
PDPA Compliance Checklist for Singapore Clinics 2026

A plain-English PDPA checklist for Singapore clinic owners and practice managers. Ten items. Sources. The Section 26 myth, debunked.


---
title: "PDPA Compliance Checklist for Singapore Clinics 2026"
description: "A plain-English PDPA checklist for Singapore clinic owners and practice managers. Ten items. Sources. The Section 26 myth, debunked."
slug: "pdpa-compliance-checklist-singapore-clinics"
publishedAt: "2026-05-14"
category: "singapore-pdpa"
tags:
  - pdpa
  - compliance
  - clinic-operations
  - dpo
  - data-protection
heroImage: ""
heroImageAlt: ""
draft: false
---

A clinic owner does not need a law degree to be PDPA-compliant. She needs ten habits and one person who answers the door when the PDPC writes in. This post gives you both.

We also clear up one thing most clinics get wrong: PDPA does not mandate that patient data be stored in Singapore. That myth costs clinics real money in over-priced "SG-resident" tools. The truth is more useful — and easier to defend.

What this post covers

  • Why PDPA matters more in 2026 than ever.
  • The Section 26 myth, explained in plain English.
  • A ten-item compliance checklist for clinic owners.
  • The third-party data question — what to ask every vendor.

Why PDPA matters in 2026

Two things changed in the last two years. First, the Personal Data Protection Commission (PDPC) has been enforcing more actively, with public fines posted on its enforcement page at pdpc.gov.sg. Second, the Health Information Bill 2024 was passed and is targeted to take effect in early 2027. The bill adds patient-side consent and audit requirements on top of PDPA. Clinics that get PDPA right today have less to fix tomorrow.

A PDPC fine is not the worst outcome. The worst outcome is a published decision with your clinic name on it. Once that lands in a Google search, patients see it for years.

The Section 26 myth

You will hear vendors say: "Our product is PDPA-compliant because everything is hosted in Singapore."

That is true as far as it goes. But the law does not require it.

PDPA Section 26 is the Transfer Limitation Obligation. It says, in plain words:

If you send personal data to a country outside Singapore, you must make sure that country gives the data a comparable standard of protection.

"Comparable" is the key word. You can satisfy Section 26 in several ways:

  • A signed Data Processing Agreement (DPA) with the overseas vendor.
  • A recognised cross-border mechanism like the ASEAN Model Contractual Clauses or the APEC Cross-Border Privacy Rules.
  • A documented Data Transfer Impact Assessment (DTIA) showing the destination country has comparable safeguards.
  • Anonymisation of the data before it leaves Singapore.
  • Patient consent for the specific transfer.

So a clinic can legally use a vendor based in the EU or the US — provided the vendor has a signed DPA, a DTIA on file, and either anonymises the data or has a recognised transfer mechanism in place.

This matters for two reasons. First, "SG-resident" tools cost more — and the price premium is often justified by a legal claim that is not quite right. Second, when you ask a tough question on a sales call, the vendor who waves the residency flag without a DTIA cannot answer follow-ups. The vendor who can show you their DTIA wins your trust.

Sections 13, 24 and 26: what each one covers

You do not need to memorise the numbers. You need to know what each obligation asks of you.

  • Section 13 — Consent. You may only collect, use, or disclose personal data if you have valid consent, or one of the limited exceptions applies. For clinics, the common exceptions include emergency care, medical research with safeguards, and "legitimate interests" for non-clinical contexts like referrals.
  • Section 24 — Protection. You must protect personal data with reasonable security: TLS in transit, encryption at rest, access controls, training, and an incident response plan.
  • Section 26 — Transfer. Comparable protection for any data that leaves Singapore. Covered above.

If you only remember three letters of PDPA — make it C, P, T. Consent, Protect, Transfer.

The ten-item clinic checklist

This is the working list a Singapore clinic should have on a page in the back office. Tick once a quarter.

  1. A named Data Protection Officer (DPO). PDPA requires every organisation to designate one. It can be the practice manager, the principal doctor, or an external lawyer. The DPO's email must be public — on your clinic website and on patient-facing forms.
  2. A written privacy notice. One page. Plain English. What data you collect, why, how long you keep it, who you share it with, how patients can request deletion. Linked from your clinic site footer and posted at reception.
  3. A consent flow at every collection point. Online forms have a tick-box; the reception form has a sign-off line; the phone greeting says "this call may be recorded for booking and quality."
  4. A retention policy. A short document that says how long each data class is kept. Call recordings 90 days. Transcripts 1 year. Booking records 7 years, aligned to clinic records guidelines. Marketing lists deleted on unsubscribe plus a 30-day grace period.
  5. A sub-processor list. Every third party that touches patient data: your clinic management system, your email tool, your accountant, your hosting provider. Names, roles, regions. Reviewed yearly.
  6. A DTIA register for overseas sub-processors. One page per vendor: data class, region, DPA reference, safeguards, re-assessment date. Mandatory for any tool outside Singapore — see Section 26 above.
  7. A breach response plan. What to do in the first 72 hours of a suspected breach. Who calls whom. When to notify the PDPC. When to notify patients. Test it once a year with a tabletop drill.
  8. Staff training, refreshed yearly. A 30-minute session for every staff member. What patient data is, how to handle it, what not to email, what to do if a patient asks for deletion. Sign-in sheet kept on file.
  9. A right-to-delete process. A written workflow for when a patient emails asking for their record to be removed. PDPA gives you 30 days to respond. Aim for 5 working days.
  10. A vendor audit cadence. Once a year, send each sub-processor a short email: are you still SOC 2 certified? Has your DPA changed? Any incidents to declare? Keep the replies on file.
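A retention policy only works if someone checks it each quarter. The script below is an added example (not code from this post or its author) that encodes the periods from item 4 and reports which records are past their deletion date. The record layout, the `unsubscribed_at` field, the audit date and the sample register are all constructed for the example; the one rule it adds beyond the list is that a data class the policy does not name is treated as a gap to fix rather than a record to skip.

```python
"""Quarterly retention audit for checklist item 4 (added example, not the post's own code).

Retention periods are the ones the checklist states. The record layout,
the `unsubscribed_at` field, AUDIT_DATE and SAMPLE_RECORDS are constructed
for this example.
"""
from datetime import date, timedelta
from typing import Optional

# Fixed retention periods from item 4, in days.
RETENTION_DAYS = {
    "call_recording": 90,
    "transcript": 365,
    "booking_record": 7 * 365,
}
# Marketing lists are kept until unsubscribe plus a 30-day grace period,
# so they are handled separately from the fixed-period classes.
MARKETING_GRACE_DAYS = 30

# Constructed audit date for the sample run below.
AUDIT_DATE = date(2026, 5, 14)


def deletion_due_date(record: dict) -> Optional[date]:
    """Return the date on which a record becomes due for deletion.

    Returns None for a marketing entry that has not unsubscribed (it is
    kept until it does). Raises KeyError for a data class the policy does
    not cover: an uncovered class is a policy gap, not a record to skip.
    """
    data_class = record["data_class"]
    if data_class == "marketing_list":
        unsubscribed_at = record.get("unsubscribed_at")
        if unsubscribed_at is None:
            return None
        return unsubscribed_at + timedelta(days=MARKETING_GRACE_DAYS)
    return record["created_at"] + timedelta(days=RETENTION_DAYS[data_class])


def overdue_records(records: list, today: date) -> list:
    """Return the ids of records whose deletion date is on or before today."""
    due = []
    for record in records:
        deadline = deletion_due_date(record)
        if deadline is not None and deadline <= today:
            due.append(record["id"])
    return due


# Constructed sample register (not real clinic data).
SAMPLE_RECORDS = [
    {"id": "rec-1", "data_class": "call_recording", "created_at": date(2026, 1, 1)},
    {"id": "rec-2", "data_class": "call_recording", "created_at": date(2026, 4, 15)},
    {"id": "tx-1", "data_class": "transcript", "created_at": date(2025, 3, 1)},
    {"id": "bk-1", "data_class": "booking_record", "created_at": date(2018, 6, 1)},
    {"id": "mk-1", "data_class": "marketing_list", "created_at": date(2025, 1, 1),
     "unsubscribed_at": date(2026, 3, 20)},
    {"id": "mk-2", "data_class": "marketing_list", "created_at": date(2025, 1, 1)},
]

if __name__ == "__main__":
    # Prints the ids due for deletion on the audit date: rec-1, tx-1, bk-1, mk-1.
    print(overdue_records(SAMPLE_RECORDS, AUDIT_DATE))
```

Run it against an export from the clinic management system or call platform once a quarter and keep the output with the sign-in sheets from item 8; the list of ids is the evidence that the policy is applied, not just written.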

The third-party question

This one is subtle but important. Sometimes data about person A is shared by person B without person A's prior consent. Examples:

  • A receptionist gives a vendor her clinic owner's email so the vendor can pitch the owner.
  • A patient's spouse calls in to book an appointment and gives the patient's NRIC.
  • A referring clinic forwards a patient's file to your specialist clinic.

PDPA covers all three. The legal basis is usually Section 13(1)(f) "legitimate interests" — meaning you may process the data without prior consent if (a) you have a legitimate reason, (b) the impact on the individual is low, and (c) you give the individual a clear opt-out at first contact.

When you sign up for any tool that asks you to share a colleague's or a patient's data, ask the vendor four questions:

  1. What is the legal basis for processing this third party's data?
  2. How do you give the third party a clear opt-out at first contact?
  3. How long do you keep this data if the third party does not respond?
  4. Where in your privacy notice is this disclosed?

A vendor that can answer these in writing is one you can trust. A vendor that cannot is a liability.

What a good vendor disclosure looks like

A clinic owner should be able to read a vendor's security page and answer five questions in five minutes:

  1. Where is my patient data stored, by region?
  2. Who are the sub-processors, by name, role, and region?
  3. What happens if data leaves Singapore — is there a DTIA?
  4. How long is each data class retained?
  5. Who is the vendor's DPO, and what is the reply SLA?

If the answers are not on the page, the vendor is not ready for a clinic buyer. Our own security page is built to that bar; you can use it as a template when assessing other vendors.

What to do this week

PDPA compliance is not a project. It is a habit. The first three habits to build:

  1. Publish your DPO's name and email. Put it on the clinic site footer and reception form, this week.
  2. Write a one-page privacy notice. Use the PDPC template at pdpc.gov.sg as a starting point.
  3. List your sub-processors. Open a page in your clinic ops folder. List every tool that touches patient data. You will use this list for the next eight items on the checklist.

If you want to see a sub-processor register, a DTIA register, and a PDPA Section 26 statement in working form, our security page is public. Steal anything you find useful.

Sources

  • Personal Data Protection Commission, Singapore: pdpc.gov.sg
  • PDPA full text on Singapore Statutes Online: sso.agc.gov.sg
  • IMDA — Guide to Cross-Border Data Transfer: imda.gov.sg
  • Health Information Act 2024 — Bill text and commencement updates: moh.gov.sg
