The 9 Data Protection Obligations
The Personal Data Protection Act (PDPA) was enacted in October 2012 to govern the collection, use and disclosure of personal data. Following the amendments made by the Personal Data Protection (Amendment) Act 2020, the PDPA has established nine data protection obligations that an organisation ought to act in compliance with. In an effort to assist these organisations in evaluating whether their data protection policies satisfy the obligations stated in the PDPA, the Personal Data Protection Commission (PDPC) has produced a PDPA Assessment Tool for Organisations (PATO).
The PATO serves as a questionnaire which consists of several prompts and information pertinent to the 9 principal categories which reflect the salient obligations that an organisation will have to act in accordance with.
This article will deal with the first 5 Personal Data Protection Obligations.
I. Consent
1. Your organisation seeks consent from individuals for the collection, use or disclosure of their personal data.
- Organisations are required to obtain the consent of the individual prior to the collection, use or disclosure of their personal data for a purpose.
- Organisations must not:
  - as a condition for the provision of a product or service, require an individual to consent to the collection, use or disclosure of their personal data beyond what is reasonable; or
  - obtain or attempt to obtain consent for collecting, using or disclosing an individual’s personal data by providing false or misleading information or using deceptive or misleading practices.
- Consent is only valid when the individual is notified of the purpose of the collection, use or disclosure of their personal data.
2. Your organisation notifies and seeks fresh consent from individuals when personal data is used for a new or different purpose.
- For an organisation to obtain consent from individuals to collect, use or disclose their personal data, it must inform individuals of the purpose(s) for which it collects, uses or discloses their personal data on or before collecting the data.
- If an organisation intends to use or disclose the personal data collected for purposes which it has not yet informed the individual, or for which it has not obtained the individual’s consent, organisations are required to notify the individuals of these purposes and obtain fresh consent before using or disclosing the data.
- If an organisation fails to inform the individual of the purposes for which it intends to use or disclose the personal data, it must notify the individual of these purposes and obtain fresh consent before using or disclosing the data.
3. Your organisation responds to withdrawal of consent requests by individuals
- Individuals are allowed to withdraw their consent given or deemed to have been given in accordance with the PDPA in respect of the collection, use or disclosure of their personal data at any time.
- After being given reasonable notice, organisations are required to permit individuals to withdraw consent and to inform them of the likely consequences of the withdrawal. Once consent is withdrawn, organisations must cease collection, use or disclosure of the personal data belonging to that individual.
4. Your organisation ensures that the person providing consent on behalf of an individual is validly acting on behalf of that individual
- Consent may be given, or deemed to have been given, by any person validly acting on behalf of the individual for the collection, use or disclosure of the individual’s personal data.
- Organisations should therefore implement appropriate measures to ensure that the person is legally authorised to act on behalf of the individual.
5. Your organisation ensures that third party sources which your organisation obtained personal data from, had obtained valid consent from individuals.
- Organisations that obtain personal data from third party sources ought to exercise the appropriate due diligence to confirm and ensure that the third-party source can validly provide consent for the collection, use and disclosure of personal data on behalf of the individual, or that the source had obtained consent for disclosure of the personal data.
II. Purpose Limitation
1. Your organisation only collects, uses or discloses personal data for reasonable purposes that individuals had been informed of and had consented to
- An organisation can collect, use or disclose personal data regarding an individual only for purposes that a reasonable person would deem to be appropriate in the circumstances and that the individual has been informed of by the organisation, as set out in the notification obligation.
- Whether a purpose is reasonable is dependent on whether a reasonable person would consider it appropriate in the circumstances.
III. Notification
1. Your organisation informs individuals of the purposes for the collection, use or disclosure of their personal data on or prior to the collection of data.
- Organisations are obliged to inform individuals of the purposes for collecting, using or disclosing their personal data on or prior to the collection of data.
- Organisations should know that failure to inform the individual of the purposes would not amount to consent under the PDPA.
IV. Access & Correction
1. Your organisation responds to access requests made by individuals as soon as reasonably possible
- Organisations must, upon request made by an individual, as soon as reasonably possible, provide the individual with their personal data that is in the organisation’s possession or under its control, and information about the manner in which the personal data has been or will be used or disclosed during the past year.
2. Your organisation informs the individual making the access request of any fees that are associated with processing the request
- Organisations are permitted to charge a reasonable fee to recover the incremental costs that may be incurred for responding to an individual’s access request.
- Organisations that charge a reasonable fee must provide the individual with a written estimate of the fee.
3. Your organisation responds to requests by individuals to rectify their personal data as soon as practicable.
- An individual may request an organisation to rectify an error or omission in the individual’s personal data that is in the possession or under the control of the organisation.
4. Your organisation informs the individual of the time needed to respond to an access or correction request.
- Under the PDPA, the onus remains on the organisation to provide access as soon as reasonably possible and to make the relevant corrections to the personal data as soon as practicable.
- Organisations should respond to requests made by individuals for access or correction of personal data within 30 calendar days.
5. Before responding to an access or correction request, your organisation exercises due diligence to confirm the identity of the individual making the request or confirm that the third party is legally authorised to act on behalf of the individual
- Once an individual submits an access request, and before processing that request, the organisation must verify the identity of the applicant. This could take the form of a staff member asking the applicant a set of questions so as to verify the applicant’s identity.
- If a third party makes an access and/or correction request on behalf of the individual, the organisation should confirm that the third party is legally authorised to carry out the activity on the individual’s behalf.
V. Accuracy
1. Your organisation verifies that personal data collected from individuals is accurate and complete.
- Organisations must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data:
  - might be made use of by the organisation to make a decision that may affect the individual to whom the personal data pertains; or
  - might be disclosed by the organisation to another organisation.
2. Your organisation ensures that personal data of individuals collected from a third-party source is accurate and complete
- Organisations are obligated to make reasonable efforts to ensure that personal data collected on behalf of the organisation is accurate and complete.
If you require assistance regarding an identical issue or have any questions regarding preparation of a Notice of Revision, please contact us.
Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at walter@silvesterlegal.com.