PDPA Data Access Request: How to Handle Subject Access Requests in Singapore

One of the most common PDPA compliance questions Singapore SMEs face is deceptively simple: "A customer asked for all the data we hold about them. What do we do?"

This is a Data Access Request -- formally known as a request under Section 21 of the Personal Data Protection Act. It is one of the core rights the PDPA gives to individuals, and one of the obligations most organisations are unprepared to handle efficiently.

Getting it wrong is not a minor issue. The PDPC has issued enforcement decisions against organisations that failed to respond to access requests properly, resulting in warnings, directions to comply, and reputational damage.

This guide covers everything Singapore SMEs need to know about handling data access requests correctly: what the law requires, how to set up an efficient response process, common mistakes to avoid, and the exemptions you can legitimately rely on.

What Is the Access Obligation?

Under Section 21 of the PDPA, individuals have the right to request access to:

• Their personal data that an organisation has in its possession or under its control
• Information about how that data has been used or disclosed within the past year before the request was made

This right exists regardless of how the organisation collected the data. Whether the individual is a customer, employee, vendor contact, or website visitor, they can make an access request if you hold their personal data.

The individual does not need to provide a reason for the request. The right to access exists independently of any dispute, complaint, or business relationship.

Who Can Make a Data Access Request?

Any individual whose personal data you hold can make an access request. In practice, the most common requesters are:

• Current or former customers who want to know what information you have about them
• Current or former employees requesting their HR records, performance data, or communications
• Job applicants who were not hired and want to know what data you retained
• Business contacts such as vendors or partners whose personal contact details you hold
• Website users if you collect personal data through forms, cookies, or account registrations

A request can come from the individual directly or through an authorised representative (such as a lawyer or parent acting on behalf of a minor).

How to Handle a Data Access Request: Step by Step

Step 1: Acknowledge the Request

When you receive an access request, acknowledge it promptly -- ideally within 3 to 5 business days. Confirm that you have received the request and provide an expected timeline for your response.

If the request came verbally (by phone or in person), ask the requester to submit it in writing. This is not a legal requirement, but it protects both parties by creating a clear record.

Step 2: Verify the Requester's Identity

Before disclosing any personal data, verify that the person making the request is who they claim to be. Disclosing personal data to the wrong person is itself a PDPA breach.

Acceptable verification methods include:

• Checking their identity against records you already hold (email address, phone number, account details)
• Requesting government-issued ID (while being mindful of the NRIC collection restrictions under the PDPA)
• Using your existing authentication system if the request comes through a logged-in account

Do not request more personal data than necessary for verification. Asking for excessive identification documents to discourage requests may be viewed unfavourably by the PDPC.

Step 3: Search for and Compile the Data

Search all systems where the individual's personal data may be stored:

• CRM and customer databases
• Email systems (search by the individual's name and email address)
• HR systems (for employee requests)
• Physical files (if you maintain paper records)
• Third-party platforms you use that store personal data on your behalf
• Backup and archive systems (if reasonably accessible)

Compile the data into a clear, understandable format. You do not need to provide raw database exports -- organise the information so the individual can understand what you hold.

Step 4: Review for Exemptions

Before releasing the compiled data, review it against the exemptions in the Fifth Schedule of the PDPA. You may withhold specific data items if they fall under a valid exemption, but you must still provide access to the remaining data.

Step 5: Respond Within 30 Days

Provide the data to the requester in a format they can reasonably access. Common delivery methods include:

• Secure email with password-protected attachments
• A secure download link (for larger data sets)
• Physical copies delivered by registered mail (for sensitive data)

If you need more than 30 days, inform the requester before the deadline and explain why.

Step 6: Document Everything

Record the following for each access request:

• Date received
• Requester identity and verification method
• Data provided (summary)
• Any exemptions applied and the reason
• Date of response
• Any fees charged

This documentation protects you in the event of a PDPC inquiry and helps you improve your process over time.

Valid Exemptions: When You Can Refuse

The PDPA does not require absolute disclosure. The Fifth Schedule sets out situations where you may refuse or limit an access request:

• Legal privilege -- data protected by solicitor-client privilege
• Safety concerns -- disclosure could threaten the safety or physical/mental health of another individual
• Ongoing investigations -- data relates to an investigation, mediation, or legal proceeding that could be compromised by disclosure
• National interest -- disclosure would be contrary to the national interest
• Evaluative purposes -- data compiled for evaluative purposes (such as performance reviews) where disclosure would compromise the evaluation process
• Frivolous or vexatious requests -- requests that are clearly made in bad faith or designed to harass

When applying an exemption, you must inform the requester that their request (or part of it) has been refused. You should state the reason for refusal, though you do not need to identify the specific exemption by its schedule number.

Important: Exemptions apply to specific data items, not to entire requests. If only some of the data falls under an exemption, you must still provide access to the rest.

Fees: What You Can Charge

You may charge a reasonable fee for responding to an access request. The fee should reflect:

• The cost of searching for and retrieving the data
• The cost of preparing and delivering the response
• Any reproduction costs (photocopying, printing)

You cannot charge a fee designed to discourage access requests. If your fee is disproportionate to the effort involved, the PDPC may consider it a violation of the Access Obligation.

Best practice: Many organisations waive fees for straightforward requests and only charge for requests that require significant effort (for example, retrieving data from archived systems spanning many years).

Common Mistakes to Avoid

Ignoring or Delaying the Response

The most frequent violation. Letting a request sit in someone's inbox for weeks is a compliance failure. Assign clear ownership of access request handling to your Data Protection Officer (DPO).

Not Searching All Systems

Providing data from your main database but overlooking email records, shared drives, or third-party systems means your response is incomplete. A systematic search process prevents this.

Disclosing Other People's Data

When compiling data, watch for personal data of other individuals mixed in. For example, an email thread may contain the requester's data alongside personal data of other people. Redact third-party personal data before releasing.

Over-Relying on Exemptions

Exemptions exist for genuine situations, not as a convenient way to avoid responding. The PDPC takes a dim view of organisations that cite exemptions without proper justification.

Failing to Verify Identity

Releasing personal data to someone who is not the data subject is a data breach. Always verify identity before disclosure, even for requests that seem straightforward.

Building an Efficient Access Request Process

For SMEs handling occasional access requests, a simple process is sufficient:

• Designate responsibility -- your DPO or a specific team member handles all access requests
• Create a request tracking spreadsheet -- log every request with dates, status, and outcomes
• Prepare a search checklist -- list every system where personal data is stored so nothing is missed
• Draft template responses -- acknowledgment email, data delivery email, refusal email (with exemption explanation)
• Set calendar reminders -- for the 30-day deadline on every open request

For organisations receiving frequent access requests, consider investing in compliance software that automates tracking, searching, and response generation. Platforms like ComplyHQ can help SMEs manage their PDPA obligations systematically without dedicated compliance staff.

Data Access Requests from Employees

Employee access requests deserve special attention because HR data is often more sensitive and distributed across more systems:

• HR management system -- personal details, salary, leave records, benefits
• Email and messaging -- communications to and from the employee
• Performance management -- reviews, feedback, goals
• CCTV footage -- if the employee is identifiable
• Access logs -- building entry/exit, system login records

Note that the evaluative purpose exemption may apply to some HR data (such as internal assessments compiled for promotion or disciplinary decisions), but this exemption is narrow. Most employee personal data must be disclosed on request.

The Connection to Other PDPA Obligations

The Access Obligation does not exist in isolation. Handling access requests well requires compliance with other PDPA obligations:

• Purpose Limitation -- if you cannot explain why you hold certain data, you probably should not be holding it
• Retention Limitation -- data you should have deleted cannot cause access request complications if it no longer exists
• Protection Obligation -- the process of responding to access requests must itself protect the data (secure transmission, identity verification)
• Openness Obligation -- your privacy policy should explain how individuals can make access requests

Action Items for SMEs

If you have not already set up an access request handling process, here is what to do this week:

• Appoint a handler. Designate who receives and processes access requests. This should be your DPO or someone who reports to them.
• Audit your data inventory. List every system where personal data is stored. You cannot respond to access requests if you do not know where data lives.
• Create templates. Draft acknowledgment, response, and refusal email templates. Having these ready saves significant time when a request arrives.
• Set a response SLA. Commit to responding within 21 days (leaving a buffer before the 30-day guideline).
• Test your process. Submit an internal test request and walk through the full process. Identify gaps before a real request exposes them.

Handling data access requests is not complex, but it does require preparation. The organisations that struggle are not the ones with difficult data structures -- they are the ones that never set up a process in the first place.