PDPA Annex A Β· Plain English Navigator

Do I need consent to use personal data?

Answer a few simple questions about your situation. We'll guide you step by step to find out exactly what your organisation needs to do under Singapore's PDPA β€” no legal training required.

4 questions Plain English Real examples 100% accurate
1 Are you handling personal data?
In plain English
"Personal data" means any information that can identify a person β€” directly or indirectly. This includes names, NRIC numbers, phone numbers, email addresses, photos, and even things like IP addresses or employee IDs that can be traced back to someone.
Think about it
Before using personal data, ask: Could I use anonymised or aggregated data instead? For example, instead of tracking individual customer names, could you use aggregate statistics ("60% of customers are male")? If anonymised data works, the PDPA doesn't apply.
βœ“
Yes
I'm dealing with data that can identify a person
e.g. collecting customer names and emails, using employee records, sharing a client's phone number
βœ•
No
Only anonymised / aggregated data, or no data about people
e.g. using statistics like "1,000 visitors last month" with no way to identify anyone
2 Does another law tell you what to do with this data?
In plain English
Sometimes a different law β€” not the PDPA β€” already tells you exactly what to do with personal data. For example, a law might say "you must collect this data" or "you may share this data under these conditions." If that's the case, follow that other law instead of the PDPA consent rules.
Examples of other laws
A bank reporting suspicious transactions under anti-money-laundering laws. A hospital required to report certain diseases to MOH. A telco sharing subscriber data under a court order.
βœ“
Yes
Another law specifically requires or allows this handling
e.g. AML reporting, disease notification, court orders, regulatory filings
βœ•
No
No other law governs this β€” just the PDPA
e.g. marketing to customers, improving products, sharing data with a vendor, most normal business activities
3 Does any exception to consent apply?
In plain English
The PDPA says you usually need consent to handle personal data. But there are special situations where consent is not needed β€” these are called "exceptions." For example: emergencies, investigations, research, or business improvements. If your situation fits one of these exceptions, you can skip consent.
How to decide
If you're not sure, answer "Yes" and we'll walk you through each exception to see if one fits. If you know for certain none of the exceptions apply, answer "No" and we'll go straight to consent.
βœ“
Yes, maybe
I think an exception might apply β€” show me the options
e.g. this is for research, fraud detection, an emergency, or a business merger
βœ•
No
No exception applies β€” I'll need to get consent
e.g. sending marketing emails, most customer communications, sharing data with third parties for general purposes
3a Which situation sounds most like yours?
In plain English
Pick the category that best describes your situation. Don't worry about getting it wrong β€” we'll show you the details and let you verify before confirming.
βœ“ Check all conditions
In plain English
All these conditions must be true for this exception to apply. Tick each one to confirm.
4 Pick the type of consent you'll use
In plain English
No exception applies, so you need consent. The PDPA recognises 4 types β€” from the most direct (asking and getting a "yes") to deemed consent (where consent is assumed because of how the person behaves or what the situation requires). Tap each to see when it applies.
Full Framework Reference