---
title: 'Lecture 07 PDPA'
disqus: hackmd
---
:::info
ST2502 Computer Law & Investigation
:::
Lecture 07 Personal Data Protection Act
===
<style>
img{
/* border: 2px solid red; */
margin-left: auto;
margin-right: auto;
width: 80%;
display: block;
}
</style>
## Table of Contents
[TOC]
Background
---
- PDPA aims to strengthen & entrench sg's competitiveness & position as a trusted, world-class hub for businesses
Data Privacy & Personal Data
---
### Data Privacy
- data privacy - right to prevent release of personal info to the public
- in sg, personal data is protected under the Personal Data Protection Act 2012 (PDPA)
- administered by the Personal Data Protection Commission (PDPC)
### Personal Data
- personal data - data abt an indiv who can be identified from that data
- doesn't matter whether the data is true or false
- only certain rules apply to personal data of the deceased
- protection lasts up to 10 years after death
- covers electronic & non-electronic data
#### Examples
- unique identifiers
- NRIC
- set of data that, put tgt, will identify an indiv
- name, age, job, address
- includes

#### NRIC Collection Rules
- illegal for orgs to hold on to indiv's NRIC & collect its full num
- penalty up to 1 mil
Personal Data Protection
---
- PDPA comprises rules governing
- collection
- use
- disclosure
- care of personal data
- PDPA recognises both
- rights of indivs to protect their personal data
- includes rights of access & correction
- needs of orgs to collect, use or disclose personal data for legit & reasonable purposes
#### PDPC's Decision
- breach of protection obligation by Tan Tock Seng Hospital, 4 Nov 2019
- warning issued to Tan Tock Seng Hospital for failing to implement reasonable security arrangements to prevent unauthorised disclosure of patients' personal data
- 85 notif letters asking patients to reschedule appointments were sent to wrong addresses
### PDPA's Coverage
- any organisation (grp of peeps), whether or not
- formed or recognised under sg law
- resident or having an office/place of business in sg
#### Doesn't Cover
- indiv acting in a personal/domestic capacity
- Eg. personal friends
- employee acting in the course of employment with an org
- Eg. as employee
- public agency, or org acting on behalf of a public agency, in relation to collection/use/disclosure of personal data
- Eg. gov service - civil service
### Key Concepts
- consent
- orgs can collect/use/disclose personal info only with the indiv's knowledge & consent
- has exceptions
- purpose
- orgs can collect personal data, in a manner appropriate to the circumstances, only if they have informed the indiv of the purposes for collection
- reasonableness
- orgs can collect only for purposes that a reasonable person would consider appropriate in the given circumstances
### Overview of Data Protection Regime

#### Discussion





### Case Studies









### Disposal of Data in Electronic Media
- physical destruction of the media itself to render the stored data inaccessible
- Eg. cut it up/smash it
- disposal of the data in the media only
- specialised software tools used to securely erase all data in the media
- just moving files to the recycle bin is insufficient, as the data remains recoverable even after the bin is emptied
- companies can choose their disposal method as long as the data cannot be recovered
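Added illustration (not from the lecture) of the recycle-bin point above: a toy block device in which "delete" only drops the index entry, so a raw scan still finds the data, while a secure erase overwrites the blocks first. The `Disk` class, block layout and sample letter are all constructed for this example.

```python
# Added example: toy block device showing why "delete" is not "erase".
# Disk, BLOCK and the sample contents are constructed for illustration only.
import secrets

BLOCK = 64  # bytes per block in the simulated medium


class Disk:
    def __init__(self, blocks: int) -> None:
        self.raw = bytearray(BLOCK * blocks)   # the raw medium
        self.free = list(range(blocks))        # unallocated block numbers
        self.index = {}                        # filename -> list of block numbers

    def write(self, name: str, data: bytes) -> None:
        blocks = []
        for i in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            self.raw[b * BLOCK:(b + 1) * BLOCK] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            blocks.append(b)
        self.index[name] = blocks

    def delete(self, name: str) -> None:
        # "Empty the recycle bin": free the blocks, touch none of the bytes.
        self.free.extend(self.index.pop(name))

    def secure_erase(self, name: str, passes: int = 3) -> None:
        # Secure-erase tool: overwrite every block of the file before freeing it.
        blocks = self.index.pop(name)
        for b in blocks:
            for _ in range(passes):
                self.raw[b * BLOCK:(b + 1) * BLOCK] = secrets.token_bytes(BLOCK)
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)  # final zero pass
        self.free.extend(blocks)

    def carve(self, needle: bytes) -> bool:
        # A recovery tool ignores the index and scans the raw medium directly.
        return needle in self.raw


def demo() -> tuple:
    """Return (recoverable after delete, recoverable after secure erase)."""
    secret = b"NRIC S0000000X (constructed sample), appointment letter"
    d1, d2 = Disk(8), Disk(8)
    d1.write("letter.txt", secret)
    d1.delete("letter.txt")            # recycle bin emptied, bytes untouched
    d2.write("letter.txt", secret)
    d2.secure_erase("letter.txt")      # overwritten before the blocks are freed
    return d1.carve(b"S0000000X"), d2.carve(b"S0000000X")
```

On real SSDs wear levelling may remap writes, so an in-place overwrite is not guaranteed to hit the original cells; that is why the lecture's test is whether the data can be recovered, not which tool was used.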
### Points to Note
- companies are liable for employees' acts/breaches of the PDPA
- engaging external service providers to dispose of docs containing data doesn't relieve companies of their PDPA obligations to protect the data
#### Examples
- PDPC fines SingHealth for data breach
- https://www.todayonline.com/singapore/pdpc-slams-singhealth-being-overly-dependent-ihis-metes-out-total-s1-million-fines-over?cid=h3_referral_inarticlelinks_03092019_todayonline
- recent personal data leak by the Singapore Accountancy Commission
- https://www.straitstimes.com/singapore/singapore-accountancy-commission-accidentally-leaks-personal-data-of-6541-people?utm_source=STSmartphone&utm_medium=share&utm_term=2019-11-22+18%3A16%3A16
### Do Not Call Registry
- PDPA provides for the establishment of a national __do not call (DNC) registry__
- DNC registry allows indivs to register sg telephone nums to opt out of receiving marketing phone calls, mobile text msgs & faxes
- email ads are regulated by the Spam Control Act instead
- covered
- B2C marketing msgs
- Eg. offer to supply, advertise or promote goods/services
- includes voice calls, SMS/MMS/texts, faxes
- not covered
- B2B marketing
- personal calls & SMSes
- market research/surveys
- msgs by public agencies for non-commercial programmes
- doesn't include msgs sent w/o use of phone nums
- Eg. cell-broadcast
- orgs are obliged to check the DNC registry within 30 days of doing marketing
- unless they have clear & unambiguous consent in evidential form
- must display their ID, contact info & originating num
- indiv registers phone num with the DNC registry
- num added to registry
- num remains there unless the indiv deregisters or terminates the service
#### Is it Effective?
- https://www.straitstimes.com/forum/letters-in-print/do-not-call-registry-does-not-appear-to-stop-unsolicited-messages-calls
More PDPA Cancer
---
- collection, use & disclosure of personal data
- consent required
### Part IV - Collection, use & disclosure of personal data





### Part V - Access to & correction of personal data

### Part VI - Care of personal data


### Part IX - Do not call registry



###### tags: `CLI` `DISM` `School` `Notes`