Update on the Personal Data Protection (PDPA) - the “Research” exception

Update on the Personal Data Protection (PDPA) - the “Research” exception

by Aaron Tay, Lead, Data Services

As researchers who use data, you may want to be aware of the laws in Singapore that might affect your use of the data in question.

One example is the Computational Data Analysis exception that was in the updated Singapore Copyright Law 2021 which empowers researcher to do text mining and analysis, something we covered here.

The other major law in Singapore that governs the use of data used in Singapore is the Personal Data Protection Act or PDPA.

The Personal Data Protection Act (PDPA) is a legislation in Singapore that governs the collection, use, and disclosure of personal data. One of the provisions of the PDPA is that organisations are generally not allowed to collect, use, or disclose personal data for any purpose other than the specific purpose for which the data was collected unless the individual has given his or her consent.

However, with the new amendments to PDPA which took effect in 2021, there are now two exceptions to the consent requirement – one of which is the research exception.

It states

“The research exception provides that organisations may use personal data for a research purpose, including historical and statistical research, subject to the following conditions:

  1. The research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;
  2. There is a clear public benefit to using the personal data for the research purpose;
  3. The results of the research will not be used to make any decision that affects the individual; and
  4. In the event the results of the research are published, the organisation must publish the results in the form that does not identify the individual.”

There is also a research exception if organisations wish to disclose personal data. All the conditions above are applicable and there is an additional fifth condition where

“It is impracticable for the organisation to seek the consent of the individual for the disclosure.”

For more clarification, please consult SMU’s Data Protection Officer (DPO) or your department’s Data Protection Officer Representative (DPO Rep)