The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals’ personal data by organizations. The Personal Data Protection Commission (the “Commission”) is established under the PDPA with the key functions, amongst others, of promoting awareness of data protection in Singapore and administering and enforcing the PDPA.
In relation to the Protection Obligation, our company has tight security arrangements to protect personal data in its possession or under its control.
In relation to the retention of patient files and records, our company will cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes. Generally speaking, retaining personal data of existing patients for the purpose of having access to their consultation history would be considered a business purpose. It should be noted that the PDPA does not require an organization to delete all personal data about the individual concerned upon receipt of a notice withdrawing consent.
All the above is in accordance with the requirements of the PDPA Act, from the Ministry of Health’s guidelines.