DPCR Lec 1 Anki PDF
Uploaded by AthleticSilver740
NUS Faculty of Law
Summary
These lecture notes cover the Personal Data Protection Act (PDPA) and its application to organizations. It details what constitutes personal data, the scope of the law in handling cases of deceased individuals, and personal data processing.
#separator:tab #html:false

What is the legal effect of advisory guidelines issued by PDPC under the PDPA?
These Guidelines are advisory in nature and are not legally binding on the Commission, or any other party. However, they indicate the Commission’s approach in handling complaints, reviews and investigations of breaches of the data protection rules, as well as enforcement and sanctions.

PDPA does not {{c2::control proprietary rights over}} personal data. PDPA does not require that the data be {{c2::factual or opinion based}}.

PDPA provides that nothing in the data protection provisions will {{c3::affect any authority, right, privilege, immunity or obligation or limitation under another law}}. In the event of any inconsistency between PDPA and another law, the provision of the {{c3::other law shall prevail}}.

PD can be of a natural person, {{c1::living or deceased}}, so long as it is {{c1::data of an identifiable individual}}.

PDPA exceptions: The Act also does not place any obligations on an employee acting in the course of his employment with an organisation, hence the onus is clearly on the employer. The legislation makes this very clear in section 11(2), where it stresses that an “{{c1::organisation is responsible for personal data in its possession or under its control}}”.

The Commission has made it clear that one cannot take personal data that one has been provided with in one’s commercial capacity and disclose it in a {{c1::personal or domestic capacity “as and when he chooses”.}} In Chua Yong Boon Justin,

Data intermediaries, sometimes known as data processors, are {{c2::organizations that process personal data}} on behalf of another organization. Data controllers are the organizations which {{c2::engage a data intermediary to process their personal data}}.

In relation to the target data processing activities, the terms {{c1::collection, use and disclosure}} are not defined in the PDPA, but they do not overlap with the defined term processing. “processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction.

What are the key elements of the scope of the PDPA?
The key elements of the scope of the Personal Data Protection Act (PDPA) include the following:
{{c1::Scope}}: The PDPA applies to the collection, use, and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes.
{{c1::Mandatory Requirements}}: Organizations are required to develop and implement policies and practices that are necessary for the organization to meet its obligations under the PDPA.
{{c1::Policies and Practices}}: Organizations must develop a data protection policy that sets out the purposes for which personal data is collected, used, and disclosed.
{{c1::Personal Data Audit}}: Organizations should conduct a personal data audit to identify the types of personal data they hold and how it is being used.
{{c1::Enforcement of Rights}}: The PDPA establishes the Personal Data Protection Commission (PDPC), which has the power to enforce the provisions of the PDPA, including the power to resolve disputes and review decisions.

How do we determine if data is personal data?
The following types of data are generally considered personal data on their own:
Full name
NRIC number or FIN (Foreign Identification Number)
Passport number
Personal mobile telephone number
The concept of being able to identify an individual is essentially about being able to single out the {{c1::flesh and bone individual}}.

The definition of Personal Data in the PDPA maintains the position that {{c2::information (whether a single piece of information or a group of information taken together)}} that relates to an identified or identifiable individual will be considered personal data [emphasis in original]. The Act is worded such that it requires the data to be able to identify an individual. This means that it must not be {{c3::a mere hypothetical possibility}}. If the possibility does not exist or is negligible, the individual should not be considered identifiable and the information would not be considered as personal data.

What provisions / obligations apply to personal data of deceased individuals?
Protection of Personal Data: Organisations are required to {{c1::protect the personal data of deceased individuals}} in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
{{c1::Retention Limitation}}: Organisations must cease to retain the personal data of deceased individuals or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose.
Disclosure of Personal Data: Organisations may disclose the personal data of deceased individuals to a {{c2::prescribed class of persons for specific purposes}}, such as for the administration of the deceased's estate or for research purposes, subject to certain conditions and safeguards.
Access and Correction: The PDPA provides for the right of access and correction of personal data of deceased individuals by their {{c2::next-of-kin or legal representatives}}, subject to certain conditions and limitations.

What kinds of organisations does the PDPA apply to? List some examples.
Private Sector Organizations: This includes businesses and companies that collect, use, or disclose personal data in the course of their operations.
Public Sector Organizations: Government agencies and statutory boards that handle personal data as part of their functions.
Non-Profit Organizations: Charities, clubs, and societies that collect, use, or disclose personal data for their activities.
{{c1::Educational Institutions:}} Schools, colleges, and universities that manage personal data of students, staff, and other stakeholders.
{{c1::Healthcare Providers}}: Hospitals, clinics, and other healthcare facilities that handle personal data of patients.

What is “written law” in section 4(6) of the PDPA?
In section 4(6) of the PDPA, “written law” refers to any law that is {{c1::enacted by the legislature and is in written form}}. This includes statutes, regulations, and other legal instruments that have been formally enacted and are legally binding.

The main points on the responsibility for personal data under section 11(2) are as follows:
{{c1::Accountability}}: Organizations are accountable for personal data under their control and must ensure compliance with data protection regulations.
{{c1::Data Protection Officer}}: Organizations must appoint a Data Protection Officer (DPO) to oversee data protection activities and ensure compliance.
{{c1::Policies and Procedures}}: Organizations must implement policies and procedures to protect personal data and ensure compliance with data protection regulations.
{{c1::Training and Awareness}}: Organizations must provide training and raise awareness among employees about data protection and privacy.
{{c1::Monitoring and Auditing}}: Organizations must regularly monitor and audit their data protection practices to ensure compliance with regulations.
{{c1::Incident Response}}: Organizations must have an incident response plan in place to address data breaches and other data protection incidents.

What are the permitted modes of personal data transfer?
The permitted modes of personal data transfer include:
Consent: Personal data can be transferred if the individual has given their explicit consent to the transfer.
Contractual Necessity: Transfer is permitted if it is {{c1::necessary}} for the performance of a contract between the individual and the organization.
Legal Obligation: Transfer is allowed if it is {{c1::necessary}} for compliance with a legal obligation to which the organization is subject.
Vital Interests: Transfer is permitted if it is {{c1::necessary}} to protect the vital interests of the individual or another person.
Public Interest: Transfer is allowed if it is {{c1::necessary}} for the performance of a task carried out in the public interest or in the exercise of official authority.
Legitimate Interests: Transfer is permitted if it is {{c1::necessary}} for the purposes of legitimate interests pursued by the organization or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.

When can personal data be collected?
Personal data can be collected when the data subject has given consent for their data to be used for specific purposes. Additionally, personal data can be collected if it is necessary for the {{c1::performance of a contract}} to which the {{c1::data subject is a party}}, for {{c2::compliance with a legal obligation}}, to {{c2::protect the vital interests of the data subject (First Schedule Part 1)}} or another person, for the performance of a task carried out in the public interest or in the exercise of official authority, or for the {{c3::purposes of legitimate interests pursued by the data controller or a third party (First Schedule Part 3)}}.

How should personal data be processed?
Data minimisation means that personal data collected should be adequate, relevant, and limited to {{c3::what is necessary for the purposes}} for which they are processed. Data minimization is not an obligation on its own, but {{c3::arises from purpose limitation.}} Purpose limitation means that personal data should be collected for specified, explicit, and legitimate purposes and {{c3::not further processed in a manner that is incompatible with those purposes}}.

What are the security requirements in the data lifecycle under the PDPA?
{{c1::Policies and Practices}}: Organizations must develop and implement comprehensive data protection policies and practices to ensure the security of personal data.
{{c2::Personal Data Audit}}: Conducting regular audits of personal data to ensure compliance with data protection regulations.
{{c2::Enforcement of Rights}}: Ensuring that individuals' rights to access, correct, and delete their personal data are enforced.
{{c2::Data Protection by Design}}: Implementing data protection measures from the design phase of any system or process.
{{c2::Risk Assessment}}: Regularly assessing risks to personal data and implementing measures to mitigate those risks.
{{c2::Data Breach Notification}}: Notifying relevant authorities and affected individuals in the event of a data breach.

4. How should disclosed personal data be protected?
Disclosed personal data should be protected by implementing a {{c1::comprehensive data protection policy}}. This includes conducting a personal data audit, developing policies and practices, and ensuring compliance with mandatory requirements. The data protection policy should cover the structure and content of personal data, enforcement of rights, and the powers of the Personal Data Protection Commission. Additionally, it is important to ensure the accuracy and completeness of personal data, and to implement a data protection by design approach.

5. How should personal data be disposed of?
{{c1::Data anonymization}}: Altering data so that the data subject is no longer directly or indirectly identified.
{{c1::Data deletion}}: Removing data from a system.
Data {{c1::crypto shredding}}: For encrypted data, this involves destroying the encryption keys.
Data {{c1::degaussing}}: Using a strong magnetic field to erase data from magnetic storage media.
Data {{c1::destruction}}: Physically destroying the media that stores the data.

What is the PDPA's standard of reasonableness?
One of the key principles is that organizations should only collect, use, or disclose personal data for purposes that {{c1::a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent}}. This standard of reasonableness ensures that personal data is handled in a manner that {{c2::respects the privacy and rights of individuals}}.

In general, what purposes can an organisation collect, use and disclose personal data for?
Organizations can collect, use, and disclose personal data for purposes that a {{c1::reasonable person would consider appropriate under the given circumstances}} and {{c2::for which the individual has given consent}}. Some common purposes include:
Providing Services: Collecting personal data to provide products or services requested by the individual.
Marketing: Using personal data for marketing purposes, such as sending promotional materials, but only with the individual's consent.
Legal Obligations: Collecting and using personal data to comply with legal requirements.
Employment: Using personal data for employment-related purposes, such as payroll and benefits administration.
Security: Collecting personal data to ensure the security of the organization's systems and premises.

What are the legal bases for processing personal data which are permitted under the PDPA? Where are they found in the PDPA and when do they apply?
Consent: The individual has given clear consent for the processing of their personal data. This is detailed in the Consent Obligation {{c1::(s15 PDPA).}}
Contractual Necessity: The processing is necessary for the performance of a contract to which the individual is a party. This is covered under the Exceptions to the Consent Obligation {{c2::(e.g. Employment, insurance, s17 PDPA).}}
Legal Obligation: The processing is necessary for compliance with a legal obligation. This is also mentioned in the Exceptions to the Consent Obligation {{c3::(First Schedule Part 3 para 1(1): the legitimate interest outweighs the adverse effect on the individual).}}
Vital Interests: The processing is necessary to protect the vital interests of the individual or another person. This is detailed in the {{c4::Emergencies (First Schedule Part 1 para 2).}}
Public Interest: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This is covered under the Exceptions to the Consent Obligation ({{c5::Second Schedule Part 3 para 1}}).
Legitimate Interests: The processing is necessary for the purposes of legitimate interests pursued by the organization or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual. This is also mentioned in the Exceptions to the Consent Obligation ({{c6::First Schedule Part 3 para 1(1)}}).

When is notification of purposes required under the PDPA?
Under the Personal Data Protection Act (PDPA), organizations must inform individuals of the purposes for which their personal data will be collected, used, or disclosed in order to obtain their consent. This is referred to as the Notification Obligation. Specifically, {{c1::Section 20}} of the PDPA sets out the obligation of organizations to inform individuals of these purposes. Organizations must inform individuals of the purposes for the collection, use, and disclosure of their personal data on or before collecting the personal data.

How can organisations ensure accuracy of personal data collected?
{{c3::Accurate Recording}}: Ensure that personal data is accurately recorded when collected, whether directly from the individual or through another organisation.
{{c2::Completeness}}: Ensure that the personal data collected includes all relevant parts to make it complete.
{{c1::Reasonable Effort}}: Make a reasonable effort to ensure the accuracy and completeness of personal data. This includes considering factors such as the nature of the data, its significance to the individual, the purpose for which it is collected, and the reliability and currency of the data.
Updating Information: Consider whether it is necessary to update the information to maintain its accuracy.
{{c4::Data Protection by Design}}: Implement a data protection by design approach, which includes {{c3::risk assessment}} and {{c4::measures to protect}} personal data.

How long can organisations retain documents containing personal data? What are the legal and business purposes mentioned in section 25 of the PDPA?
Organisations can retain documents containing personal data for as long as it is necessary to fulfil the purposes for which the data was collected, or for legal or business purposes. Section 25 of the PDPA mentions several legal and business purposes for retaining personal data, including:
{{c1::Legal Obligations}}: Compliance with legal obligations, such as tax and employment laws.
{{c2::Business Operations}}: Necessary for business operations, such as maintaining business records and managing customer relationships.
{{c3::Dispute Resolution}}: Retaining data for the purpose of resolving disputes or enforcing agreements.
{{c4::Research and Analysis}}: Using data for research and analysis to improve products and services.
By adhering to these guidelines, organisations can ensure that they retain personal data only for as long as necessary and in compliance with the PDPA.

What are the obligations of data controllers in relation to their data intermediaries?
{{c1::Compliance and Accountability}}: Data controllers must ensure that data intermediaries comply with data protection laws and demonstrate accountability. This includes maintaining records of processing activities and ensuring that data intermediaries adopt good practices when processing data on behalf of the data controller.
{{c2::Security Measures}}: Data controllers are responsible for ensuring that data intermediaries implement appropriate technical and organizational measures to protect the integrity and security of the data. This includes measures such as pseudonymization, encryption, and regular monitoring and auditing of safeguards.
{{c3::Contractual Obligations}}: Data controllers must include specific clauses in contracts with data intermediaries to ensure compliance with data protection laws. These clauses may include prohibiting the use or disclosure of personal data for unauthorized purposes, prohibiting sub-contracting without approval, and ensuring the timely return or destruction of personal data when it is no longer required.
{{c4::Data Protection by Design and Default}}: Data controllers must ensure that data protection principles are embedded into systems, projects, and services from the beginning. This includes implementing appropriate technical and organizational measures to ensure that only necessary personal data is processed for each specific purpose.
{{c5::Impact Assessments}}: Data controllers must conduct impact assessments prior to processing personal data to assess the necessity and proportionality of the processing. This helps to identify and mitigate potential risks to data subjects.

How can an organisation meet its obligations under the PDPA if they wish to transfer personal data out of Singapore?
An organization must ensure that the recipient of the data provides a standard of protection comparable to that under the PDPA. This can be achieved by:
{{c1::Legally Enforceable Obligations}}: The recipient must be bound by legally enforceable obligations to provide a standard of protection that is comparable to the PDPA. These obligations can be imposed under any law, contract, or binding corporate rules.
{{c2::Appropriate Steps}}: The organization must take appropriate steps to ensure compliance with the Data Protection Provisions in respect of the transferred personal data while it remains in its possession or under its control.

What are the Accountability measures organisations must implement?
Organisations must implement several accountability measures to ensure compliance with data protection laws and regulations. These measures include:
{{c1::Governance and Risk Assessments}}: Establishing a structure for governance and conducting risk assessments to identify and mitigate potential risks.
{{c2::Management Policies and Practices}}: Developing and implementing management policies and practices for handling personal data.
{{c3::Operational Processes}}: Establishing processes to operationalise the management policies and practices.

{{c1::Right to Withdraw Consent}} – PDPA section 16
– Organisations must give effect to the {{c1::withdrawal of consent}}, although this does not affect the legal consequences which may arise
– Organisations may continue to collect, use and disclose personal data if doing so without consent is required or authorised under written law
Rights of {{c2::Access and Correction}} – PDPA sections 21 and 22 and PDPR Part 2
Right to {{c1::Data Portability}} – Not yet in force (not covered in this unit)
Right of {{c3::Private Action}} – PDPA section 48O
– See SGCA 60 (Note: This case relates to the former PDPA section on right of private action which was repealed and replaced by section 48O)
– s32(1) created a statutory tort, expressly a right of private action, with the requirement that loss or damage was founded on emotional distress.

How can an individual withdraw consent for collection, use and/or disclosure of their personal data under the PDPA?
Under the Personal Data Protection Act (PDPA), an individual can withdraw consent for the collection, use, and/or disclosure of their personal data {{c1::at any time}}. The withdrawal of consent must be done in a manner that is {{c2::reasonable and practicable}}. Once consent is withdrawn, the organization must {{c2::cease the collection, use, and/or disclosure}} of the individual's personal data. This is a clear indication that under the Singapore personal data protection regime, it is not possible to withdraw consent for the collection, use or disclosure of personal data that falls within the situations set out in the {{c3::Second (use by public agency/public interest) Schedule}}. It should be noted that the withdrawal of consent {{c4::will not affect the retention of data}}. Under section 25, an organisation may retain personal data, for example, if it is necessary for legal or business purposes. Certainly, for most organisations, it would be advisable to retain the personal data at least until the {{c4::statute of limitations expires}}.

How should an organisation process a request for access to, or correction of, personal data? When is an organisation permitted (or required) to deny or refuse such a request?
An organisation should process a request for access to, or correction of, personal data by {{c1::first determining if the request involves the collection, use, or disclosure of personal data}}. If it does, the organisation should respond to the request within a {{c1::reasonable time}}. If the organisation refuses to provide access or make the correction, the individual can {{c1::apply to the Personal Data Protection Commission (PDPC)}} to review the matter. An organisation is permitted (or required) to deny or refuse such a request in certain situations. For example, if the request involves other types of data, the organisation will take a case-by-case approach in accordance with the Commission’s Advisory Guidelines on Key Concepts in the PDPA to determine whether the data involved {{c2::constitutes personal data}}. Additionally, the organisation may refuse to provide access or make the correction if it believes that the request is {{c3::frivolous or vexatious}}.

What is the scope of individuals’ private right of action under the PDPA?
The Personal Data Protection Act (PDPA) provides individuals with a private right of action. This means that individuals who suffer {{c1::loss or damage}} as a direct result of a {{c2::contravention of specific parts of the PDPA (Parts 4, 5, 6, 6A, 6B, Division 3 of Part 9, or section 48B(1)}}) may commence civil proceedings in the courts against the organisation.

What did the court decide in the Michael Reed v. Alex Bellingham case SGCA 60?
Held: {{c2::Emotional distress}} falls within the ambit of “loss or damage” of s32, and {{c1::not loss of control of personal data}}. Factors the court will consider are:
The nature of the personal data involved in the breach: for instance, financial data is likely to be sensitive.
The nature of the breach: e.g., whether the breach of the PDPA was one-off, repeated and/or continuing.
The nature of the defendant’s conduct: for instance, proof of fraudulent or malicious intent may support an inference that the plaintiff was more severely affected.
The risk of future breaches of the PDPA causing emotional distress to the plaintiff.
The actual impact of the breach on the plaintiff.

What are the PDPA provisions which govern whether/how an organisation can conduct any kind of research?
s17(1)(b): An organisation may collect, use and disclose personal data without the individual's consent for the purposes of research under Second Schedule Part 2 Division 3, where:
(a) the research purpose {{c1::cannot reasonably be accomplished}} unless the personal data is used in an individually identifiable form;
(b) there is a {{c1::clear public benefit}} to using the personal data for the research purpose;
(c) the results of the research will not be used to {{c1::make any decision that affects the individual}}; and
(d) in the event that the results of the research are published, the organisation publishes the results in a form that {{c1::does not identify the individual}}.

What is anonymisation? When is data considered to be anonymised? Why do organisations need (or want) to anonymise personal data?
Anonymisation is the process of {{c3::removing or altering personal data so that individuals cannot be identified from the data}}, either {{c3::directly or indirectly}}. This involves techniques such as data masking, pseudonymisation, and aggregation. Data is considered to be anonymised when it is no longer possible to identify individuals from the data, even when combined with other information. This means that the data cannot be {{c4::traced back to an individual, ensuring their privacy.}} Organisations need or want to anonymise personal data for several reasons:
Compliance with legal requirements: Many data protection laws, such as the GDPR, require organisations to protect personal data and may mandate anonymisation as a way to achieve this.
Reducing risk: Anonymising data reduces the risk of data breaches and the potential harm that can result from the exposure of personal information.
Enabling data sharing and analysis: Anonymised data can be shared and analysed without compromising individual privacy, allowing organisations to gain insights and make data-driven decisions while respecting privacy.

What types of data may be created and/or used during online activities? Which of these constitute personal data? When is consent required for use of cookies?
During online activities, various types of data may be created and/or used, including personal data, anonymized data, and cookies. Personal data is any information that can identify an individual, such as names, addresses, email addresses, and IP addresses. Cookies are small text files stored on a user's device that can track online activity and preferences. {{c1::Consent}} is required for the use of cookies, especially those that are not strictly necessary for the functioning of the website. This includes cookies used for analytics, advertising, and tracking user behavior. Users must be informed about the use of cookies and provide explicit consent before these {{c2::cookies can be stored on their devices}}.

What are the obligations of cloud service providers, and the organisations which use them, under the PDPA?
Obligations of Cloud Service Providers under the PDPA:
Data Protection: Cloud service providers (CSPs) must ensure that they have reasonable security arrangements in place to protect personal data.
Retention Limitation: CSPs must cease retaining documents that contain personal data or anonymize personal data as soon as it is no longer needed.
Overseas Transfer: CSPs must ensure that data transferred across boundaries in a cloud environment is protected. They must only transfer data to locations with a {{c1::comparable data protection regime to Singapore or where recipients are legally bound by similar contractual standards}}.
Obligations of Organisations which Use Cloud Service Providers under the PDPA:
Responsibility: Organisations remain responsible for ensuring that the CSP complies with the PDPA, especially in relation to the processing of personal data on their behalf.
Contractual Compliance: Organisations must ensure that their contract with the CSP complies with the PDPA and adequately protects the organisation.
Data Protection: Organisations must ensure that the CSP has reasonable security arrangements in place to safeguard personal data.
Retention Limitation: Organisations must ensure that the CSP ceases retaining documents that contain personal data or anonymizes personal data as soon as it is no longer needed.
Overseas Transfer: Organisations must ensure that the CSP only transfers data to locations with a {{c2::comparable data protection regime to Singapore or where recipients are legally bound by similar contractual standards}}.