Knowing Your Personal Data & Protection
How much do you know about personal data? Put simply, personal data refers to data about an individual who can be identified using that data. Organizations are likely to have access to this data and other information about the individual.
In Singapore, your personal data is protected under the Personal Data Protection Act 2012, or PDPA for short. The PDPA establishes a data protection law consisting of various rules that govern the collection, use, disclosure and care of personal data.
The PDPA recognizes the rights of individuals to protect their personal data, including the rights of access and correction. It also recognizes the needs of organizations to collect, use and/or disclose personal data, as long as it is for legitimate and reasonable purposes.
A national Do Not Call (DNC) Registry is established with the assistance of the PDPA. The DNC Registry lets individuals register their Singapore phone numbers if they want to opt out of receiving unwanted calls or text messages from organizations.
That is a quick overview of what personal data is.
What Is the Objective of Having a Personal Data Protection Act?
With today’s technological advancements, so much personal data is being collected, transferred and used by third-party organizations for various reasons. This trend is not expected to slow down anytime soon; rather, it is anticipated to grow exponentially as technology becomes more sophisticated and larger amounts of data are processed.
Naturally, there is concern about how personal data is being used, which is why a data protection regime is in place to govern the collection, use and disclosure of an individual’s personal data. Such a regime is necessary to address these concerns and maintain a person’s trust in the organizations that manage data.
The PDPA aims to strengthen and entrench Singapore’s competitiveness and position as a trusted world-class business hub by helping to regulate the flow of personal data among these organizations.
The PDPA came into effect in phases, starting with the provisions relating to its formation in January 2013. The provisions relating to the DNC Registry took effect in January 2014, while the main data protection rules took effect in July 2014. Implementing the Act in gradual stages like this allows organizations time to review and adopt policies and practices that help them comply with the PDPA’s requirements.
How Exactly Does PDPA Work?
The PDPA works by ensuring a baseline standard of protection for personal data across the economy. It does this by complementing sector-specific legislative and regulatory frameworks. When handling an individual’s personal data, organizations have to comply with the PDPA’s regulations as well as the common law and other relevant laws that apply to the specific industry they belong to.
The PDPA takes the following concepts into consideration:
- Organizations may collect, disclose and use personal data if the purposes are considered appropriate and reasonable given the circumstances.
- Organizations may collect, disclose and use such personal data only if they have the individual’s knowledge and consent (there are some exceptions).
- Organizations may collect, disclose and use personal data in an appropriate manner if they have informed the individual of the collection purpose.
How Is the PDPA Applied?
The PDPA covers personal data stored in both electronic and non-electronic forms.
Data protection provisions in the PDPA (in parts III and VI) in general do not apply to the following:
- Any individual acting on a personal or domestic basis.
- Any public agency or organization that is acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data.
- Any employee acting in the course of his or her employment with an organization.
- Business contact information, which refers to an individual’s name, position name, title, business phone number, address, electronic mail address, fax number and any other information about the individual.
The PDPA was developed with reference to the data protection regimes of key jurisdictions that have established comprehensive data protection laws. These jurisdictions include the EU, UK, Hong Kong, Australia, Canada and New Zealand. Reference was also made to the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data. These references are helpful in formulating a regime for Singapore that is relevant to the needs of organizations and individuals and takes into account international best practices on data protection.