Skip to main content
IAM vs. CIAM CIAM Buyer's Guide Contact Us
Janrain respects your privacy and will treat the personal data you choose to share with us in accordance with our privacy policy.

Planning for Privacy Compliance in 2014: The Singapore Personal Data Protection Act

By Lewis Barr | Posted on December 04, 2013

Blog Banner

GM’s recent decision to move its international operations headquarters from Shanghai to Singapore reflects Singapore’s continued transformation from a regional business hub to a global business center. With business moves data. So, as we begin to anticipate privacy law changes coming in the year ahead, it is worth focusing on the Singapore Personal Data Protection Act (the “Act”), which will be enforced beginning July 2, 2014.

The Act establishes a general framework for the protection of “Personal Data” – data about an individual who can be identified from that data or from that data and other data to which an organization has or is likely to have access. The Act requires that before a private organization collects or otherwise processes Personal Data it inform the concerned individual of the purpose of such processing and obtain the individual’s consent. The processing must be for a reasonable purpose. Consent may be either expressed or implied under the circumstances. The Act also requires that individuals be given the opportunity to access their Personal Data and have it corrected.

The Act leaves it to the Singapore Personal Data Protection Commission (“Commission”) and Singapore’s various industry regulatory agencies to provide detailed rules with regard to the collection, use, and disclosure of personal information as well as any data breach notification requirements applicable to particular types of Personal Data, such as financial and health information.

Transfers of Personal Data outside of Singapore are permitted if the transferring organization complies with the Act’s requirements to ensure that the receiving organizations provide protection comparable to that under the Act. In its February 5, 2013 Public Consultation, the Commission indicated that the use of contract clauses (outlined in the Public Consultation) and the use of binding corporate rules would be two alternative ways to satisfy these transfer requirements.

On September 27, 2013, the Commission released advisory guidelines, which explain key concepts of the Act and explore selected topics, indicating how the Commission may apply the Act when enforcing it. Among other things, the guidelines discuss (1) the nine main obligations which organizations are required to comply with regarding their processing of Personal Data, (2) anonymisation, and (3) the treatment of IP addresses and cookies. The guidelines also provide instructive examples. In the future, look for further Commission guidance as well as regulations implementing the Act.


Popular Posts

About the author

Lewis Barr

Lewis Barr

General Counsel and VP, Privacy

Lewis manages Janrain's legal compliance and privacy functions as the company continues its international expansion. He brings more than 15 years of leadership in a wide range of legal and privacy-related matters for growing technology companies. Lewis also utilizes his diverse background as a litigator in private practice, federal appeals court staff attorney, and teacher. Prior to Janrain, Lewis was General Counsel and Secretary of Fios, Inc. and before that, he was General Counsel of New Edge Networks (now EarthLink Business). Lewis holds a Juris Doctor degree from the University of Missouri School of Law and a Bachelor's Degree from Georgetown University’s School of Foreign Service. He is also a Certified Information Privacy Professional (CIPP/US).

View all posts by Lewis Barr