PDPA Vs GDPR — Whose Privacy Is Being Protected?

 ON ITS website, SingHealth has a page devoted to the Personal Data Protection Act (PDPA) which took effect on January 2, 2013.  As a public healthcare institution, it declares that it keeps personal data safe by: 

  • Limiting access to only doctors and healthcare personnel who are involved in your care, and to the supporting internal processes;
  • Conducting regular checks to ensure that your personal data is only accessed by authorised persons;
  • Removing details, as far as possible, that identify you when using your data for internal purposes.

That didn’t work too well when SingHealth’s system was breached and the information of 1.5 million Singaporeans was stolen between 27 June and 4 July, 2018. A police report was made on 12 July, and the breach was announced at a press conference several days later, on 20 July.

Sharing Of Data

SingHealth adds that as a public healthcare institution, it shares relevant data and participates in national and multi-agency efforts to:

  • Review healthcare policies and requirements;
  • Review programmes that ensure patient safety and improve the quality of healthcare services;
  • Conduct disease surveillance to address public health concerns;
  • Train future generations of healthcare professionals.

Finally, it notes that to ensure continual improvement of the quality of medical care being provided to Singaporeans by the SingHealth cluster, personal data may “from time to time and where relevant, be used and disclosed within the SingHealth cluster so that we can conduct quality assurance and service improvement audits and studies.”


All this suggests that SingHealth moves personal medical information around quite a bit to different destinations. This may make it easier to hack its data such as what happened in the recent data breach.

Withholding or withdrawing consent seems to be the logical thing to do if people are worried about their privacy. Can individuals not give their consent for their personal data to be used for such things at SingHealth? 

You Might Also Like To Read:

Why Empathy May Not Always Be Good 

National Day Special Dishes At Folklore 

Confusing Arguments

It is possible but not exactly encouraged by SingHealth, and this is revealed in the SingHealth Data Protection Policy document that was last updated on 4 January 2018. It notes that, as is recognised by and provided for under the Personal Data Protection Act (PDPA), it may be that any choice an individual makes to withhold or withdraw consent may impact SingHealth’s ability to proceed with his or her transactions, agreements or interactions with it, and in particular:

  • In some cases, it may also become unsafe or unlawful for SingHealth to provide (or continue to provide) medical treatment without the ability to collect, use or disclose personal data. 
  • It may not be possible, without undue risk, cost or liability to SingHealth, to proceed with a particular transaction, agreement or interaction with an individual and it may be left with no choice but to cease or refrain from the same.

SingHealth adds that it “will take the approach that best safeguards us, you and others from risks, and we may well have no choice but to decline to proceed with the transaction, agreement or interaction in question to avoid causing harm or exposing us, you or others to risk.” 

At the same time, it notes that withholding/withdrawal of consent will not prevent SingHealth from exercising its legal rights including any remedies or undertaking any steps that it may be entitled to take by law.

Who Is Being Protected?

Based on SingHealth’s policy on personal data protection, PDPA looks more aligned with corporate rather than individual needs. This would not surprise locals in business-friendly Singapore.

For More Commentaries visit http://www.storm.sg/views/

Further, privacy seems to be less of an issue these days to a younger generation that is driven by the open concept of social media as well as the increasing use of online channels to cater for a lot of their modern-day needs.

However, the SingHealth data breach is a signal that PDPA, as it stands now, is a weak Act that doesn’t do enough to protect individuals’ privacy rights.


The framework of a new European legislation, General Data Protection Regulation (GDPR) which came into force two months ago may be more in line with what businesses need to do in terms of making data privacy more robust for the people that they serve.

GDPR is a new data protection law that will affect any business located within the European Union (EU) or any business that offers goods and services to EU residents.

Non-compliance to GDPR may result in suspension of data processing and fines of up to 4% of turnover or €20 million, whichever is greater.

A Stronger Option

In an article for the International Association of Privacy Professionals, Lim Yee Fen, Associate Professor, Division of Business Law, College of Business (Nanyang Business School), compared PDPA to GDPR. She wrote that “although PDPA is as technology-neutral as GDPR, it is a “light touch regime”.

Most notably for PDPA, consent is not required for business contact information, the public sector and data intermediaries.”

She also noted that GDPR does not allow for the concept of deemed consent — processing of all personal data requires a clear affirmative action for the consent to be valid. “Consent must also be given by someone with the legal capacity to do so — a factor not stipulated in PDPA,” she noted.


The GDPR is robust because it takes the view that the customer is always right. Among its elements is that a business has to have a lawful basis for processing customers’ data —consent is one lawful basis.

Another element of GDPR is that a customer has to be given the right to opt out of research and marketing. GDPR also requires businesses to encrypt their customer data. It is important to know where a business keeps all its customer data so that it can be managed in a more meaningful manner. 

There are elements of the GDPR that could be and should be injected to the PDPA in Singapore in order to make it more robust. It is hoped that the Committee of Inquiry (COI) just called to address the SingHealth data breach uses GDPR as a best-practice model for any updates to privacy laws in Singapore. 


by Jean-Michel Franco, data governance expert of Talend

1. Quantum of penalty. The amount they will have to pay out will make organisations take it more seriously.

2. Customer relationship. Consider GDPR as something your customer wants. So don’t make it too legal. Make it understandable, like the Scoot privacy policy.

3. Accountability. Enterprises have to define the processes and not leave it to the regulator to determine them. While it’s about compliance, it’s also about delivering a service.

4. Is the data verifiable? Has it been updated for GDPR? Are you able to get back your data in 30 days?

5. Right Of Explanation. The next big thing in GDPR will be machine learning. More decisions will be influenced by data. Can such a system also explain why your loan application was approved or turned down? It must be able to do so.

Thus It Was Unboxed by One-Five-Four Analytics presents alternative angles to current events. Reach us at 154analytics@gmail.com

Main Image: / Shutterstock.com

See also  How Hepatitis Affects The Liver


Please enter your comment!
Please enter your name here