📞 +65 9747 6071 ✉ purchase@maxicom.sg

Singapore PDPA & data-disposal: a plain-English explainer for IT teams.

The Singapore Personal Data Protection Act doesn't say 'destroy all data immediately.' Instead, Section 24 requires 'reasonable security' on data you hold — including reasonable security on the way out. This explainer walks through what that means in practice, what the PDPC actually checks, and what evidence pack will satisfy an audit.

What the PDPA actually says

Section 24: Protection Obligation

The Personal Data Protection Act (PDPA) 2012 is not a 'destroy everything' law. It's a 'handle data responsibly' law. Section 24 — the Protection Obligation — says organisations must take 'reasonable security measures' to protect personal data. That obligation doesn't end the moment you decide to retire a device or delete a record. It extends to the disposal process itself.

Here's the key: the PDPA doesn't mandate a specific method. It doesn't say 'only use NIST 800-88.' It says 'reasonable.' Reasonable is interpreted in context: the sensitivity of the data, the risk of unauthorised access, the means available to the organisation, and industry-standard practice. For IT organisations, NIST 800-88 clear / purge / destroy is now considered table stakes for 'reasonable.'

The PDPC (Personal Data Protection Commission) doesn't regulate recyclers or ITAD vendors directly. It regulates you — the organisation holding the data. When the PDPC investigates a breach or a complaint, they ask: 'Did you take reasonable steps to prevent access to that data, all the way through disposal?' Your answer is an evidence pack: a Certificate of Destruction, a wipe log, a shred batch ID, photos, and a chain-of-custody trail.

The PDPC's three questions

How the Commission evaluates your disposal

When a PDPC investigator looks at your asset-disposal file, they're checking three things. Get all three right, and 'reasonable security' is defensible.

  • Was the method appropriate? · Did you use a documented standard (NIST 800-88, IEEE 2883) or equivalent? A one-liner 'we threw it away' isn't enough.
  • Did you verify completion? · Did you get a certificate or log showing the data was actually gone? Not promised — gone.
  • Can you prove the chain? · From your building to the disposal facility, who touched the device? Is that chain documented and traceable?

Evidence pack roadmap

What a defensible PDPA-disposal pack looks like

You don't need fancy forms. You need boring, complete, auditable evidence. Here's the minimum.

  • Pre-disposal asset list: serial numbers, device types, the names or types of any personal data known to be on each.
  • Destruction method decision per asset: why you chose wipe vs purge vs shred, documented per device or batch.
  • Proof of completion: a Certificate of Destruction from the disposal vendor, signed and dated, listing each device or batch ID.
  • Per-device or per-batch evidence: a wipe log showing serial, method, pass count, timestamps; or a shred batch ID with weight/count.
  • Chain of custody: pickup date, transit seal, drop-off signature, all dated.
  • Photo evidence: equipment sealed and ready, loaded, and (if shred) post-destruction facility photo.
  • Residual-material disposition: where did the metal, plastic, and electronics go after destruction? Recycler name, date handed over.

Practical alignment

Aligning disposal to Section 24

Here's how NIST 800-88 fits into PDPA compliance. They're not the same thing — but NIST methods satisfy the 'reasonable security' standard.

  • Clear (overwrite) · Single-pass or multi-pass overwrite of data sectors. Reasonable for low-sensitivity devices destined for remarket or refurbish. Not suitable if data could not be fully overwritten (e.g. encrypted data).
  • Purge (cryptographic) · Secure-erase command or firmware-based purge. Ideal for SSDs and modern storage where overwrite cannot reach all sectors. Reasonable for all sensitivity levels.
  • Destroy (shred) · Physical destruction to particle size <2mm. The only method suitable when you cannot verify data is actually gone — e.g. legacy encrypted media, factory-sealed drives. Also required for data you cannot verify was fully written (e.g. virtual memory, unallocated space).

Common mistakes

PDPA-disposal red flags we see

'We wiped it' with no log

The PDPC will ask: how do you know? No serial number, no operator signature, no timestamp = no proof. Always get a Certificate of Destruction with per-device or per-batch detail.

Donated equipment without clearing first

If the device still held personal data when it left your building, you are liable for any breach during its second life. Clear it first, then donate with a Donation Certificate.

Bulk shred with no batch tracking

If 500 drives went into a shredder, can you prove the ones with your data were in that batch? Get batch IDs, weights, counts, and serial-number pre-shred photos.

No chain of custody in transit

Who transported the locked box from your office to the facility? For how long was it in a van, and how was it sealed? Document it.

Recycler assurance, not destruction proof

A recycler saying 'we handle e-waste securely' is not the same as 'we destroyed your data.' Ask for per-job Certificates of Destruction, not annual ISO statements.
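The evidence-pack roadmap and the red flags above reduce to a checklist that can be run over each asset's record before the pack is filed, so that 'we wiped it' with no log, a shred with no batch ID, or a missing drop-off signature is caught in-house rather than by a PDPC investigator. The following is an added example written for this page, not Maxicom's own tooling or a PDPC tool; the record layout, the field names and the two sample records are constructed assumptions.

```python
# Added example: a completeness check for a per-asset PDPA-disposal evidence pack.
# Illustrative code written for this page, not Maxicom's or the PDPC's tooling;
# the record layout, field names and sample records are assumptions/constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

METHODS = {"clear", "purge", "destroy"}  # NIST 800-88 sanitisation categories

@dataclass
class CustodyStep:
    step: str      # "pickup", "transit" or "dropoff"
    who: str       # courier or staff member who signed for the sealed container
    when: str      # ISO-8601 timestamp
    seal_id: str   # tamper-evident seal number on the container

@dataclass
class AssetRecord:
    serial: str
    device_type: str
    data_classes: list[str]                   # kinds of personal data known to be on the device
    method: str                               # clear / purge / destroy
    certificate_id: str = ""                  # per-job Certificate of Destruction number
    wipe_log: dict = field(default_factory=dict)     # clear/purge: serial, passes, started, finished, operator
    shred_batch: dict = field(default_factory=dict)  # destroy: batch_id, weight_kg or count, serials
    custody: list[CustodyStep] = field(default_factory=list)
    photos: dict[str, str] = field(default_factory=dict)  # stage -> image file
    residual: dict = field(default_factory=dict)     # recycler, handed_over

def _ts(value) -> datetime | None:
    try:                                  # None for a missing or malformed timestamp
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None

def validate(rec: AssetRecord) -> list[str]:
    """Return the gaps an auditor would flag; an empty list means the pack is complete."""
    gaps: list[str] = []
    method = rec.method.lower()
    # Question 1: was the method a documented standard, with a per-job certificate?
    if method not in METHODS:
        gaps.append(f"method '{rec.method}' is not a documented NIST 800-88 category")
    if not rec.certificate_id:
        gaps.append("no per-job Certificate of Destruction ID")
    # Question 2: did you verify completion? 'We wiped it' with no log is not proof.
    if method == "destroy":
        b = rec.shred_batch
        if not b.get("batch_id"):
            gaps.append("shred with no batch ID")
        if not (b.get("weight_kg") or b.get("count")):
            gaps.append("shred batch has no weight or count")
        if rec.serial not in b.get("serials", []):
            gaps.append("serial not listed in the pre-shred batch manifest")
        if "post_destruction" not in rec.photos:
            gaps.append("no post-destruction facility photo")
    elif method in METHODS:
        w = rec.wipe_log
        if not w:
            gaps.append("'we wiped it' with no wipe log")
        else:
            if w.get("serial") != rec.serial:
                gaps.append("wipe log serial does not match the asset serial")
            if not w.get("operator"):
                gaps.append("wipe log has no operator signature")
            start, end = _ts(w.get("started")), _ts(w.get("finished"))
            if start is None or end is None or end < start:
                gaps.append("wipe log timestamps missing or inconsistent")
    # Question 3: can you prove the chain? Signed pickup and drop-off, one unbroken seal.
    steps = {c.step: c for c in rec.custody}
    for needed in ("pickup", "dropoff"):
        c = steps.get(needed)
        if c is None or not c.who or _ts(c.when) is None:
            gaps.append(f"chain of custody missing a dated, signed {needed}")
    seals = {c.seal_id for c in rec.custody}
    if len(seals) != 1 or "" in seals:
        gaps.append("transit seal missing or changed between pickup and drop-off")
    for stage in ("sealed", "loaded"):
        if stage not in rec.photos:
            gaps.append(f"no '{stage}' photo")
    if not (rec.residual.get("recycler") and _ts(rec.residual.get("handed_over"))):
        gaps.append("residual-material disposition not recorded")
    return gaps

# Constructed sample records (not real assets, serials or certificates).
COMPLETE = AssetRecord(
    serial="SN-EXAMPLE-001", device_type="SSD", data_classes=["customer contact data"],
    method="purge", certificate_id="COD-EXAMPLE-0001",
    wipe_log={"serial": "SN-EXAMPLE-001", "passes": 1, "operator": "J. Tan",
              "started": "2024-01-10T09:00:00", "finished": "2024-01-10T09:04:00"},
    custody=[CustodyStep("pickup", "Courier A", "2024-01-09T14:00:00", "SEAL-1001"),
             CustodyStep("dropoff", "Facility desk", "2024-01-09T15:10:00", "SEAL-1001")],
    photos={"sealed": "img-001.jpg", "loaded": "img-002.jpg"},
    residual={"recycler": "Example Recycler Pte Ltd", "handed_over": "2024-01-12"})
NO_LOG = AssetRecord(  # the 'we wiped it' red flag: no log, no drop-off, no photos
    serial="SN-EXAMPLE-002", device_type="HDD", data_classes=["test data"],
    method="clear", certificate_id="COD-EXAMPLE-0001",
    custody=[CustodyStep("pickup", "Courier A", "2024-01-09T14:00:00", "SEAL-1001")])
```

`validate(COMPLETE)` returns an empty list; `validate(NO_LOG)` returns five findings (no wipe log, no signed drop-off, no sealed and loaded photos, no residual disposition), which is exactly the file an investigator would pick apart. The seal check is deliberately strict: a seal number that changes between pickup and drop-off is treated as a broken chain, not a clerical difference.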

Practical advice

Four steps to stay 'reasonable'

  1. Classify your data before disposal. Spend 10 minutes asking: what sensitivity level is this device? Production banking data? Customer records? Test lab workstations? The answer drives method choice.
  2. Pick a method aligned to sensitivity. Low (test data, non-PII): Clear is fine. Medium (customer contact data): Purge. High (production credentials, encryption keys, medical records): Destroy.
  3. Get a per-job Certificate of Destruction from your vendor, not a template. It should list actual serial numbers, actual method, actual date. A generic 'we comply with standards' certificate won't pass a PDPC audit.
  4. Keep the pack for 3 years minimum. PDPA allows the PDPC to investigate within 3 years of a breach. Hang onto the evidence pack: Certificate, wipe logs, chain-of-custody photos, and residual-material disposition.
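Steps 1, 2 and 4 above, together with the media caveats in the alignment table, can be captured as a per-asset decision record: the method chosen, the reason (which the evidence pack must document per device or batch), and the date the pack must be kept until. The following is an added example written for this page, not Maxicom's own tooling. The sensitivity tiers and the 3-year retention are the page's; the field names, the list of flash media types, and the choice to require at least Purge for any flash device (because overwrite cannot reach all sectors) are assumptions.

```python
# Added example: the four steps above as a per-asset decision record.
# Illustrative code written for this page, not Maxicom's own tooling. The tiers,
# the flash-media caveat and the 3-year retention come from the text; field names,
# the media list and treating flash media as needing at least Purge are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

SENSITIVITY = {                       # step 1: classify before disposal
    "low": "test data, non-PII",
    "medium": "customer contact data",
    "high": "production credentials, encryption keys, medical records",
}
FLASH_MEDIA = {"ssd", "nvme", "flash", "emmc"}   # overwrite cannot reach all sectors
RETENTION_YEARS = 3                   # step 4: PDPC may investigate within 3 years

@dataclass(frozen=True)
class Decision:
    serial: str
    method: str        # clear / purge / destroy
    rationale: str     # the 'why' the evidence pack must record per asset
    retain_until: str  # ISO date the pack must be kept until

def choose_method(sensitivity: str, media: str, verifiable: bool = True) -> tuple[str, str]:
    """Step 2: method by sensitivity, tightened by the media caveats in the alignment table."""
    s, m = sensitivity.lower(), media.lower()
    if s not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity tier: {sensitivity}")
    if not verifiable:   # e.g. legacy encrypted or factory-sealed media: only Destroy proves it is gone
        return "destroy", "cannot verify the data is gone; physical destruction is the only defensible method"
    if s == "high":
        return "destroy", f"high sensitivity ({SENSITIVITY['high']})"
    if m in FLASH_MEDIA:
        return "purge", "flash media: overwrite cannot reach all sectors, so secure-erase/purge instead of clear"
    if s == "medium":
        return "purge", f"medium sensitivity ({SENSITIVITY['medium']})"
    return "clear", f"low sensitivity ({SENSITIVITY['low']}), magnetic media, device destined for reuse"

def retain_until(disposal_date: str) -> str:
    """Step 4: disposal date plus 3 years, as an ISO date (29 Feb clamps to 28 Feb)."""
    d = date.fromisoformat(disposal_date)
    try:
        return d.replace(year=d.year + RETENTION_YEARS).isoformat()
    except ValueError:       # 29 Feb with no leap day in the target year
        return d.replace(year=d.year + RETENTION_YEARS, day=28).isoformat()

def decide(serial: str, sensitivity: str, media: str, disposal_date: str,
           verifiable: bool = True) -> Decision:
    method, why = choose_method(sensitivity, media, verifiable)
    return Decision(serial, method, why, retain_until(disposal_date))

def plan(inventory: list[dict]) -> list[Decision]:
    """Run the decision over a pre-disposal asset list (rows of serial/sensitivity/media/date)."""
    return [decide(r["serial"], r["sensitivity"], r["media"], r["disposal_date"],
                   r.get("verifiable", True)) for r in inventory]

# Constructed sample inventory (not real assets).
SAMPLE = [
    {"serial": "SN-EXAMPLE-010", "sensitivity": "low", "media": "hdd", "disposal_date": "2024-03-01"},
    {"serial": "SN-EXAMPLE-011", "sensitivity": "low", "media": "ssd", "disposal_date": "2024-03-01"},
    {"serial": "SN-EXAMPLE-012", "sensitivity": "high", "media": "hdd", "disposal_date": "2024-02-29"},
    {"serial": "SN-EXAMPLE-013", "sensitivity": "medium", "media": "hdd",
     "disposal_date": "2024-03-01", "verifiable": False},
]

if __name__ == "__main__":
    for d in plan(SAMPLE):
        print(f"{d.serial}: {d.method:7} keep until {d.retain_until}  ({d.rationale})")
```

Feeding the pre-disposal asset list from step 1 through `plan()` gives one rationale line per serial, which is the 'destruction method decision per asset' entry the evidence pack needs. The `verifiable=False` row shows the alignment table's rule that when you cannot prove the data was overwritten, Destroy is the only defensible choice regardless of tier.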

FAQs · 3 questions

Maxicom Singapore — frequently asked

Does 'reasonable security' mean a specific standard, or is it up to interpretation?

It's contextual, but interpreted against industry practice. For IT organisations today, NIST 800-88 is considered table stakes for 'reasonable.' A PDPC auditor will ask: 'Is this method consistent with NIST 800-88 or equivalent?' If your answer is no, you'll be asked to justify why a weaker standard was chosen. Easier to use NIST 800-88 from the start.

If we destroy data in-country (Singapore), does PDPA apply to the residual recycled material?

PDPA applies to personal data, not to the physical material after it's destroyed. Once the data is gone (proven by the shred log or wipe certificate), PDPA has done its job. Downstream recycling of the residual material is governed by NEA e-waste rules, not PDPA. But the chain-of-custody handoff (when you hand the residual to a recycler) is part of your 'reasonable security' trail.

Can we claim compliance with PDPA Section 24 if we outsource destruction to a vendor?

No — you remain liable. Section 24 applies to you, the organisation. If you hire a vendor who botches the job (doesn't actually destroy the data, loses the box in transit, etc.), the PDPC will hold you accountable. Your job is to pick a competent vendor, monitor their work, and collect evidence. Insist on per-job Certificates of Destruction with serial-number detail. Get insurance, NDA, and references. Don't just sign a contract and assume they're handling it.

Last reviewed · Maxicom Singapore Editorial & Compliance Team

Get started — it takes 2 minutes

Get a written SGD quote within 2 hours.

No obligation. PDPA-aligned destruction documentation, NIST 800-88 + IEEE 2883-2022 standards, per-job Certificate of Destruction, settlement on uplift. Three ways to reach us.

1. Send asset list. CSV / spreadsheet with serials, makes, models.
2. Get SGD quote within 2 working hours, per-line residuals.
3. Locked uplift + NIST 800-88 destruction + SGD settlement.
📞 +65 9747 6071 · Mon-Fri 08:30-18:00 SGT · 📧 purchase@maxicom.sg · 📍 51 Goldhill Plaza #07-10/11, Singapore 308900