Data Collection Consent Form (Singapore)

A Data Collection Consent Form in Singapore records the consent or release given and the scope of what the party agrees to.

The Personal Data Protection Commission (PDPC) — the statutory body established under Part IX of the PDPA to administer and enforce the Act — has published Advisory Guidelines on the PDPA for Selected Topics that detail the requirements for valid consent. Consent must be informed (the individual must know the purpose for which data is collected), voluntary (not obtained through deception, coercion, or bundled with an unrelated service), and specific (limited to the stated purposes). The PDPC's enforcement decisions have repeatedly emphasised that blanket consent clauses — authorising unlimited data collection without specifying purposes — do not satisfy the PDPA's consent standard.

The 2020 amendments to the PDPA (effective 1 February 2021) introduced deemed consent by notification (section 15A) and legitimate interests exceptions (section 17), which allow organisations to collect and use personal data without explicit consent in certain circumstances. However, the consent form remains the primary compliance tool for most data collection activities, particularly where the organisation intends to use the data for marketing, profiling, sharing with third parties, or purposes beyond what is reasonably expected by the individual.

The Do Not Call (DNC) Registry — administered by the PDPC under Part IX of the PDPA — imposes additional consent requirements for marketing communications. Organisations sending marketing messages via telephone calls, SMS, or fax to Singapore numbers must check the DNC Registry and obtain clear and unambiguous consent from the individual before sending marketing messages. The consent form must separately address DNC consent if the organisation intends to send marketing communications.

Section 26 of the PDPA grants individuals the right to access and correct their personal data held by an organisation. The consent form should inform the individual of this right and provide the contact details of the organisation's Data Protection Officer (DPO) — the person designated under section 11(3) of the PDPA to handle data protection queries and requests.

The PDPC's Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers (issued in 2018) restrict the collection of NRIC numbers, birth certificate numbers, FIN numbers, and passport numbers to situations where collection is required by law or where the NRIC number is necessary to accurately identify the individual. Consent forms that request NRIC numbers must comply with these guidelines, and organisations that collect NRIC numbers without legal justification face PDPC enforcement action.

The PDPC's enforcement track record includes significant penalties for consent violations — organisations have been fined for collecting NRIC numbers without legal justification, obtaining consent through misleading or deceptive means, and using personal data for purposes beyond the scope of the consent obtained. Reviewing published PDPC enforcement decisions provides practical guidance for organisations drafting consent forms, identifying common compliance pitfalls, and calibrating their consent collection practices to meet the PDPC's expectations.

A Data Collection Consent Form is needed in Singapore whenever an organisation collects personal data directly from an individual and the collection does not fall within one of the PDPA's consent exceptions.

Customer onboarding and account registration require consent forms when businesses collect customer names, contact details, NRIC numbers (subject to the PDPC's Advisory Guidelines on NRIC and Other National Identification Numbers, which restrict collection of NRIC numbers unless required by law or necessary for accurate identification), and financial or health information. Retail businesses, membership organisations, financial institutions, and healthcare providers all deploy consent forms during customer registration.

Employment and HR processes trigger consent form requirements when employers collect employee personal data beyond what is covered by the employment relationship exception. While the PDPA provides an exception for collection, use, and disclosure of personal data for evaluative purposes in an employer-employee relationship (Sixth Schedule, paragraph 1), employers collecting biometric data (fingerprint scanners, facial recognition for attendance), health screening results, or CCTV footage should obtain separate consent or rely on other PDPA exceptions.

Marketing and promotional activities require explicit consent under the PDPA's DNC provisions. Organisations planning to send marketing messages — SMS promotions, email newsletters, telemarketing calls — must obtain clear and unambiguous consent from each individual, and the consent form must specify the types of marketing messages and the channels through which they will be sent. The PDPC has imposed penalties on organisations that relied on ambiguous or bundled consent for marketing purposes.

Research and surveys conducted by organisations, universities, and government agencies require consent forms when collecting identifiable personal data from participants. The National University of Singapore (NUS) Institutional Review Board (IRB) and similar research ethics committees at Nanyang Technological University (NTU) and the Agency for Science, Technology and Research (A*STAR) require PDPA-compliant consent forms for research involving human participants.

Events, conferences, and exhibitions where organisers collect attendee data (registration forms, badge scanning, photography consent) require consent forms specifying how the data will be used — follow-up communications, marketing, sharing with sponsors, or publication of photographs.

Third-party data sharing triggers a consent requirement when an organisation intends to disclose an individual's personal data to a third party (business partner, vendor, related company, government agency) for a purpose not covered by the original consent or a PDPA exception.

A PDPA-compliant Singapore Data Collection Consent Form must contain the following elements to satisfy the requirements of sections 13, 14, 20, and 26 of the Personal Data Protection Act 2012, the PDPC's Advisory Guidelines, and industry standard practices.

**Organisation Identification** provides the organisation's registered name, UEN issued by ACRA, registered address, and the name and contact details of the Data Protection Officer (DPO) designated under section 11(3) of the PDPA. The PDPC requires organisations to make the DPO's contact information publicly available.

**Purpose of Data Collection** must state clearly and specifically why the organisation is collecting the individual's personal data — the PDPA prohibits collection for vaguely stated or undisclosed purposes. Each purpose should be listed separately (e.g., processing your order; sending marketing communications; conducting customer satisfaction surveys; sharing with our logistics partners for delivery). The PDPC's enforcement decisions have penalised organisations that used generic phrases like "for all purposes" or "for improving our services" without further specificity.

**Types of Personal Data Collected** lists the categories of data being collected: name, NRIC or identification number (subject to PDPC restrictions), contact details, date of birth, financial information, health information, photographs, biometric data, etc. The organisation should collect only data that is necessary for the stated purposes — the PDPA's purpose limitation obligation under section 18 prohibits excessive collection.

**Third-Party Disclosure** identifies any third parties to whom the personal data may be disclosed — service providers, business partners, regulatory authorities, related companies — and the purpose of each disclosure. Under section 14 of the PDPA, the organisation must notify the individual of third-party disclosures at or before the time of collection.

**Retention Period** states how long the organisation will retain the personal data, or the criteria used to determine the retention period. Section 25 of the PDPA requires organisations to cease retaining personal data when it is no longer necessary for any business or legal purpose. The consent form should state the retention period (e.g., "for the duration of your account plus 7 years for regulatory compliance") or reference the organisation's data retention policy.

**Individual Rights** informs the individual of their right to access and correct their personal data under sections 21 and 22 of the PDPA, and the right to withdraw consent under section 16. The form must explain how to exercise these rights (by contacting the DPO) and any consequences of withdrawing consent (e.g., inability to continue providing the service). Withdrawal of consent does not affect the legality of processing conducted before withdrawal.

**DNC Consent** (where applicable) separately addresses consent for marketing communications under the PDPA's Do Not Call provisions. The form must clearly state the types of marketing messages (SMS, email, telephone, fax) and allow the individual to opt in or opt out of each channel. Bundling DNC consent with other consent requirements without clear separation may render the DNC consent invalid under PDPC enforcement practice.

**Data Portability** (where applicable under the data portability provisions introduced by the 2020 PDPA amendments) informs the individual of their right to request the transmission of their personal data to another organisation in a commonly used machine-readable format.

**Consent Declaration** provides a clear and prominent statement for the individual to sign (or tick, for online forms), confirming that they have read and understood the purposes of data collection and consent to the collection, use, and disclosure of their personal data as described. The declaration should not be pre-ticked — the PDPC considers pre-ticked consent boxes to be inconsistent with the voluntary consent requirement.

The forms-legal.com Data Collection Consent Form template includes all PDPA-mandated elements and modular sections for DNC consent, third-party disclosure, and data portability, adaptable to various industries and data collection contexts in Singapore. Under Singapore law, sections 13, 14, 20, and 26 of the Personal Data Protection Act 2012 (PDPA) govern the core requirements for this type of document. Under Singapore law, Section 6 of the Wills Act (Cap. 352) and Section 8 of the Employment Act 1968 (Cap. 91) govern the core requirements for this type of document.