PDPA Compliance
How SGsmile helps your clinic comply with Singapore's Personal Data Protection Act.
🛡️ Built for Singapore
SGsmile is designed from the ground up with Singapore's data protection laws in mind. We help dental clinics meet their PDPA obligations while keeping things simple.
What is the PDPA?
The Personal Data Protection Act 2012 (PDPA) is Singapore's main data protection law. It governs the collection, use, disclosure, and care of personal data by organisations. Dental clinics handle sensitive personal and health data, making PDPA compliance essential.
How SGsmile Supports PDPA Compliance
1. Consent Obligation
The PDPA requires organisations to obtain consent before collecting personal data.
- Patient registration forms clearly state what data is collected and why
- Clinics can record consent status per patient
- Patients can withdraw consent, and clinics can update records accordingly
2. Purpose Limitation
Personal data may only be used for purposes the individual has consented to.
- Patient data is used solely for clinic management: scheduling, treatment, billing, and communications
- We do not use patient data for marketing or sell it to third parties
- Appointment reminders are sent only to patients with recorded contact information
3. Access & Correction
Individuals have the right to access and correct their personal data.
- The patient portal allows patients to view their own records
- Clinics can update patient information at any time
- Full audit trail of data changes
4. Data Protection
Organisations must protect personal data with reasonable security measures.
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Authentication: Two-factor authentication (2FA) via email OTP
- Access control: Role-based permissions (owner, dentist, staff)
- Infrastructure: Data hosted in Singapore on SOC 2 compliant infrastructure
- Backups: Automated daily backups with point-in-time recovery
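The role-based permissions listed above and the "full audit trail of data changes" from section 3 fit together naturally: every change is checked against a deny-by-default permission table and recorded, whether it was allowed or refused. The following is an added illustration of that pattern, not SGsmile's own code. The roles (owner, dentist, staff) come from this page; the action names, the permission table, the record layout and the choice of which fields are redacted in the audit trail are assumptions made for the example.

```python
"""Role-based permission check with an audit record of every change attempt.

Added illustration; not SGsmile's code. Roles come from the page; the
actions, the permission table and the record shape are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Deny-by-default matrix: a role may do only what is listed here.
PERMISSIONS = {
    "owner":   {"patient:read", "patient:update", "patient:delete",
                "audit:read", "staff:manage"},
    "dentist": {"patient:read", "patient:update"},
    "staff":   {"patient:read", "patient:update"},
}

# Fields whose values are too sensitive to copy into the audit log; the
# trail records that they changed, not what they changed from or to.
REDACTED_FIELDS = {"nric", "medical_history"}


@dataclass(frozen=True)
class AuditEntry:
    at: str
    actor: str
    role: str
    action: str
    patient_id: str
    field_name: Optional[str]
    old: object
    new: object
    allowed: bool


class PatientStore:
    def __init__(self) -> None:
        self.records: dict = {}
        self.audit: list = []

    @staticmethod
    def is_allowed(role: str, action: str) -> bool:
        # Unknown roles and unlisted actions are refused.
        return action in PERMISSIONS.get(role, frozenset())

    def _log(self, actor, role, action, patient_id, field_name=None,
             old=None, new=None, allowed=True, at=None) -> None:
        if field_name in REDACTED_FIELDS:
            old, new = "<redacted>", "<redacted>"
        self.audit.append(AuditEntry(
            at or datetime.now(timezone.utc).isoformat(),
            actor, role, action, patient_id, field_name, old, new, allowed))

    def update_field(self, actor, role, patient_id, field_name, new_value, at=None):
        """Change one field; returns the previous value (None if unset)."""
        allowed = self.is_allowed(role, "patient:update")
        old = self.records.get(patient_id, {}).get(field_name)
        # Refused attempts are logged too: they are what a clinic's DPO
        # will want to look at when reviewing the trail.
        self._log(actor, role, "patient:update", patient_id,
                  field_name, old, new_value, allowed, at)
        if not allowed:
            raise PermissionError(f"role {role!r} may not update patient records")
        self.records.setdefault(patient_id, {})[field_name] = new_value
        return old

    def delete_patient(self, actor, role, patient_id, at=None) -> bool:
        """Remove a patient record; returns True if a record was removed."""
        allowed = self.is_allowed(role, "patient:delete")
        self._log(actor, role, "patient:delete", patient_id, allowed=allowed, at=at)
        if not allowed:
            raise PermissionError(f"role {role!r} may not delete patient records")
        return self.records.pop(patient_id, None) is not None

    def history(self, patient_id: str) -> list:
        """All logged attempts against one patient, oldest first: the material
        a clinic answers an access or correction request from."""
        return [e for e in self.audit if e.patient_id == patient_id]


if __name__ == "__main__":
    store = PatientStore()
    store.update_field("dr.lim", "dentist", "P001", "phone", "+65 9000 0000")
    try:
        store.delete_patient("reception", "staff", "P001")
    except PermissionError as exc:
        print("refused:", exc)
    for entry in store.history("P001"):
        print(entry.action, entry.role, "allowed" if entry.allowed else "DENIED")
```

Two design points worth noting: the check is evaluated against a table rather than scattered `if role == ...` branches, so adding a role means one edit in one place, and the audit entry is written before the permission result is acted on, so a refused deletion leaves the same kind of trace as a successful one.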
5. Retention Limitation
Personal data should not be kept longer than necessary.
- Singapore healthcare guidelines require medical records to be kept for a minimum of 6 years after the patient's last visit
- Clinics can configure retention policies
- Data deletion tools available for records past retention period
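A configurable retention policy has one rule that must hold no matter what a clinic sets: the configured period can be longer than the 6-year floor, never shorter. The following is an added example of how a deletion tool can evaluate that policy; it is not SGsmile's own tooling. The 6-year minimum after the last visit comes from this page; the record layout (a list of visit dates per patient), the clinic-configurable override and the legal-hold set are assumptions made for the example.

```python
"""Retention-period evaluation for patient records.

Added illustration, not SGsmile's code. The 6-year floor after the last
visit comes from the page; the record layout, the configurable override
and the legal-hold set are assumptions.
"""
from datetime import date
from typing import Iterable, Mapping, Optional

MINIMUM_RETENTION_YEARS = 6  # floor stated on the page


def effective_retention_years(configured_years: Optional[int]) -> int:
    """A clinic may keep records longer than the floor, never shorter."""
    if configured_years is None:
        return MINIMUM_RETENTION_YEARS
    return max(int(configured_years), MINIMUM_RETENTION_YEARS)


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(visits: Iterable[date],
                     configured_years: Optional[int] = None) -> Optional[date]:
    """Earliest date on which the record may be deleted, or None when
    there is no visit to anchor the period."""
    last_visit = max(visits, default=None)
    if last_visit is None:
        return None
    return add_years(last_visit, effective_retention_years(configured_years))


def eligible_for_deletion(records: Mapping[str, Iterable[date]], today: date,
                          configured_years: Optional[int] = None,
                          legal_hold: frozenset = frozenset()) -> list:
    """Patient ids whose retention period has fully elapsed.

    Patients with no recorded visit are never selected (nothing anchors
    the period), and patients under legal hold (assumed here: records
    involved in a complaint or dispute) are skipped regardless of age.
    """
    out = []
    for patient_id, visits in records.items():
        if patient_id in legal_hold:
            continue
        expiry = retention_expiry(visits, configured_years)
        if expiry is not None and today >= expiry:
            out.append(patient_id)
    return sorted(out)


# Constructed sample data for the demo below.
SAMPLE_RECORDS = {
    "P001": [date(2015, 6, 1), date(2018, 3, 10)],  # last visit 10 Mar 2018
    "P002": [date(2016, 2, 29)],                     # leap-day last visit
    "P003": [date(2023, 1, 5)],                      # recent patient
    "P004": [],                                      # registered, never seen
}

if __name__ == "__main__":
    print("eligible on 2024-03-10:", eligible_for_deletion(SAMPLE_RECORDS, date(2024, 3, 10)))
    print("with 10-year policy:  ", eligible_for_deletion(SAMPLE_RECORDS, date(2024, 3, 10), 10))
```

The function returns candidates rather than deleting anything, so the actual deletion step can be a separate, reviewable action that writes its own audit entry; a deletion tool that selects and removes in one pass leaves no room for a clinic to check the list first.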
6. Transfer Limitation
Data transferred outside Singapore must be protected to a comparable standard.
- All primary data storage is in Singapore (AWS ap-southeast-1)
- Email delivery via Resend (Tokyo region, with Singapore routing)
- Payment processing via Stripe (PCI DSS Level 1 compliant)
7. Data Breach Management
Under the 2021 PDPA amendments, organisations must notify the PDPC of significant data breaches.
- Real-time security monitoring and alerting
- Incident response procedures in place
- We will notify affected clinics within 24 hours of a confirmed breach
- Support provided for mandatory breach notifications to PDPC
Clinic Responsibilities
While SGsmile provides the tools and infrastructure for PDPA compliance, clinics are ultimately responsible for:
- Obtaining valid patient consent before data collection
- Appointing a Data Protection Officer (DPO)
- Developing a Data Protection Policy for your clinic
- Training staff on data protection practices
- Responding to patient access and correction requests
- Reporting data breaches to the PDPC when required
Questions?
If you have questions about PDPA compliance or how SGsmile handles your data, contact us at norman@sgsmile.com.