What are the Fundamentals of the Personal Data Protection Act?
Personal data means data, whether accurate or not, about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access. In Singapore, personal data is protected under the Personal Data Protection Act 2012 (PDPA).
The PDPA establishes a data protection law comprising a set of rules governing the collection, use, disclosure and care of personal data. It recognises both the right of individuals to protect their personal data, including rights of access and correction, and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, text messages such as SMS or MMS, and faxes from organisations.
Today, large amounts of personal data are collected, used and even transferred to third-party organisations for many purposes. This trend is likely to grow as the processing and analysis of large volumes of personal data becomes possible with increasingly sophisticated technology.
With this development comes growing concern among individuals about how their personal data is being used. A data protection framework to govern the collection, use and disclosure of personal data is therefore essential to address these concerns and to maintain individuals' trust in the organisations that manage their data.
By regulating the flow of personal data among organisations, the PDPA also aims to strengthen and entrench Singapore's competitiveness and position as a trusted, world-class hub for businesses.
How Does the Personal Data Protection Act (PDPA) Work?
The PDPA establishes a baseline standard of protection for personal data across the economy by complementing sector-specific legislation and regulatory frameworks. This means that organisations must comply with the PDPA as well as the common law and any other laws applicable to the industry they belong to when managing personal data in their possession.
The PDPA is built on the following concepts:
Consent – Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);
Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of the purposes for the collection, use or disclosure; and
Reasonableness – Organisations may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances.
Application of the Personal Data Protection Act
The PDPA covers personal data held in both electronic and non-electronic form.
The data protection provisions of the PDPA (Parts III to VI) generally do not apply to:
Any individual acting in a personal or domestic capacity.
Any employee acting in the course of his or her employment with an organisation.
Any public agency, or any organisation acting on behalf of a public agency, in relation to the collection, use or disclosure of personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
Business contact information. This refers to an individual's name, position or title, business telephone number, business address, business email address and similar information about the individual, not provided by the individual solely for his or her personal purposes.
The PDPA is intended to be baseline legislation that operates as part of the law of Singapore. It does not supersede existing statutes such as the Banking Act and the Insurance Act, but works alongside them and the common law.
When we think about a data breach, the scenario that most readily comes to mind is a hacker gaining unauthorised access to an organisation's network. However, as most Data Protection Officers (DPOs) are aware, the weakest link in data security is usually people: the individuals within the organisation.
While we may instinctively assume a disgruntled employee to be behind a data breach, a study by the Data Protection Excellence Network (DPEX) shows that malicious hacks accounted for only 13% of all enforcement cases announced by the PDPC in 2018. The most common cause was instead simple negligence.
So what should organisations do to look after the personal data in their care?
A good place to start is an information security policy. Staff need to know which actions are permitted by the organisation. They also need to know the requirements of the data protection law, as well as relevant sectoral regulations such as the Employment Act.
Staff should understand that confidential information must be encrypted before they hit the "send" button. If an email has to go out unencrypted, any confidential documents or files should first be removed from it. Just imagine what can happen if those files are accidentally forwarded to unauthorised persons!
If you use cloud storage for your accounts, add further layers of protection with security features such as two-factor authentication (2FA), which requires both your login password and a security code sent to your phone or email address each time you log in or add a new device to the account.
Also, use the password-protection feature of Microsoft Office and PDF files to further protect the personal data in your care. When you send a protected file to someone, remember to send them the password separately, not in the same message as the attachment!
Here is another suggestion you can act on right away: check that the email address or phone number to which you are sending the personal data is correct! You can even send an initial message asking the recipient to reply and confirm it is correct before you send the actual file.
If you have to include several people in the same email thread, think about who really needs to receive the file and whether the recipients should see each other's identities. Consider using the BCC function, and when you do, make sure you have not accidentally put the addresses in the "CC" field. You may also wish to delete the earlier email trail if the same email has to be forwarded to others.
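The sending precautions above (confirming recipient addresses, keeping external recipients in BCC, encrypting attachments, separating the password from the attachment, and stripping the old email trail) can be turned into a pre-send check. The following is an added example, not code from the article; the draft format, the internal domain and the contact list are assumptions constructed for illustration.

```python
import difflib
import re

# Constructed sample data (not from the article): the organisation's own domain and its known contacts.
INTERNAL_DOMAIN = "example.org"
KNOWN_CONTACTS = {"alice@example.org", "bob@client-example.com", "carol@partner-example.com"}


def check_draft(draft):
    """Return a list of findings for a draft email before it is sent.

    `draft` is a dict with keys: to, cc, bcc (lists of addresses), body (str)
    and attachments (list of {"name": str, "encrypted": bool}).
    """
    findings = []
    to, cc, bcc = draft.get("to", []), draft.get("cc", []), draft.get("bcc", [])
    body = draft.get("body", "")
    attachments = draft.get("attachments", [])

    def is_internal(addr):
        return addr.lower().endswith("@" + INTERNAL_DOMAIN)

    # Recipient correctness: an address that is a near miss of a known contact is a likely typo.
    for addr in to + cc + bcc:
        if addr not in KNOWN_CONTACTS:
            near = difflib.get_close_matches(addr, KNOWN_CONTACTS, n=1, cutoff=0.8)
            if near:
                findings.append(f"recipient {addr} looks like a typo of {near[0]}")

    # Recipient privacy: several external parties visible to each other belong in BCC.
    visible_external = [a for a in to + cc if not is_internal(a)]
    if len(visible_external) > 1:
        findings.append("multiple external recipients in To/CC; use BCC")

    # Attachment protection: files must be encrypted or password-protected before sending.
    for att in attachments:
        if not att.get("encrypted"):
            findings.append(f"attachment {att['name']} is not encrypted")

    # Password separation: a password in the same message defeats the file protection.
    if attachments and re.search(r"\bpassword\b\s*(is|:)", body, re.I):
        findings.append("password appears in the same message as the attachment")

    # Forwarding hygiene: a quoted email trail may carry earlier recipients' personal data.
    if re.search(r"^>|^-+ ?(Original|Forwarded) Message", body, re.I | re.M):
        findings.append("previous email trail present; delete it before forwarding")

    return findings
```

A mail client plug-in or a mail gateway rule could run the same checks and block or warn before the message leaves the organisation.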
As we often say, negligence is our greatest enemy, and one we can never fully eliminate.
Remember these tips, put them into practice, and start transferring files more safely today.