
Data Retention Policy (Singapore)

DATA RETENTION POLICY

Personal Data Protection Act 2012 (PDPA) — Singapore

Organisation: [Organisation Name] (UEN: [Organisation UEN])

Data Protection Officer: [DPO Name]

Effective Date: [Policy Date]

Next Review Date: [Review Date]

1. PURPOSE AND SCOPE

1.1 This Data Retention Policy sets out [Organisation Name]'s approach to retaining and disposing of personal data and business records in compliance with the Personal Data Protection Act 2012 (No. 26 of 2012) and other applicable Singapore legislation.

1.2 This Policy applies to all personal data and business records held by the Organisation in any format (physical or electronic).

2. LEGAL OBLIGATIONS

2.1 Under the PDPA Retention Limitation Obligation, the Organisation shall cease retaining personal data as soon as it is reasonable to conclude that the purpose for which it was collected is no longer served by retention, and retention is no longer necessary for legal or business purposes.

2.2 Statutory minimum retention periods under Singapore law include: accounting records — 5 years (Companies Act, Cap. 50); tax records — 5 years (Income Tax Act, Cap. 134); employment records — 2 years minimum (Employment Act, Cap. 91).

3. RETENTION SCHEDULE

3.1 Customer personal data: [Customer Data Retention].

3.2 Employee personal data: [Employee Data Retention].

3.3 Financial records: [Financial Records Retention].

3.4 Contracts and legal documents: [Contracts Retention].

3.5 Marketing and consent records: [Marketing Data Retention].

4. SECURE DISPOSAL

4.1 When data reaches the end of its retention period, it shall be disposed of securely using the following approved methods: [Disposal Method].

4.2 Records of disposal (including date, description of data disposed, method, and person responsible) shall be maintained for audit purposes.

5. ROLES AND RESPONSIBILITIES

5.1 The Data Protection Officer ([DPO Name]) is responsible for overseeing compliance with this Policy, maintaining the retention schedule, and coordinating secure disposal.

5.2 All employees are responsible for complying with this Policy and notifying the DPO of any data that may need to be added to the retention schedule.

6. REVIEW

6.1 This Policy shall be reviewed annually or whenever there is a significant change in the Organisation's data processing activities or applicable law. The next review is scheduled for [Review Date].

Data Protection Officer / Management Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Retention Policy (Singapore)?

A Data Retention Policy in Singapore sets out the standards and procedures the organisation expects its people to follow.

Beyond the PDPA, multiple sector-specific statutes impose minimum retention periods that a Data Retention Policy must address. The Companies Act 1967 (Cap. 50), Section 199, requires companies registered with the Accounting and Corporate Regulatory Authority (ACRA) to keep accounting records for at least five years after the transactions to which they relate. The Employment Act 1968 (Cap. 91) mandates that employers retain employee records — including salary records, leave records, and service records — for a minimum of two years after an employee leaves the organisation, as enforced by the Ministry of Manpower (MOM). The Income Tax Act (Cap. 134) requires retention of records supporting tax returns for five years, as administered by the Inland Revenue Authority of Singapore (IRAS).

A well-constructed Data Retention Policy assigns responsibility for data management across departments, identifies the categories of data held (personal data, financial records, HR records, operational data, correspondence), and maps each category to an applicable retention period drawn from the relevant statute or regulatory guidance. The PDPC's Guide to Data Protection Practices for ICT Systems recommends that organisations implement automated deletion schedules and periodic audits to prevent over-retention. Each category must be accompanied by a documented legal basis and a named data steward responsible for compliance monitoring.

Singapore's High Court has recognised that failure to implement adequate data retention and disposal practices can constitute a breach of the Protection Obligation under Section 24 of the PDPA. In Re Horizon Fast Ferry Pte Ltd [2020] SGPDPC 6, the PDPC imposed financial penalties on an organisation that retained personal data beyond the period necessary for the original collection purpose without any documented justification. The Competition and Consumer Commission of Singapore (CCCS) has similarly noted the importance of records management during compliance investigations into anti-competitive conduct.

Organisations operating across borders must also consider the PDPA's Transfer Limitation Obligation under Section 26, which restricts the transfer of personal data outside Singapore unless the recipient jurisdiction provides a comparable standard of protection. A Data Retention Policy should address cross-border data storage arrangements — for example, cloud storage with servers located outside Singapore — and document the safeguards applied under the Second Schedule of the PDPA. The Monetary Authority of Singapore (MAS) imposes additional record-keeping requirements on financial institutions through MAS Notice 610 and MAS Technology Risk Management Guidelines, adding another layer of compliance for organisations in the financial sector. Healthcare organisations regulated by the Ministry of Health (MOH) under the Private Hospitals and Medical Clinics Act (Cap. 248) face separate medical records retention obligations that the policy must also incorporate.

When Do You Need a Data Retention Policy (Singapore)?

A Data Retention Policy becomes necessary whenever an organisation collects, processes, or stores personal data or regulated business records in Singapore.

When an organisation first registers with ACRA and begins collecting customer or employee data, a Data Retention Policy should be among the foundational compliance documents adopted alongside the organisation's privacy policy. The PDPC expects every organisation subject to the PDPA to have documented retention practices from the point of first data collection, not as an afterthought after a data breach or enforcement action. Early adoption of a retention framework reduces the risk of accumulating data without a documented purpose or legal basis.

When an employer hires staff and begins maintaining HR records, a Data Retention Policy defines how long employment contracts, salary slips, CPF contribution records, and leave applications are kept. Section 95 of the Employment Act 1968 (Cap. 91) requires employers to maintain key employment records for current employees and for two years after an employee's departure, and the Central Provident Fund Act (Cap. 36) imposes its own retention requirements for CPF contribution records administered by the CPF Board.

When a company undergoes an external audit or prepares statutory financial statements, auditors from firms registered with ACRA will examine whether accounting records have been retained for the minimum five-year period mandated by Section 199 of the Companies Act 1967 (Cap. 50). Without a Data Retention Policy specifying these periods, organisations risk non-compliance findings and potential penalties from ACRA or adverse audit opinions.

When an organisation adopts cloud computing or third-party data processing services, a Data Retention Policy governs how long data remains on external servers, when deletion requests are triggered, and how the organisation verifies that deletion has been completed by the service provider. The PDPC's Guide on Managing and Notifying Data Breaches under the PDPA (revised 2021) emphasises that organisations remain responsible for personal data held by their data intermediaries, regardless of the storage location.

When a business operates in a regulated sector — banking (regulated by MAS), healthcare (regulated by the Ministry of Health under the Private Hospitals and Medical Clinics Act, Cap. 248), or telecommunications (regulated by the Infocomm Media Development Authority, IMDA) — sector-specific retention periods apply in addition to the PDPA baseline, and a Data Retention Policy must reconcile all applicable requirements into a single operational framework that prevents both over-retention and premature disposal.

What to Include in Your Data Retention Policy (Singapore)

A Singapore Data Retention Policy should contain the following essential elements to satisfy the PDPA and related statutory frameworks.

Scope and Applicability: A clear statement defining which entities, departments, subsidiaries, and data categories the policy covers. The scope should identify whether the policy applies to personal data under the PDPA alone or extends to all business records, including those governed by the Companies Act 1967 (Cap. 50), the Employment Act 1968 (Cap. 91), and sector-specific regulations issued by bodies such as MAS and IMDA.

Definitions: Precise definitions of key terms — personal data (as defined in Section 2 of the PDPA), business records, data intermediary, data subject, processing, and disposal. Aligning definitions with the PDPA's statutory language prevents ambiguity and supports enforcement. The definition section should also cover terms such as "legal hold," "data controller," and "cross-border transfer" to address operational scenarios.

Retention Schedule: A detailed table or schedule listing each data category, the applicable retention period, the legal basis for that period (citing the specific statute and section), and the department responsible for compliance. Common categories include: financial records (5 years, Companies Act Section 199), employee records (2 years post-departure, Employment Act), tax records (5 years, Income Tax Act Cap. 134), customer transaction records (period determined by business purpose plus any applicable sector regulation), and personal data collected for marketing (until consent is withdrawn or purpose is fulfilled, PDPA Section 25). Medical records retained by healthcare providers should follow MOH guidelines.

Purpose Limitation: A statement linking each retention period to a documented purpose, consistent with the Purpose Limitation Obligation under Section 18 of the PDPA. Data collected for one purpose cannot be retained indefinitely for an unrelated future use without fresh consent from the data subject. The policy should require periodic reviews of whether the original purpose remains valid.

Disposal and Destruction Methods: Detailed procedures for secure disposal of data at the end of the retention period. The PDPC's Advisory Guidelines recommend physical destruction (shredding, degaussing) for physical media and secure deletion (overwriting, cryptographic erasure) for electronic data. The policy should specify the standard applied — for example, NIST SP 800-88 Guidelines for Media Sanitization — and require disposal certificates or logs signed by the responsible data steward.

Roles and Responsibilities: Designation of a Data Protection Officer (DPO), as required by Section 11(3) of the PDPA, with named responsibility for overseeing the policy. The policy should assign data stewardship roles to department heads and specify escalation procedures for retention disputes or legal hold requests from the organisation's legal counsel. The board of directors or senior management should receive annual compliance reports.

Review and Audit: A commitment to periodic review — at minimum annually — to account for legislative changes, new regulatory guidance from the PDPC or ACRA, and changes in the organisation's data processing activities. Audit findings should be documented and reported to senior management or the board of directors, and corrective actions should be tracked to completion.

Breach and Non-Compliance: Consequences for employees who fail to follow the policy, including disciplinary measures. Reference to the PDPA's enforcement framework, under which the PDPC may impose financial penalties of up to S$1 million (or 10% of annual turnover for organisations with turnover exceeding S$10 million, following the 2020 amendments) for breaches of the data protection provisions. Users of forms-legal.com can download this Data Retention Policy template and customise the retention schedule to match their organisation's specific regulatory obligations and operational requirements.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Retention Policy (Singapore) (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/business/policies/data-retention-policy-singapore

MLA

"Data Retention Policy (Singapore) (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/business/policies/data-retention-policy-singapore.

BibTeX
@misc{formslegal-data-retention-policy-singapore,
  author       = {{Forms Legal}},
  title        = {Data Retention Policy (Singapore) (Singapore)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/singapore/business/policies/data-retention-policy-singapore}},
  note         = {Free legal document template. Based on Companies Act 1967 (Cap. 50)}
}

Based on Companies Act 1967 (Cap. 50) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
