Forum reply on The Straits Times, 8 April 2024

We thank Mr Anand Srinivasan for his letter “Minimise data collection to avoid exposure, misuse” (March 30).

Personal data needs to be adequately protected. Under the Personal Data Protection Act (PDPA), organisations can only collect, use, or disclose personal data for relevant purposes. Organisations are also not allowed to retain personal data when it is no longer needed.

The need to protect personal data well is the foundation for a trusted data environment. This in turn allows businesses to use data responsibly, for innovation towards better services and products that they can then provide to end-consumers. However, if companies fail to protect data, they will be breaching the PDPA, which was enhanced in 2020 with increased penalties.

Organisations also increasingly need to implement necessary IT security measures to protect data. The Personal Data Protection Commission’s “Guide to Data Protection Practices for ICT systems” provides guidance in this respect. Organisations seeking to authenticate their users’ identity can also consider the Singpass-based authentication system.

Ultimately, organisations need to be accountable and to seek consent from their customers. Customers can also protect themselves by clarifying any uncertainty over the data collected with the organisation.

Personal Data Protection Commission