Personal Data Protection Act 2010

Jillian Chia recommends measures that can be taken to comply with the Act.
 
The Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013. Several regulations and orders were also issued in conjunction with the announcement of its enforcement date.
 
The transitional provisions in the PDPA require a data user (i.e. a person who processes or authorises or controls the processing of personal data) who has collected personal data prior to the enforcement of the PDPA, to comply with the PDPA within three months of the PDPA coming into operation. Based on a strict interpretation, any personal data collected after the PDPA came into operation would have to comply with the requirements of the PDPA.
 
With the PDPA in force and a short transition period for compliance, a data user may wish to consider the matters which are discussed below.
 
Audit personal data
 
An audit of all the personal data held (i.e. data which can identify an individual, such as name, identification numbers, contact numbers and addresses) should be the first step.
 
The initial audit should be carried out to separate essential data from non-essential data, and consideration should be given to whether unnecessary data can be deleted or destroyed.
 
Notification and consent forms
 
Once the initial audit has been completed, a data user should determine the groups of data subjects, namely the persons to whom the personal data relate, which require notification. For example, separate notification forms may be required for customers, suppliers, employees etc. as the scope of use of the personal data for each group may differ.
 
It would be advisable for a data user to work closely with its relevant business groups and legal advisers to determine the contents of the notification forms. When drafting a notice, the Notice and Choice Principle in the PDPA sets out a number of requirements which have to be complied with. These include the purpose of use, the third parties to whom the data may be disclosed and the contact details for submitting inquiries and complaints.
 
Consent for the use and processing of the personal data is also required from the data subject save where the data user intends to rely on the exceptions provided in the PDPA, such as where the processing of data is necessary for the performance of a contract to which the data subject is a party. When in doubt as to whether the exceptions apply, a data user should err on the side of caution and obtain consent from the data subject.
 
With respect to the form of consent acceptable under the PDPA, the Personal Data Protection Regulations 2013 (“Regulations”) stipulate that consent must be capable of being recorded and properly maintained by a data user. The requirement for the consent to be recorded, if interpreted conservatively, implies that consent by way of conduct, continued use or opt-out methods may not be sufficient, as it would not be possible for the data user to record such consent. However, this would be subject to the regulator’s interpretation and it remains to be seen whether implied consent, consent by way of conduct or opt-out consent would be accepted.
           
Access, correction, inquiries and complaints
 
The PDPA imposes an obligation on a data user to provide a data subject with the right to access and correct his personal data. These rights are required to be set out in the notice form. It would be advisable for a data user to appoint a designated officer who is charged with dealing with access and correction requests or any other matter relating to personal data. Although the designation of a data protection officer is not mandatory under the PDPA, from a practical standpoint, a specific person or department should be appointed as the PDPA imposes strict timelines within which requests for access and correction are to be complied with.
 
As complaints from data subjects are likely to be the triggers for enforcement actions against a data user, adequate procedures should be put in place to deal with complaints and inquiries. Complaints and inquiries should be dealt with expeditiously and escalation procedures should be provided for.
 
Security measures
 
The Security Principle under the PDPA requires personal data to be protected from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The PDPA also sets out the factors that should be taken into account when developing security measures, such as the nature of the personal data, the location where the data is stored and the security measures to be incorporated into equipment where the data is stored.
 
Personal data which are sensitive or critical and which may cause serious repercussions if lost, disclosed or damaged (such as credit card details, financial data or health-related information) should be afforded higher levels of security.
 
Levels of security placed on data storage equipment and databases should be looked into, as well as the access granted to personnel within the organisation. Where possible, access to personal data should be on a ‘need-to-know’ basis and limited to the extent necessary to perform obligations. A data user may also consider including a requirement for personnel who have access to personal data to sign non-disclosure or confidentiality agreements.
 
The Regulations require a data user to develop and implement a security policy in accordance with the security standards issued by the Personal Data Protection Commissioner (“Commissioner”). However, no security standards have been issued as yet.
 
Contracts with data processors
           
Where a data user uses a data processor (i.e. a person who processes data solely on behalf of a data user) to process personal data, the PDPA requires the data user to obtain sufficient guarantees from the data processor to protect the personal data. In addition, a data user must monitor compliance with such guarantees. In practice, this means that a contract with a data processor (e.g. where information technology or administrative functions are outsourced to a third party vendor or where marketing is handled by an external agent) should contain guarantees that any personal data received will be adequately protected. Preferably, back-to-back clauses should be incorporated so that the data processor is bound by the same obligations as the data user under the PDPA.
 
Storage of data at remote locations or on cloud storage platforms is commonplace these days. Therefore, a data user should ensure that the contracts with its storage or cloud providers require the data processor to protect personal data in accordance with the PDPA and the data user’s internal security policies.
 
Audit clauses and provisions granting the right to the data user to monitor and inspect its data processor’s systems should also be included in the contracts.
 
A data user may also consider seeking indemnities in the event its data processor defaults on its obligations. However, as a breach of the PDPA attracts not only fines but possibly also imprisonment, it should be noted that indemnities will not shield a data user from criminal liability.
 
Retention periods
 
As the PDPA only permits personal data to be kept for “as long as necessary”, retention periods should be stipulated for personal data which are in the data user’s possession. Retaining personal data in accordance with statutory requirements, such as the income tax retention period or the limitation period for commencing legal proceedings, would appear to be acceptable.
 
Retaining personal data beyond the relevant periods required by law is permissible if a data user is able to justify the retention of the data for that period (e.g. use of the data is still required, the agreement between the data user and data subject is still valid and being performed).
 
Awareness and training
 
It is imperative that all members of a data user’s organisation are made aware of the organisation’s obligations under the PDPA.
 
For example, a data user’s sales force must be aware that collection or use of personal data without consent and notification could potentially be in violation of the PDPA. Personnel who are tasked with dealing with data subjects should be given training on the standard operating procedures before collecting and using data, for example, by ensuring that the customer signs off on the consent and notice form and subsequently, submitting such form to the designated department for safe-keeping.
 
Although the PDPA does not provide for the reporting of breaches of the PDPA, it would be good practice for a data user to have an internal breach reporting system, and to take remedial action immediately upon discovery of any breach to avoid complaints being lodged with the Commissioner against the data user.
 
Registration as a data user
 
A data user who is included in any class of data users listed in the Personal Data Protection (Class of Data Users) Order 2013 (“Order”) is required to register with the Personal Data Protection Commission (“Commission”) within three months from the date that the PDPA came into force. The classes of data users are: communications, banking and financial institutions, insurance, health, tourism and hospitalities, transportation, education, direct selling, services, real estate and utilities.
 
Fees are chargeable for registration and it is envisaged that the registration is to be valid for 24 months, after which renewal is required.
 
As the grace period to apply for registration is short, a data user should submit its application without delay. If a data user falls into more than one of the classes specified, a separate application has to be filed for each class.
 
Exercise restraint
 
The PDPA requires that personal data be processed only for a purpose directly relating to the activity of the data user and should not be excessive. In this regard, the Privacy Commissioner for Personal Data in Hong Kong recently made a finding that the collection by a fitness centre of copies of identity cards and full birth date particulars of its members amounted to “excessive collection of personal data”. The data user has indicated that it will appeal against the decision.
 
Aside from the PDPA’s restrictions on data collection, a data user should also appreciate that the more personal data it holds, the more responsibilities it will assume in ensuring that the personal data is processed and protected in accordance with the data protection principles in the PDPA.
 
Thus, the rule of thumb for a data user is to exercise restraint and collect only personal data which are necessary for its operations.
 
Recommended compliance checklist

[Image: recommended compliance checklist, not reproduced in this text]