PDPA Overview
What is Personal Data?
Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
What is the PDPA?
The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.
It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore.
It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations.
Objectives of the PDPA
The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.
Scope of the PDPA
The PDPA covers personal data stored in electronic and non-electronic formats.
It generally does not apply to:
- Any individual acting on a personal or domestic basis.
- Any individual acting in his/her capacity as an employee with an organisation.
- Any public agency in relation to the collection, use or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.
Data Protection Obligations
Organisations are required to comply with the various data protection obligations if they undertake activities relating to the collection, use or disclosure of personal data. Learn more about the obligations.
Development of the PDPA
- 2013: Establishment of the PDPC on 2 January.
- 2014: The DNC Registry provisions came into force on 2 January and the main data protection rules on 2 July.
- 2020: Amendments to the PDPA passed on 2 November.
- 2021: Amendments to the PDPA took effect in phases from 1 February.
The Act
Regulations
- Personal Data Protection (Composition of Offences) Regulations 2021
- Personal Data Protection (Do Not Call Registry) Regulations 2013
- Personal Data Protection (Enforcement) Regulations 2021
- Personal Data Protection Regulations 2021
- Personal Data Protection (Appeal) Regulations 2021
- Personal Data Protection (Notification of Data Breaches) Regulations 2021
Other Subsidiary Legislation
- Personal Data Protection (Statutory Bodies) Notification 2013
- Personal Data Protection (Prescribed Law Enforcement Agencies) Notification 2014
- Personal Data Protection (Prescribed Law Enforcement Agency) Notification 2020
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
Parties to civil proceedings relating to the PDPA may also wish to refer to the Rules of Court 2021, Order 57.