Singapore: Deceased Individuals Exemption

The Personal Data Protection Act 2012 (PDPA) of Singapore partially exempts personal data of deceased individuals from its scope, with specific provisions applying for a limited period after death.

Text of Relevant Provision

PDPA 2012 Article 4(4)(b):

"This Act does not apply in respect of — [...] (b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) apply in respect of personal data about an individual who has been dead for 10 years or less."

Analysis of Provision

The PDPA establishes a nuanced approach to the protection of deceased individuals' personal data. The general rule, as stated in the first part of Article 4(4)(b), is that the Act does not apply to "personal data about a deceased individual". This means that most of the obligations and rights under the PDPA cease to apply once an individual has passed away.

However, the provision includes a significant exception to this general rule. It states that "the provisions relating to the disclosure of personal data and section 24 (protection of personal data) apply in respect of personal data about an individual who has been dead for 10 years or less". This creates a limited period of continued protection for certain aspects of a deceased person's data.

The provision can be broken down into two key elements:

  1. Time-limited protection: The exception applies only to individuals who have been deceased for 10 years or less. After this period, the PDPA ceases to apply entirely to the deceased's personal data.
  2. Limited scope of protection: During the 10-year period, only specific provisions of the PDPA continue to apply:
     a. Provisions relating to the disclosure of personal data
     b. Section 24, which concerns the protection of personal data

This approach balances respect for the privacy of the recently deceased and their families against the recognition that the need for data protection diminishes over time after an individual's death.

Legal Standing for Deceased Individuals

Under the Personal Data Protection Regulations 2021, specific persons may exercise rights (including consent, access requests, and bringing complaints) on behalf of a deceased individual who has been dead for 10 years or fewer. These persons, in order of priority, are:

  1. A person appointed under the deceased's will to exercise such rights, or a personal representative (executor or administrator) of the deceased, unless they have renounced the grant of such right
  2. If no such person or personal representative is able to exercise the right, the deceased's nearest relative, determined by the following priority order:
     • Spouse at the time of death
     • Child (legitimate, legitimated, or adopted)
     • Parent
     • Brother or sister
     • Other relative

Where multiple persons of equal priority exist (e.g., multiple children), the elder or eldest is preferred. If the person with priority dies, is legally incapable, or is unable or refuses to make a decision, the next person in priority becomes the nearest relative.

Implications

The partial exemption for deceased individuals' data in the PDPA has several implications for businesses and data handlers:

  1. Time-sensitive data management: Organizations must implement systems to track the date of death for individuals whose data they hold, to ensure compliance with the 10-year rule.
  2. Differential treatment of data: For a decade after an individual's death, companies must continue to protect and manage the disclosure of their personal data in line with PDPA requirements. After this period, these obligations cease.
  3. Limited data subject rights: During the 10-year period, only certain provisions apply (disclosure and Section 24 protection). Organizations must recognize that access and correction requests may be made by authorized representatives as defined in the Personal Data Protection Regulations 2021.
  4. Continued disclosure controls: Organizations must maintain controls over the disclosure of deceased individuals' data for the 10-year period, including processes to verify the authority of persons claiming to act on behalf of the deceased (such as personal representatives or nearest relatives).
  5. Data retention considerations: Companies may need to review their data retention policies to account for this 10-year period of partial protection after an individual's death.
  6. Estate planning implications: Individuals may need to consider how their personal data will be handled after their death, potentially incorporating data management instructions into their estate planning.
  7. Genealogical and historical research: After the 10-year period, the relaxation of PDPA restrictions may facilitate easier access to deceased individuals' data for historical or genealogical research purposes.

This provision in the PDPA demonstrates Singapore's attempt to balance data protection with practical considerations surrounding deceased individuals' data, recognizing both the diminishing need for protection over time and the potential value of such data for legitimate purposes after a certain period.