We thank Mr Anand Srinivasan for his letter “Minimise data collection to avoid exposure, misuse” (March 30).

Personal data needs to be adequately protected. Under the Personal Data Protection Act (PDPA), organisations can collect, use, or disclose personal data only for relevant purposes. They are also not allowed to retain personal data when it is no longer needed.

The need to protect personal data well is the foundation for a trusted data environment.

This in turn allows businesses to use data responsibly, for innovation towards better services and products that they can then provide to end consumers. However, if companies fail to protect data, they will be breaching the PDPA, which was enhanced in 2020 with increased penalties.

Organisations also increasingly need to implement necessary information technology security measures to protect data. The Personal Data Protection Commission’s “Guide to Data Protection Practices for ICT Systems” provides guidance. Those seeking to authenticate their users’ identity can also consider the Singpass-based authentication system.

Ultimately, organisations need to be accountable and to seek consent from their customers.

Customers can also protect themselves by clarifying any uncertainty over the data collected with the organisation.

Denise Wong

Deputy Commissioner

Personal Data Protection Commission