
PDPA-Safe Claude Prompts: A Singapore Lawyer's Checklist

Eight rules and ready-made redaction prompts so Singapore lawyers can use Claude without breaching PDPA. Aligned with the MinLaw GenAI Guide for the Legal Sector.

Haojun See

Founder & Director, On The Ground

Updated 1 May 2026

The eight rules

Singapore lawyers can use Claude productively and lawfully. The risk of PDPA breach or professional-conduct issue is real but manageable. These eight rules cover ~95% of the risk.

1. Use only enterprise-tier (or Pro / Team) plans, never free tiers. Free tiers may train on your input. Enterprise tiers contractually exclude this.
2. Redact before you prompt. Replace names with [PARTY_A], dates with [DATE], identifying numbers with [AMOUNT]. The legal analysis is rarely sensitive to those identifiers.
3. Don't paste full client documents unless necessary. Often you only need the operative clauses. Send less, get sharper output.
4. Document AI use in the matter file. A line in the file: "[date]: Used Claude Sonnet for first-pass review of NDA, redacted version, output verified by [associate]." That's the audit trail expected by the MinLaw guide.
5. Verify legal citations independently. Claude can hallucinate case names and citations. Cross-check against LawNet before any citation goes in a document.
6. Get partner sign-off on the AI-use protocol for a matter. Not every matter needs the same protocol. Routine NDA review and contested commercial litigation are different.
7. Disclose to client where material. When AI is material to the engagement (e.g. AI-assisted review is a key value proposition or a billing factor), include a clause in the engagement letter.
8. Use on-device for the most sensitive class. For criminal defence, matrimonial, regulated industries with data-residency rules, or matters where the client has explicitly objected to cloud AI, use OTG Legal Box or equivalent on-device deployment.

Ready-made redaction prompt

Paste this into Claude before sending any client material. It produces a redacted copy you can then prompt against:

"Below is a document for legal analysis. Produce a redacted version that:

- Replaces all personal names with [PARTY_A], [PARTY_B], etc.
- Replaces all specific monetary figures with [AMOUNT]
- Replaces all specific dates with [DATE]
- Replaces all addresses, phone numbers, NRIC numbers with [REDACTED]
- Preserves clause structure, paragraph numbering, and substantive legal terms exactly

Output only the redacted document. Do not summarise or analyse."

Now use the redacted output as input to your actual analysis prompt. The legal analysis is the same; the personal data never reaches the model.
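A local pre-pass that applies the same placeholders on the lawyer's own machine, so the unredacted text is not sent anywhere. This is an added example, not part of the original article; the regex patterns, the caller-supplied party list and the function names `redact` and `leftovers` are assumptions, and the patterns are not exhaustive.

```python
import re
import string

# Constructed sample; every name and number below is made up.
SAMPLE = (
    "3.1 On 12 March 2024, Tan Wei Ming (NRIC S1234567D) shall pay "
    "Acme Holdings Pte Ltd S$250,000.00.\n"
    "3.2 Notices to Tan Wei Ming at +65 9123 4567 by 01/04/2024."
)

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"
# Assumed patterns, not exhaustive. Amounts run before the phone pattern so
# an 8-digit figure after a currency sign is not mistaken for a phone number.
PATTERNS = [
    (re.compile(r"\b[STFGM]\d{7}[A-Z]\b"), "[REDACTED]"),  # NRIC/FIN shape
    (re.compile(r"(?:S\$|SGD\s?|\$)\d[\d,]*(?:\.\d+)?"), "[AMOUNT]"),
    (re.compile(r"(?:\+65[ -]?)?\b[689]\d{3}[ -]?\d{4}\b"), "[REDACTED]"),  # SG phone
    (re.compile(rf"\b\d{{1,2}} {MONTHS} \d{{4}}\b"), "[DATE]"),
    (re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"), "[DATE]"),
]


def redact(text, parties):
    """Return (redacted_text, mapping). The mapping never leaves the machine."""
    mapping = {f"[PARTY_{string.ascii_uppercase[i]}]": name
               for i, name in enumerate(parties)}
    # Longest names first, so a full name wins over a shorter one it contains.
    for tag, name in sorted(mapping.items(), key=lambda kv: -len(kv[1])):
        text = re.sub(re.escape(name), tag, text, flags=re.IGNORECASE)
    for pattern, tag in PATTERNS:
        text = pattern.sub(tag, text)
    return text, mapping


def leftovers(text):
    """Residual check: digit runs of 4+ that no pattern caught."""
    return re.findall(r"\d{4,}", text)


if __name__ == "__main__":
    redacted, key = redact(SAMPLE, ["Tan Wei Ming", "Acme Holdings Pte Ltd"])
    print(redacted)
    print("needs manual review:", leftovers(redacted))
```

Anything `leftovers` returns should be reviewed by hand before the text is used in a prompt.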

Engagement-letter clause (optional)

If your firm wants to formalise AI use in client engagements, here's a clause many firms in Singapore have adopted (general template; adapt with your firm's risk and compliance team):

"Use of AI tools. The Firm may use generative AI tools (such as Anthropic Claude or OpenAI GPT-class models) to assist with document review, research, and drafting. Where used, all AI-generated output is reviewed by a qualified lawyer before acceptance. The Firm uses enterprise-tier AI services with contractual exclusion from model training. Personal data is redacted before submission to AI tools where the analysis does not require identifiers. Client may request that AI not be used for specific matters, in which case the Firm will accommodate or decline the engagement."

Simple, transparent, defensible.

What happens if it goes wrong

Two scenarios worth thinking through.

Scenario A: accidentally pasted full client identifiers into a free tier. Stop using that account immediately. Switch to enterprise. Document the incident in the matter file. Notify the firm's data protection officer (DPO). Most cases don't require client notification, but assess against the PDPA's notifiable data breach criteria. See PDPC guidance.

Scenario B: Claude hallucinated a case citation that ended up in a memo. Pull back the memo, correct, document. Underlying issue: insufficient verification step. Fix the workflow, not just the document: every legal output drafted with Claude must be cite-checked by a human. The model will sometimes invent. Trust comes from verification, not from the model's confidence.
For working contract-review prompts, see AI Contract Review in Singapore. For research and memo drafting, see Claude for Legal Research. For document review at scale (hundreds or thousands of files), see AI E-Discovery in Singapore: 5-Step Claude Workflow. For the broader PDPA prompting framework that goes beyond legal use, see PDPA Prompting Checklist: 8 Rules Before You Hit Send.

Frequently asked questions

Is using Claude for client work a PDPA breach?

Not inherently. PDPA permits processing of personal data for legitimate business purposes with appropriate safeguards. Using Claude with proper redaction, an enterprise-tier no-training-on-data plan, and documented internal controls is consistent with PDPA — but the responsibility to ensure that sits with the firm, not the AI vendor. See [PDPC's PDPA legislation overview](https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act).

Do I need to disclose AI use to clients?

The [MinLaw Guide for Using Generative AI in the Legal Sector](https://www.mlaw.gov.sg/files/Guide_for_Using_Generative_AI_in_the_Legal_Sector.pdf) does not mandate client disclosure in every case but expects firms to consider client expectations and to disclose where the AI use is material to the engagement or where the engagement letter requires it. Many firms now include a standard clause in engagement letters.

What about lawyer-client privilege?

Privilege attaches to communications, not the data itself. Sending privileged content to a third-party AI vendor does not waive privilege if the vendor is acting under appropriate confidentiality terms (most enterprise plans satisfy this). For the most sensitive matters, use on-device deployments via [OTG Legal Box](/apps/legal-box).

What's the most common mistake Singapore lawyers make?

Using personal Claude / ChatGPT accounts (which may train on input) for client work. Switch to enterprise-tier accounts immediately. Second most common: pasting full identifying details when the analysis doesn't need them — redaction takes 30 seconds and removes the risk.

Can I use Claude for matters involving children, criminal defence, or high-profile clients?

Apply maximum care: enterprise tier with no training on input, full redaction, on-device deployment if available, partner sign-off on AI-use protocol for the matter. For these matter types, OTG typically recommends on-device deployment over any cloud-based AI.
