Data protection obligations: amendments and updates issued by the PDPC on 1 October 2021. You can download the full document to read it; it runs to over 100 pages.
What are the 9 obligations of the PDPA?
The 9 obligations of the PDPA, as listed before the 2020 amendments added the Data Breach Notification and Data Portability obligations (both covered further below), are:
- Consent Obligation.
- Purpose Limitation Obligation.
- Notification Obligation.
- Access and Correction Obligation.
- Accuracy Obligation.
- Protection Obligation.
- Retention Limitation Obligation.
- Transfer Limitation Obligation.
- Accountability Obligation.
Data Protection Obligations under Accountability
Under the Accountability Obligation, a business must first appoint a data protection officer (DPO), so that the organisation has a person dedicated to compliance with its PDPA obligations.
1. Accountability Obligation
Undertake measures to ensure that your organisation meets its obligations under the PDPA, such as making information about your data protection policies, practices and complaints process available upon request, designating a data protection officer (DPO) and making the DPO's business contact information available to the public.
In layman's terms: You need to write down your data protection policies and practices and make them available on request, train staff and make sure they understand those practices, and put process flows and/or systems in place so that sufficient safeguards exist. This includes making sure the contract clauses for staff, contractors and service providers require them to know and comply with those policies, and that sufficient safeguards are in place on their side as well.
2. Notification Obligation
Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data.
In layman's terms: If you collect information via a contact form, you need to state the purposes for which you will use the personal data, at or before the point of collection.
3. Consent Obligation
Only collect, use or disclose personal data for purposes which an individual has given his/her consent to.
Allow the individual to withdraw consent, with reasonable notice, and inform him/her of the likely consequences of withdrawal. Once consent is withdrawn, make sure that you cease to collect, use or disclose the individual’s personal data.
In layman's terms: You cannot set clauses that bind the individual to you forever. If an individual decides to stop sharing his/her personal data, you must have a process that lets them withdraw consent, and you must update your records and cease collecting, using or disclosing that data accordingly.
4. Purpose Limitation Obligation
Only collect, use or disclose personal data for the purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent.
An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.
5. Accuracy Obligation
Make reasonable effort to ensure that the personal data collected is accurate and complete, especially if it is likely to be used to make a decision that affects the individual or to be disclosed to another organisation.
In layman's terms: Suppose you are a health and fitness data company and many insurers use your service to decide whether an individual is eligible for a discount or a surcharge based on their health metrics. You then have to make reasonable efforts to ensure accuracy, because errors may affect the insurer's decision and the cost of the premium for the individual.
6. Protection Obligation
Reasonable security arrangements have to be made to protect the personal data in your organisation’s possession to prevent unauthorised access, collection, use, disclosure or similar risks.
7. Retention Limitation Obligation
Cease retention of personal data or dispose of it in a proper manner when it is no longer needed for any business or legal purpose.
8. Transfer Limitation Obligation
Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection is comparable to the protection under the PDPA, unless exempted by the PDPC.
In layman's terms: This applies to outsourced work. If you have a call centre outside the country, how do you ensure the same level of protection? Is the outsourced work done by a related company or by a service provider? Do the individuals know that their data will be transferred to an external party, for example in the Philippines, to make phone calls to service them?
9. Access and Correction Obligation
Upon request, organisations have to provide individuals with access to their personal data as well as information about how the data was used or disclosed within a year before the request.
Organisations are also required to correct any error or omission in an individual's personal data as soon as practicable, and to send the corrected data to every other organisation to which the personal data was disclosed within a year before the correction is made (or only to the specific organisations the individual has consented to).
10. Data Breach Notification Obligation
In the event of a data breach, organisations must take steps to assess whether it is notifiable. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it is of significant scale (affecting 500 or more individuals). For a notifiable breach the organisation must notify the PDPC as soon as practicable, and no later than 3 calendar days after assessing that it is notifiable; where significant harm is likely, it must also notify the affected individuals.
11. Data Portability Obligation*
At the request of the individual, organisations are required to transmit the individual's data that is in the organisation's possession or under its control to another organisation, in a commonly used machine-readable format. (*This obligation was added by the 2020 amendments but is not yet in force.)
In layman's terms: Think of it like porting a mobile number from Singtel to M1 or Starhub and vice versa, but applied to your personal data: you can ask an organisation to send your data to another organisation of your choice. (Mobile number porting itself is governed by telecoms regulation rather than the PDPA.) Businesses may impose a reasonable charge for doing so, but they are required to comply with such a request.
Exceptions may apply to the obligations above. For more information, please refer to the Advisory Guidelines on Key Concepts in the Personal Data Protection Act.
What is a breach of PDPA by Businesses?
A data breach is deemed to have occurred if personal data has been:
- Leaked to an unintended external person or organisation
- Stolen by an external person or organisation
The breach is notifiable if it has caused, or is likely to cause, significant harm to the affected individuals, or if it is of significant scale.
A business must quickly assess the impact, report to the PDPC where the breach is notifiable, and put containment and remediation processes in place.
Data Protection Obligation updates
For small businesses, compliance is onerous. If you want to understand the changes, you can read this.
Download the Chapters Listing on Advisory Guidelines from PDPC
- Chapters 1 – 2: Introduction and Overview
- Chapters 3 – 9: Important Terms Used in the PDPA
- Chapter 10: Overview of the Data Protection Provisions
- Chapter 11: Applicability to Inbound Data Transfers
- Chapter 12: The Consent Obligation
- Chapter 13: The Purpose Limitation Obligation
- Chapter 14: The Notification Obligation
- Chapter 15: The Access and Correction Obligations
- Chapter 16: The Accuracy Obligation
- Chapter 17: The Protection Obligation
- Chapter 18: The Retention Limitation Obligation
- Chapter 19: The Transfer Limitation Obligation
- Chapter 20: The Data Breach Notification Obligation
- Chapter 21: The Accountability Obligation
- Chapters 22 – 23: Offences affecting personal data and anonymised information
- Chapters 24 – 26: Other Rights, Obligations and Uses
- Annex A: Framework for the Collection, Use and Disclosure of Personal Data
- Annex B: Assessment Checklist for Deemed Consent by Notification
- Annex C: Assessment Checklist for Legitimate Interests Exception