What Constitutes ‘Personal Data’ (‘PD’)?
The PDPA defines “PD” as “data about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access”. This means that information about a person, whether true or false and whether in electronic or non-electronic form, constitutes “PD”. PD includes:
- unique identifiers of an individual (e.g. NRIC number, passport number); and
- other identifying information about an individual (e.g. name, age, address).
PD does not include the following:
- publicly available personal information (e.g. personal details such as names, dates of birth, etc. that are posted on social media applications, the internet, etc.); and
- business contact information on business cards (including an individual’s name, position, title, business telephone number, business address, business e-mail address).
An Organisation’s Obligations under the PDPA
An organisation may collect, use or disclose an individual’s PD only with the individual’s consent. Individuals may, at any time and upon giving reasonable notice, withdraw their consent for an organisation’s collection, use or disclosure of their PD for any purpose.
Consent comes in two forms: express and deemed. An organisation may, in particular circumstances under an exception in the PDPA, collect an individual’s PD without the individual’s consent.
We frequently work with our organisational clients to assist them in preparing documentation recording an individual’s consent and in setting up the related procedures and processes. For an individual to grant valid consent, he or she must be properly informed of the purpose(s) for which the personal data will be collected, used or disclosed. Consent obtained through false or misleading information or deceptive practices is invalid. In addition, organisations may not require consent, beyond what is reasonable to provide the goods or services, as a condition of providing them.
It is strongly advised that organisations obtain consent from individuals in ways that may be recorded for future reference, such as in writing. This would serve as concrete evidence should any dispute occur. Consent may also be obtained verbally, but it is recommended that the organisation record it.
Does Failure to Opt-out Constitute Consent?
Organisations may, under certain circumstances, treat consent given by inaction (i.e. failure to opt out) rather than by positive action as valid. Generally, such consent is more likely to be deemed valid where individuals are unlikely to have failed to opt out by mistake, inattention or other reasons unrelated to their consent. For example, a mail flyer sent to customers requiring them to reply to opt out is less likely to be accepted than an opt-out checkbox on a form the customer signs, since a customer is far less likely to overlook a checkbox than a mail flyer. Organisations engaging in telemarketing should note that “clear and unambiguous” consent is required under the Do Not Call Provisions, a condition unlikely to be satisfied where consent is obtained through failure to opt out.
Implementing a Data Protection Policy and Protocol
Organisations are required by the PDPA to develop and implement policies to comply with the PDPA, known as a Data Protection Policy. This policy may be used to notify individuals of the purposes for collecting and using their personal information, and may be provided to them as a hard copy document or on the organisation’s website. Organisations are also required to have a withdrawal policy, under which individuals may give notice to withdraw their consent to the organisation’s use of their personal information.
Appointing a Data Protection Officer
Organisations are required to appoint at least one staff member to ensure compliance with the PDPA, known as the Data Protection Officer. His/her business contact information should be made public. His/her responsibilities may include:
- Developing a sound data protection policy that complies with the PDPA and meets the organisation’s needs;
- Handling enquiries and complaints relating to personal data;
- Liaising with the PDPC on data protection issues.
Do Not Call (DNC) Provision
Private organisations are prohibited from sending commercial messages (e.g. advertising goods and services) to individuals whose contact numbers are listed on the DNC Registry, unless they have received “clear and unambiguous” consent. Messages sent to notify or update individuals with whom the organisation has an ongoing relationship are not restricted by these rules (although senders must still provide a means for individuals to opt out of receiving them). Organisations have a duty to check whether an individual’s number is on the DNC Registry before sending commercial messages. DNC search results are valid for up to 30 days after the check.
Individuals may register their contact details on the registry through the PDPC’s website, SMS, or phone. Do note that there are 3 separate registries for voice calls, text messages, and faxes. Individuals should expect commercial messages to cease 30 days after registration, and may de-register at any time.
The DNC Registry came into effect on 2 January 2014, while the rest of the provisions took effect on 2 July 2014.
In its role of enforcing the PDPA, the Personal Data Protection Commission (PDPC) is empowered to handle complaints made by individuals over breaches of the PDPA, to require the production of information or documents relevant to an investigation, and to inspect the premises of an organisation.
The PDPC may order organisations violating the PDPA to cease collecting or using data in violation of the Act, and to delete any data gathered unlawfully. It may also impose financial penalties of up to $1 million on organisations. An organisation infringing the DNC provisions can be fined up to $10,000 for each offence. Individuals who make false or misleading declarations to the PDPC, or who obstruct its officers, can be fined up to $10,000 and jailed for up to 12 months, while organisations can be fined up to $100,000.
What Does This Mean for Your Business?
Here are some tips on how business owners can handle Personal Data collected for the following purposes:
Research and Analysis
Organisations that conduct research and analysis activities are required to comply with the PDPA if those activities involve the collection or use of personal data. Data consensually obtained for another purpose may be used if the research is related to the original purpose for which the data was collected. Consent is not required for individually identifiable data to be used where such data is vital to achieving the research aims but it is impractical to obtain consent. Such data must not be used to contact the individuals to ask them to participate, the use must not be detrimental to them, and the benefits of the research should be in the public interest.
CCTV images of individuals would be considered personal data, as individuals can be identified from them. Hence, organisations that install CCTVs on their premises should notify the public. Usually, a notice sign placed at a prominent location (e.g. near the entrance of a compound) informing passers-by that they are under video surveillance should suffice.
Recruitment and Employment
Organisations often hold personal data of their employees, and require job applicants to submit personal data as part of the application process. Usually, the submission of information during a job application can be taken as consent on the part of the applicant. An organisation may retain the personal data of past employees or rejected applicants only for as long as it requires it for legal or business reasons. The PDPA permits employers to collect, use or disclose employees’ personal data in the course of managing or terminating the employment relationship without their consent, but requires employers to notify employees of the purposes of such actions. Firms should therefore consider including a general notification in employment contracts or company circulars. For purposes other than those mentioned above, employers need to seek their employees’ consent.
Generally, the IP address of a networked device is not on its own considered personal data, as multiple individuals may use the same device. However, when an IP address is viewed together with other information such as browsing history or online purchase records, it may be used to identify a specific individual, and hence be considered personal data under the PDPA.
Cookies are small text files stored on a computer when its web browser loads a website or web application. The PDPA applies to cookies when they collect personal data of web users. Individuals are deemed to have given their consent to the collection and use of their personal data if they are informed of the purpose of the collection and then voluntarily provide their data for online activities that require cookies to function, such as online shopping or internet banking. Individuals may also express consent through the way they configure their web browsers. For example, if an individual chooses to accept some cookies while rejecting others, it can be taken that he has consented to the cookies accepted. However, an individual’s failure to adjust his browser settings does not amount to consent to all cookies.
Best Practices Every Business Should Adopt
Anonymisation is the process of removing individually identifiable information so that the remaining data cannot be linked to any individual. Thus, it would not be considered personal data. Generally, it is advised for organisations to anonymise their data unless there is a need for individually identifying information. However, if the anonymised data can be combined with other data already held to re-identify individuals, the data may still be considered personal data. Hence, organisations must balance between maintaining the usefulness of the information collected while reducing the possibility of re-identification.
NRIC numbers are used in many governmental and business transactions, and are hence of particular concern. Organisations should therefore use other means of identification where possible. Where NRIC numbers are to be disclosed (e.g. when publishing the results of a lucky draw), organisations are advised to publish only the last 3 digits and the letter (e.g. SXXXX567A) and to use the full NRIC number only to verify the identity of the winner.
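The two cautions above, that data stripped of direct identifiers can still be re-identified by linking it to data the organisation already holds, and that NRIC numbers should be masked before disclosure, are illustrated below as a worked example. This is an added illustration and not code from the original article; every record, name and NRIC number in it is constructed and fictitious, and the 10-year age band and 2-digit postal sector used for generalisation are one assumed choice among many.

```python
"""Added example (not part of the original article): linkage re-identification
of an "anonymised" dataset, a simple k-anonymity check after generalising the
quasi-identifiers, and masking of NRIC numbers for disclosure.
All data below is constructed; names and NRIC numbers are fictitious."""
from collections import Counter, defaultdict

# "Anonymised" survey extract: NRIC and name removed, but exact age, postal
# code and sex retained because they are useful for analysis.
SURVEY = [
    {"age": 34, "postal": "238845", "sex": "F", "result": "positive"},
    {"age": 36, "postal": "238812", "sex": "F", "result": "negative"},
    {"age": 51, "postal": "238845", "sex": "M", "result": "negative"},
    {"age": 58, "postal": "238890", "sex": "M", "result": "positive"},
    {"age": 29, "postal": "659123", "sex": "M", "result": "positive"},
    {"age": 22, "postal": "659125", "sex": "M", "result": "negative"},
]

# Data the same organisation already holds, e.g. a customer list (constructed).
HELD = [
    {"name": "Tan Ah Kow",    "nric": "S8812345A", "age": 34, "postal": "238845", "sex": "F"},
    {"name": "Lee Mei Ling",  "nric": "S8623456B", "age": 36, "postal": "238812", "sex": "F"},
    {"name": "Lim Beng Huat", "nric": "S7109876C", "age": 51, "postal": "238845", "sex": "M"},
    {"name": "Ng Kok Wah",    "nric": "S6434567D", "age": 58, "postal": "238890", "sex": "M"},
    {"name": "Raj Kumar",     "nric": "S9354321E", "age": 29, "postal": "659123", "sex": "M"},
    {"name": "Wong Wei Ming", "nric": "T0012345F", "age": 22, "postal": "659125", "sex": "M"},
]

QUASI = ("age", "postal", "sex")   # quasi-identifiers present in both datasets


def link(survey, held, keys=QUASI):
    """Join survey rows to held records on the quasi-identifiers.
    Returns, for each survey row, the list of held records that match it."""
    index = defaultdict(list)
    for rec in held:
        index[tuple(rec[k] for k in keys)].append(rec)
    return [index.get(tuple(row[k] for k in keys), []) for row in survey]


def reidentified(survey, held, keys=QUASI):
    """Survey rows whose quasi-identifiers match exactly one held record,
    i.e. rows that can be tied back to a named individual."""
    return [row for row, matches in zip(survey, link(survey, held, keys))
            if len(matches) == 1]


def generalise(row):
    """Coarsen the quasi-identifiers: a 10-year age band and the 2-digit postal
    sector instead of exact values (assumed choice). This trades analytic
    precision for lower linkability, the balance the article asks for."""
    out = dict(row)
    lo = row["age"] // 10 * 10
    out["age"] = f"{lo}-{lo + 9}"
    out["postal"] = row["postal"][:2]
    return out


def k_anonymity(rows, keys=QUASI):
    """Smallest number of rows sharing any one combination of quasi-identifiers.
    k == 1 means at least one row is unique and therefore linkable."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(counts.values())


def mask_nric(nric):
    """Mask an NRIC for disclosure as the article describes: keep only the
    last three digits and the checksum letter, e.g. S8812345A -> SXXXX345A.
    Accepts the shape <letter><7 digits><letter>; rejects anything else."""
    if len(nric) != 9 or not nric[1:8].isdigit() \
            or not (nric[0].isalpha() and nric[8].isalpha()):
        raise ValueError("not an NRIC-shaped string")
    return nric[0] + "XXXX" + nric[5:]


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(SURVEY))
    print("rows re-identified from raw extract:", len(reidentified(SURVEY, HELD)))
    gen_survey = [generalise(r) for r in SURVEY]
    gen_held = [generalise(r) for r in HELD]
    print("k-anonymity after generalisation:", k_anonymity(gen_survey))
    print("rows re-identified after generalisation:", len(reidentified(gen_survey, gen_held)))
    print("masked NRIC for publication:", mask_nric("S8812345A"))
```

Run as-is, the raw extract has k = 1 and every row links to exactly one customer, so removing the NRIC and name did not anonymise it. After generalisation each quasi-identifier combination appears at least twice, so no row links to a single person, at the cost of losing exact ages and postal codes. The same check should be repeated against any other dataset the organisation holds or is likely to obtain, since the PDPA’s definition of personal data turns on that wider set of information.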
Responsibility of an Employer for the Conduct of its Employees
Organisations should note that they are responsible for any violation of the PDPA by their employees (paid or unpaid) in the course of their employment, whether or not it was done with the organisation’s knowledge or approval. Organisations can avoid liability by taking reasonable steps to prevent employees from violating the PDPA. This can be done by creating a sound data protection policy and communicating it effectively to employees.
Development of Personal Data Policy
Organisations should develop a sound Personal Data Policy to be communicated to both the public and its internal staff, in order to promote understanding for the purposes of collecting personal data and the protections accorded. Organisations should ensure their policies are clear and easily understandable by laymen, and balance between informing individuals of the purposes for data collection and avoiding excessive detail. The PDPC recommends a “layered” policy, where a general summary of the policy is communicated to the public when seeking consent, with a link to the full policy for those who are inclined to find out more.
Appointment of a Data Protection Officer
Organisations should consider whether they need to appoint a dedicated Data Protection Officer or whether the responsibilities can be assigned to a staff member already in another role. The PDPC encourages DPOs to attend a 2-day course, An Introduction to the Fundamentals of the Personal Data Protection Act for Non-Legal Personnel.
For assistance regarding the PDPA, do contact us for an appointment.