Personal Data Protection Checklist: For Organisations
How well does your organisation protect personal data? This self-assessment checklist is based on the
nine personal data protection obligations underlying the Personal Data Protection Act 2012 (PDPA) and is
designed to assist your organisation in reviewing its policies and considering ways in which it can better
protect the personal data in its custody.
Please note that the data protection provisions in the PDPA (Parts III to VI) do not apply to:
An individual acting in a personal or domestic capacity;
An employee acting in the course of his or her employment with an organisation;
A public agency, or an organisation in the course of acting on behalf of a public agency,
in relation to the collection, use or disclosure of the personal data; and
Business contact information. This refers to an individual's name, position name or
title, business telephone number, business address, business electronic mail address or
business fax number, and any other similar information about the individual that is not provided
by the individual solely for his/her personal purposes.
Consider the following questions along with your organisation's current practices. For each question,
record YES or NO and note your action plan.

Collection of Personal Data
1 Do you collect personal data about your customers or employees, such as:
Full name
NRIC or FIN number
Passport number
Photograph or video image of an individual
Mobile telephone number
Personal email address
Thumbprint
DNA profile
Name and residential address
Name and residential telephone number
Personal data refers to data, whether true or not, about an individual who can
be identified from that data; or from that data and other information to which
the organisation has or is likely to have access.
Knowing the personal data you collect may help you to identify and put in
place appropriate data protection policies.
3 When collecting personal data, do you clearly inform the individual of the
purpose(s) for which it will be collected, used or disclosed, and obtain
his/her consent?
4 If you collect personal data from third parties, do you ensure that the
third party has obtained consent from the individuals to disclose the
personal data to you for your intended purposes?
You should generally ensure that the third party has obtained the consent from
the individuals to collect, use and disclose their personal data for your intended
purposes, before collecting, using or disclosing the personal data.
Whilst a data intermediary may only be required to comply with the Protection
and Retention Limitation Obligations, the organisation for whom it is processing
personal data will be subject to the entire PDPA in respect of such personal
data.
Use of Personal Data
8 Do you limit the use of the personal data collected to only those purposes for which
you have obtained consent?
You may continue to use personal data that was collected before the data
protection requirements of the PDPA come into operation for the purposes for which
the personal data was collected, unless the individual has withdrawn consent. If
there is a fresh purpose for the use of such personal data, consent should be
obtained. For personal data collected after the data protection requirements of the
PDPA come into operation, you should notify the individual of, and obtain his/her consent to,
the collection, use and disclosure of his/her personal data.
10 If you intend to use personal data without consent, have you checked
the Third Schedule and other provisions of the PDPA to understand
when you may use personal data without consent?
12 If you intend to disclose personal data without consent, have you checked
the Fourth Schedule and other provisions of the PDPA to understand
when you may disclose personal data without consent?
Under the PDPA, individuals may request access to their personal data.
There are, however, prohibitions and exceptions under the PDPA that may
apply.
On request, you should provide information about the ways in which the individual's
personal data has been or may have been used or disclosed by the organisation
within a year before the request.
17 Have you established a formal procedure to send corrected personal
data to third party organisations to which that personal data was disclosed
within one year before the correction?
If a correction is made, you should generally send the corrected data to every other
organisation to which the data was disclosed within a year before the correction is
made, unless that organisation does not need the corrected data for any business or
legal purpose. Further, with the individual's consent, you may send the corrected
data only to selected organisations (unless you are a credit bureau).
18 Have you checked section 21(3), and the Fifth and Sixth Schedules, of the
PDPA to understand when you are not required to provide access to or
correct personal data?
V. Accuracy Obligation
19 Do you make reasonable efforts to verify that the personal data you keep
is accurate and complete (i) before any use of it to make a decision that
affects the individual, or (ii) before disclosing it to another organisation?
You are obligated to keep the personal data you collect reasonably accurate
and complete, if the personal data is likely to be used to make a decision about
the individual, or is likely to be disclosed to another organisation.
VI. Protection Obligation
20 Have you assessed the personal data protection risks within your
organisation and put in place personal data security policies?
Keep personal data in your possession or under your control safe and secure
from unauthorised access, modification, disclosure, use, copying, disposal or
similar risks, whether in manual or electronic form. Analyse the likelihood of
security failures occurring, considering possible threats and vulnerabilities.
Please refer to our online Guide on Securing Personal Data on Electronic
Medium for an overview of the common information and communications
technology (ICT) areas and related security measures that can be adopted.
23 Do external parties have easy access to the personal data that you
hold?
Ensure that any such outsourced parties who are data intermediaries under the
PDPA take the necessary action so that your organisation remains in
compliance with the PDPA. Please refer to the note in question 5.
Do not keep personal data for longer than necessary for business or legal
purposes. Define specific retention periods for your various classifications of
personal data in accordance with legal and business requirements.
Once personal data is no longer needed, dispose of it securely: hard copy records
containing personal data should be shredded or otherwise securely destroyed, and
electronic data should be erased completely. Otherwise, anonymise the data such
that no individual can be identified from the data kept.
IX. Openness Obligation
30 Have you designated one or more individuals (who may be referred to
as data protection officers) to be responsible for ensuring that the data
protection policies and practices of your organisation are in compliance
with the PDPA?
Organisations should make their data protection policies and the business
contact information of their data protection officers (or the individuals to
whom the responsibility has been delegated) publicly available.
Data Intermediary
If your organisation is a data intermediary*, please consider the question below, in conjunction with the
questions in sections VI-IX on the main obligations of the PDPA.
*Data intermediary refers to an organisation which processes personal data on behalf of another organisation but
does not include an employee of that other organisation.
DNC Registry
How well-prepared is your organisation for when the Do Not Call (DNC) Registry comes into operation in early
2014? This part of the checklist focuses on your organisation's obligations under the DNC provisions.
39 Have the individuals on your marketing list given their clear and
unambiguous consent, evidenced in written or other accessible form,
The DNC Registry provisions under the PDPA generally prohibit organisations
from sending certain marketing messages to Singapore telephone numbers
(including mobile, fixed-line, residential and business numbers) that are registered with
the registry. If the individual has not given you his/her clear and unambiguous
consent, evidenced in written or other accessible form, to the sending of
telemarketing messages to his/her telephone number, you will need
to check the relevant DNC Register(s) before sending your telemarketing
messages.
40 In relation to individuals who have not given their clear and
unambiguous consent for telemarketing, have you established an
internal process for checking with the DNC Registry prior to your
telemarketing campaigns?
If your organisation is making (or causing or authorising the making of) a voice
call containing a marketing message, ensure that the calling line identity (the phone
number or other information identifying the sender) is not concealed.
The message should include information identifying the organisation and stating how the
recipient can readily contact you. That contact information should remain
valid for at least 30 days after the message is sent, so that the recipient
can contact you for clarifications if necessary.
COPYRIGHT 2015 Personal Data Protection Commission Singapore and Info-communications Development Authority of Singapore
This publication gives a general introduction to the personal data protection law in Singapore and best practices. The contents herein are not
intended to be an authoritative statement of the law or a substitute for legal advice. The Personal Data Protection Commission (PDPC), the Info-
communications Development Authority of Singapore (IDA) and their respective members, officers and employees shall not be responsible for any
inaccuracy, error or omission in this publication or liable for any damage or loss of any kind as a result of any use of or reliance on this publication.
The contents of this publication are protected by copyright, trade mark and other forms of proprietary rights. All rights, title and interest in the
contents are owned by, licensed to or controlled by PDPC and/or the IDA, unless otherwise expressly stated. This publication may not be reproduced,
republished or transmitted in any form or by any means, in whole or in part, without written permission.