chapter 4 Flashcards
what is the PDPA
–> Is Singapore’s data privacy regulation
–> Governs the collection, use, disclosure and care of
personal data
–> Regulates telemarketing practices through the Do Not
Call registry
why do we need PDPA
–> Is designed to encourage business innovation, while
also guaranteeing that personal data protection
–> Aims to strengthen Singapore’s position as a trusted
hub for businesses
who does the PDPA apply to
–> Recognizes the right of individuals to protect their personal data
–> Recognizes the need for organisations to collect, use or
disclose personal data for legitimate and reasonable purposes
–> Does not apply to the public sector, which has separate
rules under the government
where is the PDPA applicable
Has extraterritorial effect.
–> It is applicable to organizations collecting, using or disclosing personal data in Singapore, regardless of the organization’s
physical presence or where it was incorporated
what is the cost of failing to comply with the PDPA
–> 10% of an organization’s annual turnover in Singapore,
or SGD 1 million, whichever is greater
–> Reputation damage
how many PDPA obligations are there
11
what are the 11 PDPA obligations
Accountability
Notification
Consent
Purpose limitation
Accuracy
Protection
Retention Limitation
transfer limitation
Access and correction
data breach notification
data portability
what does accountability mean
Accountability helps organisations to strengthen trust and enhance competitiveness.
Organisations must take responsibility for the personal
data under their possession or control:
* Appoint a data protection officer
* Develop data protection policies
* Foster a data protection awareness and culture
* Implement measures to meet PDPA obligations
what are the pdpa obligations which come under the collection of personal data category
notification
consent
purpose limitation
what does notification mean ?
Notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data
Important considerations for Notification include:
* Content of the notification
* Format of the notification
* When to notify
what does consent mean ?
Personal data may be collected, used or
disclosed only after consent has been given
by the individual
Important considerations for obtaining Consent
include:
* Consent cannot be accepted, unless the individual
has been Notified of the purposes
* Allow the individual to withdraw consent
* Consent can be obtained in writing or verbally
Collection of Personal Data
what does purpose limitation mean ?
Personal data may be collected, used or
disclosed ONLY for the purposes that is
reasonable to provide the organisation’s
product or service
Important considerations for Purpose Limitation
include:
* Collect, use and disclose personal data, that are
relevant for the purposes
* Ensure the purposes are reasonable for the product
or service provided
4 obligations under care for personal data
accuracy
protection
retention limitation
transfer limitation
what does accuracy mean ?
Organizations should ensure that the personal data collected is accurate and complete
Important considerations for Accuracy include:
* Reliability of the data
* Currency of the data
* Impact of the data
what does protection mean ?
Organizations should put in place the required security measures to protect personal data to prevent unauthorized
access
Important considerations for Protection include:
* Well-trained personnel responsible for ensuring
information security
* Robust information security policies and procedures
* Breach response preparedness
what does retention limitation mean
Organizations should cease retention of personal data or dispose of it in a proper manner
Important considerations for Protection include:
* Review the need to hold personal data on a regular
basis
* Render personal data completely irretrievable or
inaccessible
* No means to associate the personal data with
particular individuals
what does transfer limitation
Ensure that the standard of protection is
comparable to the PDPA when transferring
personal data to another country
Important consideration for Transfer Limitation:
* In transferring data overseas, the receiving
organisation is not subject to Singapore laws
* The Accountability Obligation requires that the
transferring organisation ensures that personal data
under its care continue to be protected to the same
standard as that established in PDPA
what does accesss and correction mean ?
Individuals have the right to request for access to their personal data and for correction of their personal data
Organizations may not accede to an access request
where the provision of personal data is expected to:
* threaten the safety or physical or mental health of
an individual
* reveal personal data about another individual
* be contrary to the Singapore’s national interest
what is data breach notificaiton
In the event of a data breach, that likely results in significant harm to individuals, or are of significant scale, PDPC and the
affected individuals need to be notified
Significance in Breach Notification include:
* Name or alias or full national identification number
* Financial/health information, not publicly disclosed
* Identification of vulnerable individuals
* Private key used to authenticate/sign an digital
document
what is data portability
At the request of the individual, organisations
are required to transfer the individual’s data
to another environment
*As at March 2022, this Obligation is under review and
will take effect when it is later issued
what are the 3 obligations that come under Individual’ autonomy over personal data
data portability
data breach notification
access and correction
