TL;DR: Singapore has no constitutional right to privacy and "few legal barriers" to workplace monitoring. Employers can read your emails, track your computer usage, and watch you on CCTV, even personal accounts accessed on company devices. Retailers are rolling out facial recognition to identify shoplifters across all outlets (Sheng Siong's 83 stores, 1,000+ more under police program). Data brokers face PDPA restrictions but the marketing list industry persists. PDPA provides some protections, but with broad exemptions for "managing employment relationships."

The Corporate Surveillance Landscape

While Singapore's government surveillance gets attention, corporate surveillance is equally pervasive, and often has fewer restrictions. From the office to the shopping mall, private companies collect, track, and analyze your data with minimal legal barriers [1].

Key areas of corporate surveillance:

  • Workplace monitoring: Email, computer usage, CCTV, productivity tracking
  • Retail surveillance: CCTV, facial recognition, behavior analytics
  • Data brokers: Personal information aggregation and sale
  • Marketing data: Telemarketing lists, consumer profiling

The Personal Data Protection Act (PDPA) provides some guardrails, but exemptions for employment relationships and business purposes leave significant gaps. And unlike GDPR, there's no constitutional privacy right underlying the statutory framework [2].

Workplace Monitoring

Singapore employment lawyers are clear: "there are few legal barriers" to monitoring employees in the workplace. Employers have extensive latitude to watch what you do [3].

What Employers Can Monitor

  • Email: Company email accounts are fair game. Personal email accessed through company devices or networks typically has no privacy protection either
  • Computer usage: Browsing history, application usage, files accessed
  • CCTV: Video surveillance of workstations and common areas
  • Phone calls: Calls on company phones, potentially personal phones used for work
  • Productivity software: Keystroke logging, screenshot capture, activity tracking
  • Location tracking: GPS tracking of company vehicles and potentially work phones

"When a staff member accesses personal email through a company-issued computer or phone or via the internal company network, they will generally have no expectation of privacy" [4].

PDPA Employment Exemption

The PDPA normally requires consent for data collection. But there's a significant exemption: employers can collect employee data without consent when it's "reasonable for the purpose of managing or terminating an employment relationship" [5].

This exemption covers most workplace monitoring. If the employer can argue monitoring relates to managing the employment relationship, performance, conduct, security, consent isn't required.

Additionally, employers can collect and use "evaluative data", assessments, opinions, and performance reviews, without consent. This includes monitoring data used to evaluate employee performance [6].

What PDPA Does Require

Even with exemptions, employers must:

  • Have a legitimate business reason for monitoring
  • Use data only for purposes that "a reasonable person would consider appropriate"
  • Ideally notify employees through a written monitoring policy
  • Protect collected data with reasonable security measures

Remote Work Monitoring

The shift to remote work expanded monitoring dramatically. Many Singapore firms rolled out tracking software during the pandemic:

  • Regular screenshots of employee screens
  • Webcam photos throughout the workday
  • Keystroke and mouse activity tracking
  • Application usage monitoring
  • Time tracking and productivity scoring

These tools monitor your home environment through company devices. The legal framework hasn't caught up, employers generally have the same monitoring rights for remote workers as office workers [7].

Best Practices (Often Ignored)

Legal guidance recommends employers:

  • Provide clear written monitoring policies
  • Explain what's monitored and why
  • Specify disciplinary consequences
  • Consider impact on workplace culture and morale

In practice, many employers monitor without clear policies. The absence of strong legal requirements means "best practices" are optional [8].

Retail Surveillance and Facial Recognition

Singapore retailers have embraced surveillance technology, with 93% using CCTV systems. Increasingly, these systems include AI-powered analytics and facial recognition [9].

Facial Recognition for Shoplifter Tracking

In August 2025, supermarket chain Sheng Siong announced deployment of facial recognition CCTV across all 83 outlets. The system:

  • Identifies suspected shoplifters from previous incidents
  • Alerts staff when flagged individuals enter any branch
  • Links to a central database shared across all locations
  • Operates in collaboration with Singapore Police Force [10]

This is part of the Shop Theft for Retailers (STAR) Programme. Over 1,000 retail outlets, including NTUC FairPrice and Cold Storage, have signed up. The police-supported program essentially creates a shared facial recognition database across Singapore's retail sector.

Shop theft cases rose to 2,097 in the first half of 2025 (up 4.2% from 2024), with most involving items under S$50. The retail industry's response is comprehensive biometric surveillance [11].

Beyond Security: Analytics and Profiling

Modern retail CCTV does more than catch shoplifters:

  • People counting: Track foot traffic and optimize staffing
  • Behavior analysis: Detect loitering, unusual patterns
  • VIP recognition: Identify high-value customers for premium service
  • Dwell time tracking: Measure how long customers spend in areas
  • Demographic analysis: Estimate age, gender for marketing insights

Changi Airport's duty-free shops use retail analytics for "customer behavior insights and operational optimization." The technology exists across Singapore's retail landscape [12].

Public Opinion

A survey found 61% of Singapore respondents support facial recognition in public places like airports and shopping malls. But 49% believe individuals should have the right to opt out [13].

Currently, there is no opt-out. If you enter a store using facial recognition, you're scanned. The alternative is not shopping.

Data Brokers and Marketing Lists

Data brokers aggregate personal information and sell it to other organizations. In Singapore, this industry operates under PDPA constraints, but continues to exist.

What Data Brokers Collect

Typical data broker collections include:

  • Names and contact information
  • Demographic data (age, gender, location)
  • Consumer behavior and purchase history
  • Property ownership records
  • Vehicle registration information
  • Professional and business information

PDPA Restrictions

The PDPA restricts data broker activities:

  • Purchasing marketing lists constitutes "collecting personal data", consent requirements apply
  • Selling lists without valid consent is a violation
  • PDPC has taken enforcement action against unauthorized list sellers

Enforcement examples:

  • Re Sharon Assya Qadriyah Tang (2018): S$6,000 penalty for buying/selling marketing lists
  • Re Amicus Solutions Pte Ltd (2019): Enforcement action for unauthorized sale and disclosure of personal data for telemarketing [14]

These penalties are relatively small compared to potential profits, and enforcement is reactive, the PDPC investigates complaints rather than proactively auditing the industry.

Do Not Call Registry

Singapore's DNC Registry lets you opt out of marketing calls and messages. Penalties for violations reach S$200,000 for individuals and S$1 million for organizations [15].

Register at dnc.gov.sg to limit telemarketing, though this only covers direct marketing, not data collection itself.

Foreign-Owned Apps and Platforms

Concerns about foreign-owned apps accessing Singaporean data mirror global debates about TikTok and other platforms.

Singapore has no TikTok ban but has raised concerns about foreign surveillance through apps. The fundamental issue: data collected by foreign platforms may be accessible to foreign governments, regardless of local privacy laws [16].

Key considerations:

  • PDPA applies to data collected in Singapore regardless of company location
  • Cross-border transfer rules require comparable protection
  • But no explicit assessment of foreign government access rights
  • Once data leaves Singapore, local enforcement becomes difficult

Singapore hasn't implemented the data sovereignty measures seen in some countries, no requirement for local data storage or explicit restrictions on foreign platform operations.

Financial Data and Marketing

Financial institutions collect extensive data, with additional sector-specific regulations from the Monetary Authority of Singapore (MAS).

What banks and insurers collect:

  • Transaction history and spending patterns
  • Income and employment verification
  • Credit behavior and loan history
  • Location data from banking apps
  • Biometric data for authentication

Financial institutions can share data within corporate groups and with third-party service providers. "Consent" is typically buried in lengthy terms and conditions that few customers read [17].

The use of SingPass and Myinfo by financial institutions creates another data pathway: government-verified data flowing into private sector systems.

Your Rights Under PDPA

Despite exemptions, PDPA gives you some rights against corporate surveillance:

Access Rights

You can request access to personal data held by organizations. This includes monitoring data, though employers can refuse if disclosure would reveal another individual's data or compromise evaluative processes [18].

Correction Rights

You can request correction of errors in your personal data. This doesn't apply to opinions or evaluations.

Withdrawal of Consent

You can withdraw consent for non-mandatory data collection. In employment contexts, this may affect your ability to work, employers can impose consequences for refusing monitoring.

Complaint to PDPC

You can file complaints with the Personal Data Protection Commission. PDPC investigates and can impose penalties on organizations that violate PDPA.

Private Legal Action

If you suffer harm from PDPA violations, you can pursue private legal action for damages.

Protecting Yourself

At Work

• Assume all company devices and networks are monitored
• Don't access personal accounts on work devices
• Ask about monitoring policies (even if not disclosed)
• Use personal phone with personal data for private matters
• Understand remote monitoring extends to your home

While Shopping

• Know that most stores have CCTV
• Facial recognition is increasingly common
• Loyalty programs track purchase history
• Cash provides more privacy than cards
• There's no opt-out for store surveillance

With Your Data

• Register with DNC Registry
• Exercise PDPA access rights periodically
• Read privacy policies before signing up
• Limit Myinfo sharing consent
• Review app permissions regularly

If You Have Concerns

• Request written monitoring policies from employer
• Document any inappropriate data use
• File complaints with PDPC for violations
• Consult employment lawyers for workplace issues
• Know that enforcement is complaint-driven

The Bottom Line

Singapore's corporate surveillance operates in a permissive environment. No constitutional privacy right. Broad employment exemptions in data protection law. Minimal barriers to workplace monitoring. Retailers deploying facial recognition with police collaboration.

The PDPA provides some protection, but it's designed to balance privacy with business needs, not to create strong individual rights. Employers can monitor extensively with "legitimate business reasons." Retailers can track you biometrically. Data brokers face consequences only when caught and reported.

For individuals, the practical approach is assumption and compartmentalization: assume workplace monitoring is comprehensive, separate personal and work digital lives, and understand that walking into a store increasingly means being identified.

Corporate surveillance in Singapore isn't hidden. It's normalized. The 93% of retailers using CCTV, the facial recognition in supermarkets, the productivity tracking on remote workers, these aren't exceptions. They're the standard operating environment.

References

  1. Law Gazette Singapore - Monitoring in the Workplace
  2. Allen & Gledhill - Employee Privacy and Workplace Monitoring Singapore
  3. Digital Endpoint - Employee Monitoring in Singapore: What's Allowed?
  4. HRD Asia - Is it legal to monitor staff emails and phones?
  5. DataGuidance - Singapore Employee Monitoring
  6. Securiti - Managing Employees' Data Under Singapore PDPA
  7. HRM Asia - Legal compliance of workplace surveillance
  8. Privacy Ninja - Employee Monitoring Data Privacy Rules
  9. CCTV Maintenance Singapore - Retail CCTV Systems
  10. Mothership - Sheng Siong installs face recognition CCTV at 83 outlets (August 2025)
  11. SG-CCTV - Best CCTV Practices for Retail Stores
  12. AvidBeam - The 2025 Guide to Video Security Analytics
  13. Medium - How Singapore uses Facial Recognition
  14. ICLG - Data Protection Laws Singapore 2025-2026
  15. PDPC - Personal Data Protection Commission Singapore
  16. The Diplomat - Data Brokers: A Weak Link in National Security
  17. CMS - Data protection and cybersecurity laws in Singapore
  18. PDPC - Data Protection Obligations