Getting into Compliance

Organisations in general are required to comply with the entire Personal Data Protection Act 2012 (PDPA). If your organisation has been contracted to process personal data on behalf of another organisation, your organisation may be considered a “data intermediary”. As a data intermediary processing personal data pursuant to a written contract, your organisation may be exempted from certain obligations in the PDPA and simply be responsible for protecting the personal data in your care and ensuring that the personal data is not kept by your organisation when there is no longer a business or legal need to do so.

Please refer to the following data protection obligations for how your organisation may comply with the PDPA.

9 Main Data Protection Obligations of the PDPA

1. Consent Obligation

Only collect, use or disclose personal data for purposes for which an individual has given his or her consent.

Allow individuals to withdraw consent, with reasonable notice, and inform them of the likely consequences of withdrawal. Upon withdrawal of consent to the collection, use or disclosure for any purpose, your organisation must cease such collection, use or disclosure of the personal data.

2. Purpose Limitation Obligation

An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.

An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.

3. Notification Obligation

Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data.

4. Access and Correction Obligation

Upon request, provide the individual with his or her personal data and with information about the ways in which that personal data has been or may have been used or disclosed within a year before the request. However, organisations are prohibited from providing an individual access if the provision of the personal data or other information could reasonably be expected to:

  • cause immediate or grave harm to the individual’s safety or physical or mental health;
  • threaten the safety or physical or mental health of another individual;
  • reveal personal data about another individual;
  • reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
  • be contrary to national interest.

Organisations are also required to correct any error or omission in an individual’s personal data upon his or her request. Unless your organisation is satisfied on reasonable grounds that the correction should not be made, your organisation should correct the personal data as soon as practicable and send the corrected data to other organisations to which the personal data was disclosed within a year before the correction is made (or, with the individual's consent, only to selected organisations).

5. Accuracy Obligation

Make reasonable effort to ensure that personal data collected by or on behalf of your organisation is accurate and complete, if it is likely to be used to make a decision that affects the individual, or if it is likely to be disclosed to another organisation.

6. Protection Obligation

Make reasonable security arrangements to protect the personal data that your organisation possesses or controls to prevent unauthorised access, collection, use, disclosure or similar risks.

7. Retention Limitation Obligation

Cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose.

8. Transfer Limitation Obligation

Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection provided to the personal data so transferred will be comparable to the protection under the PDPA, unless exempted by the PDPC.

9. Accountability Obligation

Make information about your data protection policies, practices and complaints process available on request.

Designate one or more individuals as a Data Protection Officer to ensure that your organisation complies with the PDPA, including the implementation of personal data protection policies within your organisation. The business contact information of at least one such individual should also be made available to the public. Please note that compliance with the PDPA remains the responsibility of the organisation.

There are, however, exceptions to these rules, and they are generally purpose-based. For example, some of these exceptions relate to emergency situations, investigations, publicly available data, or situations where the personal data is used for evaluative purposes. For more exceptions, please refer to the Second to Sixth Schedules of the PDPA.

Existing Data

Your organisation may continue to use personal data that has been collected before the data protection provisions of the PDPA came into effect on 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, consent has to be obtained anew.

For personal data collected after 2 July 2014, your organisation will have to notify and obtain the individual’s consent to the collection, use and disclosure of his or her personal data.

The above is a summary of some highlights from the PDPA. You may wish to refer to the PDPA for more details.