A. Definition of Personal Data
Personal data is any data about an individual who can be identified from that data, or from that data together with other information the organization has or is likely to have access to. Examples of personal data include, but are not limited to, the following:
A.1 Unique data
Full name
NRIC Number or FIN (Foreign Identification Number)
Passport number
Personal mobile telephone number
Facial image of an individual (e.g. in a photograph or video recording)
A.2 Generic data
Gender
Age
Nationality
Past employment
Education
Income
Spending habits
Medical information
A.3 Exemptions:
Business contact information such as an individual’s name, position, title, business phone number, business address, business email address or business fax number.
Personal data contained in a record that has been in existence for at least 100 years
Personal data about an individual who has been deceased for more than 10 years
B. Obligations under PDPA
(1) Consent Obligation
Consent must be obtained from individuals before collecting, using or disclosing their personal data.
The organization must obtain clear and freely given consent from the individual before collecting their personal data.
Personal data that an individual voluntarily provides, knowing the purpose, can be treated as deemed consent.
An organization does not need to obtain consent for publicly available data (e.g. a public profile on social media such as LinkedIn).
Individuals must be allowed to withdraw consent at any time, but must be made aware of the consequences (e.g. that services will stop).
(2) Purpose Limitation Obligation
The purpose for collecting personal data must be justified, reasonable and limited in scope.
The organization must not collect excess data for which there is no stated purpose.
Personal data collected for one purpose must not be used for a different purpose or a wider scope; a contractual agreement does not change this.
(3) Notification Obligation
Individuals must be informed of the purpose before their personal data is collected, through a notification that is clear and unambiguous.
The organization must make sure that this notification appears, and is prominent, wherever personal data is collected.
No notification is needed in the case of deemed consent, or if the individual is already aware of the specific purpose.
Provide a link to the organization's privacy policy in the notification (a layered notice).
(4) Access and Correction Obligation
The organization must give the individual access to the personal data about them that it currently holds, uses and shares.
Ensure that this right of the individual is not hindered.
The organization must respond within 30 days of the request.
The individual also has the right to ask for their personal data be corrected should there be inaccuracies.
The organization is allowed to charge a reasonable fee for the access but cannot charge fees for the correction.
(5) Accuracy Obligation
The organization is obligated to ensure accuracy and completeness of the personal data collected both directly from the individual as well as indirectly from third parties.
Verify the accuracy of the details with the individual before using them.
(6) Protection Obligation
The organization must make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
The organization needs to ensure secure handling of personal data at every stage: collection, usage, sharing and disposal.
Consider strong passwords, restricted access, encryption, anti-virus and firewalls.
(7) Retention Limitation
The organization must not retain personal data once it is no longer needed for any justified legal or business purpose.
There is no one solution for all scenarios and no 'magic' time limit; retention depends solely on whether the purpose is still being served.
Consider labelling each data set with a 'destroy-by' date so that it is disposed of once the personal data has outlived its purpose.
Consider anonymizing the personal-data fields of a data set whose remaining data is still needed.
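The following is an added example (not part of the original note, and not any organization's production code) showing one way to implement the two retention measures above: each record is labelled with a destroy-by date at collection time, and a periodic job destroys expired records or reduces them to an anonymized form that keeps only generic data (A.2) with the unique identifiers (A.1) removed. The purposes, retention periods, names and NRIC values are all invented for illustration; the PDPA itself sets no fixed retention period.

```python
"""Retention-limitation helper (added example, not from the original page).

Each personal-data record is labelled at collection time with the purpose it
was collected for and a destroy-by date derived from that purpose. A periodic
job then either destroys expired records or reduces them to an anonymized form
that keeps only generic data (A.2) with the unique identifiers (A.1) removed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed, illustrative retention periods per purpose. The PDPA sets no
# fixed limit; an organization must justify each period itself.
RETENTION_PERIODS = {
    "order_fulfilment": timedelta(days=90),
    "warranty_claims": timedelta(days=365),
}


def label_destroy_by(purpose: str, collected_on: date) -> date:
    """Compute the destroy-by date for a record at collection time.

    Refuses to label data collected for a purpose that has no justified
    retention period, so such data cannot be stored in the first place.
    """
    if purpose not in RETENTION_PERIODS:
        raise ValueError(f"no retention period defined for purpose {purpose!r}")
    return collected_on + RETENTION_PERIODS[purpose]


@dataclass
class PersonalRecord:
    full_name: str      # unique data (A.1)
    nric: str           # unique data (A.1)
    mobile: str         # unique data (A.1)
    age: int            # generic data (A.2)
    nationality: str    # generic data (A.2)
    purpose: str        # purpose notified at collection
    collected_on: date
    destroy_by: Optional[date] = None

    def __post_init__(self) -> None:
        # Every record carries its destroy-by label from the moment it exists.
        if self.destroy_by is None:
            self.destroy_by = label_destroy_by(self.purpose, self.collected_on)


def is_expired(record: PersonalRecord, today: date) -> bool:
    return today > record.destroy_by


def anonymize(record: PersonalRecord) -> dict:
    """Drop every A.1 identifier and coarsen age into a 10-year band.

    A hashed NRIC is deliberately not kept: the NRIC space is small enough
    that a hash could be reversed by enumeration, which would leave the
    record identifiable.
    """
    low = (record.age // 10) * 10
    return {
        "age_band": f"{low}-{low + 9}",
        "nationality": record.nationality,
        "purpose": record.purpose,
    }


def enforce_retention(records, today: date, keep_statistics: bool = True):
    """Split records into those still within purpose, the anonymized residue
    of expired ones (if statistics are still needed), and a destroy count."""
    retained, anonymized, destroyed = [], [], 0
    for record in records:
        if not is_expired(record, today):
            retained.append(record)
        elif keep_statistics:
            anonymized.append(anonymize(record))
        else:
            destroyed += 1
    return retained, anonymized, destroyed


# Constructed sample records with made-up names and identifiers.
SAMPLE_RECORDS = [
    PersonalRecord("Tan Ah Kow", "S1234567A", "91234567", 34, "Singaporean",
                   "order_fulfilment", date(2024, 1, 10)),
    PersonalRecord("Lee Mei Ling", "S7654321B", "98765432", 29, "Malaysian",
                   "order_fulfilment", date(2024, 5, 1)),
    PersonalRecord("Ravi Kumar", "S2468135C", "96543210", 62, "Singaporean",
                   "warranty_claims", date(2023, 3, 1)),
]

if __name__ == "__main__":
    kept, anon, gone = enforce_retention(SAMPLE_RECORDS, date(2024, 6, 1))
    for r in kept:
        print(f"retain     {r.full_name:<14} until {r.destroy_by}")
    for a in anon:
        print(f"anonymized {a}")
    print(f"destroyed outright: {gone}")
```

Run on 1 June 2024, the job keeps only the May order (destroy-by 30 July 2024) and reduces the January order and the 2023 warranty claim to age band, nationality and purpose. Passing keep_statistics=False destroys the expired records outright; an unknown purpose is rejected at labelling time rather than stored without a destroy-by date.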
(8) Transfer Limitation Obligation
Personal data transferred abroad should be limited in scope and must receive a level of protection comparable to (or better than) that under the PDPA.
Consider reviewing situations where personal data residing on local servers can be accessed by foreign entities, or where the organization's data resides on foreign-based servers.
(9) Accountability (Openness) Obligation
Appoint at least one Data Protection Officer (DPO)
Develop Data Protection Policies and procedures for all employees to adhere to.
Develop procedures to handle complaints.
Make available the Organization's privacy policy.
Publish the DPO’s Business Contact Information (BCI)