Translating Research into Highest Quality Patient Care

Personal Data Protection Act (PDPA)

The purpose of the Personal Data Protection Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

PERSONAL DATA refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number), as well as any set of data (e.g. name, age, address, telephone number, occupation, etc) which when taken together would be able to identify the individual.

Researchers should note that the scope of PDPA only applies to identifiable data. The PDPA does not apply to data that is used in anonymised form.

The PDPA takes into account the following concepts:

  • Consent – organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);
  • Purpose – organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and
  • Reasonableness – organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.


References and Further Reading

For more information on the Personal Data Protection Act, please refer to the following websites:





Last updated: 2 Nov 2017