Channel NewsAsia

Personal Data Protection Act kicks in tomorrow

Private sector organisations in Singapore will on Wednesday need to obtain consent and notify people of what personal information is being collected and how it will be used.

SINGAPORE: The Personal Data Protection Act (PDPA) takes full effect on Wednesday (July 2), after an 18-month transition period for companies. This means organisations in Singapore will have to notify people of the purposes for which their personal data is being collected, used and disclosed. More importantly, they need to obtain individuals' consent to do so.

The organisations will also have to make "reasonable security arrangements" to prevent any unauthorised access of the personal data, the Personal Data Protection Commission (PDPC) said in a news release on Tuesday. And they will have to stop retention of personal data when no longer necessary for business or legal purposes.

All organisations must also designate at least one person to be a data protection officer, to ensure compliance with the Act. "Organisations will benefit from complying with the PDPA as it will help them gain consumer confidence and trust," said the PDPC in its statement.

Public sector agencies are exempted from the PDPA, since they already have their own data protection policies in place.

As for individuals, they now have the right to access and correct the personal data collected. Requests for organisations to correct the data must be responded to within 30 days.

One in two organisations recently surveyed said they already had adequate data protection measures, and were clear on what they needed to do under the PDPA.

Mr Leong Keng Thai, Chairman of the Commission said: "With increasingly more data being generated and shared, the PDPA is necessary in order to strengthen Singapore's position as a trusted global data hub."

More information can be found at

Tweet photos, videos and updates on this story to  @channelnewsasia