Personal data protection act implemented in Singapore

In Singapore, the Personal Data Protection Act (PDPA) was passed in October 2012 and took effect in phases from January 2013.

However, the main data protection rules came into force on 2 July 2014. Under the PDPA, financial institutions are generally required to seek consent from individual clients for the collection, use and disclosure of clients’ personal data. These institutions also need to specify appropriate purposes for the collection, use and disclosure of the information, such as for marketing purposes.

Despite the effect of the PDPA, financial institutions must continue to comply with their customer due diligence obligations and exercise diligence in combating money laundering and terrorism financing.

To clarify financial institutions’ obligations in relation to Anti-Money Laundering (AML)/Combating the financing of terrorism (CFT), the Monetary Authority of Singapore (MAS) is now proposing changes to the AML/CFT legislation. The amendments seek to clarify that in the course of performing customer due diligence, financial institutions may collect, use, and disclose personal data without customers’ consent. The amendments also preserve customers’ rights under the PDPA to access and correct their personal data.