Written Answer · 2024-04-03 · Parliament 14
Provision for Deletion of Personal Data Upon Request under Personal Data Protection Act 2012 and Recourse Available to Individuals
An MP asked whether the PDPA includes a right to deletion of personal data and the available recourse. The government replied that the law requires organisations to stop retaining or properly dispose of personal data when no longer needed, with or without consent, and the Personal Data Protection Commission has the power to direct organisations to destroy or stop using such data. The core debate: whether there is an explicit "right to erasure" clause and how it is enforced.
Key Points
- • No explicit right to erasure clause
- • Strict limits on data retention
- • Regulator has enforcement power
Supports existing legal provisions and oversight mechanisms.
Questions the lack of an explicit right-to-erasure safeguard.
Strengthen oversight of data retention and disposal.
"The Personal Data Protection Commission (PDPC) has the power to direct the organisation to destroy, or stop collecting, using or disclosing, the personal data concerned."
Participants (2)
Original Text (English)
SPRS Hansard · Fetched: 2026-05-02
27 Mr Chua Kheng Wee Louis asked the Minister for Communications and Information given the absence of a 'right to erasure' clause, whether the Personal Data Protection Act 2012 provides for (i) individuals who have not given consent for the collection, use, or disclosure of their personal data and requiring an organisation to delete their personal data upon request and (ii) the recourse for such individuals if the organisation does not do so.
Mrs Josephine Teo : The Personal Data Protection Act (PDPA) requires an organisation to cease retention of personal data or dispose of it in a proper manner when it is no longer needed for the purposes it was collected for, or other legitimate business or legal purpose.
This requirement applies regardless of whether consent had or had not been given for the organisation's collection, use or disclosure of personal data. Retention limits under the PDPA sufficiently safeguard the further use of an individual's personal data. If the organisation does not adhere to these requirements, the Personal Data Protection Commission (PDPC) has the power to direct the organisation to destroy, or stop collecting, using or disclosing, the personal data concerned.