This article is a follow-up to the previous articles, which highlighted the first five main data protection obligations set out by the Personal Data Protection Act (“PDPA”).[1] These obligations were termed the Main Data Protection Obligations by the Personal Data Protection Commission, and their purpose is to allow individuals or organisations to better understand the obligations and guidelines that they have to adhere to in order to comply with the requirements set out by the PDPA. In the next 2 articles, we will be discussing the other five main data protection obligations. In particular, the obligations covered in this article are the Accuracy Obligation, the Protection Obligation and the Retention Limitation Obligation.
Data Protection Obligations: Accuracy, Protection and the Retention Limitation Obligation
Accuracy Obligation (Section 23)
The fifth main data protection obligation is the accuracy obligation. Organisations are required to make “reasonable effort” to ensure that the personal data of an individual that is gathered and stored is accurate and complete, especially if the information is meant to be used to make a decision that will affect the individual, or if it is to be disclosed to another organisation or individual. The extent of reasonable effort required depends on the unique circumstances of your organisation; however, general factors to consider include the nature of the information and the purpose for which the information is to be used.[1] Generally, more effort should be made to ensure the accuracy and completeness of personal data collected and stored if there is an important purpose for it.
This obligation also requires organisations to exercise extra caution when retrieving information about an individual from third parties, as the third party providing the information may not have access to the most up-to-date information or its data may not be entirely accurate. Thus, if collaboration with a third party is required, it is important to verify the accuracy and completeness of the personal data after retrieving it from the third party.
Protection Obligation (Section 24)
The sixth main data protection obligation is the protection obligation. Because online databases are exposed to online risks, there is a greater emphasis on measures to protect personal data that is stored online. Essentially, this obligation requires organisations to protect the personal data given to them by individuals from “unauthorised access, collection, use, disclosure or other similar risks”.[1] However, the protection obligation is not limited to online databases; it applies to physical storage as well. Hence, as online databases and physical storage each carry separate and independent security risks, separate measures should be adopted for each to maximise the protection accorded to it.
In addition, the level of security and protection accorded also depends on the nature and confidentiality of the information or personal data in question. If the personal data or information is more vital or confidential, it should be accorded a higher degree of protection to prevent unauthorised access. Thus, there is a need for organisations to constantly and diligently update and maintain their digital security systems to reasonably protect their databases.
Retention Limitation Obligation (Section 25)
The seventh main data protection obligation is the retention limitation obligation. It requires organisations to cease retention of personal data, or to remove the means by which personal data can be attached to the individuals that it belongs to, as soon as the personal data is no longer required for any business or legal purpose. However, a reasonable period of time is allowed for organisations to update their databases and to cease retention of personal data that they no longer require. Thus, personal data needs to be constantly monitored and tracked so that the organisation knows exactly when it is no longer required.
Stay tuned for the last article in this series, which will explore the remaining obligations: the Transfer Limitation Obligation and the Openness Obligation.
Please note that this article does not constitute express or implied legal advice, whether in whole or in part. For PDPA obligations, Silvester Legal LLC is regularly engaged to assist our clients in reviewing their data collection policies and websites to ensure that they are in compliance with the PDPA. If you have any queries or require legal advice, please contact me at email@example.com.