PDPA

Question 1

Purpose of PDPA?

Answer 1

To govern collection, use, and disclosure of personal data
by organisations
in a manner which recognises
the individual’s right to protect personal data,
and the organisation’s need to collect, use, and disclose personal data, for purposes which a reasonable person would consider appropriate in the circumstances.

Question 2

Who is exempted from Pts III - VI?

Answer 2

• individual acting in personal or domestic capacity
• employee acting in the course of employment with organisation
• public agency or org acting on behalf of public agency
• any other prescribed org or personal data

Question 3

What is an “individual” under the PDPA?

Answer 3

Natural person whether dead or alive

Question 4

Data intermediary exemption?

Answer 4

Exempted from Pts III - VI

• if the org is processing personal data on behalf of, and for purposes of, another org
• pursuant to a contract evidenced / made in writing

EXCEPT FOR

• s24 (protection of personal data)
• s25 (retention of personal data)

Note: Org is still responsible for the personal data as if it were processing it.

Question 5

What is an “organisation” under the PDPA?

Answer 5

• Individual
• Company
• Association
• Body of persons incorporated / unincorporated
• Whether or not formed / recognised in SG
• Whether or not resident, has office, or has place of business in SG

Question 6

What is “domestic” under the PDPA?

Answer 6

Relates to home or family

Question 7

What age of data is exempted from the PDPA?

Answer 7

• Personal data in a >= 100yr record
• Personal data about dead person,
  but if dead for <=10 years, still subject to s24 (protection of personal data)

Question 8

What is “business contact information” under the PDPA?

Answer 8

Exempted from Pts III - VI PDPA, unless BCI expressly referred to.

Question 9

What obligations on companies IRT policies and practices?

Answer 9

(1) Org must develop and implement policies and practices needed to comply with PDPA.
(2) Must communicate them to staff.
(3) Must develop process to receive and respond to complaints.
(3) Upon request, must make info on (1) and (3) available.

Question 10

What obligations on companies IRT DPO?

Answer 10

• Must designate one; can be external / internal.
• DPO can delegate responsibilities.
• DPO’s biz contract info must be available.

Question 11

What happens if a data intermediary goes beyond its contract with the org, in processing data?

Answer 11

Will no longer be a data intermediary in respect of that processing, and will be subject to all the obligations of the PDPA.

Question 12

What is a “data intermediary”?

Answer 12

An org processing data on behalf of another org (but not an employee of that org).

Question 13

What is “processing”?

Answer 13

Carrying out operations IRT personal data, including:

(1) recording
(2) holding
(3) organisation, adaptation, alteration
(4) erasure, destruction
(5) retrieval
(6) transmission

Question 14

What can the PDPC review IRT an org’s decision?

Answer 14

(1) Org refused / failed to give access to personal data.
(2) Amount of $ charged to access / correct personal data [not supposed to charge to correct].
(3) Org refused to correct personal data, or failed to do it within reasonable time.

Question 15

Can appeal PDPC?

Answer 15

Can apply to PDPC within 28 days to reconsider decision / direction. But does not suspend it unless IRT financial penalty.

Can also appeal to Data Protection Appeal Panel within 28 days. But if you apply for PDPC reconsideration, this will be deemed withdrawn.

Then can appeal to HC:

(1) on point of law in decision / direction.
(2) amount of financial penalty.

Then can appeal to CA.

Question 16

Offences under the PDPA?

Answer 16

(1) Obstruction / impediment of PDPC or authorised officer.
(2) Dispose, alter, falsify, conceal, destroy records,
with intent to evade request to access / correct
or info about collection / use / disclosure