Jurisdictional comparison Flashcards

1
Q

What are the different consent obligations in Singapore

A

Organisation can only collect, use or disclose personal data for purposes for which an individual has given his or her consent.
- Consent can be in verbal or written form. If verbal consent is given, give written acknowledgement.
- DNC

2
Q

What are the different consent obligations in HK

A
  • Consent needed in relation to direct marketing
  • If verbal, written confirmation needed in 14 days
  • Consent needed if online tracking info related to personal data and is collected for direct marketing purposes
3
Q

What are the consent obligations in India

A

A business cannot collect SPDI unless it obtains the prior consent of the provider of the info.

Consent has to be provided by letter, fax or email

No specific legislation governs online direct marketing. However, general practice is to allow opt-in/opt-out.

4
Q

What are the notification obligations in Singapore

A

Notify the individual of purposes before collection, use or disclosure.

5
Q

What are the notification obligations in HK

A

PICS - Informed of purpose for which data is to be used and classes of person to whom the data may be transferred

6
Q

What are the notification obligations in India

A

Provider of info should be made aware that info is being collected, purpose of use, recipients, name of collection agency

Prior consent required for disclosure to any party other than gov

7
Q

What are the access obligations in SG?

A

Must, upon request, provide the individual with his data in the possession or under the control of the organisation, and information about the ways in which the personal data has been or may have been used or disclosed during the past one year.

8
Q

What are the access obligations in HK?

A

The data subject to be informed of his/her rights to request access and the correction of the data and the name, job title, and address of the individual to handle any such request made to the data user.

Under DPP6 (Access and Correction), data subjects are entitled to request access to personal data within 40 days.

Failure to comply with a data access request is an offence under the PDPO

9
Q

What are the access obligations in India

A

The business should permit the provider of the info the right to review the info

10
Q

What is the response period and fulfilment of request for SG?

A

Fulfilment as soon as reasonably possible, preferably within 30 days of the request; otherwise, a response within those 30 days informing the individual of the expected time of fulfilment.

If valid request, correct the personal data as soon as reasonably possible and send the corrected data to other organisations to which the personal data was disclosed within a year before the correction is made.

11
Q

What is the response period and fulfilment of request for HK?

A

Data users are required to inform a data requestor if they do not hold any of the requested data, within 40 days of receiving such a request.

12
Q

What is the response period and fulfilment of request for India?

A

Not stated

13
Q

Can an access fee be charged in SG?

A

Can charge an individual a reasonable fee for access to personal data about the individual

14
Q

Can an access fee be charged in HK?

A

May be entitled to request a fee if not excessive

15
Q

Can an access fee be charged in India

A

No requirement

16
Q

What are the correction obligations in SG?

A

If valid request, org must correct the personal data as soon as reasonably possible and send the corrected data to other organisations to which the personal data was disclosed within a year before the correction is made.

17
Q

What are the correction obligations in HK

A

Data subjects are entitled to request the correction of personal data without charge to the data subject

18
Q

What are the correction obligations in India

A

The business should ensure that any information found to be inaccurate or deficient be corrected

19
Q

What are the complaint rights of individuals in SG

A

Can submit complaint to PDPC. Individual can also take civil action against the organisation.

20
Q

What are the complaint rights of individuals in HK

A

Can submit complaint to PCPD. Privacy Comm may grant assistance such as legal rep and advice to data subjects

21
Q

What are the complaint rights of individuals in India

A

Body corporate must designate grievance officers to manage complaints. Grievance officer shall redress the grievances of the provider of info expeditiously, but within one month from the date of receipt of the grievance.

22
Q

What are the exemptions in SG

A

Public sector, public authorities, publicly available information, public agency, business contracted by SG gov

23
Q

What are the exemptions in HK

A

Chinese central gov org and media

24
Q

What are the exemptions in India

A

Limited application for sensitive data, limited application to “providers” not data subjects, freedom of speech, lack of openness

25
Q

What is the difference between privacy and security?

A

Info privacy: Application of rules that govern collection, usage and disclosure (CUD) of personal data / information

Info security: Also protecting any type of info or info asset that supports a business, while ensuring Confidentiality, Integrity and Availability (CIA)

26
Q

What are the info security requirements in SG?

A

Must make reasonable security arrangements to prevent unauthorised access, collection, use and other risks

27
Q

What are the info security requirements in HK

A

DPP4 - Security: A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use

28
Q

What are the info security requirements in India

A

The IT Act requires reasonable security procedures to be maintained in order to escape liability. Either standards-based, or a code developed by an industry association and approved and notified by the government. Audit at least once a year by an independent auditor approved by the government.

29
Q

What are the DPO requirements in SG?

A

Each org must appoint one or more DPOs. May delegate certain reps, including to non-employees. Business contact details of the DPO must be made available to the public.

30
Q

What are the DPO requirements in HK

A

No legal requirement for a DPO. However, the PCPD issued a best practice guide to encourage data users to appoint a DPO.

31
Q

What are the DPO requirements in India?

A

Every corporate entity collecting SPDI must appoint a Grievance Officer to address complaints, and respond to requests in an expeditious manner within one month.

32
Q

What are the breach notification requirements in SG?

A

No mandatory requirement.

Best practice guide recommends that affected individuals be notified immediately if sensitive personal data involved.

PDPC should be notified ASAP for breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.

33
Q

What are the breach notification requirements in HK

A

No mandatory requirement.

However, non-binding guidance issued by the PCPD encourages notification to the PCPD and to data subjects where there would be a risk of harm from not notifying.

34
Q

What are the breach notification requirements in India

A

Upon the occurrence of certain cybersecurity incidents, companies are required to notify CERT-In within a reasonable time.

Breach notice obligations depend upon the place of occurrence of such breaches and whether or not Indian customers have been targeted.

35
Q

What are Binding Corporate Rules?

A

BCRs are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or the group.

36
Q

What is pseudonymisation?

A

Anonymisation technique that replaces personal identifiers with other references

37
Q

What is de-identification?

A

Process used to prevent a person’s identity from being connected with info

38
Q

What is anonymisation?

A

Removing identifying info

39
Q

What is the definition of personal data in SG?

A

Data, whether true or not, about an individual who can be identified from that data and other information to which the organisation has or is likely to have access.

Individual is defined as a natural person, whether living or deceased.

40
Q

What is the definition of personal data in HK

A

Data relating directly or indirectly to a living individual, from which it is practicable to identify the individual, in a form in which access to or processing of the data is practicable.

Does not protect info concerning a deceased individual

41
Q

What is the definition of personal data in India?

A

No definition of personal data, only personal information.

Defined as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.

42
Q

What is the definition of sensitive data in SG?

A

No concept or specific requirement.

Reasonableness requirement in CUDS leads to a need for additional measures in practice in connection with sensitive data.

43
Q

What is the definition of sensitive data in HK

A

No concept or specific requirement.

Sensitive data include identity card numbers, healthcare data, biometric data and financial info.

44
Q

What is the definition of sensitive data in India?

A

SPDI includes passwords, financial info, physical, physiological and mental health condition, sexual orientation, medical records and history, biometrics.

45
Q

What are the children’s data protection rules in SG?

A

No concept or specific requirement.

In the advisory on Data Activities relating to Minors:

Age threshold of 13: a minor of that age typically has sufficient understanding to be able to consent on his own behalf.

46
Q

What are the children’s data protection rules in HK?

A

No concept or specific requirement

PCPD leaflet to help parents and teachers help children under their care to protect their personal data in the online environment.

47
Q

What are the children’s data protection rules in India?

A

Child pornography is a crime.

s67 of the IT Bill: creating, transmitting or browsing obscene material.

48
Q

What is the treatment of publicly available data / registries in SG?

A

Generally available if any member of the public could obtain or access the data with few or no restrictions.

Consent not needed if data is publicly available.

49
Q

What is the treatment of publicly available data / registries in HK?

A

May access and obtain public information, but must still observe Data Protection Principles 1(2) and 3.

If used for direct marketing activities, must comply with Part VIA of the PDPO and obtain consent.

Relevant factors for assessing:

  • Original purpose for which the personal data was placed in the public domain
  • Restrictions
  • Reasonable expectation of the personal data privacy of the data subjects
50
Q

What is the treatment of publicly available data / registries in India?

A

No mention of treatment of public registers.

51
Q

What is the National ID system in India?

A

UIDAI (Unique Identification Authority of India), created in 2009 to issue the biometric UID, Aadhaar.

52
Q

What is the position for national surveillance in SG?

A

Credit reporting covered under where necessary for loan evaluation.

53
Q

What is the position for national surveillance in HK

A

PDPO Code of Practice on consumer credit data.

54
Q

What is the position for national surveillance in India

A

Only India has credit reporting limitations.

The Credit Information Companies (Regulations) Act is the only Indian legislation, other than the IT code, to have its own data protection code.

India’s Centralised Monitoring System.

55
Q

What are the rules on data processing and export in SG?

A

Transfer only where the overseas organisation provides a comparable standard of protection.

56
Q

What are the rules on data processing and export in HK?

A

S33 PDPO - prohibits transfer abroad except in certain circumstances.

57
Q

What are the rules on data processing and export in India?

A

A business can only transfer the SPDI or information to a party overseas if the overseas party ensures the same level of protection provided for under the Indian Rules.

58
Q

What is the position for intermediaries in SG?

A

Only the Retention Limitation and Protection obligations are applicable.

59
Q

What is the position for intermediaries in HK

A

Data processor: DPP2 (Accuracy and Retention) and DPP4 (Security) have been revised to cover data processors.

In outsourcing arrangements (within or outside HK), the data user must adopt “contractual means or other means” to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of that data.

The data user remains accountable for the acts done and practices engaged in by the data processor.

60
Q

What is the position for intermediaries in India?

A

No concept of data processor - only body corporate

The entire s43A and the Rules are clearly intended to impose liability on:

  • Business process outsourcing
  • IT enabled Services
  • Other outsourced providers
61
Q

What is the extra-territoriality of the data privacy rules in SG?

A

No specific provisions for extraterritorial operations of the PDPA.

Foreign companies which do not have a physical presence in SG can still be liable under the PDPA, but only for actions which take place in SG, such as collection or disclosure of personal information.

62
Q

What is the extra-territoriality of the data privacy rules in HK?

A

No provision dealing with extraterritorial application of the ordinance.

In the Yahoo HK case, the Privacy Commissioner concluded that the China entities were not liable.

63
Q

What is the extra-territoriality of the data privacy rules in India?

A

IT Act s1(2): unlimited territorial jurisdiction; applies to any offence or contravention committed outside India by any person.

Section 75(1) and (2) states that “the act or conduct constituting the offence involved a computer, computer systems or computer network located in India.”

64
Q

What are the rules for marketing in SG?

A

The data protection principles apply to any marketing activities (including electronic marketing) which involve the collection, use or disclosure of personal data.

Telemarketing needs to comply with DNC provisions.

65
Q

What are the rules for marketing in HK?

A

Data users who wish to use personal data for the data user’s own direct marketing purposes must obtain prior consent from the data subject for such action and notify the data subject accordingly.

If consent given orally, data users have the additional obligation to send a written confirmation to the data subject confirming the particulars of the consent received.

Sharing personal data with third party requires prior written consent.

66
Q

What are the rules for marketing in India?

A

Act does not refer to electronic marketing directly. Privacy rules provide the right to “opt out” of email marketing, and the company’s privacy policy must address marketing and info collection practices.

DNC registry effectively implemented by TRAI.

67
Q

What are the OECD principles?

A
CUPIDASO
Collection Limitation 
Use Limitation
Purpose Specification 
Individual Participation
Data Quality
Accountability
Security safeguards
Openness
68
Q

What are the SG PDPA Principles?

A

Carp on Tap

Consent
Accuracy
Retention Limitation
Purpose Limitation

Openness/accountability
Notice Specification

Transfer Limitation
Access & Correction
Protection

69
Q

What are the India security practices rules?

A

Rule 4 : Provide privacy policy
Rule 5: Collection of information (Consent and Purpose Limitation; lawful purpose and minimal collection; notice and purpose limitation; retention; use; subject access and correction; option to refuse or withdraw consent; security; complaint handling)
Rule 6: Disclosure limitations and exceptions/ Processing of info
Rule 7: Transfer of information/ data export restriction
Rule 8: Reasonable security practices and procedures

70
Q

What are the HK data privacy rules

A

CArUSOA

  1. Collection
  2. Accuracy & Retention
  3. Use
  4. Security
  5. Openness
  6. Access & Correction
71
Q

What HK law covers surveillance and identification?

A

Interception of Comms and Surveillance Ordinance

Introduced a requirement for judicial authorisation of both interception of communications and the more intrusive types of other covert surveillance by law enforcement bodies, while allowing law enforcement agencies to sanction their own use of less intrusive forms.

72
Q

What are the key constitutions for the protection of privacy in HK

A

Basic Law, which provides for the continued application of the International Covenant on Civil and Political Rights; Bill of Rights Ordinance.

ICCPR 1966 is the broadest international convention protecting human rights.

73
Q

What is the key ICCPR provision?

A

Art 17 - deals with the protection of privacy, family, home, correspondence, honour and reputation.

74
Q

What is the HK Bill of Rights 1991?

A
  • Binding only on the gov and all public authorities
  • Article 14 replicates Article 17 of the ICCPR

75
Q

What is the HK position for online tracking info?

A

Consent is needed if online tracking info relates to personal data and is collected for direct marketing purposes

76
Q

What are the Codes of Practice issued for HK DPP1

A

Consumer credit data, human resource management, IC and other personal identifiers

77
Q

What does excessive disclosure of personal information breach in HK?

A

DPP3 Use

78
Q

What are the consequences of not providing a HK user with an opt out right from consent?

A

Non-compliance: fine of HK$500k-1m and imprisonment of 3-5 years, depending on whether the personal data was used for personal gain.

79
Q

What are the security measures (DPP4) for outsourcing in HK?

A

In outsourcing arrangements (within or outside HK), data users must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor (DPP4(2)).

80
Q

What are the new amendments for DPP5 in HK under the Amendments Ordinance?

A

Commissioner is empowered to serve an enforcement notice directing a data user who is found to have contravened DPP5 (Openness) to remedy the contravention and, if appropriate, prevent any recurrence.

Recommendations: a systematic approach by data users in implementing a privacy management programme built upon a robust data privacy policy and practices that are properly executed, reviewed and assessed by designated data protection officers.

81
Q

How Long can personal data of unsuccessful candidates be held in HK?

A

2 years from date of rejection. May retain beyond 2 years if it has a subsisting reason to do so or the applicants have given their consent.

82
Q

What are the consequences of breaching an enforcement notice in HK?

A

Fine of HK$50k on first conviction and HK$100k on subsequent conviction and imprisonment for two years

83
Q

What are the penalties for direct marketing contraventions in HK?

A

If the data user provided data for gain: fine of up to HK$1m and imprisonment for up to five years.

If otherwise than for gain: fine of up to $500k and imprisonment for up to 3 years.

If it fails to stop using data for direct marketing: punishable by a fine of up to HK$500k and imprisonment for up to 3 years.

84
Q

Which two DPPs were breached by Octopus in 2010?

A

DPP1 Data collection: collected HKID etc. for authentication. Commissioner found that Octopus had failed to justify the claim that collecting HKID numbers was necessary to safeguard against damage and loss. PICS also in unreasonably small font.

DPP3 - Data use (sale of personal data not made clear to data subject)

85
Q

What can a HK complainant appeal to AAB?

A

A complainant may appeal to AAB (Administrative Appeals Board) against a decision of the Privacy Commissioner not to issue an enforcement notice following an investigation into a complaint.

Can also appeal a decision not to investigate, to discontinue an investigation, or to issue an enforcement notice.

86
Q

What are the two HK consultative advisory committees?

A

Personal Data (Privacy) Advisory Committee to advise the Commissioner on privacy matters.

Standing Committee on Technological Developments - to advise the Commissioner on matters relevant to the developments in the processing of data and computer tech

87
Q

What laws regulate data privacy in India?

A

ITA 2000, ITAA 2008!

In April 2011, the Indian Ministry of Communications and IT published four sets of rules implementing certain provisions of the 2008 amendment:

  • The Security Practice Rules require entities holding SPDI to maintain certain specified security standards
  • The Intermediary Guidelines Rules
  • The Cyber Cafe Rules
  • Electronic Service Delivery Rules
88
Q

What are the key sectoral laws in India?

A

Public Financial Institutions Act 1993, Professional Code of Ethics of Doctors, Telecommunications Laws, Banking Laws

89
Q

What are the two major laws dealing with telephonic and digital surveillance in India?

A

Indian Telegraph Act 1885
- interception in a public emergency and if it is considered necessary

ITA 2000
- s69: empowers Central Gov and State Gov to issue directions for monitoring, intercepting or decrypting any info transmitted, received or stored through a computer resource.

90
Q

What is the Indian surveillance system?

A

Centralised Monitoring System - gives the authorities sweeping access to citizens’ phone calls and internet comms in the name of national security.

No law exists which mandates or regulates the CMS. This mass surveillance system is merely regulated under section 5(2) of the Indian Telegraph Act 1885 which empowers the Indian gov to intercept comms on the occurrence of any public emergency or in the interest of public safety.

91
Q

What is the only Indian legislation, other than the ITA, to provide a data protection code?

A

Credit Information Companies (Regulation) Act

92
Q

Are there any express provisions in the Constitution of India on the right to privacy?

A

Only implicit in 2 fundamental rights:

  • Art 19(1)(a): Right to freedom of speech and expression
  • Art 21: Right to life and personal liberty
93
Q

What are the permitted reasonable restrictions in Art 19(2) in the constitution of India?

A

State can impose any reasonable restrictions:
(A) in the interest of sovereignty and integrity of India
(B) Security of the state
(C) Friendly relations with foreign states
(D) Public order
(E) Decency
(F) Morality
(G) Contempt of court
(H) Defamation
(I) Incitement to an offence

94
Q

What Indian act mandates timely response to citizens’ requests for gov info?

A

Right to Information Act 2005

95
Q

What are the key highlights under the proposed data protection act released by the Ministry of Electronics & IT, Gov of India (MeitY)?

A

(1) Extra territorial application to foreign data processors insofar as they have a business connection to India or carry on activities involving profiling of individuals in India
(2) Differential obligations for personal data and sensitive personal data
(3) Obligations of the Data Controller: Notice, Purpose and Collection Limitation, maintaining data quality, storage Limitation
(4) Grounds for processing in addition to consent include use for employment purposes as well as emergencies

96
Q

What are high-risk data processors required to implement under the upcoming India Data Protection Act?

A

Trust scores, data audits as well as a data protection impact assessment

97
Q

Is data localisation applicable in India?

A

Under the upcoming Data Protection Act, a copy of all personal data must be stored in India; additionally, the Gov may notify certain types of personal data that should mandatorily be processed only in India. The Gov has retained for itself the power to exempt storage of copies of Sensitive Personal Data.

98
Q

What are the requirements for cross border data flows under the upcoming Indian Data Protection Act?

A

In addition to consent, cross-border transfers would also require the use of: (a) model clauses and (b) possible adequacy requirements, that is, transfer to jurisdictions approved by the Gov.

99
Q

What is the court that resolves disputes under the IT Act 2000?

A

Cyber Appellate Tribunal

100
Q

What is s43 of the IT Act in India?

A

Section 43 relates to penalty and compensation for damage to computers and computer systems, which attracts civil prosecution and criminal action.

101
Q

What is section 65 of the Indian IT Act?

A

Tampering with computer source documents

Penalty: 3 yrs imprisonment and 2 lakh rupees

102
Q

What is section 66 of the IT Act

A

Hacking of computer system

Penalty: 3 yrs imprisonment and fine up to INR 500,000

103
Q

What is section 72 of the Indian IT Act?

A

Penalty for breach of confidentiality and privacy

Penalty: Three years imprisonment (fine up to INR 100,000)

104
Q

What does the new Section 43A of the ITAA cover?

A

(A) Where a body corporate
(B) possessing, dealing and handling SPDI or info in a computer resource that it owns, controls or operates
(C) is negligent in implementing and maintaining reasonable security practices and procedures
(D) Causes wrongful loss or gain
(E) Liable to pay damages by way of compensation, not exceeding five crore rupees, to the persons affected

105
Q

What is s66A of the ITAA?

A

Held to be unconstitutional because it was overbroad; it penalised the sending of offensive messages.

Petition that it violated the freedom of speech guarantee in art 19(1)(a) in the Constitution of India

Found unconstitutional in the Shreya Singhal 2015 case

106
Q

Which sections of the ITAA penalise identity theft and computer based scams?

A

Sections 66C and 66D

107
Q

Which is the national agency for cybersecurity in India?

A

Indian Computer Emergency Response Team as established by s70B ITAA

108
Q

What is the coverage of the IT Rules 2011?

A

Bodies corporate or persons located in India

Does not apply to the processing of data in India regarding data subjects located overseas

Some of the rules do not apply to B2B, but only to the collection of individuals’ data by businesses

Covers private sector only

109
Q

What three categories are exempt under the IT Rules?

A

Religious and social, charitable orgs, non-commercial orgs, non-automated data

110
Q

What is the definition of “personal data” under the IT Rules?

A

No specific definition of the term “personal data”

IT Rules define “personal info” as “any info that relates to a natural person which, either directly or indirectly, in combination with other info available or likely to be available with a body corporate, is capable of identifying such a person.”

111
Q

What is SPDI under section 43A?

A
  • passwords
  • financial info
  • physical, physiological and mental health info
  • sexual orientation
  • medical records and history
  • biometric info
112
Q

What is the definition of a body corporate?

A

Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

113
Q

Under the India IT Rules, is there data protection where info is collected from third parties or other documentary sources?

A

Possibly not, as some rules only apply to “providers of information”.

114
Q

What is acceptable as reasonable security procedures under s8 of the IT Rules?

A

Either the IS/ISO/IEC 27001 or a code developed by an industry association and approved and notified by the government.

115
Q

Who is the regulator of CICRA?

A

Reserve Bank of India

Any Indian citizen can also move the National Human Rights Commission with an application alleging violation of the privacy right.

116
Q

Who enforces the IT Act in India?

A

The adjudicating officer and Cyber Appellate Tribunal and thereafter, the different High Courts and the Supreme Court

117
Q

Who regulates unsolicited commercial communications through telephone or text?

A

Telecom Regulatory Authority of India (TRAI)

Telemarketers must register with TRAI before they may send out marketing communication through telephone or text messages.

Subscribers can register their preferences with the Customer Preference Registration Facility (CPRF), which serves as India's DNC registry.

118
Q

What is s46 of the IT Act?

A

It provides for the appointment of an adjudicating officer to adjudicate contraventions of the IT Act.

119
Q

What kind of claims does an Indian adjudicating officer have jurisdiction over?

A

Claims only to a max of INR 50 million. Jurisdiction for all claims exceeding INR 50 million is vested with the competent court

120
Q

Are the orders of the adjudicating officer appealable?

A

Yes before the Cyber Appellate Tribunal and thereafter, to the High Courts and the Supreme Court.

121
Q

What are the powers of the adjudicating officer?

A
  • Hear offences of a civil and criminal nature
  • Award compensation as damages in a civil remedy
  • Impose penalties for the contravention of the Act

122
Q

How soon must grievance officers redress grievances according to the IT Rules?

A

Within one month from date of receipt

123
Q

What is s72A of the IT Act?

A

Punishment for disclosure of information in breach of a lawful contract: imprisonment up to 3 years, or a fine up to five lakh rupees, or both.

124
Q

What is the NCDRC and what is its function?

A

National Consumer Disputes Redressal Commission

Consumers can lodge complaints with it; its jurisdiction includes consumer disputes involving privacy issues.

125
Q

What are the penalties for breaching the PDPA?

A

Financial penalty of up to S$1 million. For DNC breaches, a fine of up to S$10,000 per offence.

126
Q

What are the penalties for breaching the PDPO?

A

Fines of HK$500,000 to HK$1 million and imprisonment of 3 to 5 years.

127
Q

What is business contact info in SG?

A
The personal data protection rules do not apply to business contact info, which is defined as:
- an individual's name
- business title
- business telephone number
- business address
- business email or fax
- any other similar info
that is not provided by the individual solely for his or her personal purposes.

128
Q

What is the definition of “organisation” in Singapore

A

Any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business, in Singapore.

129
Q

What is the definition of individuals in PDPA?

A

A natural person, whether living or deceased. Data relating to corporate bodies and other legal persons is not covered.

130
Q

What is the definition of a data intermediary?

A

An organisation that processes personal data on behalf of another organisation, but does not include an employee of that other organisation.

131
Q

What provisions apply for a deceased person who has been dead for 10 yrs or fewer

A

Only the disclosure and protection obligations apply.

132
Q

What is the definition of a “specified message”?

A

Under s37 PDPA, a message is a “specified message” if the purpose of the message, or one of its purposes is:
- to advertise, promote or offer to supply or provide any of the following:
> goods or services
> land or an interest in land or
> a business opportunity or an investment opportunity
- to advertise or promote a supplier/ provider or prospective supplier/ provider

133
Q

What are the exclusions from the scope of the DNC as set out in the 8th Schedule of the PDPA?

A

For voice calls, text and fax messages:

  • B2B marketing
  • Personal calls and SMSes
  • Market research / surveys
  • Messages by public agencies for non-commercial programmes
  • Servicing messages
  • Customer service messages (e.g. appointments)

For text and fax messages only (does not apply to voice calls):

  • the sender has a current, ongoing relationship with the recipient, and
  • the message relates to the subject of that ongoing relationship

134
Q

What does the exemption for evaluative purposes mean?

A

Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. (This is set out as exception 1(f) in the Second Schedule, 1(f) in the Third Schedule and 1(h) in the Fourth Schedule respectively).

The term “evaluative purpose” is defined in section 2(1) of the PDPA and includes, amongst other things, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.

Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual or employee concerned for various purposes that are common in the employment context, for example:

a) Obtaining a reference from a prospective employee’s former employer to determine his suitability for employment; or
b) Obtaining performance records or other relevant information or opinions to determine the performance of an employee.

135
Q

Is consent required when using personal data for managing and terminating the employment relationship in Singapore?

A

No consent required, only notification needed.

The PDPA does not prescribe the manner of notification and organisations should determine the form and manner that would provide the individual with the required information that allows him to understand the purposes for which his personal data would be collected, used and disclosed. For example, organisations may determine in the particular circumstances if it would be appropriate to inform their employees of these purposes through employment contracts, employee handbooks, or notices in the company intranet. Organisations should also keep their employees updated about new purposes for which an employee’s personal data may be collected, used and disclosed without consent.

For the avoidance of doubt, where an organisation has sufficiently provided a general notification to employees on the purposes for which their personal data may be collected, used and disclosed, for example for performance appraisals, the Commission does not expect organisations to notify employees of the same purpose prior to each time that the organisation engages in such activities.

136
Q

When would consent be invalid under the PDPA?

A

Consent is invalid if:

  • the individual is forced to give consent
  • the individual has not been notified of the purpose
  • the purposes are beyond what a reasonable person would consider appropriate
  • the organisation provides false or misleading information, or uses deceptive or misleading practices, to obtain consent

137
Q

What are the exceptions to consent for collection in SG?

A

Emergency, publicly available data, public agency

138
Q

What are the exceptions to consent for usage in SG?

A

Employment, business purposes, professional purposes, business asset transactions.

139
Q

What are the exceptions to consent for disclosure in SG?

A

Recover debts, make payment, evaluative purposes.

140
Q

What are the options to satisfy the requirement of comparable standard of protection in SG?

A
  • Recipient country has adequate data protection law
  • getting informed consent
  • coming within an exception
  • getting contractual protection or
  • relying on binding corporate rules

141
Q

When was the PDPC established?

A

2 Jan 2013

From 1 Oct 2016, the IMDA is designated as the PDPC

142
Q

Individuals who suffer loss or damage directly as a result of a contravention of which provisions of the PDPA have a right of action for relief in civil proceedings?

A

Part IV- Collection, use and disclosure of personal data
Part V- Access to and correction of personal data
Part VI- Care of personal data

143
Q

What is the liability for breaches of the Banking Act?

A

For an individual: a fine up to $125,000 and/or imprisonment up to 3 years. For a non-individual: a fine up to $250,000.

144
Q

Outsourcing Risk Management key requirements

A

Institutions should perform:

  • The necessary due diligence and apply sound governance and risk management practices when subscribing to cloud services
  • take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing
  • Ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls

145
Q

What directions can PDPC give to Ensure compliance with the PDPA?

A
  • To stop collecting, using or disclosing personal data in contravention of the PDPA
  • To destroy personal data collected in contravention of the PDPA
  • To comply with any directions concerning access and correction
  • Except where the failure to comply with the PDPA is an offence, to pay a financial penalty not exceeding $1m

146
Q

What are the possibilities for appeal or individuals or orgs dissatisfied with PDPC decisions?

A

28 days to appeal to the Data Protection Appeal Panel (DPAP).

The appeal is heard by an Appeal Committee (3 or more members). Appeal Committees have all the powers and duties of the PDPC necessary for their work, plus those of a District Court.

There can also be further appeals to the High Court (on a point of law or on the amount of a financial penalty) and then to the Court of Appeal. No such appeals thus far.

147
Q

How should organisations handle data breaches under PDPC guidance?

A

Containing the breach
Assessing risks and impact
Reporting the incident
Evaluating the response and recovery to prevent future breaches

148
Q

Is it an offence to make an access or correction request about another individual without the authority of that individual in SG?

A

Yes under s51(1) PDPA.

A person who commits an offence under s51(1) is liable to a fine not exceeding 5k or to imprisonment for a term not exceeding 12 months or to both.

149
Q

Is it an offence to alter, destroy documents to evade an access and/or correction request in SG?

A

Yes, under s51(3)(a) of the PDPA.

An organisation or person that commits an offence under s51(3)(a) is liable:

  • in the case of an individual, to a fine not exceeding $5,000
  • in any other case, to a fine not exceeding $50,000

150
Q

What PDPA offence is under s51(3)(b) and (c)?

A

(b) Obstructing or hindering the PDPC in the exercise of its powers or performance of its duties; or
(c) Knowingly or recklessly making a false statement to the PDPC, or knowingly misleading or attempting to mislead the PDPC in the course of the performance of its duties or the exercise of its powers under the PDPA.

151
Q

What is the penalty for breaching 51(3)(b) and (c) PDPA?

A

In the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.

In any other case, to a fine not exceeding $100,000.

152
Q

What are the penalties for breaching the DNC

A

A fine of up to $10,000 per offence. In appropriate cases, the PDPC may compound the offence for a sum of up to $1,000.

153
Q

Outsourcing arrangements in the 2012 amendments of the HK PDPO are requirements under which data protection principles?

A

Security principle (DPP 4) as well as Accuracy and Retention (DPP 2)

154
Q

What is the significance of the Do No Evil Mobile App case in HK?

A

Issue of aggregating data from publicly available sources- The Commissioner ruled that the use of personal data obtained from the public domain for due diligence review and background check was inconsistent with the original purpose of data collection by the Judiciary, ORO and Companies Registry, as well as their purposes of making the data publicly available.

155
Q

The Octopus Rewards case was a breach of which data protection principles under the PDPO?

A

Data collection and data use

156
Q

Can a complainant appeal the decision of the AAB in HK?

A

There is no appeal against the decision to court, but aggrieved parties can seek judicial review of the AAB decision.

157
Q

Of SG, HK and India, which jurisdictions define personal data as information relating directly or indirectly to an identifiable individual?

A

HK and India

HK: Data relating directly or indirectly to a living individual (the data subject), from which it is practicable to identify the individual, and in a form in which access to or processing of the data is practicable.

India: Defined as any info that relates to a natural person, which, either directly or indirectly, in combination with other info available or likely to be available with a body corporate, is capable of identifying such a person.

Singapore does not make such references in the PDPA

158
Q

What kind of individuals are not covered by Singapore’s PDPA?

A

An individual employing a domestic maid is not covered, as the PDPA does not apply to any individual acting in a personal or domestic capacity.

Would cover a financial advisor or a Real Estate agent.

159
Q

What kind of records are exempted by PDPA?

A

Personal data that is in a record more than 100 yrs old

160
Q

Which telephone lines applies to SG’s DNC registry?

A

Fixed residential lines and business numbers, although B2B marketing is excluded (a telemarketer may target a CEO and call him or her at his or her office line).

163
Q

The following are requirements under the SG DNC registry rules except:

A

Providing opt in consent at point of collection.

Real requirements: Organisations must check against DNC registry within 30 days before doing marketing unless they have clear and unambiguous consent in evidential form, display their ID, contact info and originating number.

164
Q

What are the exceptions to getting consent in Singapore?

A
  • Emergency situation
  • Publicly available data
  • When the information consists of documents produced for employment, business or professional purposes (eg. a business contract which involves personal data)
  • When two companies merge or there is an acquisition (business asset transactions)

165
Q

Which of the following does not apply when managing opt outs?

A

Clear and unambiguous consent is not a requirement of the Consent obligation (it arises under the DNC provisions, not the Consent obligation).

Fresh consent for new purposes is required under the consent obligation and purpose Limitation obligation.

166
Q

Is there a common law tort of invasion of privacy in Hk or SG?

A

No

167
Q

Which are the ways in which there is constitutional protection of privacy in HK?

A
  • Basic Law specifically provides the protections in relation to privacy
  • HK's Bill of Rights Ordinance
  • Basic Law (1990) provides for the application of the ICCPR

168
Q

Does the PDPO distinguish between automated and non automated data or processing?

A

No

169
Q

How is “person” defined in HK PDPO?

A

Includes any public body and any body of persons, corporate or unincorporate

170
Q

What is the definition of a data user?

A

A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.

171
Q

Is fabricated or untrue data relating to an individual considered as personal data under Hk PDPO?

A

No.

Likewise, biometric data, mobile phone numbers and exam scripts on their own are not considered personal data unless coupled with other personally identifying information.

172
Q

What are the key amendments in the Personal Data (Privacy) (Amendment) Ordinance 2012?

A

The Amendment Ordinance changes took effect on 1 Oct 2012 :

  • use of personal data for direct marketing (new sections 35B to 35H)
  • provision of personal data to another for use in direct marketing (new sections 35I to 35M)
  • exclusions for social services, welfare dept, health care services
  • disclosure of personal data obtained without consent
  • regulating data processors
  • enforcement notices
  • legal assistance for aggrieved individuals

173
Q

What is a general vs partial exemption under Hk PDPO?

A

General exemption: personal data held for domestic or recreational purposes

Partial exemption: publicly available data, employment related matters, legal proceedings and legal privilege

174
Q

What are the constitutional protections that may relate to privacy in India?

A

The Constitution of India does not contain any express provision on the right to privacy. It is only implicit in two fundamental rights under the Indian Constitution:

  • Right to freedom of speech and expression (Art 19(1)(a))
  • Right to life and personal liberty (Article 21)

Other (statutory) protections

  • The Right to Information Act 2005
  • The Protection of Human Rights Act 1993

175
Q

Section 43A and the 2011 Rules are also known as

A

Reasonable security practices and procedures

176
Q

Which of the three jurisdictions has a code of practice for the national ID?

A

PCPD Code of Practice on ID card numbers and other personal identifiers
