PDPA Series: Protection & Retention Limitation Obligations


Organisations will need to make reasonable security arrangements to protect personal data in its possession, to prevent unauthorised access, collection, use, disclosure, disposal etc.

In essence, there are 3 levels the personal data should be protected:

  1. Administrative measures, which can be implemented through policies and contracts.
  2. Physical measures such as ensuring the cabinets with sensitive data are security locked etc.
  3. Technical measures through encryption, password-protection etc.


As an organisation, these are the following steps you can execute:

  • Design and organise security arrangements in preparation of a security breach.
  • Train your personnel to be responsible for information security.
  • Implement policies and procedures to ensure appropriate levels of security for personal data.
  • Be prepared to respond to security breaches effectively.


Case Study 1: Easy access to Visitor Log Book

Many condominiums and facilities leave their visitor log book unattended and easily accessible to every visitor. Ensure your visitors do not see the personal data of other visitors through a digital system or cover up the other visitors’ information securely.

Case Study 2: Photocopies on Customer’s NRIC

Always ensure that you dispose of the copy of your customer’s NRIC securely (eg. shredder). After photocopying, faxing or scanning sensitive documents, always remember to remove the original AND the photocopy from the machine. In the cases of recycling paper, always ensure that the paper you place in for recycling does not contain any personal/sensitive data.

See also Retention Limitation Obligation below.

Case Study 3: Placement of Service Counters

At service counters, the screens should not be easily and openly visible to customers. Note that it is important for the design of the service counters to be out of sight to the public area.

Quick Checklist of Physical and Technical Measures

  • Encryption of the important documents, portable storage devices, laptops, personal computers/desktops and any other machines containing/accessing personal data.
  • Screen-lock your computers and mobile devices.
  • Ensure that anti-virus is updated and that scans are regularly conducted.
  • Use strong passwords for database as well as all your online accounts.
  • Do also change your passwords regularly (every 90 days).
  • Always ensure proper customer verification before attending to the customer’s request.
  • Cabinets with sensitive data should be locked with the keys kept secure.
  • Where possible, implement 2-factor authentication for logins.


Identify exposures in your office – do not leave any sensitive documents lying around these areas.

  • Reception Area & Service Counter
  • In/out Trays
  • Recycle Paper Bings
  • Waste Paper Baskets
  • Meeting Rooms
  • Work Areas
  • Shelves & Cabinets
  • Storage of physcial documents
  • Copiers/Fax Machines
  • Server Rooms
  • Key Press
  • Rubbish areas



Organisations will need to ensure that, once the business/legal purpose has been fulfilled, the personal data should not be retained.

By ceasing retention, the document can be destroyed, disposed in an appropriate manner, returned to the individual concerned, or anonymised. With anonymisation, it refers to the process of removing identifying information so that the remaining data does not identify a particular individual.

As a good practice, DPOs should define a document retention policy to state the retention periods of the different types of documents/data. How do you determine the length of the retention period? The short answer is, it depends.

  • On the purpose the data was collected
  • If the purpose for which it was collected remains valid
  • Other legal or business purposes, eg. generating annual reports.


Personal data should not be kept for “just in case”. Organisations will always need to make clear the justification and basis for the retention periods.

In addition, the retention schedules should be communicated to all relevant employees.

You can read the full Protection Obligation and Retention Limitation Obligation from PDPC.