Data Protection Law Passed In Singapore

Data Protection Law Passed In Singapore

On 15 Oct 2012, Singapore’s Parliament passed the Personal Data Protection Bill, a law enacted to protect the personal data of individuals. With it comes the creation of a new government entity, the Personal Data Protection Commission and a National Do-Not-Call Registry (DNC). The Personal Data Protection Commission will oversee and enforce matters relating to the Act while the DNC allows individuals to register their number if they do not wish to be contacted by businesses for commercial purposes.

The registry is expected to be ready for the public to sign-up in early 2014.

The impetus for Singapore to pass such a law is economic survival. For a country without a provision for the protection of privacy in its constitution, this is unsurprising. For more than a decade, however, the Bill was resisted on the grounds that it would unnecessarily burden SMEs. Then, the Model Data Protection Code introduced in 2002 for voluntary adoption was considered sufficient. The introduction of this bill now brings us up to the information protection levels of countries such as Hong Kong, Canada, New Zealand, neighbouring Malaysia and the E.U.

This far-reaching law will affect all organizations and businesses except government agencies. All entities in possession and control of personal data will have to check if they need to comply. One example would be the use and storage of personal data for Human Resource (HR) purposes. With the new law in effect, after recruitment exercises, firms are required to destroy the personal data of unsuccessful candidates. Transactions such as mergers and acquisitions, amalgamation, leasing or financing will now have to take this law into account, if personal data is used. Telemarketers will need to send their database to be filtered by the Do-Not-Call Registry.

Violators can be charged up to $10,000 for every unsolicited marketing call and be fined up to $1 million for every data protection offense.

Not all data fall within the ambit of the Act. One general exception is business contact details, information usually found on business cards.

The law has a sunrise period of 18 months for compliance with the data protection regime. During this period,all organizations with a database of personal data should assign a person to ensure that the organization is in compliance with the new law and their contact information must be made public.

Should you require any assistance, please contact


Featured Image courtesy of adamr at