MANAGEMENT OF PERSONAL DATA UNDER RELEVANT LAWS

Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

The Personal Data Protection Act 2012 (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act 1970 and Insurance Act 1966. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. It also provides for the establishment of a national Do Not Call (DNC) Registry.

The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.



Political parties, candidates and their election agents who collect, use or disclose the personal data of individuals must comply with the data protection provisions under the Personal Data Protection Act 2012 (PDPA) (“Data Protection Provisions”). They are responsible for ensuring that their staff and volunteers also comply with the Data Protection Provisions. Political parties, candidates and their election agents should conduct the necessary training for their staff and volunteers and put in place specific policies and procedures appropriate for their operations, to ensure the proper handling of personal data.

Some key obligations under the Data Protection Provisions are highlighted below:

  1. Political parties, candidates and their election agents must ensure that individuals are notified of the purposes of the collection, use or disclosure of their personal data, and that consent is obtained from the individuals for such collection, use or disclosure. For instance, a candidate who wishes to take a photograph of individuals at election campaign activities in a private location will need to obtain the individuals’ consent.
  2. Political parties, candidates and their election agents must implement reasonable security arrangements to protect personal data in their possession or under their control in order to prevent any unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These may include technical measures such as encrypting personal data to prevent unauthorised access, as well as physical measures such as the proper shredding of confidential documents. As good practice, candidates should avoid leaving personalised election mailers bearing electors’ personal data on the doors or gates of electors’ houses, and should instead slot them into the letterboxes or under the doors of the houses.
  3. Political parties, candidates and their election agents must cease to retain documents containing personal data when there is no business or legal purpose to retain them. Personal data must not be kept indefinitely or “just in case” it may be needed for other purposes that have not been notified to the individuals.

Political parties, candidates and their election agents who send any message to Singapore telephone numbers, the sole purpose of which is for election campaigning, are not prevented from doing so by the Do Not Call Provisions under the PDPA, so long as the message does not offer to supply, advertise or promote a good or service, or include any of the other purposes listed in the definition of a “specified message” under the PDPA.

Political parties, candidates and their election agents are encouraged to refer to the Advisory Guidelines on the Application of Personal Data Protection Act to Election Activities.

Political parties, candidates and their election agents may purchase a copy of a Register of Electors and use the information recorded in the register only for communicating with electors. The information must not be used for commercial or other purposes. They may therefore collect, use or disclose information in the registers without obtaining consent under the Personal Data Protection Act 2012 to the extent that such collection, use or disclosure is for the purpose of communicating with electors in accordance with the relevant laws. They may also disclose information recorded in the registers to others provided such persons give their written acknowledgement that they are bound by the same restrictions on the use of information in the registers.

More information on how to purchase a copy of a register to communicate with electors can be found on the Campaigning webpage.

Political parties, candidates and their election agents are required under the Foreign Interference (Countermeasures) Act 2021 (FICA) to collect the full names, NRIC numbers and addresses of the individual donors from whom they have received political donations, where such donations must be reported under FICA. Candidates may therefore collect, use or disclose such information, without obtaining consent under the Personal Data Protection Act 2012, for the purpose of complying with the requirements under FICA.
