Part of a comprehensive analysis of the Personal Data Protection Act 2012
All Parts in This Series
Access and Correction Rights under the Personal Data Protection Act 2012: An In-Depth Analysis of Sections 21, 22, and 22A
The Personal Data Protection Act 2012 (PDPA) establishes a comprehensive framework for the protection of personal data in Singapore. Part 5 of the PDPA specifically addresses the rights of individuals to access and correct their personal data held by organisations. This article provides a detailed examination of the key provisions within Part 5—namely Sections 21, 22, and 22A—highlighting their purposes, operational mechanisms, and interrelations with other statutory provisions.
Section 21: Right of Access to Personal Data
Section 21 of the PDPA enshrines the fundamental right of individuals to access their personal data held by organisations. This provision mandates that, upon request, organisations must provide individuals with their personal data and information regarding its use or disclosure within the preceding year, subject to certain exceptions.
"21.—(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation must, as soon as reasonably possible, provide the individual with — (a) personal data about the individual that is in the possession or under the control of the organisation; and (b) information about the ways in which the personal data mentioned in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request." — Section 21, Personal Data Protection Act 2012
The rationale behind Section 21 is to empower individuals with transparency and control over their personal data. By obligating organisations to disclose the data they hold and its usage, the provision promotes accountability and enables individuals to verify the accuracy and appropriateness of data processing activities.
However, Section 21 also recognises the need to balance transparency with other legitimate interests. Subsections (2) and (7) provide exceptions, such as when disclosure would contravene other laws or affect prescribed law enforcement agencies. For instance:
"An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the individual’s consent." — Section 21(4), Personal Data Protection Act 2012
Verify Section 21 in source document →
"An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule." — Section 21(2), Personal Data Protection Act 2012
Verify Section 21 in source document →
These exceptions exist to safeguard sensitive investigations, national security, and other public interests that could be compromised by full disclosure. Thus, Section 21 carefully balances individual rights with broader societal concerns.
Section 22: Right to Correction of Personal Data
Complementing the right of access, Section 22 grants individuals the right to request correction of errors or omissions in their personal data held by organisations. This provision ensures that personal data remains accurate and up-to-date, which is essential for fair and effective data processing.
"22.—(1) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation." — Section 22(1), Personal Data Protection Act 2012
Upon receiving such a request, organisations are required to make the necessary corrections or, if correction is not feasible, to annotate the data to indicate the individual’s position. This mechanism prevents the perpetuation of inaccurate data that could adversely affect individuals, such as in credit reporting or employment screening.
Section 22 also includes exceptions similar to those in Section 21, as outlined in the Sixth Schedule, to protect sensitive information or comply with other legal obligations:
"An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule." — Section 22(7), Personal Data Protection Act 2012
Verify Section 22 in source document →
These exceptions ensure that correction rights do not undermine legitimate confidentiality or legal requirements.
Section 22A: Preservation of Personal Data upon Refusal of Access
Section 22A introduces an important procedural safeguard when organisations refuse access requests under Section 21(1)(a). It mandates that organisations must preserve a complete and accurate copy of the personal data concerned for a prescribed period.
"22A.—(1) Where — (a) an individual, on or after 1 February 2021, makes a request under section 21(1)(a) to an organisation to provide personal data about the individual that is in the possession or under the control of the organisation; and (b) the organisation refuses to provide that personal data, the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned." — Section 22A(1), Personal Data Protection Act 2012
The purpose of this provision is twofold. First, it ensures that data is not destroyed or altered following a refusal, which could impede subsequent investigations or complaints. Second, it facilitates regulatory oversight and enforcement by preserving evidence of the data held and the basis for refusal.
This preservation requirement reflects a commitment to procedural fairness and accountability, reinforcing the integrity of the access regime under the PDPA.
Absence of Explicit Definitions and Penalties in Part 5
Notably, Part 5 of the PDPA does not contain explicit definitions related to access and correction rights. This absence suggests that the terms used are to be interpreted in their ordinary meaning or as defined elsewhere in the Act. This approach avoids redundancy and maintains clarity by centralising definitions in earlier parts of the legislation.
Similarly, Part 5 does not specify penalties or sanctions for non-compliance with access and correction obligations. Enforcement mechanisms and penalties are addressed in other parts of the PDPA, ensuring a coherent and structured regulatory framework. This separation allows Part 5 to focus squarely on the substantive rights and obligations concerning personal data access and correction.
Cross-References to Other Statutory Provisions
Part 5’s provisions are interwoven with other statutory elements to balance individual rights with public interests and legal obligations. For example, the reference to disclosures to prescribed law enforcement agencies under this Act or any other written law underscores the PDPA’s recognition of overlapping legal frameworks:
"An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the individual’s consent." — Section 21(4), Personal Data Protection Act 2012
Verify Section 21 in source document →
Moreover, the Fifth and Sixth Schedules specify matters exempted from access and correction requirements, respectively. These schedules typically include sensitive information such as national security data, confidential commercial information, or data subject to legal privilege. By referencing these schedules, Part 5 ensures that access and correction rights do not conflict with other critical legal protections.
Conclusion
Sections 21, 22, and 22A of the Personal Data Protection Act 2012 collectively establish a robust framework for individuals to access and correct their personal data held by organisations in Singapore. Section 21 guarantees transparency by requiring organisations to disclose personal data and its usage, while Section 22 empowers individuals to ensure the accuracy of such data. Section 22A safeguards procedural integrity by mandating data preservation when access is refused.
These provisions are carefully balanced with exceptions to protect sensitive information and comply with other legal obligations, as reflected in the Fifth and Sixth Schedules and cross-references to other laws. The absence of definitions and penalties within Part 5 itself streamlines the focus on substantive rights, leaving enforcement and interpretative clarity to other parts of the PDPA.
Overall, Part 5 of the PDPA exemplifies Singapore’s commitment to protecting personal data rights while maintaining necessary safeguards for public interest and legal compliance.
Sections Covered in This Analysis
- Section 21 – Access to Personal Data
- Section 22 – Correction of Personal Data
- Section 22A – Preservation of Personal Data upon Refusal of Access
- Fifth Schedule – Exceptions to Access Rights
- Sixth Schedule – Exceptions to Correction Rights
Source Documents
For the authoritative text, consult SSO.