PDPA

Question 1

BS What is personal data?

Answer 1

Data, whether true or not, that an organisation has, that can narrow identification down to an individual. Business contact info (what can be found on name card/business website info doesn’t count)

Question 1

BS What counts as organisations?

Answer 1

natural persons, corporate bodies, associations etc, regardless of whether they are recognised/live in SG. Includes individuals when not acting in personal/domestic capacity.

Question 2

BS What is not allowed for NRIC/FIN? What are 4 exceptions?

Answer 2

Collection, Use, Disclosure. (c/u/d)

1) required by law
2) healthcare
3) financial/real estate transactions
4) emergency

Question 3

BS What is the protection obligation [PDPA] of an organisation?

Answer 3

An organisation must make reasonable security arrangements to prevent unauthorised access to personal data

Question 4

BS How is PDPA enforced? (2)

Answer 4

1) one makes a complaint to Personal Data Protection Commission (PDPC)
2) PDPC can: fine/warn offender or direct offender to act (e.g. training)

Question 5

BS What are organisations required to do when c/u/d-ing your personal data? (3)

Answer 5

1) notify you of reasonable & specific purposes
2) get your valid consent (actual/deemed), preferably by opt-in (not by failure to opt-out)
3) cannot require an individual to consent to c/u/d of their personal data as a condition of providing a [primary] service - beyond what is reasonably required to provide the product/service. also cannot use deceptive/misleading practices to do so

Question 6

BS What does publicly available data refer to?

Answer 6

personal data that can be observed in public (by reasonably expected means)

Question 7

BS What data can be used without consent?

Answer 7

a
1) publicly available data
2) photos of you in location open to public with few restrictions
3) social media posts if privacy settings are: set to public, closed online group that public can join with minimal effort, not just your closed circle
4) profile photos on social media if set to public on public account
5) news activity by news organisation

Question 8

BS When is consent required for photos with identifiable people in places not open to public?

Answer 8

When photo is not for personal/domestic use (e.g. internet newsletter, website)

Question 9

BS How to get consent for photos with identifiable people in places not open to public? (2)

Answer 9

1) get recorded consent, OR

2) consent may be deemed (if subject allows photo to be taken after given notice of purpose)

Question 10

How to give notice for photos with identifiable people in places not open to public? (3)

Answer 10

1) state in invitation that photos will be taken, OR
2) obvious notice on premises, OR
3) photographer asks permission to take photo (for stated purpose) & you allow it

Question 11

Flashcard 1: Jurisdiction
Which organisations must comply with the PDPA regarding personal data activities?

Answer 11

All organisations dealing with the collection, use, and disclosure of personal data in Singapore, including those based overseas handling data of people in Singapore.

Question 12

What are examples of personal data that identify someone uniquely?

Answer 12

Full name, NRIC or FIN, passport number, mobile number, facial image, and biometric data (voice, thumbprint, iris image, DNA profile).

Business contact info (e.g., from business cards) is NOT considered personal data.

Question 13

How is personal data defined under the PDPA?

Answer 13

Data about an identifiable individual from either the data itself or combined with other accessible information. Determining if data is personal depends on context.

Question 14

When is it permissible to collect, use, or disclose NRIC/FIN?

Answer 14

Generally not allowed, except for legal requirements (e.g., mobile sign-ups), healthcare, financial/real estate transactions, and emergencies (e.g., COVID-19 contact tracing).

Question 15

What is considered an “organisation” under the PDPA?

Answer 15

Includes natural persons, corporate bodies, and associations, regardless of location, covering individuals when not acting in a personal or domestic capacity (e.g., freelance photographers).

Question 16

What actions can the PDPC take upon a PDPA complaint?

Answer 16

The PDPC can fine offenders, mandate corrective actions, issue warnings, and publish decided cases. Advisory Guidelines provide hypothetical examples.

Question 17

What is the Protection Obligation under PDPA?

Answer 17

Organisations must secure data to prevent unauthorized access. Example: PDPC fined IHiS and SingHealth S$1 million for a data breach.

Question 18

What happened in the NUS 2017 Freshmen Orientation Camp incident?

Answer 18

A Google Docs sheet with student data was widely shared without proper access control, violating the protection obligation. Result: Training requirement, not a fine.

Question 19

What are the two requirements when collecting, using, or disclosing personal data?

Answer 19

Notify individuals of reasonable, specific purposes and obtain valid consent (actual or deemed), preferably via opt-in. Exceptions: Public data and news.

Question 20

At a restaurant opening, if attendee data is collected without stating the purpose, what is the issue?

Answer 20

There was no notification of purpose, breaching PDPA requirements.

Question 21

What must be done when collecting, using, or disclosing personal data?

Answer 21

Notify individuals of specific purposes and secure valid consent, preferably opt-in. Exceptions: Public data and news.

Question 22

What makes a purpose “reasonably specific” for data use?

Answer 22

Specific purposes like offering discounts based on past purchases are acceptable, while vague statements are not.

Question 23

What is required for PDPA compliance when collecting personal data?

Answer 23

Notification of specific purposes and obtaining valid consent (actual or deemed), preferably by opt-in.

Question 24

Why is opt-in preferred over opt-out for obtaining consent?

Answer 24

Opt-in demonstrates clear consent, unlike opt-out, where inaction is deemed as consent.

Question 25

Under what conditions is opt-out consent acceptable post-2020 PDPA amendments?

Answer 25

If unlikely to harm individuals, with reasonable notification and response time provided.

Question 26

Does providing a mobile number for booking imply consent to receive relevant service updates?

Answer 26

Yes, for service-related updates (e.g., vehicle arrival). Not for unrelated promotions.

Question 27

When is consent for photography deemed at private events?

Answer 27

When notification states photo purposes or visible notices are displayed at the event.

Question 28

What are two practices that make consent invalid under PDPA?

Answer 28

Using deceptive practices or making consent conditional beyond necessary data collection for services.

Question 29

Is consent valid if a gym requires disclosure of data to third-party retailers?

Answer 29

No, disclosure for third-party marketing isn’t reasonably required for gym services.

Question 30

Can a gym require consent for data disclosure for entry into a prize draw?

Answer 30

Yes, as it’s beyond standard services and offers an optional incentive.

Question 31

When is personal data exempt from notification and consent requirements?

Answer 31

When data is publicly accessible in unrestricted public spaces, such as parks or malls.

Question 32

When is social media data considered “publicly available” under PDPA?

Answer 32

If privacy settings are public, groups are open, or content is accessible with minimal effort.

Question 33

Why are images of people in public spaces permissible for news under PDPA?

Answer 33

Licensed news organisations are exempt from notification/consent for news reporting.