data protection

The Act establishes a general data protection regime, comprising nine data protection obligations which are imposed on organisations.[3]

  1. Consent Obligation
  2. Purpose Limitation Obligation
  3. Notification Obligation
  4. Access and Correction Obligation
  5. Accuracy Obligation
  6. Protection Obligation
  7. Retention Limitation Obligation
  8. Transfer Limitation Obligation
  9. Openness Obligation

The PDPC's Advisory Guidelines On Key Concepts In The Personal Data Protection Act[4] gives detailed guidance on each of these obligations.

The Consent Obligation is the first data protection obligation in the Act. According to the PDPC:[5]

An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.

Purpose Limitation Obligation

The Purpose Limitation Obligation is the second data protection obligation in the Act. According to the PDPC:[6]

An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

Notification Obligation

The Notification Obligation is the third data protection obligation in the Act. According to the PDPC:[7]

An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual's personal data on or before such collection, use or disclosure of the personal data.

Telemarketing

The Act also regulates telemarketing practices in Singapore.

First, the Act establishes the Do Not Call Registers, on which telephone numbers may be registered. As of 30 April 2017, there are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind (e.g. text message) to that telephone number.[8]

Second, the Act imposes duties to provide information on, and to not conceal, the identities of the senders of marketing messages.[9]

The PDPC's Advisory Guidelines On The Do Not Call Provisions[10] gives detailed guidance on the Do Not Call provisions of the Act.

References

  1. ^ "Who We Are". Personal Data Protection Commission. Retrieved 30 April 2017.
  2. ^ "Guidelines". Personal Data Protection Commission. Retrieved 1 May 2017.
  3. ^ "Overview". Personal Data Protection Commission. Retrieved 30 April 2017.
  4. ^ "Advisory Guidelines On Key Concepts In The Personal Data Protection Act". Personal Data Protection Commission. Retrieved 1 May 2017.
  5. ^ Ibid.
  6. ^ Ibid.
  7. ^ Ibid.
  8. ^ "Do Not Call Registry & You". Personal Data Protection Commission. Retrieved 30 April 2017.
  9. ^ "Do Not Call Registry & Your Business". Personal Data Protection Commission. Retrieved 30 April 2017.
  10. ^ "Advisory Guidelines On The Do Not Call Provisions". Personal Data Protection Commission. Retrieved 1 May 2017.

Further reading

Retrieved from "https://en.wikipedia.org/w/index.php?title=Personal_Data_Protection_Act_2012&oldid=778114264"