Part of a comprehensive analysis of the Personal Data Protection Act 2012
Key Provisions and Their Purpose Under Part 6: Care of Personal Data
Part 6 of the Personal Data Protection Act 2012 (PDPA) sets out critical obligations for organisations regarding the care of personal data. These provisions ensure that personal data is handled responsibly, accurately, securely, and with respect to individuals’ privacy rights. The key provisions and their purposes are as follows:
"An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — (a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or (b) is likely to be disclosed by the organisation to another organisation." — Section 23, Personal Data Protection Act 2012
This provision exists to prevent harm or unfair treatment to individuals arising from inaccurate or incomplete personal data. By mandating reasonable efforts to ensure accuracy, the law protects individuals from adverse decisions or reputational damage caused by erroneous data. It also promotes trust in data sharing between organisations.
"An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored." — Section 24, Personal Data Protection Act 2012
This section aims to safeguard personal data from security breaches and misuse. It recognises the risks posed by unauthorised access or loss of data, which can lead to identity theft, fraud, or privacy violations. By requiring reasonable security arrangements, the provision compels organisations to implement appropriate technical and organisational measures to protect personal data.
"An organisation must cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — (a) the purpose for which that personal data was collected is no longer being served by retention of the personal data; and (b) retention is no longer necessary for legal or business purposes." — Section 25, Personal Data Protection Act 2012
This provision addresses the principle of data minimisation and limits unnecessary retention of personal data. Retaining personal data beyond its intended purpose increases the risk of misuse or breaches. By requiring organisations to cease retention or anonymise data when it is no longer needed, the law reduces privacy risks and promotes responsible data lifecycle management.
"An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act." — Section 26(1), Personal Data Protection Act 2012
This provision safeguards personal data when it is transferred overseas. Since data protection laws vary globally, this section ensures that personal data leaving Singapore continues to receive a comparable level of protection, preventing circumvention of the PDPA. It also empowers the Personal Data Protection Commission to impose conditions or grant exemptions, maintaining regulatory oversight over cross-border data flows.
"The Commission may, on the application of any organisation, by written notice exempt the organisation from any requirement prescribed pursuant to subsection (1) subject to such conditions as the Commission may impose." — Section 26(2), Personal Data Protection Act 2012
This subsection provides flexibility by allowing the Commission to grant exemptions from the cross-border transfer requirements under specific conditions. This recognises that in certain circumstances, strict compliance may be impractical or unnecessary, while still ensuring adequate protection of personal data.
Absence of Definitions in Part 6
Unlike other parts of the PDPA, Part 6 does not contain specific definitions. This is because the obligations under Part 6 apply broadly to "organisations" and "personal data" as defined elsewhere in the Act. The absence of definitions in this part indicates that the general definitions in the PDPA’s preliminary sections govern the interpretation of terms used in Part 6.
No Penalties Specified in Part 6
Part 6 does not explicitly prescribe penalties for non-compliance within its text. However, this does not imply that breaches of these obligations are without consequences. The PDPA contains general enforcement provisions and penalties applicable to contraventions of its obligations, including those under Part 6. The absence of specific penalties in Part 6 allows for a unified enforcement framework under the Act’s broader provisions.
Cross-References Within the PDPA
Part 6 references "requirements prescribed under this Act" particularly in relation to cross-border data transfers, indicating that additional rules or regulations may be set out elsewhere within the PDPA or by the Personal Data Protection Commission (PDPC). For example:
"An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act..." — Section 26(1), Personal Data Protection Act 2012
"The Commission may, on the application of any organisation, by written notice exempt the organisation from any requirement prescribed pursuant to subsection (1)..." — Section 26(2), Personal Data Protection Act 2012
These references highlight the PDPC’s regulatory role in prescribing detailed requirements and granting exemptions, ensuring that the Act remains adaptable to evolving data protection challenges. While Part 6 does not explicitly cross-reference other statutes, it operates within the broader legal framework of Singapore’s data protection regime.
Conclusion
Part 6 of the PDPA establishes foundational obligations for organisations to care for personal data responsibly. By mandating accuracy, security, limited retention, and controlled cross-border transfers, the provisions protect individuals’ privacy and promote trust in data handling practices. The flexibility granted to the PDPC to prescribe requirements and exemptions ensures that the law can respond effectively to technological and business developments. Organisations must therefore implement robust data governance frameworks to comply with these obligations and uphold the standards set by the PDPA.
Sections Covered in This Analysis
- Section 23 – Accuracy of Personal Data
- Section 24 – Protection of Personal Data
- Section 25 – Retention of Personal Data
- Section 26(1) – Transfer of Personal Data Outside Singapore
- Section 26(2) – Exemptions by the Commission
Source Documents
For the authoritative text, consult SSO.