Obligations under the PDPA when handling personal data – Obligations 2 – 4
In this second article on the PDPA, I look at the next 3 obligations (obligations 2-4) required of individuals or organisations when they handle the personal data of individuals under the PDPA.
In summary, Obligations 2 – 4 are: Obligation No. 2 – The Purpose Limitation Obligation (Section 18 PDPA) – This states that personal data may only be used, collected and disclosed for purposes that a reasonable person would consider appropriate in the circumstances. Obligation No. 3 – Notification Obligation (Section 20 PDPA) – The notification obligation requires the individual, company or organisation who collected the personal data to inform the person whom the data belongs to the exact reasons for which the data is being collected for. Obligation No. 4 – Access and Correction Obligation (Section 21 PDPA) – This obligation requires individuals or organisations who have collected personal data to provide access to the personal data that was previously provided by individuals upon request within a reasonable timeframe. We elaborate on the above-mentioned obligations below:
Purpose Limitation Obligation (Section 18)
The second main data protection obligation would be the purpose limitation obligation. The PDPA states that personal data may only be used, collected and disclosed for purposes that a reasonable person would consider appropriate in the circumstances. As this obligation is considered relatively broad, it once again depends on the circumstances of each case.
If the purposes for which the data is used, collected or disclosed is beyond what is considered appropriate, it will not be permitted. Reasonable purposes would include for verification purposes if it is necessary to verify the identity of the individual or for communication purposes to ensure that contact is not lost.
Notification Obligation (Section 20)
The third main data protection obligation would be the notification obligation. This notification obligation also highlights the importance of maintaining an effective and working communication channel between the parties. The notification obligation requires the individual, company or organisation who collected the personal data to inform the person whom the data belongs to the exact reasons for which the data is being collected for.
This also allows for individuals to make an informed choice of whether to provide consent for the collection, use and disclosure of his personal data to other individuals or organisations.
Access and Correction Obligation (Section 21)
The fourth main data protection obligation would be the Access and Correction obligation. This obligation requires individuals or organisations who have collected personal data to provide access to the personal data that was previously provided by individuals upon request within a reasonable timeframe. Organisations are also obligated to provide information on how the individual’s personal data was used or disclosed within a year before the request was made. Thus, if an individual requests for information about how his personal data was used for a period that is more than a year before the request was made, the request may be rejected without contravening the PDPA.
However, there are still exceptions made in Section 21(3) for which information should not be given access to despite requests made by individuals.[1] Examples of these exceptions would include information that would threaten the safety or physical or mental health of an individual other than the one making the request, or a request to reveal personal data about another individual without his consent.
The correction obligation is also tied alongside with the access obligation, the correction obligation requires the organisation or individual to “correct an error or omission in the personal data about the individual” as soon as possible if the individual makes a request for it.[2] This reduces the likelihood of personal data being used wrongly especially when it is inaccurate or outdated. Thus, this also highlights the importance of ensuring that all the requests made are frequently monitored to ensure that responses and accommodations can be made.
Conclusion
This sums up the first four data protection obligations, however there are still five more main data protection obligations which have yet to be covered. We will proceed to elaborate on the five remaining main data protection obligations in the next few articles.
