Data collection methods: How to do these right
Organisations of every size use and disclose personal data as a matter of routine. Before they can do so, they must collect it from customers and clients who are willing to hand over their confidential information in exchange for the services the organisation offers.
The protection of personal data has long been crucial for organisations. When an organisation fails to prevent valuable data from leaking out, it bears the risk of a hefty financial penalty of up to S$1,000,000. The organisation could also be forced to close, as clients and potential customers come to believe that their data is not safe with it.
It is therefore imperative for organisations to handle personal data with the utmost diligence, starting from the data collection stage. The case of Clearview AI is a prime example of why this due diligence is required.
Clearview AI gets third €20 million fine for illegal data collection
France’s data protection authority (CNIL) has fined Clearview AI €20 million for illegally collecting and processing biometric data of French citizens. Clearview AI received the same fine from the Italian and Greek data protection agencies in March and July for the same violation.
CNIL also ordered the American facial recognition company to stop collecting any further data and to delete all the data it already held within two months.
If Clearview AI does not comply with the orders after two months, CNIL will fine the company €100,000 per day.
A controversial model
Clearview AI harvests pictures and videos of people that are publicly available on websites and social media, and matches them to the people’s identities. Using this method, the company has collected more than 20 billion images, which are added to a biometric database of facial scans and identities.
The company sells access to this database to operators of facial recognition systems. Some of these systems are used by law enforcement agencies and private companies around the world.
The Personal Data Protection Act (PDPA) in Singapore requires that individuals be made aware of any collection of their personal data and that their consent be obtained.
Even though Clearview AI does not use leaked data and does not spy on people, most people do not know that Clearview AI’s customers are using their photos to identify them.
There are many methods an organisation can use to collect the personal data of its customers and clients. Whichever method is used, it must be in accordance with the PDPA to avoid breaching the obligations stated therein. The following are potential legal bases for processing personal data:
Legal bases to collect and process personal data in accordance with the PDPA
- An appropriate notice has been given to or made available to the data subject.
- The data subject has given consent to the processing for the identified purposes.
- The personal data is necessary to fulfill a contract with the data subject.
- The personal data is necessary to comply with a legal obligation.
- The personal data is necessary to protect the vital interests of a natural person.
- The personal data is necessary for the public interest.
Data collection, done right.
While the Clearview AI case happened in France, a similar consequence could befall Singapore organisations. Under the PDPA, organisations must secure consent from the individuals to whom the personal data belongs. When collecting individuals’ personal data, the organisation must make them aware that their personal data is being recorded, or risk breaching the PDPA and incurring a hefty fine.
It is also essential that the purpose of the data collection is lawful and supported by evidence, so that the collection does not draw unnecessary questions from the Personal Data Protection Commission (PDPC).
A DPO can help
An outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Every organisation’s DPO should be able to curb instances of PDPA non-compliance, as the DPO is the officer responsible for maintaining the organisation’s positive data protection and cybersecurity posture.
A DPO complements the organisation’s efforts to ensure that its methods of collecting personal data comply with the PDPA. The DPO also ensures that policies are in place so that no personal data is collected without the proper procedures being followed.