Data protection has recently become a widely discussed topic worldwide, and Singapore is no exception. Data protection in the country is governed by the Personal Data Protection Act (PDPA). The PDPA aims to strike a balance between recognizing the rights of individuals regarding their personal data and the interest of businesses in using data for reasonable purposes.
The Personal Data Protection Act provides complex regulation of data processing activities and the related rights of individuals. We will explore it in a series of posts on the topic, and this is the first part.
Application of the PDPA
Simply put, the main provisions of the PDPA apply to businesses. They do not apply to any individual who is acting in a personal or domestic capacity. The same applies to employees acting in the course of their employment with an organization. Companies that collect and use personal data represent the majority of entities that may be found liable under the Act if their conduct is contrary to what is required.
There are also other exceptions to which the PDPA does not apply, such as public agencies and organizations that are acting on behalf of a public agency. If an individual or an entity does not fall under one of these exceptions, they will have to adhere to the PDPA obligations and guidelines to avoid being liable under the Act.
What is personal data?
Personal data means any information about an individual that is likely to allow the identification of that individual. It can also be a combination of data like email, name, phone number, address, etc. Data that is related to an individual who can be identified can be considered personal data.
Consent as a ground for collecting and using personal data
The consent obligation requires entities that are liable under the PDPA to first obtain consent before they are allowed to collect, use or disclose the personal data of individuals. Consent is usually provided explicitly, i.e. in writing or by verbally agreeing. This also includes marking a checkbox on a website or clicking a button indicating the provision of consent for collection and use of data. The PDPA also recognizes deemed consent. An example of deemed consent would be when an individual is repeatedly given the option to opt out of giving consent. However, whether the failure to opt out is considered deemed consent also depends on the unique circumstances of each case.
The consent must be informed. This means that the individual must be notified of the purposes for which the organization is collecting (or using, disclosing) his personal data. The consent given is limited to the collection, use and/or disclosure of the personal data only for the purposes stated in the notice.
It is also important for the individual to be allowed to withdraw the consent after he has given it. If an individual chooses to withdraw consent, the organization or individual that has his information is required to inform him about the likely consequences of him withdrawing his consent. This gives the individual the opportunity to consider his options and decide accordingly.
Another important aspect of the consent obligation is that businesses are not allowed to require customers to allow the collection, use, or disclosure of personal data for any purpose other than as necessary to provide them with the product or service they are purchasing. A company may not refuse to provide a service or a product to customers if they do not give their consent for such additional uses.