Data Privacy Laws

How to train your employees on Personal Data Protection Act, Singapore?


In 2021, MyRepublic, a telecom company based in Singapore, suffered a data breach. According to reports, the personal data of approximately 79,388 Singaporean citizens and permanent residents was stolen.

Want to know the root cause?

Compromised access key.

The organisation made the mistake of storing it on a webpage called ‘PHP info’, a page that programmers use and that was readable by the public. This means anyone who knew or could guess the URL for PHP info could quickly obtain the access key. According to PDPC, the access key should have been kept private, given the significant amount of stolen sensitive and confidential data.
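A defensive check for this kind of exposure, as an added example that is not from the original article or from the PDPC's findings: PHP's `phpinfo()` output lists environment and server variables, so the script below parses that HTML and flags rows whose variable name looks like a credential. The name pattern, the sample markup and the variable names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic name fragments that usually mark a credential (an assumption).
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|ACCESS_?KEY", re.I)

class PhpinfoRows(HTMLParser):
    """Collect (name, value) pairs from <td class="e"> / <td class="v"> cells."""
    def __init__(self):
        super().__init__()
        self.rows, self._cell, self._name, self._buf = [], None, None, []
    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class")
        if tag == "td" and cls in ("e", "v"):
            self._cell, self._buf = cls, []
    def handle_data(self, data):
        if self._cell:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag != "td" or not self._cell:
            return
        text = "".join(self._buf).strip()
        if self._cell == "e":
            self._name = text
        elif self._name is not None:  # first value cell only; skip a "master value" column
            self.rows.append((self._name, text))
            self._name = None
        self._cell = None

def find_exposed_secrets(html):
    """Return (name, redacted value) for rows whose name looks like a credential."""
    parser = PhpinfoRows()
    parser.feed(html)
    parser.close()
    return [(n, v[:4] + "********") for n, v in parser.rows
            if SECRET_NAME.search(n) and v and v != "no value"]

# Constructed sample modelled on phpinfo() table markup; names and values are made up.
SAMPLE = """<h2>Environment</h2><table>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
<tr><td class="e">STORAGE_ACCESS_KEY </td><td class="v">EXAMPLEKEY0000000000 </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v"><i>no value</i> </td></tr>
</table><h2>PHP Variables</h2><table>
<tr><td class="e">$_SERVER['STORAGE_ACCESS_KEY']</td><td class="v">EXAMPLEKEY0000000000</td></tr>
</table>"""

if __name__ == "__main__":
    for name, redacted in find_exposed_secrets(SAMPLE):
        print(f"credential visible in phpinfo output: {name} = {redacted}")
```

Any finding means the key should be rotated and the page removed or restricted, since the same value appears under both the environment and the `$_SERVER` listings.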

Compromised data

Scanned copies of:

  • The National Registration Identity Card (NRIC)
  • Work Passcards

Now you may be wondering what the PDPC is. To explain the PDPC, you must first be aware of the PDPA.

What is PDPA? 

PDPA, or Personal Data Protection Act, is a data protection law that safeguards the fundamental human right to privacy while ensuring the free flow of information. The PDPA, which was passed in Singapore in 2012, sets the standard for protecting personal data.

The law outlines specific requirements for handling personal data, including collection, use, disclosure, and care. A recent amendment made in November 2020 allows for more data to be collected without consent, but the penalties for violating data protection rules remain severe.

Who will ensure the PDPA provisions are rightly enforced? 

PDPC or Personal Data Protection Commission.

The PDPC is an independent body that oversees and ensures the country’s compliance with international standards for data protection. The PDPC is in charge of creating and enforcing laws related to data protection. It has the authority to adopt methods to resolve disputes and the right to audit and investigate. In the event of a data breach, the PDPC will investigate the incident and determine the underlying cause, as it did in the case of MyRepublic’s data breach.

Who must comply with the law? 

This is clearly explained in ‘The Scope of PDPA‘, which says,

  • Every organisation established under PDPA law must comply with the rules and regulations.

So, if you are employed by a Singapore-based company established under PDPA law, you and all other employees must follow the PDPA rules and regulations, regardless of the company’s location.

  • All organisations, including industry companies and non-company associations, must comply with PDPA. The exceptions are data processed for personal or family reasons, an employee processing personal data (where the organisation would be responsible for ensuring compliance), and public institutions like the Government.

Who are data intermediaries? 

They are organisations that handle data on behalf of another organisation. As per PDPA regulations, they are only responsible for adhering to data protection and retention restrictions, as they do not collect data for their own purposes. However, they must comply with the law if they collect data for their own use.

PDPA Obligations

As mentioned, all organisations must abide by PDPA law while collecting, storing or disclosing personal data. To ensure this, the PDPA law sets out ten obligations, which every individual must follow. The Protection Obligation and the Retention Limitation Obligation are two of them.

  1. Protection Obligation means an organisation must put security measures in place to protect the data from unauthorised access.
  2. Retention Limitation Obligation means that only data necessary for legal or business purposes can be kept.

Other obligations include:

  • Consent Obligation
  • Purpose Limitation Obligation
  • Notification Obligation
  • Access and Correction Obligation
  • Accuracy Obligation
  • Transfer Limitation Obligation
  • Data Breach Notification Obligation
  • Accountability Obligation

How to create an effective PDPA awareness program for your employees?

Here are some tips to help you get started. 

Understand employee behaviour 

First, assessing your employees’ behaviour is essential to understand your organisation’s security culture. This will allow you to identify knowledge gaps and tailor training to meet your employees’ needs.

Moving from basics to advanced 

To ensure that your employees understand PDPA compliance, providing basic training on data protection and privacy is essential. This will help them understand the importance of compliance under PDPA law.

Recurring and continuous training 

Implementing a recurring training system is also necessary. This will help your employees stay up-to-date with the latest developments in the cyber threat landscape.

Use microlearning and e-learning hand in hand

Microlearning and e-learning can be used hand in hand to create a comprehensive and practical training experience. Microlearning provides quick, targeted knowledge and skills acquisition: it offers concise, topic-specific courses within 5 minutes, facilitating frequent and periodic knowledge dissemination during work hours. In contrast, e-learning provides in-depth content delivery through videos, presentations, and interactive simulations, enabling employees to understand broader subjects comprehensively.

Here is a recommended PDPA awareness training syllabus.

1. Introduction to PDPA

  • Overview of PDPA and its Purpose
  • Key Concepts and Principles of PDPA Compliance
  • The Scope of PDPA

2. 10 obligations under PDPA law

  1. Retention Limitation Obligation
  2. Protection Obligation
  3. Consent Obligation
  4. Purpose Limitation Obligation
  5. Notification Obligation
  6. Access and Correction Obligation
  7. Accuracy Obligation
  8. Transfer Limitation Obligation
  9. Data Breach Notification Obligation
  10. Accountability Obligation

3. Data Protection best practices

  • Safeguarding personal data through security measures
  • Data retention and disposal requirements
  • Data sharing within and outside the organisation

4. Data Breach Awareness

  • Recognising and reporting data breaches
  • Incident response and communication procedures

5. PDPA Compliance Guidelines

  • Employee responsibilities for PDPA compliance
  • Adherence to organisational policies and procedures

Let’s wrap up 

To comply with Singapore’s Personal Data Protection Act (PDPA) and safeguard personal data, organisations need to train their employees on PDPA regulations. Through comprehensive and engaging training, employees can gain the knowledge and skills to handle personal data responsibly.

It’s important to note that PDPA compliance requires ongoing effort, including updates to training materials and reinforcement of best practices to stay current with evolving regulations and emerging threats. At Security Quotient, we have developed a new product which offers micro-learning courses under 5 minutes to enhance employee cyber awareness.