Singapore PDPA Privacy Guide: Your Rights Under the Personal Data Protection Act
A comprehensive guide to Singapore's Personal Data Protection Act (PDPA). Understand your data rights, what organizations can and cannot do, and how to file complaints with the PDPC.
Singapore's Personal Data Protection Act (PDPA) has been in effect since 2014, yet many Singaporeans remain unaware of the rights it gives them. In a city-state where nearly every transaction — from taking a taxi to buying bubble tea — involves some form of data collection, understanding your privacy rights is not optional. It is essential.
The PDPA governs how organizations collect, use, disclose, and store your personal data. It is enforced by the Personal Data Protection Commission (PDPC), which has the power to investigate complaints, issue directions, and impose financial penalties of up to S$1 million per breach.
What the PDPA Covers
Personal Data Under PDPA
Personal data is defined as any data that can identify an individual, either on its own or combined with other information. This includes:
| Type | Examples |
|---|---|
| Identifiers | NRIC number, FIN, passport number |
| Contact information | Phone number, email address, home address |
| Financial data | Bank account numbers, credit card details, income |
| Employment data | Job title, employer, salary, performance reviews |
| Health data | Medical records, prescriptions, insurance claims |
| Biometric data | Fingerprints, facial recognition data |
| Digital identifiers | IP addresses, device IDs, browsing history |
| Images and recordings | CCTV footage, photos, voice recordings |
What Is Not Covered
The PDPA does not apply to:
- Government agencies (governed by the Government Instruction Manual)
- Personal or domestic purposes (your personal contact list)
- Business contact information used for business purposes
- Data about deceased individuals (more than 10 years after death)
Your 5 Key Rights Under the PDPA
1. Right to Consent
Organizations must obtain your consent before collecting, using, or disclosing your personal data. You must be informed of the purpose of collection, and your consent must be voluntary. You can withdraw consent at any time, though the organization may inform you of the consequences.
Practical tip: If a store asks for your NRIC to join a loyalty program, you can refuse. They must provide the service without requiring unnecessary personal data.
2. Right to Access
You can request access to your personal data held by any organization, as well as information about how your data has been used or disclosed in the past year. The organization must respond within 30 days.
Practical tip: You can write to any company and ask them what personal data they hold about you. They are legally required to tell you.
3. Right to Correction
If your personal data held by an organization is inaccurate or incomplete, you have the right to request correction. The organization must correct the data and send the corrected version to any other organization it was shared with in the past year.
4. Right to Withdraw Consent
You can withdraw your consent for an organization to collect, use, or disclose your personal data at any time. The organization must comply within a reasonable period and inform you of any consequences (such as being unable to provide certain services).
5. Right to Data Portability (2021 Amendment)
The Data Portability Obligation, introduced in the 2021 PDPA amendment, allows you to request that your data be transmitted to another organization in a commonly used format. This applies to data that was provided by you and is in electronic form.
The NRIC Collection Rules
One of the most impactful PDPA guidelines affects NRIC collection. Since September 2019:
| Situation | Can They Collect Your Full NRIC? |
|---|---|
| Opening a bank account | Yes — legally required |
| Hospital registration | Yes — legally required |
| Employment records | Yes — legally required |
| Building visitor log | No — use last 4 characters or alternative ID |
| Retail loyalty program | No — use alternative identifiers |
| Lucky draw registration | No — use alternative identifiers |
| Gym membership | No — use alternative identifiers |
What to do: If a non-essential service asks for your full NRIC, you can refuse and cite the PDPA Advisory Guidelines on NRIC numbers.
The Do Not Call Registry (DNC)
The PDPA established Singapore's Do Not Call (DNC) Registry, which allows you to opt out of telemarketing calls, SMS, and faxes. You can register your numbers at dnc.gov.sg.
| Registration | Protection |
|---|---|
| No Call Register | Blocks telemarketing voice calls |
| No Text Register | Blocks telemarketing SMS |
| No Fax Register | Blocks telemarketing faxes |
Organizations face penalties of up to S$10,000 per unauthorized marketing message.
How to File a PDPA Complaint
If you believe an organization has mishandled your personal data:
Step 1: Contact the Organization Directly
Write to the organization's Data Protection Officer (DPO). Every organization covered by the PDPA is required to designate a DPO. Clearly state what happened and what you want them to do about it.
Step 2: File a Complaint with the PDPC
If the organization does not respond satisfactorily within 30 days, file a complaint with the PDPC at pdpc.gov.sg. Include:
- Your personal details
- The organization's details
- Description of the incident
- Evidence (screenshots, emails, correspondence)
- What resolution you are seeking
Step 3: PDPC Investigation
The PDPC will assess the complaint and may initiate an investigation. Possible outcomes include:
- Direction to the organization to stop the data practice
- Direction to destroy improperly collected data
- Financial penalty of up to S$1 million
- Public enforcement decision (published on PDPC website)
Notable PDPA Enforcement Cases
| Year | Organization | Breach | Penalty |
|---|---|---|---|
| 2019 | SingHealth | 1.5 million patient records breached | S$250,000 |
| 2019 | IHiS (IT vendor) | Failed security measures in SingHealth breach | S$750,000 |
| 2020 | Integrated Health Information Systems | Unauthorized data disclosure | S$50,000 |
| 2021 | Various SMEs | Improper NRIC collection | Warnings and directions |
| 2022 | Multiple organizations | Data breaches from inadequate security | Various penalties |
Practical PDPA Tips for Everyday Life
- Read privacy policies before signing up for services — know what data is collected
- Use the DNC Registry to stop unwanted marketing messages
- Request data deletion from services you no longer use
- Know when to refuse NRIC collection — cite the PDPA advisory guidelines
- Report data breaches you discover to the PDPC
- Ask for the DPO's contact when an organization collects your data
- Exercise your access rights to find out what data companies hold about you
Share Personal Data Securely
Under the PDPA, organizations must protect your data. But you also have a role in protecting your own information. When you need to share personal data — your NRIC for a bank application, financial details for a transaction, or medical records for a referral — avoid sending it in plain text through WhatsApp or similar messaging apps.
Use LOCK.PUB to create a password-protected, self-destructing link containing your sensitive information. The recipient enters the password to view it, and the data disappears after the set expiration. This minimizes the risk of your personal data being exposed through compromised messaging accounts or device theft.
The Bottom Line
The PDPA gives you real, enforceable rights over your personal data in Singapore. The most important takeaway: you have the right to know what data organizations collect about you, the right to refuse unnecessary collection, and the right to file complaints when your data is mishandled.
Exercise these rights actively. Refuse unnecessary NRIC collection, register on the DNC Registry, request data deletion from unused services, and when you do need to share personal information, use LOCK.PUB to do it securely. Privacy is not a luxury — it is a right protected by Singapore law.