PDPA Series: Consent Obligation

Under the Personal Data Protection Act, there are 9 PDPA Obligations:

  1. Consent Obligation
  2. Purpose Limitation
  3. Notice Obligation
  4. Accuracy Obligation
  5. Protection Obligation
  6. Retention Limitation
  7. Access & Correction Obligation
  8. Transfer Limitation
  9. Openness Obligation

You can get a visual of how this applies throughout your organisation’s information life-cycle from our previous post, 35 Exposures.

In this post, let’s start on the COLLECTION process, Consent Obligation.

Only Collect, Use or Disclose personal data when an individual has given his/her consent.

  • Consent can be verbal or written. If verbal is given, you might still want to send a written acknowledgement.
  • However, consent is invalid if the individual is forced to give consent, and has not been notified of the purpose.
  • The organisation must allow the individual to be able to withdraw consent at any time (organisation has reasonable notice to respond). Organisation will need to inform the individual of the likely consequences of the withdrawal.

Many a times, individuals might not understand the options available, and the customer-facing staff are not properly-trained. This results in the consent failing.

Think about these questions:

  • Do you get consent at the time you collect personal data?
  • Do you get consent when you use personal data?
  • Do you get consent when you disclose or share personal data with others?


Invalid Consent
Consent is invalid if the individual has not been notified of the purpose and the purposes are beyond what is reasonable. It is also invalid if the organisation gave false or misleading information to obtain consent.

However, do note that business contact information (name, business designation, business contact number and address or business email) are not applicable. These business information are not personal data, so they are excluded.

Another common question is if you capture a person’s photo at a public place, do you need consent to use a person’s image on Facebook (for example). The answer is No.

If the personal data was publicly available (CCTV footage in a public page, or at a location or event that is ‘open to public’), the organisation will be able to use and disclose this personal data without consent. Even if the personal data may no longer be publicly available at the time of it being used or disclosed, if the personal data was publicly available at the point of collection, organisations can use and disclose this personal data.

There are other exceptions (do not need to get consent):

  • If the information is required to respond to an emergency situation.
  • If the information is used to recover debts or make payment.


You can read the full Consent Obligation from PDPC.