Applying the Personal Data Protection Act (Singapore)
Download as PPTX, PDF1 like4,992 views
The document discusses the Personal Data Protection Act (PDPA) in Singapore, emphasizing the importance of consent for the collection, use, and disclosure of personal data. It outlines the requirements and responsibilities of organizations under the PDPA, highlighting specific cases related to Nutz supermarket's handling of customer data. It also addresses potential actions individuals can take if they believe their data rights have been violated.
Applying the Personal Data Protection Act (Singapore)
- 1. Title of Show Name of Presenter Date Applying the Personal Data Protection Act (Prepared for the Internet Society, Singapore Chapter) Benjamin Ang Lecturer, Law & Management, Temasek Polytechnic Consultant, Keystone Law Corporation techmusicartandlaw.blogspot.com www.isoc.sg
- 2. Are these practices safe under the Act? o NUTZ Supermarket runs a lucky draw contest and collects phone numbers and email addresses from 100,000 customers. 1. NUTZ hires a telemarketing company to call all the customers to offer them discount card membership 2. NUTZ shares the phone numbers with Krusty Cheese, a large supplier of NUTZ, so that Krusty can run a sales promotion
- 3. Are these practices safe under the Act? 3. Jacky, the former IT manager of NUTZ, leaves to start his own business, and sends SMS to all customers telling them of his new venture 4. In order to investigate CBT by Jacky, NUTZ hands over the customer data to the police 5. Customers call NUTZ to complain, and are left on hold because no department is prepared to handle them
- 5. Personal Data Protection Act o Controls the collection, storage, use and disclosure of personal data – • data about an individual who can be identified from that data, or • who can identified from that data + other information to which the organisation has or is likely to have access o Does not apply to actions by individuals for personal use (s4) o Does not apply to Business Contact Information
- 6. Business Contact Information o Information not provided by the individual solely for his personal purposes e.g. • name, • position name or title, • business telephone number, • business address, • business electronic mail address etc
- 7. Consent Required o Section 13: Organizations need consent to • Collect personal data • Use personal data • Disclose personal data o Section 14: Organizations cannot collect consent through deceptive or misleading practices o Section 16: Individuals can withdraw consent that they have given to organizations
- 8. Where Consent is Not Required o Section 21: Organizations are allowed to release personal data to law enforcement agencies o No changes to other existing laws (e.g. search and seizure under the Criminal Procedure Code)
- 9. The Do Not Call Registry (Part IX) o If a person signs up with the Do Not Call Registry, organizations cannot call or message that person to try to • sell products or services • or offer business • or investment opportunities o unless the person has given consent o Also covers SMS messages (Sections 36 and 37).
- 10. DNC Registry – persons responsible o “sender”, means a person — • sends the message / makes a call, • causes the message to be sent / call to be made, or • authorises the sending of the message / making of the call
- 11. DNC Registry - duties o Duty to check the Register anytime within the period of 30 days before sending the message o Calling line identity not to be concealed o Clear and accurate information of persons who authorises the sending o Contact information of individual/organisation o Information provided to be reasonably for at least 30 days after message is sent
- 12. What organisations must do o Develop policies and practices to ensure compliance o Designation of key personnel to ensure compliance but organisation remains ultimately responsible o Staff education o Develop a complaints response process – e.g. a process to take in requests for correction of DP and withdrawal of consent o Transparency to the public regarding information of designated personnels and complaints response process o Seek legal advice
- 13. What individuals can do o Make a complaint to the Personal Data Protection Commission, who can • direct them to resolve it through mediation (Section 27), • or make an order against the organization to stop what it’s doing, destroy the data, and pay a penalty of up to $1 million o If the individual wants compensation, • start civil proceedings in court (Section 32) • seek compensation or an injunction
- 14. Are these practices safe under the Act? o NUTZ Supermarket runs a lucky draw contest and collects phone numbers and email addresses from 100,000 customers. 1. NUTZ hires a telemarketing company to call all the customers to offer them discount card membership 2. NUTZ shares the phone numbers with Krusty Cheese, a large supplier of NUTZ, so that Krusty can run a sales promotion 3. Jacky, the former IT manager of NUTZ, leaves to start his own business, and sends SMS to all customers telling them of his new venture 4. In order to investigate CBT by Jacky, NUTZ hands over the customer data to the police 5. Customers call NUTZ to complain, and are left on hold because no department is prepared to handle them