Knowing Personal Data Protection Laws
How much do you know about personal data? Well, to put it simply, personal data is still referring to data about an individual, and that individual can be identified using that data. Organizations are likely to have access to this data and other information about the individual. In Singapore, your personal data is safe under the Personal Data Protection Act 2012 or PDPA for short. Data protection law exists through the PDPA and consists of various rules which help to govern the collection, use, and disclosure and care of these personal data.
The PDPA helps to recognize the rights of individuals to protect their personal data. This includes the rights of access and correction, and the needs of organizations to collect, use and or disclose personal data as long as it is for legitimate and reasonable purposes.
A national Do Not Call Registry (DNC) is established with the assistance of the PDPA. This DNC Registry helps individuals register for their Singapore phone numbers if they want to opt out of receiving unwanted calls or text messages from organizations.
What Is the Objective of Having a Personal Data Protection Act?
With so much personal data being collected in today’s technological advancements, data transfer and collection is becoming more prevalent. Third-party organizations usually conduct such actions for various reasons. This trend will not slow down anytime soon. Rather, it may even grow exponentially as technology continually progresses and larger amounts of data get to be processed.
Naturally, there is a concern on the usage of personal data. This is why a data protection regime is in place to help govern the collection, disclosure and the use of an individual’s private information. This is necessary to help address concerns and maintain a person’s trust in the organizations that manage data.
The PDPA is aiming to strengthen and entrench Singapore’s competitiveness and position as a trusted world-class business hub by helping regulate the flow of personal data among these organizations.
The PDPA came into effect in phases, starting with the provisions which related to its formation in January 2013. Then the provisions which related back to the DNC Registry took effect in January 2014, which the main data protection rules were effective in July 2014. Implementation in gradual stages allows organizations time to review and adopt these policies and practices. As a result, this helps them comply with the PDPA’s requirements.
How Exactly Does PDPA Work?
The PDPA works by ensuring there is a baseline standard of protection when it comes to personal data across the economy. How? By complementing sector-specific legislative and regulatory frameworks. Organizations will have to comply with the PDPA’s regulations. Additionally, they must follow common laws and other statutes that apply to the specific industry that they belong to. This is important especially when it comes to the handling of an individual’s personal data.
The PDPA takes the following concepts into consideration:
- Allow organizations to collect, disclose and use personal data if the purposes are appropriate and reasonable given the circumstances.
- Permit organizations to collect, disclose and use such personal data only if they have the individual’s knowledge and consent. However, there are some exceptions.
- Allow organizations to collect, disclose and use personal data in an appropriate manner. This happens if they have informed the individual of the collection purpose.
How Does PDPA Apply?
Personal data is stored in an electronic and non-electronic form which is covered by the PDPA.
Data protection provisions in the PDPA (in parts III and VI) in general do not apply to the following:
- If an individual acts in a personal or domestic basis.
- Any public agency or organization that is acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data.
- Any employee that is acting during his or her employment with an organization.
- Business contact information, which refers to an individual’s name, position name, title, business phone number, address, electronic mail address, fax number, and any other information about the individual.
The PDPA references exist in accordance with data protection regimes of key jurisdictions. In other words, the government has established comprehensive data protection laws through PDPA. These jurisdictions include the EU, UK, Hong Kong, Australia, Canada, and New Zealand. This also includes the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data. These references are helpful when it comes to the formulation of privacy laws in Singapore which is relevant to the needs of organizations and individuals, taking international best practices on data protection.