PDPA compliance for Singapore non-profits

Charities, societies and CLGs often hold sensitive data with lean teams. This guide shows where PDPA duties bite before trust is lost.

Charities, societies and companies limited by guarantee in Singapore run on personal data. Member rolls, donor records, volunteer files, beneficiary case notes: a non-profit often holds more sensitive information per dollar of budget than a small company does. A common and costly assumption is that the Personal Data Protection Act 2012 (PDPA) somehow goes easier on the voluntary sector because the work is charitable and the resources are thin. It does not. This guide sets out how a Singapore non-profit should collect, use, store and protect member and donor data so that it stays accountable to the Personal Data Protection Commission (PDPC) and to the people whose trust keeps it funded.

Does the PDPA actually apply to non-profits?

The first thing to clear up is the most widely repeated misconception in the sector: that charities and societies sit outside the PDPA. They do not. The Act regulates any organisation, and that word is defined broadly enough to capture a registered society, a charity, an Institution of a Public Character (IPC) and a company limited by guarantee alike. There is no general charitable exemption and no turnover floor below which a non-profit escapes the rules. A residents' committee collecting names at a flag day and a large welfare organisation running a CRM are both bound by the same ten data protection obligations.

What changes between organisations is scale, not the duty itself. A small society with a single shared inbox and a spreadsheet of members carries the same obligations of consent, protection and accountability as a charity with a dedicated database, even if the practical measures look different. Treating "we're only a small charity" as a defence is exactly the reasoning the PDPC has rejected in its enforcement decisions. The volume of data a non-profit holds tends to be high relative to its administrative capacity, which is precisely why the sector is exposed rather than excused.

The PDPA rests on a set of data protection obligations that govern the full life of a record. The Consent Obligation requires that you obtain consent before collecting, using or disclosing personal data, and the Purpose Limitation Obligation confines that use to the purposes a reasonable person would consider appropriate in the circumstances and that were notified. The Notification Obligation means you must tell people why you are collecting their data before you do so, which is the work a clear privacy notice does at the point of sign-up or donation. Individuals keep the right to access and correct what you hold under the Access and Correction Obligation, and they may withdraw consent on reasonable notice, after which you must stop the relevant processing. The Protection Obligation under section 24 requires reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of the data, and the Retention Limitation Obligation ends a record's life once the purpose it served has been fulfilled.

Two obligations catch non-profits off guard more than the rest. The Accountability Obligation requires every organisation to designate at least one Data Protection Officer (DPO) under section 11(3) of the PDPA, to put written policies in place, and to make the DPO's business contact information publicly available. The PDPC also expects the DPO's contact details to be registered with it: a company limited by guarantee does this through ACRA's BizFile+, while a society or charity that is not an ACRA-registered entity uses the PDPC's own registration channel. In the ACL Construction decision, an organisation that held no compromised personal data was still found in breach because it had neither appointed a DPO nor adopted any policy, a reminder that the duty bites before any leak occurs. The Data Breach Notification Obligation under sections 26A to 26E completes the picture and is covered below.

You can read the operative text and the PDPC's guidance directly on the PDPC's data protection obligations overview, which remains the authoritative starting point for any committee drafting its first policy. A non-profit that also incorporates as a company limited by guarantee should keep its data policies consistent with its governing documents, so a Singapore CLG constitution drafted under the Companies Act 1967 and its internal data rules point the same way rather than contradicting each other.

Handling member data the right way

Membership records are the spine of most societies, and they are where consent and purpose limitation are tested daily. When someone joins, you typically capture a name, NRIC or FIN, contact details, sometimes payment information and occasionally health or dietary data for events. Each of those fields needs a purpose the member was told about. Collecting a NRIC deserves particular caution, because the PDPC's Advisory Guidelines on the NRIC restrict the collection of full NRIC numbers to situations where it is required by law or necessary to verify a person's identity to a high degree of fidelity. A society that records full NRICs purely to number its members is collecting more than it can justify; a membership number the society assigns itself, or at most the last three digits and checksum letter of the NRIC, is enough to tell members apart.

The committee should also resist the habit of quietly repurposing member data. A list gathered to administer membership cannot simply be turned into a fundraising or marketing list without addressing consent, and any electronic marketing message runs into the separate rules on unsolicited messages and the Do Not Call Registry. Reusing a members' roll for a new purpose is one of the most common informal breaches in the sector, precisely because it feels harmless. Good practice is to keep a short record of what each data set was collected for and to review access so that only the office-bearers who need a field can see it. Appointment and handover of those office-bearers is itself worth documenting, which is why many committees pair their data rules with office-bearer appointment and resignation letters under the Societies Act 1966 so that responsibility for the data is always clearly held by a named person.

Handling donor data and the trust it carries

Donor data sits on a sharper edge because it ties a named person to a financial act and, often, to a cause they would rather keep private. A donation record might reveal religious affiliation, political sympathy or a health concern by inference alone, so the protection standard a reasonable donor expects is high. Consent for the donation is not the same as consent to be contacted again, to be named in an annual report, or to be added to a major-donor cultivation list. Each of those uses should be notified and, where it goes beyond what is reasonably necessary, separately agreed.

IPC-status organisations carry an added layer, because issuing tax-deductible receipts means transmitting donor identifiers to the authorities, and that flow needs to be explained in the privacy notice rather than assumed. In practice, the most damaging donor incidents are mundane: a year-end thank-you email that exposes the whole list in the "To" field instead of putting recipients in Bcc, or a pledge spreadsheet shared with a volunteer who never needed it. A formal Volunteer Agreement helps here by binding helpers to confidentiality and limiting what they may do with donor and beneficiary records; the Singapore volunteer agreement aligned with the Code of Governance is a practical way to extend the organisation's data discipline to the people who are not on its payroll.

What to do when a data breach happens

Since mandatory breach notification took effect on 1 February 2021, a Singapore non-profit must assess any incident involving personal data in its possession or control and decide whether it is notifiable. A breach is any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, which includes a lost laptop, a volunteer's stolen phone or that misdirected email. Under section 26B, the breach becomes notifiable if it is likely to result in significant harm to affected individuals, or if it is of significant scale, meaning it affects 500 or more individuals regardless of the harm involved. Either threshold on its own triggers the duty.

The clock is unforgiving. The assessment itself must be done reasonably and expeditiously; the PDPC's guidance expects it to be completed within 30 calendar days of the organisation becoming aware of the incident. Once the organisation has assessed a breach as notifiable, it must inform the PDPC as soon as practicable and in any case no later than three calendar days after the day of that assessment. Where significant harm is likely it must also tell the affected individuals as soon as practicable, unless an exception applies, for example because remedial action has since made significant harm unlikely or the data was protected by measures such as encryption. If the incident happens at a vendor processing data on the organisation's behalf, such as a hosted CRM, that data intermediary must notify the organisation without undue delay, but the duty to assess and to notify the PDPC stays with the organisation. A volunteer-run charity that discovers a breach on a Friday cannot wait until the following week to think about it. The realistic preparation is to decide in advance who assesses an incident, how containment happens and where the PDPC's e-service form lives, so the committee is not improvising mid-crisis. Penalties for getting this wrong are now substantial, and the PDPC's enforcement record shows that notification failures, not just the underlying leaks, draw sanctions.

Most of PDPA compliance is paperwork done before anything goes wrong, and that is where generating the right documents pays off. On Captain.Legal you start by choosing the document type and answering guided questions about your organisation, so the output reflects whether you are a society, a charity or a company limited by guarantee and what data you actually handle. A privacy notice, an internal data protection policy, a consent clause for membership and donation forms, and a volunteer confidentiality undertaking can all be produced in a form that names a DPO and states the purposes of collection in plain language.

The platform adjusts the local references for you, so a Singapore non-profit gets wording aligned with the PDPA and the PDPC's expectations rather than a generic overseas template that quietly imports the wrong law. You can download each document as Word and PDF, which means you can adapt the policy as your committee changes and keep a signed copy on file. For an organisation still settling its founding papers, it is worth pairing the data policy with a society constitution registered with the Registrar of Societies and the broader set of templates in the non-profit and associations document category, so governance and data protection are built together rather than bolted on later.

Common mistakes non-profits make with personal data

The first and most frequent error is assuming the PDPA does not apply, which leads a committee to skip the DPO appointment and the written policy entirely. As the enforcement record shows, that omission is itself a breach even when no data has leaked. A close cousin is appointing a DPO in name only, listing a busy honorary secretary who never reviews a single process, which leaves the organisation exposed the moment something happens.

The other recurring problems cluster around everyday handling. Committees over-collect, gathering full NRIC numbers or unnecessary personal details out of habit. They repurpose data, sliding a membership list into a fundraising campaign without addressing consent. They under-protect, in breach of the Protection Obligation, leaving shared drives open to volunteers who have long since left or emailing unencrypted donor spreadsheets between personal accounts. And they over-retain, keeping the records of lapsed members and one-time donors indefinitely when the Retention Limitation Obligation requires disposal once the purpose has ended. Each of these is cheap to fix in advance and expensive to explain after a complaint. A short annual review, a clear access list that is updated whenever an office-bearer or volunteer leaves, and a habit of asking "do we still need this" close most of the gap.

Frequently asked questions

Does the PDPA apply to small charities and societies in Singapore?

Yes. The PDPA regulates every organisation, and that definition covers registered societies, charities, IPCs and companies limited by guarantee without any general exemption for the voluntary sector. There is no minimum size or budget below which a non-profit is excused. A small society holding only a membership spreadsheet has the same core obligations of consent, protection and accountability as a large welfare organisation, even though the practical security measures will be proportionate to its scale and resources.

Do non-profits need to appoint a Data Protection Officer?

Yes. Section 11(3) of the PDPA requires every organisation, including non-profits and sole proprietorships, to designate at least one individual as a Data Protection Officer responsible for compliance. The DPO can be an existing committee member or an external provider, but their business contact information must be publicly accessible, and the PDPC expects it to be registered with the Commission as well: through ACRA's BizFile+ for a company limited by guarantee, or through the PDPC's own registration channel for a society or charity that is not ACRA-registered. Appointing a DPO does not transfer the organisation's liability; the committee remains accountable for compliance whatever the DPO does day to day.

Can we use our membership list to ask members for donations?

Not automatically. Data collected to administer membership was gathered for that purpose, and using it for fundraising engages the Purpose Limitation and Consent obligations. If members were not told their details might be used to solicit donations, you should address consent before launching a campaign, and any electronic marketing also has to respect the rules on unsolicited messages and the Do Not Call Registry. The cleaner approach is to notify members at sign-up that their contact details may be used for fundraising, so the later campaign rests on consent already given.

When must a non-profit report a data breach to the PDPC?

A breach is notifiable under section 26B if it is likely to result in significant harm to affected individuals, or if it affects 500 or more individuals regardless of harm. Either threshold alone triggers the duty. The assessment must be made reasonably and expeditiously, and once you have assessed a breach as notifiable you must notify the PDPC as soon as practicable and no later than three calendar days after the day of that assessment; where significant harm is likely you must also notify the individuals concerned unless a statutory exception applies. Because the timeline is so short, the practical step is to agree in advance who assesses incidents and how the notification is filed.

How long can we keep old member and donor records?

The Retention Limitation Obligation requires you to stop keeping personal data, or to dispose of it properly, once it is no longer needed for the purpose it was collected or for any legal or business reason. There is no fixed number of years in the PDPA, so the test is necessity. In practice a non-profit should set its own retention schedule, distinguishing active members from lapsed ones and one-time donors from regular givers, and review it periodically. Indefinite retention "just in case" is the pattern the obligation is designed to prevent.

Is a privacy policy legally required, and what should it cover?

A written privacy policy is effectively required, because the Accountability Obligation demands that you make information about your data protection policies, practices and complaints process available on request. A workable policy identifies your DPO and their contact details, states the purposes for which you collect member, donor and volunteer data, explains how people can access or correct their data or withdraw consent, and describes how the organisation protects and disposes of records. Keeping it in plain language matters more than length, since the document has to be usable by ordinary members and donors.

In what format can we download the documents we generate?

Documents created on Captain.Legal can be downloaded as both Word and PDF. The Word version lets your committee edit names, purposes and contact details as the organisation changes, while the PDF gives you a clean copy to publish, sign or file. Because data protection arrangements need updating whenever your DPO, your systems or your activities change, having an editable master is more useful for a non-profit than a locked file you cannot revise.

What happens if our non-profit ignores the PDPA?

Non-compliance carries real consequences. The PDPC can issue directions and impose financial penalties of up to S$1 million, or up to 10% of annual turnover in Singapore for organisations whose turnover exceeds S$10 million, and its enforcement decisions have penalised organisations both for the breaches themselves and for failing to appoint a DPO or maintain policies. Beyond the legal exposure, a data incident damages the donor and member trust a non-profit depends on, and that reputational cost is often harder to recover from than any penalty. The reassuring side is that the groundwork is inexpensive: a DPO, a clear policy, sensible access controls and a retention schedule put most small organisations on solid ground.

Reviewed by our legal team

This article was written and reviewed by the Captain.Legal legal team and kept up to date with current law. It does not replace tailored legal advice.
