From Cybersec Standards
Jump to: navigation, search


This guidance is based on the Singapore Personal Data Protection Act 2012 (PDPA)

Who Does This Privacy Law Apply To?

The PDPA defines an organisation as “any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore; or resident, or having an office or a place of business, in Singapore”.


a) Any individual acting in a personal or domestic capacity;
b) Any employee acting in the course of his or her employment with an organisation;
c) Any public agency; and
d) Any organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.

What Data Does This Privacy Law Apply To?

Personal data that can, on its own, be used to uniquely identify an individual, or when used in combination with other available data.[1]

A unique identifier which, on its own, constitutes personal data includes:

  • Full name
  • NRIC Number or FIN (Foreign Identification Number)
  • Passport number
  • Personal mobile telephone number
  • Facial image of an individual (e.g. in a photograph or video recording)
  • Voice of an individual (e.g. in a voice recording)
  • Fingerprint
  • Iris image
  • DNA profile

Generic information, such as gender, nationality, age or blood group, alone is not usually able to identify a particular individual (e.g. gender alone cannot identify the individual). Nevertheless, such information may constitute part of the individual’s personal data if it is combined with a unique identifier5 or other information such that it can be associated with, or made to relate to, an identifiable individual.

When Was This Privacy Law Enacted?

The PDPA was passed by Parliament on 15th October 2012 and assented to by the President on 20th November 2012.

Where Does This Privacy Law Have Jurisdiction?

The PDPA does not define "organization" or "personal data" in terms of geographical location. The PDPA applies to:

  • any organization in Singapore that processes personal data, even data originating outside of Singapore, and
  • any organization outside of Singapore that processes personal data belonging to individuals who are resident in Singapore.

How Must Data Be Protected?

Data must be protected with reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.[2]

External Links


  1. Per PDPA, Part I Preliminary Interpretation 2.—(1), “personal data” means data, whether true or not, about an individual who can be identified — (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access;
  2. Per PDPA, Part VI Care of Personal Data, Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.