PDPA and AI: what your charity can actually do
Somewhere in Singapore right now, a charity director is sitting on an idea that would give her caseworkers their evenings back — and not acting on it, because someone in a meeting said the three letters that end conversations in this sector: P-D-P-A.
The fear is understandable. Your data isn't sales leads; it's families in crisis, children's circumstances, financial hardship. If anyone should be careful, it's you.
But "careful" and "frozen" are not the same thing. The PDPA is a law about handling data responsibly, not a law against technology. So let's walk through what it actually asks — in plain English, for the people who run programmes, not the people who run servers.
What the PDPA actually asks of you
The Personal Data Protection Act applies to charities and social service agencies just as it does to companies. Strip away the legal language, and its demands are things a good organisation would want to do anyway:
- Have a reason. Collect and use personal data for purposes a reasonable person would consider appropriate — and that you've told people about.
- Get consent (or rely on a legal exception), and let people withdraw it.
- Protect what you hold. Reasonable security for the data in your care.
- Don't keep it forever. When the purpose is over, the data should go.
- Mind where it travels. Data sent overseas must enjoy comparable protection.
- Own it. Someone in your organisation is accountable — your DPO — and your policies should say what you actually do.
Notice what isn't on that list: any prohibition on using software, automation, or AI. The question the PDPA asks of an AI tool is the same one it asks of a filing cabinet: is the data in it handled properly?
The regulator has already answered the AI question
In March 2024, the Personal Data Protection Commission published its Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems.[1] The very existence of this document tells you something: the regulator's position is not "don't", it's "here's how".
In plain English, the guidelines say:
- You can use personal data in AI systems — with consent, or in some cases under exceptions like business improvement and research.[1]
- Be transparent. Your written policies should tell people, in understandable terms, when AI plays a part in decisions or recommendations that affect them.
- Be accountable. Know what data goes in, document how the system is used, and keep a human responsible for outcomes.
- Design privacy in — don't bolt it on after launch.
The guidelines aren't legally binding in themselves, but the PDPC has indicated it will take enforcement positions consistent with them[2] — which makes them the closest thing you have to a map.
Four rules of thumb that keep you safe
Here is how we translate all of that into practice when we build for the social sector:
The AI sees the minimum, not the maximum
An AI helper that drafts a thank-you letter needs to know a donor gave $2,000 to youth mentoring. It does not need her NRIC, her address, or her family situation. Send the least data that does the job — every field you withhold is a risk that no longer exists.
Know exactly where the data goes — and ask hard questions
"It's in the cloud" is not an answer. Which provider? Under what terms? Reputable commercial AI services contractually commit not to train their models on business customers' data — but you should see that in writing, along with where processing happens and how long anything is retained. A vendor who can't answer crisply hasn't thought about it.
A human decides, always
AI drafts; your people approve. This single design rule does enormous work — under the PDPC's guidelines, an AI that recommends with a human deciding is a far gentler proposition than one that decides alone. For a charity, anything touching a beneficiary's services, money, or records should always pass through human hands.
Match the tool to the sensitivity
Drafting donor letters and tidying month-end reports? A well-configured commercial AI service, used carefully, fits. Raw case files about children or family violence? That calls for stricter architecture — heavier redaction before anything reaches a model, processing arrangements with stronger guarantees, or keeping that workflow out of AI entirely. Not every process needs the same armour; the sensitive ones need more.
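The first rule (send the model the minimum) and the fourth (redact harder when the data is more sensitive) can both be enforced in code rather than left to habit. The example below is an added illustration, not Socianote's or the PDPC's code: it assumes a hypothetical CRM record with the field names shown, a per-workflow allowlist of fields that may reach the model, a simplified structural NRIC/FIN pattern used only as a guard, and an audit entry naming the human approver.

```python
import re

# Constructed sample record (not real data): what a donor CRM might hold.
DONOR_RECORD = {
    "name": "Mdm Tan",
    "nric": "S1234567A",            # constructed placeholder value
    "address": "12 Example Street #05-01",
    "family_situation": "single parent, two children",
    "gift_amount": 2000,
    "programme": "youth mentoring",
    "gift_date": "2024-03-01",
}

# Allowlist per workflow (assumed): only these fields may ever reach the model.
WORKFLOW_FIELDS = {
    "donor_thank_you_letter": ("name", "gift_amount", "programme", "gift_date"),
}

# Simplified structural pattern for NRIC/FIN-like tokens (prefix letter, 7 digits,
# suffix letter). No checksum is validated; it is a guard, not an identity check.
NRIC_PATTERN = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")


class MinimisationError(ValueError):
    """Raised when a payload would carry data this workflow may not send."""


def minimal_payload(record, workflow):
    """Project the record onto the workflow's allowlist; refuse if an allowed
    free-text field still smuggles an NRIC-like token."""
    payload = {k: record[k] for k in WORKFLOW_FIELDS[workflow] if k in record}
    for key, value in payload.items():
        if isinstance(value, str) and NRIC_PATTERN.search(value):
            raise MinimisationError(f"field {key!r} contains an NRIC-like token")
    return payload


def redact_free_text(text):
    """Heavier redaction for sensitive workflows: mask NRIC-like tokens in notes
    before any of the text is sent anywhere."""
    return NRIC_PATTERN.sub("[NRIC]", text)


def audit_entry(record, workflow, approver):
    """Accountability record: what went to the model, what was withheld, and the
    named person responsible for approving the output."""
    sent = minimal_payload(record, workflow)
    return {
        "workflow": workflow,
        "fields_sent": sorted(sent),
        "fields_withheld": sorted(set(record) - set(sent)),
        "approver": approver,
    }
```

The withheld list doubles as evidence for the DPO that the NRIC, address and family situation never left the CRM for this workflow.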
The part nobody enjoys: when things go wrong
Since the PDPA's data breach rules took effect, the arithmetic is unforgiving and worth knowing cold: a breach is notifiable if it's likely to cause significant harm to anyone affected, or if it touches 500 or more people. Once you've assessed that a breach is notifiable, you have three calendar days to tell the PDPC — and where significant harm is likely, you must tell the affected individuals too.[3]
For a charity, the harm bar matters more than the headcount bar: a leak affecting even a handful of beneficiaries in sensitive circumstances can clear "significant harm" easily. Which is exactly why the first rule of thumb — the AI sees the minimum — is your best insurance. Data that never entered a system can never leak from it.
A checklist before you switch anything on
- Name the workflow. One process, clearly described — "drafting donor acknowledgements", not "using AI".
- List the data it touches. Then cut the list down. Then cut it again.
- Get the vendor's answers in writing. Where is data processed? Is it used for training? How long is it retained? Is there a data processing agreement?
- Decide who approves outputs. A named person, not "the team".
- Update your privacy notice if AI now plays a part in how you handle personal data.
- Tell your DPO — and if you don't have one, appointing one isn't optional under the PDPA.
Six steps, one afternoon with the right people in the room. That's the real cost of doing this properly — not a year of paralysis.
Where we fit
We build software for this sector — Socianote for case management and donor work, and AI-assisted workflows designed the way this article describes: minimum data, human approval, privacy decided at the design stage. When we scope a project, the data-protection questions above are part of the scope document, not an afterthought — and if we think a workflow is too sensitive for AI, we'll tell you to keep it out.
Worth reading next: how to fund a digitalisation project through NCSS — because doing this properly is also the kind of well-governed project that funders like to support.
Got a workflow in mind, and a worry to go with it?
Tell us both. We'll give you an honest read on whether AI fits, how the data should be handled, and what it would take — no obligation, no jargon.
1. Personal Data Protection Commission — Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (published 1 March 2024) — pdpc.gov.sg/guidelines-and-consultation
2. Bird & Bird, summary of the PDPC Advisory Guidelines — twobirds.com
3. Personal Data Protection Commission — Report Your Organisation's Data Breach — pdpc.gov.sg/report-data-breach