There are probably a lot of personal data about you which commercial parties have already gathered.
Today, you can store and transfer vast amounts of your data to third parties. For example, as you complete your data on an entry sheet, data about your address, e-mail, gender, and age can be collected.
Even then, what data is collected is no longer the limit. You generate a ton of data all the time without having to work actively. An app you use may access geolocation data and know, for example, where you are at different times of the day.
Every day, new business models emerge with increasing Internet access via the smartphone. StatCounter reports recently that worldwide use of mobile and tablets has exceeded desktop for the first time. Many of these models are focused on collecting large quantities of personal data as startups and businesses are trying to make use of these data to create more value.
This trend is expected to grow exponentially, given the increase in technology and data collection capacity. According to the Economic Development Board (EDB), the data analytics industry is expected to add a value of $1 billion to the economy by 2017. Similarly, data collection will be of growing importance.
2013: Singapore launched the PDPA to protect personal data
In response, the Government of Singapore has introduced the Privacy Act (PDPA). As a law, the PDA aims to govern the collection and utilisation of personal data between organisations.
The PDPA intends to make Singapore a world-class business hub by strengthening data protection measures. However, only a few SMEs have a clear understanding of data privacy.
AsiaLawNetwork has worked with two lawyers specializing in data protection to speak in detail about PDPA. The following article is a PDPA guide by Mark Toh (Engelin Teh Practice LLC) and Jeremiah Chew (Lee & Lee).
What is data protection?
Data protection is the right of every person in Singapore, according to Jeremiah Chew, to ensure that its personal information is only collected, used, and/or disclosed with his/her approval.
What is PDPA?
Jeremiah further explained that “the Personal Data Protection Act, or PDPA, is a statute passed in 2012, and came into operation in four stages in 2013 and 2014. It regulates the collection, use, and communication of personal information by organizations and also establishes the Do Not Call Register.
Top 3 most common misconceptions about PDPA?
Misconception 1 — “It’s all right to gather as much information as I want from my customers and staff. One day, I might need it.”
FACT: An agency can obtain personal information only for legitimate purposes. In other words, organizations should ask themselves before collecting any personal data-Do I need this personal data? As an example, one of my customers who rents space for events requested customers to provide their nationality and date of birth. This information was not necessary for the business purposes of the customer, and we informed the customer not to collect it.
Misconception 2 — “I can collect information about a person without requesting permission such as geographical location, gender, and the date of birth because it is not considered to be personal information.”
FACT: In the PDPA, “personal data” has a broad meaning. It does not only apply to data that allow a person to be recognized on their own (e.g., name, NRIC). It also applies to data that can be classified in conjunction with other available data. For example, if viewed individually, the height of a person (175 cm), gender (male), race (Chinese), and house position (Bishan) may not appear to be particularly “personal.” But what if I know that only one Chinese man in an organization lives 175 cm in Bishan? If so, I could identify that person based on the data I have about him-even if I don’t know his name or his appearance.
Misconception 3 — “When we are all part of the same company, I can transfer personal data to my office in another country.”
FACT: In the context of the PDPA, for an individual to move personal data outside Singapore, other conditions of the PDPA must be met. It must ensure, in particular, that the transmitted personal data are secured in compliance with or identical to PDPA requirements.
According to Mark, here are some misconceptions:
Misconception 4 — “PDPA grants people a right to privacy, including against the government.” (For the general public)
FACT: Instead of privacy, the PDPA is concerned with data protection. Data protection means “personal data protection” (Oxford Law Dictionary), which is more restrictive. On the other hand, privacy is “a person’s right to be left alone and to keep certain matters separate from the general public” (Oxford Dictionary of Law). Due to the adverse impact of American and European culture, “privacy” is generally seen as enforceable against all, including the privacy government.
However, the PDPA does not bind the Government.
Misconception 5 — (For the public) “The PDPA imposes responsibilities on all.”
FACT: The PDPA applies only in the course of the company to the collection of personal data. Still, certain types of businesses are specifically exempt from certain PDPA parts.
Misconception 6 — “Only large companies must comply with the PDPA.”
FACT: PDPA covers all organizations, including companies, non-governmental organizations, charities, religious organizations, unincorporated organizations, informal associations, student organizations, private schools, etc.
For more information on the PDPA Regulations, you can check out the government body of Singapore for a thorough guide.