The hot topic these days (other than Medishield Life) is the PDPA, otherwise known as the Personal Data Protection Act.
Recently, you might have received communications from companies that you have a relationship with, informing you of certain things with regard to the Act.
The provisions relating to personal data protection come into effect today, 2 July 2014, while the provisions relating to the Do Not Call (DNC) Registry came into effect earlier, on 2 January 2014.
For most of us individuals, the DNC was the best thing about the PDPA.
Ever since I registered my number on the DNC Registry, the number of spam SMSes and phone calls has dropped significantly. Previously, a lot of the SMSes that I received were from real estate agents. These have stopped completely as the real estate companies are mostly compliant with the PDPA provisions pertaining to DNC.
If you have not registered your number on the DNC yet, you can refer to my instructions here:
How to Register on DNC
With regard to personal data protection, the Act governs how businesses can make use of our personal data, as well as our rights. These are the key points:
- You can request to access your personal data that an organisation has.
- You can also request to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request. However, in certain circumstances or in respect of certain types of personal data, organisations are prohibited from granting such access or may choose whether or not to provide such access.
- You can request an organisation to correct an error or omission in your personal data. The organisation should also send the corrected data to other organisations to which your data has been disclosed within a year before the correction is made. Unless there are reasonable grounds for a correction not to be made, the organisation should correct your data as soon as practicable.
- Organisations should make a reasonable effort to ensure that your personal data with them is accurate and complete, if your personal data is likely to be used to make a decision that affects you, or is likely to be disclosed to another organisation.
- Organisations should make reasonable security arrangements to protect personal data they possess or control, to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Organisations should stop keeping your personal data when it is no longer necessary for legal or business purposes.
- Organisations may only transfer your personal data outside of Singapore if the organisations put in place measures to ensure that the protection provided to the personal data transferred is comparable to the protection under the PDPA, unless exempted by the PDPC. The measures to be put in place will be prescribed in due course.
With the implementation of the PDPA, most forms now have an additional paragraph to cater for the clauses of the PDPA. An unfortunate consequence of this is that many existing forms have to be destroyed and replaced. The amount of paper that is wasted is staggering.
For more information on the PDPA, you can refer to the Personal Data Protection Commission website.