Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters
By now, Singaporeans must already be aware that the Personal Data Protection Act of 2012 is Singapore’s legislative response to the pre-existing patchwork of laws. The latter includes common law, sector-specific legislation and various self-regulatory or co-regulatory codes.
It is to be noted that while the PDPA applies to all organisations in respect of the personal data they collect, use and/or disclose, the following categories of organisations are not bound by the PDPA:
- individuals acting in a personal or domestic scope;
- employees acting in the course of their employment with an organisation;
- public agencies or organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; or
- any other organisation or personal data, or classes of organisations or personal data as may be defined by the pertinent legislation.
Advisory Guidelines on Key Concepts in the PDPA
The first 9 chapters of the written guidelines cover the introduction and overview as well as the important terms used in the PDPA. In these beginning chapters, we get a clear definition, among others, of how personal data is identified, what collective data is, and what happens to personal data of deceased individuals.
These chapters also touch on excluded organisations as mentioned earlier in this article.
This chapter of the advisory guidelines on key concepts in the PDPA delves into the overview of the data protection provisions. It spells out nine main obligations which organisations are required to comply with if they undertake activities relating to the collection, use or disclosure of personal data.
These nine main obligations are:
- The Consent Obligation
- The Purpose Limitation Obligation
- The Notification Obligation
- The Access and Correction Obligations
- The Accuracy Obligation
- The Protection Obligation
- The Retention Limitation Obligation
- The Transfer Limitation Obligation
- The Accountability Obligation
Chapter 11 deals with applicability to inbound data transfers. Under this provision, organisations carrying out activities involving personal data in Singapore must adhere to the country’s existing guidelines. Several examples are also fleshed out in this chapter to paint different scenarios of how the PDPA provisions will be applied.
In Chapter 12, we dive into the consent obligation, which states that organisations are mandated to obtain consent from individuals before collecting, using, or disclosing their personal data.
Whereas there are guidelines on where and to whom the PDPA applies, Chapter 13 touches on the purpose limitation obligation. In essence, it states that an organisation may collect, use or disclose personal data about an individual only for purposes:
- that a reasonable person would consider appropriate in the circumstances; and
- where applicable, that the individual has been informed of by the organisation.
The 14th chapter of the advisory guidelines on key concepts in the PDPA talks about the duty of organisations to inform the individuals of the purposes for which their personal data will be collected, used and disclosed in order to get their consent.
The 15th and 16th chapters of the advisory guidelines on key concepts in the PDPA discuss the access and correction obligations as well as the accuracy obligation.
In a nutshell, individuals have the right to request access to their personal data and correction of their personal data that is in the possession or under the control of the organisation.
As for the accuracy obligation, the PDPA requires an organisation to make a fair effort to make sure that personal data collected is accurate and complete under certain provisions.
Chapter 17 of the advisory guidelines on key concepts in the PDPA walks us through the protection obligation, which states that an organisation is required by the PDPA to make reasonable security arrangements to protect personal data in its possession. This is to prevent unauthorised access to data, as well as illegal collection, use, disclosure, copying, and modification of such data, among others.
Chapter 18 discusses the retention limitation obligation, setting out when an organisation should cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with specific individuals.
Under the provision discussed in chapter 19, an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements defined under the PDPA.
Chapter 20 talks about the concept of accountability among organisations in the context of how an organisation discharges its responsibility for the personal data it has collected.
The final chapters of the advisory guidelines on key concepts in the PDPA tackle other rights, obligations, and uses. They bookend the whole document by discussing other minor provisions not yet covered in the previous chapters.
To reiterate, organisations must adhere to these advisory guidelines on key concepts in the PDPA. This is to make sure they do not violate the data privacy of anyone, and that they uphold their credibility as responsible organisations.