Protection Of Personal Data Important

12 Jun 2014

Forum reply on The Straits Times Interactive Online, 12 Jun 2014

THE Personal Data Protection Commission would like to clarify that the Personal Data Protection Act governs the collection, use, disclosure and care of personal data ("How well protected is Singapore users' personal data?" by Mr Francis Cheng; Forum Online, June 2).

"Personal data" may be data collected online or offline, and includes unique identifiers (for example, NRIC number) or any set of data (name, age, address) which, when taken together, would be able to identify the individual.

When the data protection provisions of the Act come into effect on July 2, organisations may collect, use or disclose personal data only for reasonable purposes for which they have notified and obtained the individual's consent, unless an exception applies (for example, emergency situations where the life, health or safety of an individual is threatened).

Organisations should not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service.

Currently, the Act does not provide for a "right to be forgotten". This concept is yet to be adopted by many jurisdictions, and the commission will continue to monitor developments with regard to this issue.

The Act also does not prohibit personal data from being sent out of Singapore. Instead, organisations transferring personal data overseas will have to ensure a standard of protection that is comparable to that accorded under the Act.

This includes making reasonable security arrangements to protect personal data in their possession or under their control against unauthorised access, collection, use or similar risks.

Organisations engaging in data activities in Singapore that do not comply with the Act may be issued a financial penalty not exceeding $1 million. They must also take remedial actions to ensure compliance with the Act.

Lastly, we would like to reiterate that individuals have a responsibility to protect their own personal data and minimise potential risks of misuse, even with the Personal Data Protection Act in place.

Evelyn Goh (Ms) 
Director, Communications, Planning and Policy 
Personal Data Protection Commission
