Answer ... (a) Data processing
There is no specific definition of ‘data processing’ set out in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.
(b) Data processor
The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use or disclosure of personal data pursuant to orders given by or on behalf of a data controller, whereby such person is not the data controller.
(c) Data controller
The PDPA defines a ‘data controller’ as a natural or legal person who has the power and duties to make decisions regarding the collection, use or disclosure of personal data.
(d) Data subject
There is no specific definition of a ‘data subject’ set out in the PDPA. However, it can be assumed that a ‘data subject’ is any individual who owns personal information and can be identified, directly or indirectly:
- via such personal information, such as a name, an ID number or location data; or
- via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
In other words, a ‘data subject’ is an end user whose personal data can be collected.
(e) Personal data
The PDPA defines ‘personal data’ as information that:
- directly or indirectly relates to an individual;
- stipulates specific requirements relating to certain types of data; and
- applies to the collection, use or disclosure of personal data.
(f) Sensitive personal data
There is no specific definition of ‘sensitive data’ set out in the PDPA. However, it can be assumed that ‘sensitive data’ is any data relating to race; ethnic origin; political view; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information.
(g) Consent
There is no specific definition of ‘consent’ set out in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the explicit consent of the data subject, either in writing or in electronic form, in order to collect his or her personal data.