Personal Data

What is considered Personal Data?

 

Personal data (under PDPA) refers to data, whether true or not, about an individual who can be identified (1) from that data; or (2) from that data and other information to which the organisation (or individual) has or is likely to have access.

Individually-Identifiable (under HBRA), in relation to a person's human biological material or health information (HBM/HI), means that the person can be identified (1) from the HBM/HI; or (2) from that HBM/HI and other information to which the person, research institution, tissue bank or other organisation has or is likely to have access. 

Note1: When sharing or publishing the research data, researchers should be aware of the disclosure risks stemming from the release of direct identifiers or indirect identifiers in the datasets.

Note2: Datasets which have been anonymised are still considered personal data if a research team has access to the key/linkages to re-identify the data, unless it have been irreversibly-deidentified.

Note3: Personal data collected from research should be classified as "Confidential" under NTU's Data Governance Policy. Refer here for handling requirements of Confidential data. 

 

Examples of Personal Data

 

Direct (unique) identifiers
​Indirect (Dataset) identifiers 
​Data, which, on its own, constitutes personal data or data that can explicitly identify individuals.

Note: Researchers are required to remove direct identifiers before any dataset is released unless specific consent for identifiable data to be shared has been obtained from the research subjects.

​Dataset that can be used together, or in conjunction with other information, to identify particular individual or a group of individuals. 
  • ​Full name
  • NRIC Number/ FIN Number/ Passport number
  • Personal mobile/ Telephone number
  • Facial image of an individual (e.g. in a photograph or video recording)
  • Voice of an individual (e.g. in a voice recording)
  • Fingerprint/ Iris image
  • Mailing address
  • Email address
  • Driver's license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Account numbers/ Medical records numbers/ Insurance policy numbers
  • Certificate/ License numbers (e.g. professional licenses)
  • IP / MAC address
  • Device identifiers and serial numbers
  • Any other unique identifying number, characteristic, or code (this does not include the unique code assigned by the investigator to code the data)

  • ​Gender
  • Initials
  • Age / Age range
  • Birth year / Date of birth
  • Nationality
  • Race / Religion / Ethnicity
  • DNA profile*
  • Geographical indicators
    •    Postal code
    •    Place of birth
  • Employment information
    •    Occupation
    •    Place of work
    •    Business telephone number
    •    Business mailing or email address
  • Medical information
    •    Weight / Height
    •    Blood group
    •    Rare disease or treatment
  • Financial information
    •    Annual income
  • Education information

* Refer to section on Whole genomic data below. 

Whole genomic data as identifiable data

In Singapore, whole genomic data1 is considered identifiable personal data if linked to identifiers or indirect identifiers, or on its own. It is not considered as personal data if the data is anonymised and protected against re-identification.

In our local context of healthcare and biomedical sciences research where appropriate levels of data treatment2 and managerial controls3 are in place, whole genomic data that has been de-identified is considered as anonymised data.

Note:
Short genetic sequences such as single nucleotide polymorphisms (SNPs) and short tandem repeats (STRs) are not considered personally identifiable on their own.


1 Whole genomic data i.e., Whole Genome Sequence (WGS) refers to the entire DNA of the genome of an organism and Whole Exome Sequence (WES) refers to the protein coding sequences from the genome.

2 Examples of data treatment controls include removal of direct identifiers such as national identification numbers, names, and addresses, and generalisation of indirect identifiers such as age and demographic data.

3 Examples of managerial controls include applying access controls such as physical, technical and/or administrative measures to restrict access to only authorised parties, designing approval processes and process controls that minimise risks of collusion, and prohibiting unauthorised re-identification of individuals.

 

Reference: MOH Circular No. 17/2023