For business owners, it is important to understand the boundaries, laws and regulations concerning data collection. When customers provide their personal details to your business, they are trusting that you will not abuse this privilege.
To ensure a baseline standard of protection for personal data, Singapore’s Personal Data Protection Act 2012 (PDPA) was implemented.
So just what are these obligations and guidelines that businesses in Singapore have to abide to when collecting customers private information? Read on to get a better understanding of Singapore’s PDPA.
1. Consent [restrict]
You are only allowed to collect, use or disclose data if an individual has given consent. If an individual expresses their displeasure, in line with Singapore’s PDPA you are legally obligated to halt collection, usage or disclosure of their data.
2. Purpose Limitation
Personal data of an individual may only be collected, used or disclosed given that the person has given consent and been informed of the purpose of usage. If you are collecting their information to use on your mailing list, then they must be informed of exactly that.
You may only collect, use or disclose personal data within a circumstances that are considered appropriate and reasonable. If there their data is being used for multiple purposes, they must be informed of all purposes. If an individual finds the requests unreasonable, they have a right to deny disclosure of their data.
It is your duty to ensure that the personal data collected by or on behalf of your business is accurate and complete. If the personal data you have collected is misrepresented, you are required to correct it as soon as possible.
5. Correction & Access
Customers have the right to request information on how their personal data is being used through any period. You are required to oblige and inform upon requests.
If a customer has any discretion regarding their data, you are required to apply changes to their personal data as requested.
6. Retention & Limitation
Once the personal data is no longer necessary for business or legal purposes, you are required to remove the information associated with the customer.
7. Transfer & Limitation
If a transfer of data is necessary for any reason, you must adhere to regulations and requirements.
Ensure that the standard of protection provided meets the Singapore’s PDPA requirements, as well as international Data Privacy Laws. In the event of a data breach, you and your business will be held responsible if protection standards were not met.
Make information on your data protection policies, practices and complaints as transparent as possible. This means making the information available upon collection and requests as necessary.
Compliance with PDPA standards remains the responsibility of your business.
Under section 51(3)(b) and (c) of the PDPA, it s illegal for individuals or organisations to interfere with PDPC inspectors. This includes misleading them with false statements.
For an individual who commits an offence, they are liable to a fine of up to SGD$10,000 and/or imprisonment for up to 12 months. In any other case, it is a fine of up to SGD$100,000
The PDPC serves as a mediating authority between businesses and individuals. While collecting personal data is necessary for most businesses, it is just as important to acknowledge the responsibility to protect said data.
Now that you are up-to-date on what obligations you have as a Singaporean business owner, keep the necessary guidelines in place to ensure trouble-free data collection.
Hopefully this article has provided some insight into what is required in terms of personal data collection.
Be sure to read the PDPA’s Sector Specific Guidelines and Industry-led Guidelines as they contain more information regarding businesses that is specific to your business.