Personal Data Protection Act 2012 (PDPA)

Data protection law and National Do Not Call (DNC) Registry

· SMU MPA Notes - Accounting

Relevant laws are mainly the following:

Protection from Harassment Act 2014 (no doxxing, no harassment)

 

What is PDPA?

PDPA s3 (purpose of the Act): the PDPA balances the right of individuals to protect their personal data against the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

The PDPA has 2 parts:

1. Data Protection provisions

2. Do Not Call Registry provisions

Personal data:

s2: "personal data" means data, whether true or not, about an individual who can be identified:

(a) from that data; or

(b) from that data and other information to which the organisation has or is likely to have access.

3-step test for whether something is personal data:

1. What exactly is the data?

2. Is the data about an individual?

3. Can the individual be identified from the data, alone or combined with other information the organisation has or is likely to have access to?

 

PDPA s4(5): the Data Protection provisions generally do not apply to business contact information (e.g. business name, title, business telephone number, business address or email). The exclusion does not cover contact details an individual provides solely for personal purposes; those remain personal data.

Personal data under the PDPA can include the following:

Full name, NRIC or passport number; photograph or video image of an individual; mobile telephone number; personal email address; health status; educational background; an individual's activities, such as spending patterns, etc.

 

The Data Protection provisions apply only to organisations. s2: "organisation" includes any individual, company, association or body of persons, corporate or unincorporated, whether or not:

(a) formed or recognised under the law of Singapore; or

(b) resident, or having an office or a place of business, in Singapore.

BUT see the s4(1) limits: the Data Protection provisions do not apply to:

(a) any individual acting in a personal or domestic capacity;

(b) any employee acting in the course of his or her employment with an organisation;

(c) any public agency; or

(d) ...

 

10 Main Data Protection Obligations

1. Consent (s13 to 17): Must obtain the individual's consent before collecting, using or disclosing his personal data for a purpose. Deemed consent: s15.

 

2. Purpose Limitation (s18): May collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, that have been notified to the individual concerned.

 

3. Notification (s20): Must notify the individual of the purpose(s) for which it intends to collect, use or disclose his personal data, on or before such collection, use or disclosure.

 

4. Access and Correction (s21, 22 and 22A): Must, upon request,

(i) provide an individual with his personal data that is in the possession or under the control of the organisation, and information about the ways in which that personal data has been or may have been used or disclosed within the past year; and

(ii) correct an error or omission in an individual's personal data that is in the possession or under the control of the organisation.

5. Accuracy (s23): Must make a reasonable effort to ensure that personal data collected is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned, or is likely to be disclosed by the organisation to another organisation.

 

6. Protection (s24): Must protect personal data in its possession or under its control by making reasonable security arrangements to prevent:

(i) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and

(ii) the loss of any storage medium or device on which personal data is stored.

 

7. Retention Limitation (s25): Must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals (anonymise it), as soon as it is reasonable to assume that:

(i) the purpose for which the personal data was collected is no longer being served by retaining it; and

(ii) retention is no longer necessary for legal or business purposes.

 

8. Transfer Limitation (s26): Must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA, so that the transferred data receives a standard of protection comparable to the PDPA.

 

9. Data Breach Notification (s26A to 26E): Must assess whether a data breach is notifiable and, where it is, notify the Commission and/or the affected individuals.

 

10. Accountability (s11 and 12): Must implement the policies and practices necessary to meet its PDPA obligations, and must make information about those policies and practices available on request.

 

National Do Not Call (DNC) Registry

Individuals can opt out of marketing messages sent to their telephone, mobile phone and fax machine by registering their Singapore telephone numbers.

• Do Not Call Registry provisions are in Parts 9 and 9A of the PDPA

• Covers voice calls, text messages and faxes to Singapore telephone numbers (s36, 39)

• Generally, before sending a marketing message, organisations must:

a) check the relevant Do Not Call Register(s) to confirm whether the Singapore telephone number is listed on the Do Not Call Register(s), unless the recipient has given clear and unambiguous consent;

b) include information identifying the individual or organisation who sent or authorised the sending of the marketing message, and how to contact them; and

c) not conceal or withhold the calling line identity of the sender of the marketing message.