In the yoga and wellness industry, trust is everything. Students share not only their time and money, but often also personal details about their health, wellbeing, and lives. A student who fills in a registration form disclosing a herniated disc, a pregnancy, or a history of anxiety is placing a significant degree of trust in the teacher and the studio. That trust carries ethical and legal responsibilities.
In Singapore, the handling of personal data is governed by the Personal Data Protection Act (PDPA), which is administered by the Personal Data Protection Commission (PDPC). While healthcare providers are subject to additional regulations, yoga studios and wellness businesses are bound by PDPA requirements when they collect, use, or disclose personal data. This post explains what that means in practical terms for yoga teachers.
What the PDPA requires
The PDPA applies to all organisations in Singapore, regardless of size, that collect, use, or disclose personal data. Whether you are a large studio chain or a sole-proprietor yoga teacher conducting private sessions, you are bound by the terms of the PDPA.
Personal data means data about an individual who can be identified – whether directly (e.g. name, NRIC or phone number) or indirectly (e.g. a medical condition disclosed on a health form linked to a name).
The PDPA imposes several key obligations. You must obtain consent before collecting, using, or disclosing personal data. Data can only be used for the purposes stated when consent was obtained – this is the purpose limitation obligation. Individuals must be told why their data is being collected – this is the notification obligation. They have the right to access and correct their data, and the data you hold should be accurate (the accuracy obligation) – a point that matters when a teacher relies on a student’s health declaration to determine modifications. Data must be stored securely to prevent unauthorised access, and should not be kept longer than necessary (i.e. the protection obligation). Where personal data is transferred outside Singapore – for example, to a booking platform whose servers are based overseas – the recipient must be bound by a comparable standard of protection (NB. the transfer limitation obligation restricts the transfer of personal data outside Singapore unless the recipient is bound by a comparable standard of protection).
For yoga teachers and studios, this means that registration forms, mailing lists, health questionnaires, class attendance records, and even casual communication must be handled with care.
Where yoga teachers most commonly collect data
The most obvious point of data collection is the registration or intake form. Most studios collect names, contact details, emergency contacts, and some form of health declaration. Some studios or teachers collect additional information – injury history, medications, pregnancy status – to inform how they teach.
The key principle is proportionality – collect only what is truly necessary for the purpose you have stated. If you collect health information, the purpose should be clearly articulated – for example, “We collect health information to help teachers provide safer modifications in class.” Asking students to disclose every past injury or medical condition they have ever had may be excessive if that level of detail is not genuinely needed for class safety.
Beyond registration forms, data collection also occurs through booking platforms (Mindbody, Momence or similar content management systems that store student profiles and attendance histories), mailing lists used for class updates and marketing, photographs and videos taken during classes for promotional use, and informal channels such as WhatsApp or Telegram groups. Each of these involves personal data, and each is subject to the PDPA’s requirements around consent, purpose limitation, and secure storage.
Health information requires extra care
While yoga teachers are not regulated as healthcare providers, they often deal with health-related information – injuries, pregnancies, chronic conditions, mental health concerns. This information is particularly sensitive and warrants additional caution.
Health information should be treated as especially confidential. Access should be limited to those who genuinely need it – for example, a teacher who is covering a class and needs to know about a student’s lower back condition has a legitimate reason to access that information. On the other hand, front desk staff organising room bookings typically do not need to access that information. Paper forms should not be left visible at the reception desk. Digital records should be password-protected and stored securely.
There is also a dimension of confidentiality that goes beyond formal data protection. Students may share personal details during class conversations – about stress at work, family struggles, or health challenges. While this is not governed by the same legal framework as doctor-patient confidentiality, teachers have an ethical duty to respect that privacy. Sharing student stories casually, even without naming the student, can damage trust if the student learns of it.
Incident reports and complaint records are also personal data records. An incident report typically contains information about an injured student (often including health information) and the names of witnesses. A complaint record typically contains information about the complainant and other parties involved. Both should be stored securely, accessed on a need-to-know basis, retained only for as long as necessary, and disclosed to third parties (such as insurers or lawyers) only on a need-to-know basis.
WhatsApp groups and informal channels
Many yoga teachers and studios use WhatsApp or Telegram groups to coordinate classes, share updates, or build community. These tools are convenient but carry PDPA risks.
When a teacher creates a WhatsApp group and adds students, every member of the group can see every other member’s phone number. This is a disclosure of personal data without consent. If a teacher posts a message to a specific student in a group saying “Just checking in — how is your knee doing after last week’s class?”, the student’s health information has been shared with the entire group.
Accidental disclosures are the most common form of data breach in informal communication channels, and they are also the hardest to reverse. A message sent in a group cannot be unsent from every member’s device. A screenshot can circulate indefinitely.
The safer alternatives are broadcast lists or channels (which allow one-way communication without exposing members’ numbers to each other), or e-mail for private one-to-one communication about health matters. If you do use group chats, obtain consent before adding students, and never discuss individual health details in the group.
Photographs and videos in class
Photographs and videos of identifiable individuals are personal data, and that fact has practical implications for teachers in two ways.
When a studio photographs a teacher for marketing purposes, the studio carries the PDPA obligations – it must notify the teacher of the purposes for which the photographs will be used, and obtain the teacher’s consent for those purposes.
But when a teacher photographs students in their own class – for the teacher’s own social media, marketing, or website – the teacher, not the studio, carries the obligations. Many teachers do not realise that the practical content they create brings them within the scope of the PDPA. In practice, this means notifying students of the purposes for which the photographs will be used, and obtaining their consent before the photographs are taken (and certainly before they are posted).
PDPA consent is conceptually distinct from a copyright licence. A teacher may have a copyright licence to use a photograph while still needing PDPA consent for the particular use. For more on the copyright dimension, see Protecting Your Brand, Content and Course Materials: IP for Yoga Teachers (Part 2), under the section ‘Photos, branding, and your professional identity’.
What happens if something goes wrong
If personal data is lost, stolen, or improperly disclosed, the PDPA requires organisations to assess the breach and, in some cases, report it to the Personal Data Protection Commission (PDPC). A breach does not have to be dramatic – it can be as simple as accidentally e-mailing a student’s health form to the wrong person, leaving completed registration forms visible on a desk, or having a laptop containing student records stolen.
Studios and teachers should have a basic incident response plan. This can mean containing the breach to limit further exposure, assessing what data was involved and how many people were affected, notifying the PDPC if the breach is significant, and informing affected individuals if harm is likely. This does not need to be a complex document – a simple, written protocol that everyone involved in running the studio understands is sufficient.
What this means for you
The PDPA is not designed to make life difficult for yoga teachers. Its requirements align naturally with the values that most teachers already hold – respect for students, care with sensitive information, and an understanding that the relationship between teacher and student is built on trust.
In practical terms, the most important steps are straightforward. Collect only the data you genuinely need, and tell students clearly why you are collecting it. Store data securely, whether on paper or digitally. Use private channels – not group chats – for communication (whether health-related or otherwise). Obtain consent before adding students to mailing lists, WhatsApp groups, or promotional materials. And if something goes wrong, act promptly rather than hoping the problem will resolve itself.
Treating student data with care is a legal obligation under the PDPA. It is also consistent with the mindfulness and respect that underpins good teaching.
This post is part of an ongoing series on legal resources for yoga teachers in Singapore. A comprehensive toolkit covering this topic and more is coming soon!
The information in this article is for general educational purposes only and does not constitute legal advice. It should not be relied upon as a substitute for professional legal advice. Laws and regulations may change, and the information provided may not reflect the most current legal developments. For advice specific to your circumstances, please consult a qualified lawyer. No solicitor-client relationship is created by reading this content.