Answer ...
(a) Data processing
The term ‘processing’ under the Personal Data Protection Act (PDPA) covers two activities: ‘processing’ and ‘use’. Under the PDPA, ‘processing’ refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file. ‘Use’ refers to the act of using personal data through any method other than processing.
(b) Data processor
The PDPA does not specifically adopt any of the terms used in European countries – such as ‘data controller’, ‘data processor’ or ‘data owner’ – to refer to the relevant parties involved in personal data-related activity, although these concepts are embedded in the PDPA. Under the PDPA, a ‘data processor’ is a person or entity that is retained by another to perform data processing activities.
(c) Data controller
Again, the PDPA does not explicitly adopt this term in its text; it simply subjects ‘government agencies’ and ‘non-government agencies’ to two different sets of rules in regard to personal data-related activities.
(d) Data subject
Under the PDPA, the term ‘data subject’ refers to an individual whose personal data is collected, processed or used.
(e) Personal data
The PDPA defines ‘personal data’ as a natural person’s name, date of birth, identity card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, details of his or her sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning his or her social activities and any other information that may be used to directly or indirectly identify that person.
(f) Sensitive personal data
Personal data pertaining to an individual’s medical records, healthcare, genetics, sex life, physical examination and criminal records is categorised as ‘sensitive personal data’ and is subject to special protection.
Pursuant to the PDPA, consent must be informed and express, with only one exception. This applies where, at the time the data is collected, the data subject is advised of the notification matters required under the PDPA and surrenders his or her data to the data controller without objection after being duly informed.