PDPA in Plain English
The Personal Data Protection Act (PDPA) was passed in Singapore in 2012, and its data protection obligations have applied to organisations since 2014. For GP practices, the principle is straightforward: treat patient data with the same care you'd want for your own medical records.
What Counts as "Personal Data"?
Anything that identifies a patient:
| Data Type | Examples |
|---|---|
| Identity | Names, NRIC, passport numbers |
| Contact | Phone, email, home address |
| Medical | Diagnoses, prescriptions, test results |
| Administrative | Billing records, insurance claims |
| Historical | Previous visits, family medical history |
The 9 PDPA Obligations (Simplified)
1. Consent — Ask Permission
Get clear consent before collecting or using patient data.
- In practice:
  - Written consent form at first registration
  - Explain in plain language what you'll do with their data
  - Separate consent for marketing (SMS health tips, newsletter)
  - Process for patients to withdraw consent
2. Purpose Limitation — Use Data Only as Promised
Only use data for what you told patients you'd use it for.
Example: If you collected their email for appointment reminders, don't add them to a marketing list without separate consent.
3. Notification — Tell Them Why
Inform patients why you're collecting each piece of data.
- Common legitimate purposes:
  - Providing medical care
  - Billing and payment processing
  - Insurance claims
  - Appointment scheduling
  - Legal/regulatory requirements
4. Access — Let Patients See Their Data
Patients can request access to their own data.
- You can refuse if:
  - Disclosure would harm the patient
  - Data involves other individuals' privacy
  - Legal proceedings require confidentiality
5. Correction — Let Patients Fix Errors
If a patient spots an error in their records, they can request correction.
Your process:
6. Accuracy — Keep Data Correct
Make reasonable efforts to ensure data accuracy—especially when making decisions based on it.
- Practical steps:
  - Verify patient details periodically
  - Update records when patients inform you of changes
  - Flag uncertain information
7. Protection — Secure the Data
Implement "reasonable" security measures.
- Minimum measures for GP clinics:
  - Individual logins (no shared accounts) with passwords of 12+ characters on all systems
  - Screen locks after inactivity
  - Locked cabinets for paper records
  - Antivirus and firewall, with software updates applied promptly
  - Staff training on data handling
8. Retention — Don't Keep Data Forever
Delete data when you no longer need it.
- Healthcare retention guidelines:
  - Patient records: 7 years after last visit (MOH recommendation)
  - Financial records: 5 years (IRAS and ACRA requirements)
  - Job applications (unsuccessful): 1 year maximum
9. Openness (renamed Accountability in the 2021 amendments) — Publish Your Policies
Make your data protection practices publicly available, and make someone responsible for them.
- What patients should be able to find:
  - What data you collect and why
  - How you protect it
  - How to request access or corrections
  - Who to contact with concerns (the PDPA requires you to designate at least one person, usually called the Data Protection Officer, for this)
---
PDPA vs. HIB: Two Laws, One Practice
You must comply with both. Here's how they differ:
| | PDPA | HIB |
|---|---|---|
| Covers | All personal data | Health information specifically |
| Breach reporting | PDPC within 3 calendar days of assessing a breach as notifiable | 2 hours to MOH |
| Security standard | "Reasonable" (interpreted) | Specific technical requirements |
| Max penalty | S$1 million, or 10% of annual Singapore turnover if higher (for organisations with turnover above S$10 million) | S$1 million |
---
The 5 Most Common GP Practice Mistakes
Mistake 1: "They Agreed Verbally"
Risk: No evidence of consent if challenged.
Fix: Written consent at registration. Even a simple tick-box form counts.
Mistake 2: One Consent Form for Everything
Problem: Generic "I consent to everything" form.
Risk: Marketing without proper consent can result in fines.
- Fix: Separate checkboxes for:
  - Treatment and medical care
  - SMS/email appointment reminders
  - Marketing communications
  - Research participation
Mistake 3: Keeping Records Forever
Problem: "We never delete anything—might need it someday."
Risk: You're responsible for protecting data you hold. More data = more risk.
Fix: Implement retention schedules. Securely destroy data after retention period.
Mistake 4: Emailing Test Results Unsecured
Problem: Sending lab results via regular email.
Risk: Email may travel or sit on mail servers unencrypted, is easily misaddressed, and if the patient's mailbox is ever compromised, every result you sent them is exposed.
Fix: Use encrypted email, patient portal, or have patients collect results in person for sensitive findings.
Mistake 5: Everyone Can See Everything
Problem: All staff have access to all patient records.
Risk: Unnecessary exposure, and a weaker position under the Protection obligation: "reasonable" security includes limiting access to staff who need it for their role. Does the receptionist need to see clinical notes?
Fix: Role-based access. Reception sees scheduling, nurses see clinical notes, billing sees financial data. Anything not explicitly granted to a role should be denied by default, and access should be logged so you can answer "who viewed this record?" if a patient asks.
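As an added illustration of what "role-based access" means at the record level (this is example code, not part of the original page and not from any clinic system), the following Python filters a patient record to the fields a role is allowed to see, denies unknown roles outright, and records each access. The role names, record fields and sample data are assumptions chosen to mirror the text; a real practice would map them onto its own software and logins.

```python
"""Field-level role-based access to a patient record (deny by default).

Added example, not code from the original page or from any clinic system.
The role names, the fields in the record and the sample data are
assumptions chosen to mirror the text; a real deployment would map roles
to its practice-management software and identity provider.
"""
from datetime import datetime, timezone

# Each role may see only the fields listed here. Any field (or role) not
# listed is denied, so a field added to the record later stays hidden
# until someone consciously grants it.
ROLE_FIELDS = {
    "reception": frozenset({"patient_id", "name", "phone", "next_appointment"}),
    "nurse": frozenset({"patient_id", "name", "allergies", "clinical_notes",
                        "prescriptions"}),
    "doctor": frozenset({"patient_id", "name", "phone", "allergies",
                         "clinical_notes", "prescriptions", "test_results"}),
    "billing": frozenset({"patient_id", "name", "invoices", "insurer"}),
}

# Constructed sample record with fictitious data (field names are assumptions).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Example Patient",
    "phone": "+65 0000 0000",
    "next_appointment": "2024-05-14 09:30",
    "allergies": ["penicillin"],
    "clinical_notes": "Follow-up for hypertension; BP controlled.",
    "prescriptions": ["amlodipine 5 mg daily"],
    "test_results": {"HbA1c": "5.6%"},
    "invoices": ["INV-2024-0457"],
    "insurer": "Example Insurer",
}

# In-memory audit trail; a real system would append to a tamper-evident log.
AUDIT_LOG: list[dict] = []


class AccessDenied(PermissionError):
    """Raised when a role has no defined access to patient records."""


def is_allowed(role: str, field_name: str) -> bool:
    """True only if the role is known and explicitly granted the field."""
    return field_name in ROLE_FIELDS.get(role, frozenset())


def view_record(user: str, role: str, record: dict) -> dict:
    """Return only the fields `role` may see, and log what was shown/withheld.

    Unknown roles get nothing rather than everything, so a misconfigured
    account fails closed.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        AUDIT_LOG.append({"at": _now(), "user": user, "role": role,
                          "patient_id": record.get("patient_id"),
                          "outcome": "denied: unknown role"})
        raise AccessDenied(f"role {role!r} has no access to patient records")
    visible = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append({
        "at": _now(),
        "user": user,
        "role": role,
        "patient_id": record.get("patient_id"),
        "outcome": "allowed",
        "fields_shown": sorted(visible),
        "fields_withheld": sorted(set(record) - allowed),
    })
    return visible


def roles_that_can_see(field_name: str) -> list[str]:
    """Answer the review question "which roles can see this field?"."""
    return sorted(r for r, fields in ROLE_FIELDS.items() if field_name in fields)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    print(view_record("reception-01", "reception", SAMPLE_RECORD))
    print("can see clinical_notes:", roles_that_can_see("clinical_notes"))
    try:
        view_record("temp-staff", "locum_admin", SAMPLE_RECORD)
    except AccessDenied as exc:
        print("denied:", exc)
    print(AUDIT_LOG[-1])
```

The point to notice is the shape, not the specific field names: permissions are an explicit allow-list per role, an unrecognised role raises rather than falling through to full access, and every lookup leaves a log entry that names the user, the role and the fields withheld, which is what you need when a patient exercises their access rights or asks who looked at their file.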
---
Daily Operations Checklist
Reception Area
- Computer screens face away from waiting area
- Files never left visible on counter
- Patient numbers (not names) used for queuing
- Appointment books secured or digital
Consultation Room
- Screen locks after 5 minutes of inactivity
- Computer locked when leaving room (even briefly)
- Screens positioned away from door sightlines
- Shredder available for sensitive paper
End of Day
- All staff logged out of all systems
- Paper records secured in locked cabinets
- Patient files returned to filing (not left on desks)
- Premises locked and alarm set
---
When Things Go Wrong: Breach Response
Immediate Steps
Notification Requirements
To patients: Required if the breach is likely to result in significant harm to them. Notify them at the same time as, or after, you notify the PDPC, unless an exception applies (for example, remedial action already taken makes significant harm unlikely).
To PDPC: Required if the breach is likely to result in significant harm (the regulations list specific categories, including certain health information) or involves 500 or more individuals. Assess a suspected breach within 30 days of discovering it, and notify the PDPC within 3 calendar days of deciding it is notifiable.
---
Making Compliance Manageable
---
The Bottom Line
PDPA compliance isn't about paperwork—it's about respecting the trust patients place in you. They share their most intimate health information. Protecting it properly is part of good care.
---
*Not sure where your practice stands? Synexo provides free PDPA and HIB assessments for Singapore GP practices. We'll identify gaps and create a practical compliance roadmap. Book your assessment.*