Researchers should ensure that datasets containing identifiable data are not shared outside the study team unless relevant consent has been obtained from the research subjects. Sharing such data without consent would be a direct infringement of Singapore's PDPA and HBRA requirements.
If identifiable research data needs to be disclosed or shared (either to external collaborators or service providers), the following must be adhered to:
- The file must be password-protected or encrypted.
- Transmission via portable media must be done via password-protected or encrypted portable devices.
- If the research data is in hardcopy format, it must be sent in sealed envelopes and delivered via secured, tracked and signed courier services.
- The sensitivity of the data and its handling requirements must be communicated to recipients with labels marking the data as "Confidential". Where possible, RCAs (or Service Agreements for external vendors) with NDA clauses should be imposed on external parties.
For overseas disclosure or sharing of identifiable data:
Singapore's PDPA imposes a Transfer Limitation Obligation on the transfer of identifiable data overseas. The following must be satisfied before the transfer.
- The research subject has: (i) consented to the transfer and disclosure of his personal data to the overseas recipient; and (ii) been informed how his personal data will be protected in the destination country.
- The researcher has taken reasonable steps to ensure that the recipient is legally obligated to protect the transferred personal data to a standard comparable to that under the PDPA, through either laws (e.g., data protection laws in the recipient’s country/territory), contracts, binding corporate rules, or any other legally binding instruments, and that the personal data will not be used or disclosed by the recipient for any other purpose.
In all situations, researchers are advised to provide only coded/de-identified/anonymised data to overseas collaborators. If identifiable data is to be transferred overseas, please seek further advice from RIEO or NTU's Data Protection Officer (DPO).