PDPA compliance checklist for Singapore dental clinics

Last reviewed 27 Apr 2026 · 13 min read · Free reference

The 9 PDPA obligations mapped to dental operations. DPO scope, consent flows, access requests, breach notification (72-hour clock), retention windows (PDPA + MOH overlap), vendor due diligence, annual review.

PDPA enforcement in dental has been picking up. The PDPC has published several decisions involving healthcare providers in the last 24 months — most involved misdirected patient records, weak vendor controls, or inadequate access-request handling. Dental clinics handle exactly the kind of data PDPA is most protective of (medical records of identifiable individuals), which means they get extra scrutiny.

This checklist maps the 9 PDPA obligations to specific dental clinic operations. It's not legal advice — for that, talk to a Singapore-qualified data protection lawyer. It's an operational reference for the clinic owner / DPO / office manager.

Section 1 — The 9 PDPA obligations and how each shows up in dental

  1. Consent. You can only collect, use, or disclose personal data with consent (or under a permitted exception). For dental: explicit consent at intake, separate consent for marketing / recall, separate consent for clinical photos used in case studies.
  2. Purpose Limitation. Data collected for one purpose can't be used for another without fresh consent. For dental: a patient who consented to recall messages hasn't consented to receiving clinic newsletter content.
  3. Notification. You must inform the patient of the purposes for which their data is collected. For dental: intake form notice + privacy notice on the website.
  4. Access and Correction. Patients can request a copy of their data and request correction of errors. 30-day response window.
  5. Accuracy. Reasonable effort to ensure data is accurate and complete. For dental: confirm contact details, insurance, allergies at every visit.
  6. Protection. Reasonable security to protect personal data. For dental: encryption at rest + in transit, access controls, audit logging, secure backups.
  7. Retention Limitation. Don't hold data longer than necessary. For dental: there's tension between PDPA's “don't over-retain” and MOH's minimum retention windows for dental records. Section 6 below covers the overlap.
  8. Transfer Limitation. Cross-border transfer requires comparable protection. For dental: cloud PMS hosted outside SG must demonstrate equivalent protection.
  9. Accountability. Designate a DPO; document policies; demonstrate compliance on request. The DPO must be named publicly (PDPC's requirement).

Section 2 — Data Protection Officer (DPO)

Every clinic must designate a DPO. The DPO must:

  • Be named on the clinic's privacy notice (typically the website privacy page).
  • Have a contact email/phone published — patients and PDPC must be able to reach them.
  • Understand PDPA at a working level — formal training preferred but not legally required.
  • Have authority within the clinic to investigate and enforce policies. A DPO with no power is non-compliant in spirit.

For most solo and small-group clinics, the clinic owner or practice manager wears the DPO hat. Multi-location groups typically appoint a dedicated DPO as headcount grows.

Section 3 — Consent flows

Patient intake consent

  • Plain-language consent statement at intake — what data is collected, what it's used for, who it's shared with (insurance, lab, referrals).
  • Separate consent checkboxes for: clinical care (mandatory), recall communications (optional), marketing communications (optional), clinical-photo case-study use (optional).
  • Withdraw mechanism — patient can revoke any of the optional consents at any time, via email/phone/in-clinic.

Recall and reminder consent

  • Capture channel preference — WhatsApp / SMS / email / phone. Some patients want only one.
  • Frequency limit — recall is one motion; marketing is another. Patients who consent to recall haven't consented to monthly newsletters.
  • Easy unsubscribe — clear opt-out in every recall message beyond “reply STOP”.

Marketing consent

  • Opt-in only, never opt-out (PDPA + Spam Control Act).
  • Maintain a Do-Not-Call (DNC) registry check before any telemarketing. Even one call to a DNC-registered number is a PDPA breach.

Clinical photo / case study consent

  • Specific written consent. Generic “we may share your data” doesn't cover identifiable clinical photos.
  • Specify scope — internal training only, marketing materials, published case studies. Each is a separate consent.
  • Time-bound or revocable.

Section 4 — Access request handling

Under PDPA Section 21, patients can request:

  • A copy of their personal data held by the clinic.
  • A record of how their data has been used or disclosed.

Response window: 30 days from request. If you can't meet that, notify in writing with a reasonable extended timeline.

Access request workflow

  • Receive and log. Date, requester identity, nature of request. Logged centrally (not in a personal inbox).
  • Verify identity. NRIC + a second proof (address, DOB, prior appointment date). Don't release to an impersonator.
  • Compile. Pull the patient record: demographics, treatment history, financial history, audit log of access if requested, any notes.
  • Sanitise third-party data. If the record contains data about others (e.g. an emergency contact), redact before release.
  • Deliver securely. Encrypted email (password shared via separate channel) or secure portal. Not plain email.
  • Charge a reasonable fee if applicable. Small fee permitted for compilation work. Document the fee schedule publicly.

Section 5 — Breach notification (72-hour PDPC clock)

From 1 Feb 2021, PDPA mandates breach notification to PDPC within 72 hours if the breach:

  • Causes (or is likely to cause) significant harm, OR
  • Affects 500 or more individuals.

And to affected individuals if significant harm is likely.

Breach response runbook

  • Detect and contain (hour 0–4). Stop the breach. Take affected systems offline if needed. Preserve forensic evidence (don't reset what you don't understand).
  • Investigate (hour 4–24). What was accessed? By whom? How? Was data exfiltrated? Document everything for the PDPC report.
  • Assess severity (hour 24–48). Number of individuals affected, sensitivity of data, likelihood of harm. Decide: notify PDPC, notify patients, both, neither.
  • Notify (hour 48–72). PDPC online form; affected patients via email/letter with what happened, what data, what we're doing about it, what they should do.
  • Remediate (week 1–4). Fix the root cause. Update controls. Document the post-mortem. Some breaches require ongoing monitoring (e.g. credential exposure).
  • Audit and improve (month 2+). Review what allowed the breach. Update DPIA, training, controls.

Section 6 — Retention windows: PDPA vs MOH overlap

PDPA says: don't retain longer than necessary. MOH says: retain dental records for at least specified minimum periods. Both apply.

  • Adult patient records: minimum 6 years from last visit (per MOH guidance + PDPA reasonable retention).
  • Paediatric patient records: retain until age 21 + 6 years (per MOH paediatric records guidance).
  • Radiographs: per dental record retention, minimum 6 years; longer for orthodontic / implant cases.
  • Financial records: minimum 5 years per IRAS (Income Tax Act).
  • Audit logs: at least 3 years for security investigation purposes; longer if linked to clinical decisions.

The practical PDPA-aligned policy: keep what MOH and IRAS require, archive (cold storage, restricted access) anything older that you can't fully delete, document the policy publicly so patients know what's held and why.
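As an added worked example (not part of this reference or any Oralstack code), here is the rule set above as a retention review script. It assumes “paediatric” means the patient was under 21 at the last visit and that such records are kept until the later of the 27th birthday and six years after the last visit; radiographs flagged orthodontic or implant are only marked for manual review, since no figure is given for “longer”.

```python
from dataclasses import dataclass
from datetime import date

# Minimum windows from the retention table above, in years from the last event.
DENTAL_RECORD_YEARS = 6                           # adult records and radiographs
OTHER_WINDOWS = {"financial": 5, "audit_log": 3}  # IRAS; security-investigation floor
def add_years(d: date, years: int) -> date:
    # Calendar-year addition; 29 Feb falls back to 28 Feb in a non-leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)
@dataclass
class Record:
    record_id: str
    kind: str                       # "clinical", "radiograph", "financial", "audit_log"
    last_event: date                # last visit, last transaction or last log entry
    dob: "date | None" = None       # patient date of birth; None for audit logs
    flags: frozenset = frozenset()  # e.g. {"orthodontic"} on a radiograph
def retain_until(r: Record) -> date:
    # Earliest date the record may leave live storage (archive or delete).
    if r.kind in OTHER_WINDOWS:
        return add_years(r.last_event, OTHER_WINDOWS[r.kind])
    until = add_years(r.last_event, DENTAL_RECORD_YEARS)
    # Assumption: paediatric = under 21 at last visit; keep the later of the two floors.
    if r.dob is not None and r.last_event < add_years(r.dob, 21):
        until = max(until, add_years(r.dob, 27))  # "age 21 + 6 years", read as 27th birthday
    return until
def review(records: list, today: date) -> dict:
    # Map record_id -> "keep", "archive" or "needs_review" for the given review date.
    actions = {}
    for r in records:
        if today < retain_until(r):
            actions[r.record_id] = "keep"
        elif r.kind == "radiograph" and r.flags & {"orthodontic", "implant"}:
            actions[r.record_id] = "needs_review"  # page says "longer" but gives no figure
        else:
            actions[r.record_id] = "archive"
    return actions
# Constructed sample records; REVIEW_DATE is this page's last-reviewed date.
REVIEW_DATE = date(2026, 4, 27)
SAMPLE = [
    Record("adult-1", "clinical", date(2019, 3, 1), dob=date(1980, 5, 10)),
    Record("paed-1", "clinical", date(2024, 1, 20), dob=date(2005, 6, 15)),
    Record("xray-1", "radiograph", date(2018, 5, 5), dob=date(1990, 1, 1), flags=frozenset({"orthodontic"})),
    Record("inv-1", "financial", date(2020, 12, 31)),
    Record("log-1", "audit_log", date(2020, 2, 29)),
]
if __name__ == "__main__":
    print(review(SAMPLE, REVIEW_DATE))
```

Records marked "archive" have only cleared the minimum floor; the page's policy still moves them to restricted cold storage rather than straight to deletion.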

Section 7 — Vendor due diligence

Your cloud PMS, your email provider, your imaging archive, your recall SMS service — every one processes patient data on your behalf. PDPA holds you (the clinic) accountable for their practices.

Per-vendor checklist

  • Data Processing Agreement (DPA). Signed, covering: purpose, duration, security obligations, breach notification, sub-processor disclosure, deletion on contract end.
  • Hosting jurisdiction. Where does the data physically live? Singapore preferred; cross-border requires comparable-protection demonstration.
  • Encryption. At rest and in transit. Verify, don't take their word.
  • Access controls. Vendor staff access to your data must be role-restricted, audit-logged, and minimum necessary.
  • Sub-processor list. Vendor must disclose who they share your data with (their cloud host, their analytics tools, etc.). You must be notified of changes.
  • Breach notification clock. Vendor must notify you within a window short enough that you can still meet PDPA's 72-hour clock to PDPC. 24 hours is typical.
  • Data deletion / portability on exit. Bulk export available; full deletion on contract end with written confirmation.
  • Independent security attestations. SOC 2 / ISO 27001 / equivalent. Not legally required but strong signal.

Section 8 — Annual PDPA review

Schedule an annual review (e.g. January each year). Walk through:

  • DPO contact details current (website, intake forms, public notices).
  • Privacy notice up to date with current data handling.
  • Vendor list reviewed — any new vendors added without DPA? Any obsolete vendors still holding data?
  • Consent records audited — sample 10 patient files and verify consents are documented.
  • Access logs reviewed — any suspicious access patterns? Any stale accounts to deactivate?
  • Retention windows enforced — old records archived per policy?
  • Staff PDPA training refreshed (annual minimum).
  • Breach response runbook tested — tabletop exercise with key staff.
  • DPIA updated — any new processing activities introduced this year?

Section 9 — Common dental PDPA pitfalls

  • WhatsApp on personal staff phones. Patient messages on a personal phone are uncontrolled, unaudited, unbacked-up. Use WhatsApp Business API on a clinic-owned number with audit-logged messaging instead.
  • Email autocomplete misdirection. Sending a patient's file to the wrong “John” in your contacts is the most common dental PDPA breach. Internal policy: confirm recipient address before attaching anything identifiable.
  • Unencrypted USB sticks. Carrying patient data on a USB for “backup” or transfer is a textbook breach risk. Encrypted drives only, audit-logged.
  • Lapsed staff accounts. Former employee credentials still active months after departure. Quarterly access review minimum.
  • Marketing without renewed consent. Patient intake consent doesn't cover marketing. Separate consent, opt-in only.
  • No Data Processing Agreement with cloud PMS. Operating without a written DPA is itself a PDPA gap. Get one signed before sending live data.

For the technical foundations — append-only audit log, tenant isolation, role-based access, encryption, Singapore region hosting — Oralstack is built around PDPA + MOH alignment. See /security and our PDPA dental article.

Try Oralstack

Want this in your clinic, not just on paper?

Oralstack's compliance & trust module is built around the motions in this reference. A 30-minute demo walks the relevant team through it on a sample dataset that mirrors a Singapore clinic.