13 Flashcards
What does PDPA stand for?
Personal Data Protection Act
What is the purpose of the Personal Data Protection Act (PDPA) of Singapore?
To govern the collection, use, and disclosure of personal data.
What does ‘Personal Data’ mean according to the PDPA?
Data about an individual who can be identified from that data or from that data and other information.
What are the legal implications of non-compliance with the PDPA?
Organizations may face penalties, legal action, and loss of reputation.
True or False: The PDPA applies only to organizations in Singapore.
True
What organization enforces the PDPA in Singapore?
Personal Data Protection Commission (PDPC)
What is the first obligation of organizations under the PDPA?
Notification of individuals about the purposes for collecting their personal data.
Fill in the blank: Organizations must obtain _______ from individuals before collecting their personal data.
consent
What is deemed consent under the PDPA?
Consent that is inferred when an individual voluntarily provides personal data for a specific purpose.
What must organizations do if an individual withdraws consent?
Cease collecting, using, or disclosing the personal data.
List two examples of personal data that can be collected.
- Name
- Address
What does the PDPA aim to maintain regarding individuals?
Trust in organizations that manage data.
What is a potential risk associated with data breaches?
Identity theft
What is one exception to the notification obligation under the PDPA?
If the individual has deemed consent.
What must organizations inform individuals about during the withdrawal of consent?
The likely consequences of withdrawing consent.
True or False: Organizations can ignore consent if the personal data is publicly available.
True
What can organizations do with personal data only for purposes that a reasonable person would consider appropriate?
Collect, use, or disclose personal data.
What type of information is at risk of being sold to marketing firms?
Personal information
What must individuals be notified of before their personal data is collected?
The purposes for which their personal data will be collected.
What does ‘privacy intrusion’ refer to?
Disclosure of private information or data without authorization.
What is necessary for the PDPA to address growing concerns from individuals?
A data protection regime.
What is the ultimate goal of the PDPA regarding Singapore’s position in the business world?
To strengthen and entrench Singapore’s competitiveness as a trusted hub for businesses.
What must a company do with the information collected from individuals?
Use it only for the purposes informed to the individual when consent was given.
Example: A fashion retailer states in the membership registration form that the purposes for which it may use the data collected include providing members with updates on new products and promotions.
What is deemed consent in terms of personal data collection?
An individual is deemed to have consented under section 15.
This means the individual is considered to have given consent even if they did not explicitly do so.
When can an organization collect personal data without consent?
When it falls under section 17 exceptions to consent.
Example: A customer’s image captured by CCTV for security reasons in a store.
What must organizations do regarding the accuracy of personal data?
Make reasonable efforts to ensure that the personal data is accurate and complete.
Especially if it is likely to be used to make a decision affecting the individual.
What actions should organizations take to ensure personal data accuracy?
Ensure accurate recording, include all relevant parts, and take reasonable steps for correctness.
Good practice includes asking individuals to verify their data.
What security arrangements must organizations make for personal data?
Make reasonable security arrangements to protect personal data from unauthorized access, collection, use, disclosure, and similar risks.
Organizations should identify reliable personnel and implement robust security policies.
When should an organization cease retaining personal data?
As soon as the purpose for which the personal data was collected is no longer being served.
Example: If a company collects data for birthday promotions, it must erase that data once it stops using it for that purpose.
What factors determine the retention period for personal data under the PDPA?
The purposes for which the personal data was collected and other legal or business purposes.
Data should not be retained just in case it may be needed for other purposes not notified to the individual.
What is required for transferring personal data outside Singapore?
Ensure that the receiving organization provides a comparable standard of protection to that under the PDPA.
Organizations must take appropriate steps to ensure the recipient is bound by enforceable obligations.
What must happen for a transfer of personal data to be deemed necessary?
The individual must give consent, or the transfer must be necessary for a contract or vital interests.
This includes cases where data is in transit or publicly available in Singapore.
What must an organization provide upon an individual’s request regarding their personal data?
Personal data in possession and information on how it has been used or disclosed within the past year.
Organizations must comply with access and correction obligations.
Name one exception to the obligation to provide access to personal data.
If the request would unreasonably interfere with the operations of the organization.
Other exceptions include if the information does not exist or is trivial.
What must organizations do in the event of a data breach?
Notify the PDPC and affected individuals as soon as possible if significant harm is likely.
Organizations should document all steps taken in assessing the breach and notify within 3 calendar days.
What is the responsibility of an organization regarding personal data?
Discharge its responsibility for the personal data in its possession or control.
This includes ensuring compliance with the PDPA and protecting individuals’ data rights.
What is the primary purpose of the Personal Data Protection Act (PDPA)?
To govern the collection, use, and disclosure of personal data
This is necessary to maintain individuals’ trust in organizations that manage data.
What should organizations do to exercise accountability over personal data?
Appoint a Data Protection Officer, develop and implement data protection policies and practices, conduct Data Protection Impact Assessments (DPIA)
These measures ensure organizations manage personal data responsibly.
How many main obligations are there for organizations under the PDPA?
9
These obligations are essential for compliance with the PDPA.
True or False: The PDPA aims to strengthen Singapore’s competitiveness as a trusted business hub.
True
By regulating the flow of personal data, the PDPA enhances Singapore’s position in the business world.
Fill in the blank: An organization must notify affected individuals of a data breach via _______.
This ensures transparency and allows individuals to take necessary precautions.
What is one key responsibility of organizations regarding personal data?
Determine the purposes for which the personal data is collected, used, or disclosed
This is part of the accountability principle under the PDPA.
What does DPIA stand for?
Data Protection Impact Assessments
DPIAs help organizations identify and mitigate risks related to personal data processing.
What is the role of a Data Protection Officer?
To oversee the organization’s data protection strategy and ensure compliance with the PDPA
This role is crucial for maintaining accountability.
True or False: The PDPA only applies to private organizations.
False
The PDPA applies to both public and private organizations that handle personal data.