Knowing and Innovating with the Enhanced PDPA

28 May 2021

28 May 2021, Singapore – With more and more work processes being digitised, more employees are relying on technology and digital tools to efficiently carry out tasks at the workplace. This includes the sharing of personal data, both intentionally and unintentionally. Not everyone may be aware that there have been amendments to the Personal Data Protection Act (PDPA).

In support of Privacy Awareness Week 2021, and to help ASPRI members stay updated on the amendments to the PDPA, ASPRI, together with the Association of Singapore Marine Industries (ASMI), worked with the Personal Data Protection Commission (PDPC) to organise a webinar titled “Knowing & Innovating with the Enhanced PDPA”. The webinar, which was held on 28 May 2021, aimed to help business owners, data protection officers (DPO) and any personnel handling personal data understand the amendments made to the PDPA and how they relate to organisations handling personal data.

The webinar also covered the Infocomm Media Development Authority’s (IMDA) Data Protection Trustmark (DPTM) certification, and how it can help organisations strengthen consumer and regulator trust and increase their competitive advantage in the digital economy.

Mr Justin Lee, Senior Associate (Technology, Media & Telecomm) at Rajah & Tann Singapore LLP, was the guest speaker of the webinar. Rajah & Tann Singapore LLP is a full-service law firm in Singapore. Due to its experience and track record in data protection matters, the firm has been appointed by PDPC and IMDA to support industry engagement efforts in raising awareness of, and promoting compliance with, the PDPA.

In the first part of the webinar, Mr Lee defined personal data as data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

The PDPA provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations.

The PDPA covers personal data (PD) stored in electronic and non-electronic formats. However, there are common exceptions. The PDPA does not apply to the following situations:

  1. Responding to an emergency that threatens the life, safety or health of an individual
  2. Managing or terminating an employment relationship
    • Using an employee’s bank account details to deposit salary
    • Monitoring how an employee uses company resources
    • Posting employees’ photos on the staff directory
    • Managing staff benefit schemes
  3. Evaluative purposes – to determine suitability or eligibility of an individual for:
    • Employment or for appointment to office
    • Promotion in employment or for continuance in employment
    • Removal from employment
    • Award of contracts, awards, bursaries, scholarships or other similar benefits
  4. Publicly available
    • PD that is generally available to the public
    • At a location or an event at which the individual appears and that is open to the public
    • Any member of the public could obtain or access the data with few or no restrictions

Mr Lee then outlined the new exceptions that were part of the amendments. He noted the following:

  1. Use of PD without consent for:
    • Enhancing goods and/or services
    • Improving operational efficiencies
    • Understanding customers to offer personalised services
    • Example: A credit card company derives customers’ spending habits to develop a new line of credit or reward schemes
  2. Collection, use and disclosure of PD without consent for the lawful interest of the organisation, or for a segment of the public
    • Example: Hotels get together to compile and share a blacklist of “hotel skippers” who do not pay for the use of hotel services

In the second part of the webinar, Mr Lee discussed the DPTM in detail. The DPTM is a voluntary enterprise-wide certification for organisations to demonstrate accountable data protection practices. The DPTM will help businesses increase their competitive advantage and build trust with their customers and stakeholders.

From the perspective of consumers, they can rest assured that an organisation certified with the DPTM has put in place responsible data protection practices and will take better care of their personal data. The directory of DPTM-certified organisations can be found here.

The certification involves two fees. The first is an application fee of S$535 (with GST), which is payable to IMDA. The second is an assessment fee, which is payable to the Assessment Body (AB). The AB acts as an independent body to assess whether an organisation’s data protection practices conform to the DPTM requirements. More details on DPTM can be found here.

Towards the end of the webinar, attendees had the opportunity to clarify their concerns and doubts through a Q&A session with Mr Lee. The webinar was attended by over 90 attendees who found the session to be insightful and useful.
