Singapore Unit 2B PDPA II Flashcards
Is it mandatory to appoint DPO under SG PDPA? What must organisation do to comply with Section 12 (Accountability Obligation)?
Yes. Organisations are required to designate at least one individual as a Data Protection Officer (DPO), who oversees the organisation’s data protection responsibilities and ensures that the organisation complies with the PDPA.
Under PDPA Section 12, an organisation must:
- Develop and implement the policies and practices necessary for the organisation to meet its obligations under the PDPA, and
- Communicate information about those policies and practices to its staff
Staff Training
- All employees of the organisation must be trained on the internal corporate data protection policies and practices
> Classroom training
> E-learning
> Briefing sessions
- Compliance with the data protection policies and practices should be included in each employee’s employment contract. There should be disciplinary consequences that arise where there is a failure to comply with them.
Consent Obligation and exemptions
The organisation can only collect, use or disclose personal data for purposes for which an individual has given his or her consent.
Actual consent can either be verbal or written.
- Written consent preferred for future reference
- If verbal consent given, send written acknowledgment (as evidence)
Actual consents can be either:
- Express, e.g., “I hereby consent to …” or
- Implied, e.g., An action that is consistent only with actual consent
Consent can be given by a person validly acting on behalf of the individual.
Consent is invalid if:
- Individual is forced to give consent
- Individual has not been notified of the purpose
- Purposes are beyond what is reasonable
- The organisation obtains (or attempts to obtain) consent by giving false or misleading information about the collection, use or disclosure, or by using deceptive or misleading practices
An organisation must not prohibit an individual from withdrawing consent. On receiving notice of withdrawal, it must inform the individual of the likely consequences of withdrawing.
DEEMED CONSENT
1) Deemed consent by conduct
(a) An individual is deemed (that is, considered) to have given consent for a purpose if both:
(i) the individual, without actually giving consent, voluntarily provides the personal data to the organisation for that purpose; and
(ii) it is reasonable that the individual would voluntarily provide the data
2) Deemed consent by contractual necessity
3) Deemed consent by notification — requires a risk assessment and certain other steps to be taken and documented
CONSENT OBLIGATION - EXCEPTIONS
1) Vital Interest of individual
(a) Respond to emergency
(b) Contacting next-of-kin of injured, ill or deceased individual
2) Matters affecting the public
(a) Publicly available data
(b) National interest
(c) Artistic or literary purposes; news activity by a news organisation
(d) Archival/historical
3) Public interest
(a) Disclosure to public agency
(b) Law enforcement
4) Business asset transactions
5) Business improvement
6) Research
Disclosure for research purpose (historical, statistical)
7) Legitimate interests
(a) General legitimate interests: the legitimate interests of the organisation (or another person) outweigh any adverse effect on the individual. The organisation must conduct an assessment covering:
- Any adverse effect on the individual
- Reasonable measures to eliminate, reduce the likelihood of, or mitigate the adverse effect
- Compliance with the prescribed requirements
- Providing the individual with reasonable access to information about the organisation’s collection, use or disclosure of the personal data
(b) Specific legitimate-interest exceptions:
- Evaluative purposes and employment
- Investigations and legal proceedings
- Payment or recovery of debts
- Credit reporting
Purpose Limitation
The organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.
The organisation must not, as a condition of providing a product or service, require the individual to consent beyond what is reasonable to provide that product or service.
- Can only collect, use or disclose individuals’ personal data based on the specific purpose for which they have given consent.
- Collect personal data only to the extent that it is necessary and reasonable to meet legitimate business purposes.
- Obtain fresh consent if the purpose has changed.
- When asking for additional personal data, indicate which items are mandatory and which are optional, and the purpose for which the optional items will be collected, used or disclosed.
Notification Obligation
Organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.
Notification Obligation does not apply:
- Where there is deemed consent by conduct, deemed consent by contractual necessity
- Where there is an exception to the need for consent in the First and Second Schedules
Notification is required (on and after 1 February 2021) where:
- there is deemed consent by notification or
- the purpose is entering into an employment relationship or
- the organisation relies on a general ‘legitimate interests’ exception to consent
Notification should also include:
- Any purpose for the use or disclosure of the personal data which has not been previously notified to the individual.
- On request of the individual, the business contact information of a person who is able to answer, on the organisation’s behalf, questions about the collection, use or disclosure of the personal data.
Accuracy Obligation
Organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate, up-to-date and complete if the personal data is likely to be:
- Used by the organisation to make a decision that affects the individual concerned or
- Disclosed by the organisation to another organisation
Organisation must make reasonable effort to:
- Accurately record personal data which it collects
- Collect all relevant parts of the personal data (so that it is complete)
- Take appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness and
- Consider whether it is necessary to update the information
Protection Obligation
Organisation must protect personal data in its possession or within its control by making reasonable security arrangements to prevent:
a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
b) the loss of any storage medium or device on which personal data is stored (on and after 1 February 2021)
Personal data should be protected at 3 levels:
1) Administrative measures (implementation of policies, confidentiality statements and contracts)
2) Physical measures (safes, cabinets, vaults)
3) Technical measures (encryption, passwords, data loss prevention)
Retention Limitation Obligation
Organisation must cease to retain documents containing personal data or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that:
- Purpose for which the personal data was collected is no longer being served by retention of the personal data and
- Retention is no longer necessary for legal or business purposes
Depends on:
- The purpose(s) for which personal data was collected
- If one or more of the purposes for which it was collected remains valid
- Personal data should not be kept for “just in case”
- Other legal or business purposes e.g. legal action, required under other applicable laws or regulations, needed for generating annual reports, or performance forecasts, etc.
Access And Correction Obligation and exemptions
Organisation must upon request:
- Provide an individual with his personal data in the possession or within the control of the organisation, and information about the ways in which the personal data has been or may have been used or disclosed during the past one year
- Correct an error or omission in an individual’s personal data that is in the possession or within the control of the organisation
Organisation must preserve a complete and accurate copy of any personal data to which it refuses to give access until any appeals against that refusal are completed.
- Respond as soon as reasonably possible. If the organisation cannot fulfil the request within 30 days, it must inform the individual in writing within those 30 days of when it expects to be able to respond.
- If valid request, correct the personal data as soon as reasonably possible and send the corrected data to other organisations to which the personal data was disclosed within a year before the correction is made
- Not required to provide opinion data kept solely for an evaluative purpose
- Not required to alter an opinion, including a professional or expert opinion
- Can charge the individual a reasonable fee for access to personal data about the individual; the organisation must notify the individual of the fee first, and the fee should be limited to the incremental cost of providing access
ACCESS: PROHIBITION
Do not provide the personal data if by doing so, it could reasonably be expected to:
- cause immediate or grave harm to the individual’s safety or physical or mental health;
- threaten the safety or physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
- be contrary to national interest.
EXCEPTIONS TO ACCESS
- A repetitious request that would unreasonably interfere with the operations of the organisation
- A request where the burden or expense of granting access would be unreasonable to the organisation or disproportionate to the individual’s interest
- A request for information that does not exist or cannot be found
- A request for trivial information
- A frivolous or vexatious request
EXCEPTIONS TO CORRECTION:
- Opinion kept solely for evaluative purpose
- An examination conducted by an education institution, examination scripts and, prior to release, examination results
- PD of the beneficiaries of a private trust kept solely for the purpose of administering the trust
- PD kept by an arbitral institution or mediation centre solely for the purposes of arbitration or mediation proceedings
- Documents related to a prosecution where related proceedings have not been completed
Transfer Obligation
An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA. The organisation must:
- take appropriate steps to ensure that it continues to comply with the PDPA in respect of the transferred personal data, and
- ensure that the overseas recipient provides a standard of protection for the transferred personal data that is comparable to the protection under the PDPA
Options to satisfy requirement of comparable standard of protection include:
- Recipient country has adequate data protection law
- getting informed consent
- coming within an exception
- getting contractual protection or
- relying on binding corporate rules
- The overseas recipient holds a valid APEC Cross-Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP) certification
Data Breach Notification Obligation
DEFINITION - DATA BREACH
A data breach means:
a) unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
b) loss of any storage medium or device on which personal data is stored, in circumstances where unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur
A data breach is notifiable if it:
- is of significant scale (affects 500 or more individuals), or
- results, or is likely to result, in significant harm to the affected individuals (prescribed personal data involved)
Mandatory to notify the PDPC within 3 calendar days of determining that the breach is notifiable. Affected individuals must be notified where there is significant harm, at the same time as or after the PDPC notification and as soon as practicable.
Notify other regulators under other laws, e.g.
- MOH
- MAS
- EMA
*An unreasonable delay in assessing or notifying a breach is itself a breach of the Data Breach Notification Obligation
**a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.
DATA BREACH NOTIFICATION OBLIGATION
Significant harm include physical, psychological, emotional, economic and financial harm, as well as harm to reputation and other forms that a reasonable person would identify as a possible outcome of a data breach.
Prescribed Personal Data
1) Full name or full national identification number, in combination with:
- Financial information
- Life or health insurance information
- Specified medical information
- Private key used for authentication; biometric data, security code, access code, password or answer to a security question
- Identification of vulnerable person or minor
2) Account information in combination with account access (eg, User ID + Password or biometric access)
Data Intermediary ⇒ Duty to notify the organisation (data controller) without undue delay
Organisation ⇒ Duty to assess whether the breach is notifiable (significant harm or significant scale), then:
- Duty to notify the PDPC where there is:
(a) Significant harm, or
(b) Significant scale
- Duty to notify affected individuals where there is:
(a) Significant harm
(b) Exceptions apply (individuals need not be notified, but the PDPC still must be) when:
- Remedial action has been taken that makes significant harm unlikely
- The personal data was encrypted to a reasonable standard, so that it is unlikely to be accessed
(See flowchart)
*The notification timeframe runs from the time the organisation determines that the breach is notifiable: Day 1 is the day after the determination is made.
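The following Python helper is an added example, not code from the flashcards or from the PDPC. It encodes the breach-notification rules above as an incident-response playbook would: the scale threshold of 500 individuals, significant harm presumed where prescribed personal data is involved (identifier plus sensitive attribute, or account information plus an access credential), the PDPC deadline counted from the day after the determination, notification of individuals only for significant harm unless the remedial-action or encryption exception applies, and internal-only breaches deemed not notifiable. The category labels, the `Breach`/`Decision` types and the sample breaches are constructed for illustration.

```python
"""Notifiable-data-breach triage helper. Added example; not from the flashcards
or the PDPC. Category labels and sample breaches are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

SIGNIFICANT_SCALE = 500   # affected individuals at or above which scale is significant
PDPC_NOTIFY_DAYS = 3      # calendar days, counted from the day after the determination

# Constructed labels for the prescribed-personal-data combinations on the cards.
IDENTIFIERS = {"full_name", "national_id"}
SENSITIVE = {"financial_info", "life_health_insurance", "medical_info", "auth_private_key",
             "biometric", "security_code", "access_code", "password", "security_answer",
             "vulnerable_or_minor_status"}
ACCOUNT_INFO = {"user_id", "account_number"}
ACCOUNT_ACCESS = {"password", "biometric", "security_code", "access_code", "security_answer"}


@dataclass
class Breach:
    determined_on: date          # day the organisation concluded the breach is notifiable
    affected: int                # number of individuals affected
    categories: Set[str]         # data categories involved
    internal_only: bool = False  # data never left the organisation
    remediated: bool = False     # remedial action makes significant harm unlikely
    encrypted: bool = False      # data encrypted to a reasonable standard


@dataclass
class Decision:
    notify_pdpc: bool
    notify_individuals: bool
    pdpc_deadline: Optional[date]
    reasons: List[str] = field(default_factory=list)


def is_prescribed(categories: Set[str]) -> bool:
    """Prescribed personal data: identifier + sensitive attribute, or
    account information + an access credential."""
    id_combo = bool(IDENTIFIERS & categories) and bool(SENSITIVE & categories)
    acct_combo = bool(ACCOUNT_INFO & categories) and bool(ACCOUNT_ACCESS & categories)
    return id_combo or acct_combo


def triage(b: Breach) -> Decision:
    """Decide who must be notified and by when."""
    if b.internal_only:
        return Decision(False, False, None, ["internal-only breach: deemed not notifiable"])
    reasons: List[str] = []
    scale = b.affected >= SIGNIFICANT_SCALE
    harm = is_prescribed(b.categories)
    if scale:
        reasons.append(f"significant scale: {b.affected} >= {SIGNIFICANT_SCALE}")
    if harm:
        reasons.append("significant harm: prescribed personal data involved")
    notify_pdpc = scale or harm
    # The exceptions relieve only the duty to notify individuals; the PDPC is still notified.
    notify_individuals = harm
    if harm and b.remediated:
        notify_individuals = False
        reasons.append("individuals not notified: remedial action makes harm unlikely")
    if harm and b.encrypted:
        notify_individuals = False
        reasons.append("individuals not notified: data encrypted to a reasonable standard")
    # Day 1 is the day after the determination, so Day 3 falls on determined_on + 3 days.
    deadline = b.determined_on + timedelta(days=PDPC_NOTIFY_DAYS) if notify_pdpc else None
    return Decision(notify_pdpc, notify_individuals, deadline, reasons)


# Constructed sample breaches, all determined notifiable-or-not on 1 March 2024.
SAMPLES: Dict[str, Breach] = {
    "marketing_list": Breach(date(2024, 3, 1), 1200, {"full_name", "email"}),
    "clinic_records": Breach(date(2024, 3, 1), 40, {"full_name", "medical_info"}),
    "leaked_backup": Breach(date(2024, 3, 1), 40, {"user_id", "password"}, encrypted=True),
    "misdirected_internal_email": Breach(date(2024, 3, 1), 900,
                                         {"full_name", "financial_info"}, internal_only=True),
}


def run_samples() -> Dict[str, Decision]:
    return {name: triage(b) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name}: PDPC={d.notify_pdpc} individuals={d.notify_individuals} "
              f"deadline={d.pdpc_deadline} ({'; '.join(d.reasons)})")
```

Note the asymmetry the helper preserves: a large list of names and e-mail addresses triggers PDPC notification on scale alone but not notification of individuals, while a small set of medical records triggers both; and the encryption exception removes only the duty to individuals, never the duty to the PDPC.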
Accountability Obligation
To demonstrate accountability, an organisation is required:
- to develop and implement the policies and practices necessary for it to meet its obligations under the PDPA, and
- to make information about its data protection policies and practices available upon request
In particular, the organisation is required to designate at least one individual (“DPO”) to be responsible for ensuring its compliance:
- Designated individual(s) may delegate responsibility conferred to another individual(s)
- Designation of individual(s) does not relieve the organisation of any of its obligations under the PDPA and
- Make available the business contact information of a DPO or an individual to whom the DPO’s responsibility has been delegated
Can the PDPA override other written laws if they conflict with the PDPA? Give an example of when this may happen.
Other written laws (including sectoral laws) shall prevail over the Data Protection Provisions to the extent of any inconsistency between them.
Data Protection Provisions will not affect any authority, right, privilege, immunity, obligation or limitation by or under the law, except that performance of a contractual obligation shall not be an excuse for contravening the PDPA.
What is the grandfathering rule under SG PDPA?
Organisations may continue to use – but not disclose – personal data that was collected before the appointed date (2 July 2014) for the purposes for which it was collected unless consent is withdrawn under the PDPA or the individual has otherwise indicated that he does not consent to such use.