The Personal Data Protection Act 2012 (PDPA) will come into operation and be enforced in phases, with the provisions relating to the Do Not Call (DNC) Registry coming into force on 2 January 2014 and the main data protection provisions coming into force on 2 July 2014.
After the transition period, the PDPC may conduct investigations – upon complaint or of its own accord – to determine whether an organisation is complying with the PDPA.
If the PDPC finds that an organisation is in breach of any of the data protection provisions in the PDPA, it may direct the organisation to rectify the breach. These directions may include requiring the organisation to:
- Stop collecting, using or disclosing personal data in contravention of the PDPA;
- Destroy personal data collected in contravention of the PDPA;
- Provide access to or correct the personal data; and/or
- Pay a financial penalty of an amount not exceeding $1 million.
An organisation that contravenes the DNC provisions in the PDPA will commit an offence and, on conviction, may be liable for a fine of an amount not exceeding $10,000 for each offence.
An organisation or a person is also guilty of an offence if any of the following is committed:
- If the organisation or person, with an intent to evade a request for access or correction under the PDPA, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing –
  - Personal data; or
  - Information about the collection, use or disclosure of personal data;
- If the organisation or person obstructs the PDPC or an authorised officer in the performance of their duties or exercise of their powers under the PDPA;
- If the organisation or person knowingly or recklessly makes a false statement to the PDPC, or knowingly misleads or attempts to mislead the PDPC, in the course of the performance of its duties or powers under the PDPA; and
- If a person makes a request under the PDPA to obtain access to or to change the personal data of another individual without that individual’s authority.
What is the Responsibility of an Employer for the Conduct of its Employees?
Any act done or conduct engaged in by an employee in the course of his or her employment shall be treated as done or engaged in by his or her employer as well as by him or her, whether or not it was with the organisation's knowledge or approval. In defence, the employer may prove that he or she took steps where practicable to prevent the employee from doing the act or engaging in the misconduct at hand.