Personal Data Protection Act 2012#Personal Data Protection Commission

The PDPA establishes a general data protection regime, originally comprising nine data protection obligations which are imposed on organisations: the Consent Obligation, the Purpose Limitation Obligation, the Notification Obligation, the Access and Correction Obligation, the Accuracy Obligation, the Protection Obligation, the Retention Limitation Obligation, the Transfer Limitation Obligation and the Openness Obligation (now referred to as the Accountability Obligation).{{cite journal|title=Data privacy law in Singapore: the Personal Data Protection Act 2012|first=Benjamin|last=Wong|year=2017|journal=International Data Privacy Law|volume=7|issue=4|pages=287–302|doi=10.1093/idpl/ipx016}}

Major amendments to the PDPA were proposed and passed in 2020.{{Cite news|title=On protecting data while enabling innovation: 6 highlights from MPs' rigorous debate on PDPA amendments|url=https://www.straitstimes.com/singapore/politics/parliament-rigorous-debate-on-amendments-to-personal-data-protection-act|website=The Straits Times}}{{Cite news|title=Parliament: Proposed changes to PDPA include stiffer fines for data breaches, mandatory notification when they occur|url=https://www.straitstimes.com/politics/parliament-proposed-changes-in-law-include-stiffer-fines-for-data-breaches-mandatory|website=The Straits Times}} Among other changes, a tenth data protection obligation was added, namely, the Data Breach Notification Obligation.{{Cite act|date=2 November 2020|legislature=Singapore|title=Personal Data Protection (Amendment) Act 2020|url=https://sso.agc.gov.sg/Acts-Supp/40-2020/}}

The PDPA also governs telemarketing in Singapore. It establishes the Do Not Call Registers, on which telephone numbers may be registered. There are three Do Not Call Registers: (i) the No Fax Message Register; (ii) the No Text Message Register; and (iii) the No Voice Call Register. Generally, if a telephone number is listed on a Do Not Call Register (e.g. the No Text Message Register), then it is not permitted to send a marketing message of the relevant kind to that telephone number.{{cite news|title=Do Not Call Registry: An easy guide for consumers|url=https://www.straitstimes.com/singapore/do-not-call-registry-an-easy-guide-for-consumers|website=The Straits Times}}

The PDPA establishes the Personal Data Protection Commission (PDPC) as the regulatory authority governing data protection in Singapore. The PDPC enforces the PDPA and publishes advisory guidelines on the interpretation of the PDPA.{{Cite web|title=About Us|url=https://www.pdpc.gov.sg/Who-We-Are/About-Us|website=Personal Data Protection Commission|access-date=6 April 2021}} To date, the PDPC has enforced the PDPA against a number of organisations.{{Cite news|title=CDP and two other organisations fined for data privacy breach|url=https://www.straitstimes.com/singapore/cdp-and-two-other-organisations-fined-for-data-privacy-breach|website=The Straits Times}}{{Cite news|title=Courts fined $9,000 for second data breach in two years|url=https://www.straitstimes.com/tech/courts-fined-9000-for-second-data-breach-in-two-years|website=The Straits Times}}{{Cite news|title=Grab fined $10k over fourth data privacy breach in two years|url=https://www.straitstimes.com/tech/grab-fined-10k-over-fourth-data-privacy-breach-in-two-years|website=The Straits Times}} Notable enforcement cases include SingHealth, which was implicated in the 2018 SingHealth data breach.{{Cite news|title=Singapore health system hit by 'most serious breach of personal data' in cyberattack; PM Lee's data targeted|url=https://www.channelnewsasia.com/news/singapore/singhealth-health-system-hit-serious-cyberattack-pm-lee-target-10548318|website=CNA}}

{{Reflist}}

• [https://sso.agc.gov.sg/Act/PDPA2012 Official text of the Act]

{{Law of Singapore}}

{{Privacy}}

Category:2012 in law

Category:2012 in Singapore

Category:Singaporean legislation

Category:Privacy legislation

Category:Data laws of Asia