DEFINITIONS UNDER THE PDPA Flashcards
How is personal data defined under the PDPA?
Personal data is data - whether true or not - about an individual who can be identified from that data - or from that data and other information to which the organization has or is likely to have access. The PDPA contains provisions for certain personal data of deceased individuals for a specified period. Under the PDPA - IP addresses may not be personal data but the more data points are collected - the more likely the IP address is personal data. However - cookies are considered personal data.
Is sensitive personal data defined under the PDPA and if so - how?
It is important to know that the PDPA doesn’t have a distinct category called sensitive personal data - although some personal data is considered more sensitive and requires higher levels of protection.
What would be considered sensitive personal data under the PDPA?
Biometric data - Health data - Sex life or sexual orientation - Financial data - Minors data - NRIC.
What does the PDPA regulate regarding NRIC numbers?
The collection - use - and disclosure of NRIC numbers and copies to minimize the risk of misuse and identity theft - including consent requirement - purpose limitation - and security safeguards.
Are there data protection rules specifically for children under the PDPA?
No. But children from 13 to 18 years old can consent if they have sufficient understanding to do so - however - children under 13 have to consent with their parents or legal guardian.
Is pseudonymisation defined under the PDPA and if so - how?
Pseudonymisation isn’t defined by the PDPA - although it is considered to be a good practice. Regardless - pseudonymised data is still considered personal data.
Is de-identification defined under the PDPA and if so - how?
While it is not defined by the GDPR and overlaps with concepts covered under pseudonymisation and anonymization - the PDPO and PDPA acknowledge de-identification as a process to remove direct identifiers - but the data would remain personal data if it could be linked to an individual with additional information.
Is anonymization defined under the PDPA and if so - how?
It is the process of irreversibly removing personal identifiers from data so that the data subject is no longer identifiable by any means reasonably likely to be used. In all cases - anonymized data is not subject to the law.
What is the definition of Organization under the PDPA?
Any individual - company - association - body of persons - corporate or incorporated - whether or not formed or recognized under the law of Singapore - or resident - or having an office or a place of business - in Singapore.
What is the definition of Individual under the PDPA?
A natural person - whether living or deceased. For deceased individuals - only those who have been dead for 10 years or fewer are concerned by the PDPA and for their personal data - only disclosure and security obligations apply to organizations.
What is the definition of Data Intermediary under the PDPA?
An organisation that processes personal data on behalf of another organisation but does not include an employee of that other organisation. They are only subject to the retention limitation and security obligations.
What is the definition of Specified Message under the PDPA?
A message that offers to supply - advertise - or promote goods - services - land - interests in land - business or investment opportunities - or a supplier.
What is the definition of Survivorship under the PDPA?
The PDPA does not specify a survivorship period (retention duration) - but organizations must ensure that they have the necessary consent for the collection - use - and disclosure of personal data.
What is the definition of Publicly Available under the PDPA?
Personal data that is made available to the public without restriction - such as data published in public registers or directories.