Answer ... (a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, or the government, which alone or in conjunction with others processes data on behalf of the data controller.
(c) Data controller
A natural or legal person, or the government, which either alone or jointly with others has the authority to make a decision on the collection, obtaining, usage or disclosure of personal data.
(d) Data subject
A natural person who is the subject of the personal data.
(e) Personal data
Any information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data controller, including any sensitive personal data. Anonymised, encrypted or pseudonymised data which is incapable of identifying an individual is not personal data.
(f) Sensitive personal data
- data relating to access control (username and/or password);
- financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
- passport information;
- biometric data;
- information on the data subject’s physical, psychological or mental health conditions;
- medical records;
- details pertaining to an individual’s ethnicity or religious beliefs; and
- any other information for the purposes of the draft bill and rules issued thereunder.
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the collection, obtaining and processing of his or her personal data.