Flashcards in PDPA Deck (16)
Purpose of PDPA?
To govern collection, use, and disclosure of personal data
in a manner which recognises
the individual's right to protect personal data,
and the organisation's need to collect, use, and disclose personal data, for purposes which a reasonable person would consider appropriate in the circumstances.
Who is exempted from Pts III - VI?
- individual acting in personal or domestic capacity
- employee acting in the course of employment with organisation
- public agency or org acting on behalf of public agency
- any other prescribed org or personal data
What is an "individual" under the PDPA?
Natural person whether dead or alive
Data intermediary exemption?
Exempted from Pts III - VI
- if the org is processing personal data on behalf of, and for purposes of, another org
- pursuant to a contract evidenced / made in writing
- s24 (protection of personal data)
- s25 (retention of personal data)
Note: Org is still responsible for the personal data as if it were processing it.
What is an "organisation" under the PDPA?
- Body of persons incorporated / unincorporated
- Whether or not formed / recognised in SG
- Whether or not resident, has office, or has place of business in SG
What is "domestic" under the PDPA?
Relates to home or family
What age of data is exempted from the PDPA?
- Personal data in a >= 100yr record
- Personal data about dead person,
but if dead for <=10 years, still subject to s24 (protection of personal data)
What is "business contact information" under the PDPA?
Exempted from Pts III - VI PDPA, unless BCI expressly referred to.
What obligations on companies IRT policies and practices?
(1) Org must develop and implement policies and practices needed to comply with PDPA.
(2) Must communicate them to staff.
(3) Must develop process to receive and respond to complaints.
(3) Upon request, must make info on (1) and (3) available.
What obligations on companies IRT DPO?
- Must designate one; can be external / internal.
- DPO can delegate responsibilities.
- DPO's biz contract info must be available.
What happens if a data intermediary goes beyond its contract with the org, in processing data?
Will no longer be a data intermediary in respect of that processing, and will be subject to all the obligations of the PDPA.
What is a "data intermediary"?
An org processing data on behalf of another org (but not an employee of that org).
What is "processing"?
Carrying out operations IRT personal data, including:
(3) organisation, adaptation, alteration
(4) erasure, destruction
What can the PDPC review IRT an org's decision?
(1) Org refused / failed to give access to personal data.
(2) Amount of $ charged to access / correct personal data [not supposed to charge to correct].
(3) Org refused to correct personal data, or failed to do it within reasonable time.
Can appeal PDPC?
Can apply to PDPC within 28 days to reconsider decision / direction. But does not suspend it unless IRT financial penalty.
Can also appeal to Data Protection Appeal Panel within 28 days. But if you apply for PDPC reconsideration, this will be deemed withdrawn.
Then can appeal to HC:
(1) on point of law in decision / direction.
(2) amount of financial penalty.
Then can appeal to CA.