Singapore I (POPCON ExTRASADD) Flashcards
Which was the precursor to SG PDPA?
Model Data Protection Code for the Private Sector by the National Internet Advisory Committee
> National DNC Provisions > Personal Data Provisions
How is personal data defined in SG PDPA?
Data, whether true or not, about individual can be identified a) from that data. [Unique identifier] b) from the data and other information to which the organisation has or likely to have access. [Partial Identifier]
What is Business Contact Information (BCI)? What is the difference between personal data and business contact information?
An individual’s name, business title, business telephone number, business address, business email or fax, or any other similar information about the individual, which is not provided by the individual solely for personal purposes.
The definition of BCI is dependent on the purpose(s) for which such contract information is provided by an individual.
Explain what the “publicly available” exception allows an organisation to do in Singapore?
It refer to personal data generally available to the public. This includes personal data that is observed in public by reasonably expected means (e.g., CCTV footage in supermarket, contacts for phone directories). A location or event would be considered “open to the public” if members of the public can enter or access the location with few or no restrictions, even if they must register or buy a ticket.
As long as the personal data was publicly available at the time of collection, the organisation can collect, use and disclose it without consent, even if it may no longer be publicly available at the time it is used or disclosed.
DNC - What is a specified message?
Advertise, Promote, Offer.
A message is a “specified message” if the purpose of the message / one of its purposes is:
- to advertise, promote or offer to supply or provide any of the following:
(a) goods or services,
(b) land or an interest in land or
(c) a business opportunity or an investment opportunity,
- to advertise or promote a supplier / provider of such items,
- any other prescribed purpose related to obtaining or providing information.
What is the difference between employment purposes and evaluative purposes with regards to consent and notification obligation?
Employment Purposes - for entering into, managing and termination an employment relationship. Consent not required, notification required (organisations must inform their employees of such collection, use or disclosure, even though their consent is not required. The notification is often included in an Employee Handbook.)
Evaluative Purposes - for hiring decisions & performance assessment etc. Consent and notification not required.
What obligations does a data intermediary have to comply with?
Protection, Retention Limitation and Data Breach Notification
What is the legal requirements for transfer of personal data overseas from Singapore?
An organisation must not transfer personal data to a country / territory outside Singapore except in accordance with the requirements prescribed under the PDPA:
(a) To take appropriate steps to ensure that the organisation will continue to comply with the PDPA
(b) To ensure that organisations overseas provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA
- Recipient country has adequate data protection law
- Getting informed consent
- Coming within an exception
- Getting contractual protection or
- Relying on binding corporate rules
- Overseas organization that is CBPR (Global Cross-Border Privacy Rules) / PRP (Privacy Recognition for Processors) certified
=> APEC CBPR: USA, Mexico, Japan, Canada, Singapore, Republic of Korea, Australia, Chinese Taipei, Philippines
What can the PDPC do with effect from 1st February 2021 (which it could not have done previously) when an organisation breaches DNC provisions?
Financial penalty -
(i) up to S$200,000 in the case of an individual;
(ii) and where it is an organisation, up to S$1 million or *5% of the organisation’s annual turnover in Singapore, whichever is higher.
List the enforcement powers of the PDPC.
The PDPC has the power to investigate an organisation: upon complaint or of its own motion (for example, where it suspects an infringement). However, it does not have an explicit general audit power.
PDPC may enter premises with, or without, a warrant and has the power to require the production of documents and/or information.
List the enforcement options of the PDPC.
(a) Suspension / discontinuation
- Where impact is assessed to be low
- When complainant has not complied with a direction
E.g., if any party has commenced legal proceedings in respect of any contravention of PDPA
- The matter may be more appropriately investigated by another regulatory authority
(b) Voluntary undertaking
- For organisations which request early that have good accountability practices & effective remediation plan with timeframe
- Includes a written agreement between the organisation and the PDPC
(c) Expedited breach decision
- For organisations which request early and provide upfront voluntary admission for breach of the PDPA & the facts (i.e., the organisation’s role in the breach).
(d) Full investigation
- For incidents with high impact, and where facilitation and/or mediation is appropriate in the circumstances.
What are MAS outsourcing guidelines for FIs?
Outsourcing Risk Management Guidelines
Institutions should -
- Perform necessary due diligence and apply sound governance and risk management practices when subscribing to cloud services
- Take active steps to address risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing
- Ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls.
Guidelines contain a section on cloud computing, revised definition of “material outsourcing arrangement” to include, under certain circumstances, an arrangement that involves customer information. Removed the requirement for financial institutions to pre-notify MAS of material outsourcing arrangements.
