What is the Personal Data Protection Act?
The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA provides for the establishment of a national Do Not Call (DNC) registry. The DNC registry will allow individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
The PDPA takes effect in phases starting with the provisions relating to the formation of the Personal Data Protection Commission (PDPC) on 2 January 2013. Provisions relating to the DNC registry will come into force on 2 January 2014 and the main data protection rules will come into force on 2 July 2014. This allows time for organisations to review and adopt internal personal data protection policies and practices, to help them comply with the PDPA.
Government agencies and statutory boards are excluded from the law — which was passed in Parliament in October last year — as they are governed by internal rules, most of which have not been made public.