PDPA Section 24 — Singapore Personal Data Protection Act
Section 24 of Singapore's Personal Data Protection Act 2012 (Act 26 of 2012, with substantial 2020 amendments and 2022 implementation) establishes the Protection Obligation: organisations must protect personal data in their possession or under their control by making reasonable security arrangements.
For ITAD specifically, Section 24 translates operationally into per-asset data destruction with documentation that the Personal Data Protection Commission (PDPC) can review on inspection. Maxicom Singapore engagements are structured to satisfy PDPA Section 24 and the broader PDPA framework in admissible form.
PDPA Section 24 — Protection Obligation
Section 24 requires reasonable security arrangements proportionate to the sensitivity of the personal data. For retired enterprise IT, this maps to a per-asset sanitisation method matched to data sensitivity, a documented Certificate of Destruction, and retention of the certificate. The PDPC Advisory Guidelines on Disposal of Personal Data (December 2014, with subsequent updates) provide operational detail.
PDPC enforcement and breach notification
PDPC investigates complaints, audits organisations, issues directions, and imposes financial penalties up to S$1M or 10% of annual turnover (whichever is higher). Mandatory data-breach notification (since February 2021) requires breaches that pose significant harm to be reported within 3 days. ITAD-relevant breaches are in scope.
Section 26 — international transfer
PDPA Section 26 governs cross-border transfer of personal data. A comparable level of protection is required at the destination. For Maxicom, post-sanitisation cross-border resale of non-data-bearing components is unrestricted; pre-sanitisation cross-border movement of data-bearing media is restricted by engagement contract.
MAS TRM composition
For BFSI engagements, PDPA composes with the MAS Technology Risk Management Notice (the MAS TRM Notice and Guidelines, latest version 2021). MAS TRM imposes additional ITAD discipline on financial institutions; Maxicom certificates satisfy both PDPA and MAS TRM simultaneously.
IMDA cloud and outsourcing guidance
IMDA (Infocomm Media Development Authority) issues technology guidance, including cloud-services and outsourcing guidelines. For ITAD vendor relationships, the IMDA guidance overlaps with PDPA Section 24 and the PDPC outsourcing guidelines.
Authoritative references
Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.
Frequently asked questions
Does PDPA Section 24 require physical destruction of all retired drives?
No. PDPA is method-neutral; Section 24 requires reasonable arrangements proportionate to sensitivity. NIST SP 800-88 Rev. 1 Purge satisfies this for most data classifications.
How long must I retain destruction certificates?
PDPA does not specify a fixed period. Maxicom's default is 7 years, or longer where MAS TRM or sector-specific rules apply.
What about the 3-day breach notification under PDPA?
ITAD-related breaches (data-bearing media loss, unauthorised disclosure) fall in scope. Maxicom's incident-response playbook supports the 3-day window.
How does PDPA compose with MAS TRM?
They compose. PDPA covers personal-data protection broadly; MAS TRM covers technology-risk management for FIs specifically. Maxicom certificates satisfy both.