📞 +65 9747 6071 ✉ purchase@maxicom.sg
Singapore PDPA · Section 24

Singapore PDPA: Section 24 on retiring data-bearing media.

The Personal Data Protection Act 2012 obliges organisations to protect personal data with 'reasonable security'. When that data is held on retiring servers, drives, or laptops, 'reasonable security' has a specific shape. Here's what we deliver and how it maps to your evidence.

What PDPA Section 24 says

Reasonable security on disposal — what it means in practice.

Section 24 of the PDPA requires organisations to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, modification, disposal, or similar risks. On disposal of data-bearing media, this typically means: documented destruction, chain of custody from pickup to destruction, and evidence the destruction occurred.

The PDPC (Personal Data Protection Commission of Singapore) does not license or certify ITAD vendors. There is no PDPA-certification register for ITAD providers. What auditors look for is your evidence: did you choose a reasonable disposal method, did you document it, and can you produce the proof?

Evidence we deliver

What's in your PDPA evidence pack

  • Asset list pre-pickup with serial numbers, makes, models — proves what was disposed.
  • Locked-transit log with GPS track and photo-confirmed transfers — proves chain of custody.
  • NIST SP 800-88 + IEEE 2883-2022 method citation per device — proves the destruction was reasonable.
  • Per-device wipe-log or shred batch ID — proves the destruction occurred.
  • Two-operator destruction with witness sign-off — proves the destruction was supervised.
  • Per-job Certificate of Destruction with PDPA Section 24 alignment statement.
  • Downstream recipient log: where any residual material went — proves no escape via the recycler chain.

Honest about cross-border

Cross-border data flows on disposal.

If your retiring kit will be refurbished and remarketed across the ASEAN region, Section 26 (Transfer Limitation) and the Cross-Border Privacy Rules conversation apply. The simple rule: data must be destroyed before the kit crosses any border. We do destruction Singapore-side, by default, on every job. The hardware that crosses borders has had its data destroyed; the data does not cross.

PDPA Section 24 in numbers

What it costs to get it wrong.

  • S$1M (Maximum penalty): Per-breach financial penalty cap under Section 24 — applies to disposal-related failures as well as access-control failures.
  • Section 24 (The Protection Obligation): Specific PDPA section that creates the disposal-evidence requirement on data-bearing media.
  • PDPC (Regulator): Personal Data Protection Commission of Singapore — administers the PDPA and issues enforcement decisions.
  • 2020 (Breach-notification amendment): Mandatory breach notification became enforceable from the 2020 PDPA amendments.

Section 24 — the actual text and the obligations it creates

Reading the PDPA the way an auditor reads it.

Section 24 of the Personal Data Protection Act 2012 reads: ‘An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored.’

The operative words for ITAD are ‘disposal,’ ‘loss of any storage medium,’ and ‘reasonable security arrangements.’ The obligation creates four practical expectations: (1) the organisation chose a destruction method that fits the data classification; (2) the destruction was actually performed; (3) the chain of custody between in-service and destruction was unbroken; (4) the organisation can produce evidence of all three on inspection.

Maximum financial penalty is currently SGD 1 million per breach, with the PDPC issuing decisions that have applied figures up to several hundred thousand Singapore dollars on Section 24 failures involving disposed-of media. Enforcement decisions have specifically called out: media that was sold or disposed of without verification; destruction that was claimed but not evidenced; chain-of-custody gaps; and disposal documented but with the disposal method itself inadequate for the storage class (e.g. wipe applied to SSDs without cryptographic erase).

PDPA evidence pack — what we hand over per job

Items in the file your internal compliance team retains

  • Pre-disposal asset list with serial numbers, makes, models, and data classifications.
  • Statement of Work — authorising the disposal, signed by both parties' authorised owners.
  • Locked-transit log — chain-of-custody between your facility and our destruction site.
  • GPS track + photographic evidence of each transfer of custody (pickup, vehicle changes, arrival).
  • Per-job Certificate of Destruction — naming method, standards, operator, witness, completion timestamp.
  • Per-asset wipe log or shred batch ID — proving the destruction itself occurred.
  • Standards citation — NIST SP 800-88 Rev. 1 + IEEE 2883-2022; DoD 5220.22-M if used.
  • PDPA Section 24 alignment statement — reference to the destruction as the protective control.
  • Downstream-recipient log — where any residual material went, with their licence reference.
  • Retention plan — how long each side retains the evidence (typically 5–7 years).

PDPC enforcement decisions — common failure patterns

Where Section 24 cases have actually gone wrong.

The PDPC publishes enforcement decisions; reading them is the most useful way to calibrate what ‘reasonable security on disposal’ actually means in practice. Three patterns recur in disposal-related decisions.

Sold-without-wiping. An organisation disposes of equipment to a second-hand dealer or via tender for second-hand sale, without first wiping or verifying that the dealer wiped it. The buyer or a downstream party recovers personal data from the storage. Decision: Section 24 breach, financial penalty.

Wipe-claimed-not-evidenced. An organisation's policy says retiring kit is wiped before disposal, but on inspection the policy isn't backed by per-device evidence — no wipe log, no certificate, no operator sign-off. When a related breach investigation begins, the wipe assertion cannot be substantiated. Decision: Section 24 breach by virtue of weak controls even if the wipe actually happened.

Wrong method for the storage class. An organisation uses a single-pass overwrite on SSDs without cryptographic erase. Forensic recovery later shows data was still recoverable. Decision: Section 24 breach because the method was inadequate for the storage class, even though some destruction did occur.

Avoiding all three is structurally simple: use methods that fit the storage class (NIST 800-88 decision matrix), document the destruction per device, and retain the evidence for the data-retention period.
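
An added example, not Maxicom's or the PDPC's own tooling: a Python check that reconciles a pre-disposal asset list against per-device destruction records and flags the failure patterns described above. The record field names, method labels and sample data are constructed for illustration.

```python
# Added example: all field names, method labels and records are constructed.
# Methods treated as adequate per storage class. SSD/HDD entries follow the
# page; accepting physical shredding for either class is an assumption here.
ADEQUATE = {"SSD": {"crypto_erase", "shred"}, "HDD": {"overwrite", "shred"}}

def reconcile(assets, evidence):
    """Return {serial: [issues]} for every device with an evidence gap."""
    by_serial = {}
    for rec in evidence:
        by_serial.setdefault(rec["serial"], []).append(rec)
    findings = {}
    for asset in assets:
        issues = []
        recs = by_serial.pop(asset["serial"], [])
        if not recs:
            # Covers both "sold without wiping" and "claimed, not evidenced".
            issues.append("no destruction record")
        for rec in recs:
            if rec["method"] not in ADEQUATE.get(asset["storage"], set()):
                issues.append(f"method {rec['method']} inadequate for {asset['storage']}")
            if not rec.get("log_id"):
                issues.append("no wipe log or shred batch ID")
            if not (rec.get("operator") and rec.get("witness")):
                issues.append("missing operator or witness sign-off")
        if issues:
            findings[asset["serial"]] = issues
    # A destruction record for a serial that was never listed breaks the
    # link between the asset list and the certificate.
    for serial in by_serial:
        findings[serial] = ["destroyed device not on asset list"]
    return findings

ASSETS = [  # constructed pre-disposal asset list
    {"serial": "SN-001", "storage": "SSD"},
    {"serial": "SN-002", "storage": "HDD"},
    {"serial": "SN-003", "storage": "SSD"},
    {"serial": "SN-004", "storage": "HDD"},
]
EVIDENCE = [  # constructed per-device destruction records
    {"serial": "SN-001", "method": "crypto_erase", "log_id": "W-1001", "operator": "op-a", "witness": "op-b"},
    {"serial": "SN-002", "method": "overwrite", "log_id": "", "operator": "op-a", "witness": "op-b"},
    {"serial": "SN-003", "method": "overwrite", "log_id": "W-1003", "operator": "op-a", "witness": "op-b"},
    {"serial": "SN-999", "method": "shred", "log_id": "B-77", "operator": "op-a", "witness": "op-b"},
]

if __name__ == "__main__":
    for serial, issues in sorted(reconcile(ASSETS, EVIDENCE).items()):
        print(serial, "->", "; ".join(issues))
```

Running the same reconciliation before the Certificate of Destruction is countersigned catches gaps while the vendor can still supply the missing log or sign-off.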

At a glance

Visual reference.

Singapore compliance map: regimes, regulators, and what each governs (circa 2026)

  • PDPA (regulator: PDPC): Section 24 · Protection Obligation
  • MAS TRM (regulator: MAS): Notice FSM-N21 · Tech Risk Mgmt
  • Cyber Hygiene (regulator: MAS): Notice FSM-N22 · Cyber Hygiene
  • CCoP 2.0 (regulator: CSA): Critical Information Infrastructure
  • DC Guidelines (regulator: IMDA): Cloud Services & Data Centres
  • RSA 2019 (regulator: NEA): E-waste · EPR scheme
  • Basel (regulator: NEA CCMD): Transboundary e-waste shipment

Singapore ITAD regulatory landscape — regimes, regulators, scope
FAQs · 9 questions

PDPA & IT-asset disposal — frequently asked

Are you a PDPC-approved vendor?

The PDPC does not approve, license, or certify ITAD vendors. What we offer is PDPA-aligned destruction documentation, designed to support your Section 24 evidence. If anyone tells you they are PDPC-approved, ask to see the documentation — there isn't a register.

How long should we retain the Certificate of Destruction?

The PDPA itself does not set a fixed retention period for disposal-evidence; in practice, retain it for as long as the underlying data was retained, typically 5–7 years. We retain a backup copy for the same period.

Does Singapore PDPA require destruction of data-bearing IT?

Section 24 of the Personal Data Protection Act 2012 obliges organisations to make ‘reasonable security arrangements’ to protect personal data including against unauthorised disposal. For data-bearing IT this means: documented destruction method appropriate to the storage class, chain-of-custody between in-service and destruction, evidence the destruction occurred, and retention of the evidence. Maximum financial penalty is currently SGD 1 million per breach.

Is Maxicom Singapore a PDPC-approved ITAD vendor?

The Personal Data Protection Commission (PDPC) does not maintain an approved-vendor register for ITAD or any other industry. There is no ‘PDPC-approved’ designation, and similarly no PDPA-certification register exists for ITAD providers. What Maxicom Singapore offers is destruction documentation aligned with PDPA Section 24 obligations, supporting your evidence file for PDPC inspection. Any vendor claim of PDPC approval should be questioned — the designation does not exist.

How long should we keep Certificates of Destruction for PDPA evidence?

PDPA does not set a fixed retention period for disposal-evidence; in practice retain for as long as the underlying data was retained, typically 5–7 years for personal data. For sectors with longer retention (healthcare, insurance), match that retention. Maxicom Singapore retains a counter-signed copy of every Certificate for at least 7 years to support cross-reference if your auditor or the PDPC requests verification.

What does Singapore PDPA require for IT-asset disposal?

Section 24 of the Personal Data Protection Act 2012 (the Protection Obligation) requires ‘reasonable security arrangements’ on disposal of personal data including via storage media. Practical expectations: documented destruction method appropriate to the storage class, chain-of-custody between in-service and destruction, evidence the destruction occurred, retention of the evidence. Maximum financial penalty: SGD 1 million per breach. Maxicom Singapore provides a per-job Certificate of Destruction with PDPA Section 24 alignment statement that fits directly into the customer's compliance evidence file.

How long should we retain Certificates of Destruction for PDPA compliance?

PDPA does not set a fixed retention period for disposal-evidence; retain for as long as the underlying personal data was retained, typically 5-7 years for general personal data. For sectors with longer retention (healthcare, insurance), match that retention. Maxicom Singapore retains a counter-signed copy of every Certificate for at least 7 years to support cross-reference if your auditor or the PDPC requests verification. Long-term archival format (PDF/A) is delivered alongside the standard PDF for retention spanning years or decades.

Has the PDPC issued enforcement decisions about IT disposal?

Yes. Disposal-related PDPC decisions have applied financial penalties up to several hundred thousand SGD on Section 24 failures. Common patterns: media sold or disposed without verification (data later recovered by buyer or downstream party); destruction claimed but not evidenced (no per-device wipe log when investigated); chain-of-custody gaps between in-service and destruction; wrong destruction method for the storage class (overwrite applied to SSDs without cryptographic erase). Avoiding all four is structurally simple with NIST 800-88-aligned destruction and per-device evidence.

Does PDPA apply to disposal of company laptops in Singapore?

Yes. Corporate laptops typically hold personal data (employee records, customer data accessed during work, email archives, document drafts). Section 24 applies on disposal. Practical implication: each laptop's storage media (SSD or HDD) must be destroyed using a method appropriate to the storage class, with documented evidence per device. NIST 800-88 Purge via cryptographic erase (for SSDs) or Clear via overwrite (for HDDs), with a per-device wipe log, satisfies the obligation. The per-job Certificate of Destruction provides the audit-ready evidence.

Last reviewed · Maxicom Singapore Editorial & Compliance Team

📞 +65 9747 6071 · Mon-Fri 08:30-18:00 SGT · 📧 purchase@maxicom.sg · 📍 51 Goldhill Plaza #07-10/11, Singapore 308900