(a) Data processing
‘Data processing’ is defined in the Personal Data Protection Act (PDPA) as “the carrying out of any operation or set of operations in relation to the personal data”, and includes any of the following:
- recording;
- holding;
- organisation, adaptation or alteration;
- retrieval;
- combination;
- transmission; and
- erasure or destruction.
(b) Data processor
The PDPA uses ‘data intermediary’ instead of ‘data processor’ to describe an organisation that processes personal data on behalf of another organisation.
A data intermediary that processes personal data on behalf of another organisation pursuant to a contract which is evidenced or made in writing will be subject to the provisions relating to protection of personal data (referred to in the PDPA as the ‘protection obligation’) and the retention of personal data (the ‘retention limitation obligation’), and not any of the other data protection provisions.
(c) Data controller
The term ‘data controller’ is not used in the PDPA. The more general term ‘organisation’ is used when prescribing the data controller obligations required for compliance with the PDPA.
An ‘organisation’ broadly covers natural persons, corporate bodies (eg, companies) and unincorporated bodies of persons, regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.
(d) Data subject
In the context of the PDPA, ‘data subjects’ are referred to as ‘individuals’, defined as “natural persons, whether living or deceased”.
The term ‘natural person’ refers to a human being, distinguished from juridical persons or ‘legal persons’, which are other entities that have their own legal personality and are capable of taking legal action in their own name. An example of such a ‘legal person’ is a body corporate, such as a company.
The term ‘natural person’ would also exclude unincorporated groups of individuals such as an association which may take legal action in its own name.
(e) Personal data
‘Personal data’ is defined in the PDPA as data, whether true or not, about an individual who can be identified:
- from that data; or
- from that data and other information to which the organisation has or is likely to have access.
The term ‘personal data’ is not intended to be narrowly construed and may cover different types of data about an individual from which that individual can be identified, regardless of whether such data is true or false or whether the data exists in electronic or other form.
(f) Sensitive personal data
There is no category for sensitive personal data in the PDPA. Generally, some data types deemed to be of a more sensitive nature include:
- an individual’s national identification number (eg, National Registration Identity Card);
- personal financial data (eg, transaction and summary details in bank accounts);
- an individual’s personal history (eg, criminal convictions); and
- medical conditions.
(g) Consent
Section 13 of the PDPA prohibits organisations from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his or her consent for the collection, use or disclosure of his or her personal data.
This requirement to obtain consent does not apply where the collection, use or disclosure of an individual’s personal data without consent is required or authorised under the PDPA or any other written law. This obligation to obtain the individual’s consent is referred to as the ‘consent obligation’ in the PDPA.
There are two kinds of consent: deemed and actual. Consent is deemed if both:
- an individual, without actually giving consent, voluntarily provides the personal data to the organisation for the relevant purpose; and
- it is reasonable that the individual would voluntarily provide the data.
Consent (both actual and deemed) can be withdrawn by an individual at any time. Organisations are not permitted to prevent an individual from withdrawing his or her consent. However, organisations must inform the individual as to the legal and business consequences of the withdrawal. If consent is withdrawn, an organisation and its data intermediaries must stop collecting, using or disclosing personal information unless such collection, use or disclosure without the consent of the individual is required or authorised under the PDPA or other written law.