Oralstack

Article · Compliance & trust

Singapore PDPA for dental clinics: what tenant isolation actually means

·9 min read·Oralstack team

Most Singapore dental clinics treat PDPA as a consent form problem — get the patient to tick a box, file the form, done. That handles one of the eleven obligations under the PDPA. The other ten — protection, access, correction, retention, transfer, notification — are technical and operational. They're handled by how patient data is stored, accessed, and isolated, not by a tickbox.

The single most consequential technical concept for PDPA compliance in a multi-clinic context is tenant isolation. Get it right and most of the other protection requirements follow. Get it wrong and no policy doc rescues you when something goes wrong.

This article is for clinic owners, IT leads, and compliance officers evaluating PMS options for Singapore practice. It's not legal advice — for that, talk to a Singapore-qualified privacy lawyer. It's a technical and operational guide to what the law actually requires of the systems you choose.

What PDPA actually requires (in clinic terms)

The Personal Data Protection Act 2012 (with the 2020 amendments) sets out obligations. For a dental clinic, the operationally relevant ones:

  • Notification.Patients must be told what personal data you collect and what you'll do with it. Standard intake form territory.
  • Consent. You need explicit consent for collection, use, and disclosure. Implied consent works for obvious things (using their phone for appointment reminders); explicit for less obvious things (sharing radiographs with a referring specialist).
  • Access. Patients can request a copy of their data. You have 30 days to respond.
  • Correction. Patients can request corrections. You must accommodate or document why not.
  • Protection. You must take reasonable technical and organisational measures to protect data. This is where tenant isolation lives.
  • Retention.Don't keep data longer than you need it. For dental records, professional standards typically require 7 years post last visit.
  • Transfer. Cross-border transfer of personal data requires the receiving country to have comparable protection or explicit patient consent.
  • Data Breach Notification.Notifiable breaches must be reported to the PDPC within 3 days and to affected individuals where there's significant impact.

Where dental clinics commonly fail

Five concrete failures we see when auditing dental clinic systems:

  • Shared spreadsheets between locations.A multi-clinic group runs “a shared Google Sheet” for patient lists. Anyone with the link can see anyone's patients. Tenant isolation: zero.
  • Patient data on staff personal devices. Personal WhatsApp histories, photos taken on staff phones, PDFs forwarded to private email. The clinic has no audit trail, no retention control, no transfer control.
  • Email-based patient communication. Email servers in unspecified jurisdictions, inboxes accessible by whoever has the password, no audit log of when a record was read.
  • Database queries that don't filter by clinic. Multi-clinic PMS implementations where the filter is application-layer only — a SQL bug or misconfigured admin tool can return all clinics' data.
  • No retention policy enforcement. Patient records from 12 years ago still queryable, with no automated archival.

Tenant isolation: the technical concept

Tenant isolation is the property that data belonging to one clinic cannot be accessed by users from another clinic — even if the application has a bug, a misconfigured admin, or a compromised account.

It works in three layers:

Layer 1: Schema

Every patient record (and every related record — appointments, invoices, charts, images) is tagged with a tenant ID column at the database level. Every record. No exceptions.

Layer 2: Database-level enforcement

The database itself enforces that queries can only return records matching the requesting tenant's ID. In Postgres this is done with Row-Level Security (RLS) policies — every query is automatically constrained, even if the application code forgets to filter. Other databases have equivalent features.

This is the critical layer. Without database-level enforcement, a tenant ID column is just a comment — easy to bypass with a bad query.

Layer 3: Application context

The application sets the tenant context on every request based on the authenticated user's clinic membership. Combined with database-layer enforcement, this means the system physically cannot return cross-clinic data even when the application is misbehaving.

For a deeper architectural example, the Oralstack security page documents how tenant isolation is implemented in production.

Why this matters for PDPA

PDPA's Protection obligation requires “reasonable security arrangements.” Reasonable in 2026 means defence-in-depth — the data is protected at multiple layers, so a failure at any single layer doesn't leak data.

A PMS that relies only on application-layer filtering doesn't meet the modern reasonable-security bar. It's one bug away from a notifiable breach.

A PMS with proper tenant isolation can withstand application bugs, query mistakes, and most credential compromises without leaking cross-clinic data. That's what reasonable looks like.

What to look for in a PDPA-aware dental PMS

Six concrete questions to ask before signing:

  • Where is the data hosted? For Singapore patient records, ideally Singapore region (Google Cloud asia-southeast1, AWS ap-southeast-1, Azure Southeast Asia). Cross-border transfer requires explicit PDPA-compliant arrangements.
  • How is tenant isolation enforced?Should be database-layer (RLS in Postgres) plus application context. “We filter in the application” is not a sufficient answer.
  • What does the audit log capture? Reads, writes, adjustments, exports. Who, what, when, from where. The log should be append-only and queryable by clinic admins.
  • Encryption at rest and in transit? Both should be standard (TLS 1.2+ in transit, AES-256 at rest, ideally with customer-managed encryption keys for sensitive data).
  • Patient access and correction workflow? Built-in, not manual. The clinic should be able to satisfy a patient access request in minutes, not days.
  • Data Processing Agreement (DPA) template? Available on request. The DPA documents the data-handling relationship between your clinic (controller) and the PMS vendor (processor), which PDPA Section 11A indirectly requires when a vendor handles data on your behalf.

Cross-border transfer: the migration question

If you're migrating from a legacy on-premise PMS to cloud, check where the cloud provider's servers actually live. Several US-developed dental PMS products host in US-East data centers by default; running Singapore patient data through them requires explicit patient consent under PDPA Section 26. Most clinics either don't want to do this or didn't realise they were.

For migration mechanics, see migrating from Plato to a cloud PMS. The PDPA-relevant part is verifying the destination region before data leaves your premises.

What to do next

Three things, in order:

  1. Audit your current setup. List every system that holds patient data. For each: where is it hosted, who can access it, is there an audit log, when was it last reviewed?
  2. Sunset the obvious leakage points. Personal WhatsApp for patient communication. Shared spreadsheets across locations. Email-based scheduling. These are the highest-impact, lowest-resistance fixes.
  3. Pick a PMS with database-layer tenant isolation. The six questions above are the screen.

See the Oralstack security posture for how this is implemented in production, including Singapore region hosting and Postgres Row-Level Security.

Related reading

See how Oralstack handles this in production.

A 30-minute demo walks the front desk and a clinician through every workflow on a sample dataset that mirrors a typical Singapore clinic.

Book a demo