What is Personal Data Protection Act (PDPA)?

The Personal Data Protection Act (PDPA) is Singapore’s privacy law that aims to protect individuals’ personal information. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.

The PDPA covers personal data such as NRIC numbers, photos, and other data that can be used to identify individuals. The law also addresses sensitive data such as race, sex, religion, health and biometrics.

Definitions

The PDPA defines personal data as any information that can directly or indirectly pinpoint an individual. This includes full name, NRIC number, passport number, photograph, CCTV image, personal mobile telephone number, residential address, DNA profile, biometric data, and voice recording.

Generally, businesses are not allowed to collect, use or disclose an individual's personal data unless they have obtained the individual's consent, or the purpose is reasonable in relation to the data collected and processed. Moreover, businesses are required to keep the personal data they collect and use accurate and up to date.

Under the PDPA, organisations are also required to notify individuals of the collection, use and disclosure of their personal data. These notifications must be provided in a clear and understandable manner and the individual must be given a chance to withdraw their consent at any time.

Scope Of The PDPA

The PDPA applies to all organisations that collect, use, or disclose personal data in Thailand or from individuals residing in Thailand. This extraterritorial scope of the PDPA represents a significant expansion of Thailand’s data protection obligations, covering all processing activities that involve Thai-based data subjects.

A key element of the PDPA is that it requires organisations to obtain prior consent for the collection, use, and disclosure of personal data from data subjects. Organisations must provide a clear and easy-to-understand consent form, as well as clearly explain the purposes for which data is being collected.

Furthermore, organisations must inform data subjects of the rights they have under the PDPA, including the right to access their personal data and request its deletion. They must also notify the PDPC of any personal data breach.

Organisations must also implement suitable security measures to protect stored personal data from unauthorised access, loss, misuse, modification, or disclosure. These measures must be reviewed regularly to ensure they remain effective.

Registration Of Data Users

The PDPA requires data users who collect, use or disclose personal information to register with the Personal Data Protection Commissioner. The sectors covered include communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation (aviation), education, direct selling, professional services, real estate, utilities, pawn brokering and moneylending.

The Commissioner will also conduct inspections of the personal data systems of data users to ensure that they are compliant with the PDPA. Non-compliance will attract a fine of up to RM 200,000 or imprisonment for a term not exceeding two years.

As the PDPA comes into force in stages, it is important that data users understand their obligations and take measures to comply with them. This may include appointing a data protection officer, and ensuring that data systems are compliant. It is especially important for businesses with large volumes of personal data to implement the appropriate data security measures. This is an area where it may be useful to seek advice from a specialist lawyer.

Data Breach Notification

The PDPA requires organisations to notify affected individuals of any data breach that results, or is likely to result, in significant harm. It also requires organisations to give individuals access to their personal information on request.

However, not all organisations have arrangements in place to meet these obligations. For example, healthcare providers that use data intermediaries to process personal information may need to review their existing data transfer and processing agreements to ensure they meet the PDPA's mandatory requirements for data intermediaries.

Under Oregon law, entities that experience a data security breach must provide notice to the Attorney General’s office and to Credit Reporting Agencies in a timely manner. This notice must be provided without unreasonable delay and in no case later than 45 days after the discovery of a breach.
