Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Yes, the processing of personal data includes ‘collection, use and disclosure’ of the same under the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). An individual’s consent is required before an organisation can collect, use or disclose such individual’s personal data unless otherwise required or authorised by law. Such consent must be validly obtained and may be either expressly given or deemed to have been given.

For consent to be considered validly given, the organisation must first inform the individual of the purposes for which his or her personal data will be collected, used or disclosed. These purposes have to be what a reasonable person would consider appropriate in the circumstances.

Consent obtained via the following ways does not constitute valid consent for the purpose of the PDPA:

  • where consent is obtained as a condition of providing a product or service, and such consent is beyond what is reasonable to provide the product or service to the individual; and
  • where false or misleading information is provided, or deceptive or misleading practices are used, to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing personal data.

The PDPA stipulates that consent is deemed to have been given in certain circumstances, specifically:

  • Deemed consent by conduct: where an individual voluntarily provides his or her personal data to the organisation for a particular purpose, and it is reasonable that the individual would voluntarily provide his or her personal data.
  • Deemed consent by contractual necessity: where the disclosure of personal data from organisation A to organisation B is necessary for the conclusion or performance of a contract or transaction between the individual and organisation A. This deemed consent by contractual necessity also extends to disclosure by B to another downstream organisation C where the disclosure by B (and collection by C) is reasonably necessary to fulfil the contract between the individual and A.
  • Deemed consent by notification: subject to the organisation’s fulfilment of pre-conditions, such as conducting an assessment to determine that the proposed processing of personal data is not likely to have an adverse effect on the individual, an individual may be deemed to have consented to the organisation’s collection, use or disclosure of his or her personal data for a purpose of which he or she has been notified. Under deemed consent by notification, the organisation must give the individual a reasonable period to opt out before it proceeds to collect, use or disclose the personal data. Consent for the collection, use or disclosure of the personal data is deemed to be given only after the opt-out period has lapsed.

While consent is generally required, the First and Second Schedules to the PDPA provide for specific situations where personal data can be collected, used or disclosed without the individual’s consent. Such exceptions to consent include those relating to:

  • vital interests of individuals;
  • public interests;
  • legitimate interests;
  • business asset transactions;
  • business improvement purposes; and
  • research.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

The PDPA does not expressly distinguish between the types and sensitivities of personal data. However, as a number of the Data Protection Provisions adopt a standard of reasonableness, the sensitivity of the personal data in question could, in practice, affect the regulatory outcome concerning a contravention of the relevant provision.

For instance, section 24 of the PDPA requires an organisation to make ‘reasonable security arrangements’ to protect personal data in its possession or under its control, in order to prevent:

  • unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
  • the loss of any storage medium or device on which personal data is stored.

The Personal Data Protection Commission (PDPC) has noted that organisations should take into account the sensitivity of personal data when deciding on the appropriate level of security arrangements needed to protect it.

Notably, the PDPC imposes more stringent guidelines concerning National Registration Identity Card (NRIC) numbers and other national identification numbers. According to the rules in the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (issued on 31 August 2018), organisations are generally not allowed to collect, use or disclose NRIC numbers and other national identification numbers unless such collection, use or disclosure is required under the law (or an exception under the PDPA applies), or is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The obligation to notify individuals stems primarily from the process of seeking valid consent for the processing of personal data. In particular, organisations are obliged to inform individuals of:

  1. the purposes for the collection, use or disclosure of his or her personal data, on or before collecting the personal data;
  2. any other purpose for the use or disclosure of personal data that has not been notified to the individual under (1), before such use or disclosure of personal data; and
  3. on request by the individual, the business contact information of a person who can answer the individual’s questions about the collection, use or disclosure of the personal data on behalf of the organisation.

Only after the above information has been notified to the individual can he or she be considered to have validly given his or her consent to the collection, use or disclosure of his or her personal data under the purposes made known to him or her.

While the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) requires that such notice be provided to the individual on or before the collection, use and disclosure of his or her personal data, there is no prescribed manner or form in which such a notice must be given.

Exemption from notification

When is notice not required?

The First and Second Schedules to the PDPA set out respectively certain circumstances where an individual’s consent need not be obtained for the collection, use and disclosure of his or her personal data. Accordingly, the requirement to notify the individual would generally not apply under such circumstances.

However, section 20(4) of the PDPA is an exception to this rule. On or before collecting, using or disclosing personal data about an individual for the purpose of, or in connection with, the organisation:

  • entering into an employment relationship with the individual or appointing him or her to any office; or
  • managing or terminating an employment relationship with, or the appointment of, the individual,

the organisation must notify the individual of that purpose, even though there is no requirement to seek consent.

Moreover, under section 20(5) of the PDPA, the organisation is also required to, upon request, provide the business contact information of a person who can answer questions about such processing of personal data.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The PDPA is primarily a consent-based regime. Individuals are provided with the right under section 16 of the PDPA to withdraw consent (including deemed consent) given to an organisation in respect of the collection, use or disclosure of personal data about the individual by that organisation for any purpose. The individual would need to give reasonable notice to the organisation before a withdrawal of consent. Upon receipt of such notice, the organisation would need to inform the individual of the likely consequences of the withdrawal of consent, and cannot prohibit the individual from withdrawing his or her consent. After the individual has withdrawn his or her consent, the organisation would be required to inform its data intermediaries and agents to similarly cease collecting, using or disclosing the personal data of this individual.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes, section 23 of the PDPA generally requires that organisations make a reasonable effort to ensure that the personal data they collect is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual or is likely to be disclosed by the organisation to another organisation. This is regardless of whether the personal data is collected directly by the organisation or on behalf of the organisation.

The Personal Data Protection Commission, in its Key Concepts Guidelines, has stated that an organisation must make a reasonable effort to ensure that:

  • it accurately records the personal data it collects (whether directly from the individual concerned or through another organisation);
  • the personal data it collects includes all relevant parts thereof (so that it is complete);
  • it has taken the appropriate (reasonable) steps in the circumstances to ensure the accuracy and correctness of the personal data; and
  • it has considered whether it is necessary to update the information.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Yes, section 25 of the PDPA provides that organisations (including data intermediaries) should cease to retain personal data, or remove the means by which it can be associated with particular individuals, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the data was collected, and that retention is no longer necessary for legal or business purposes. Such legal or business purposes may, for example, include situations where the personal data is required for an ongoing legal action involving the organisation, where retention of the personal data is necessary to comply with the organisation’s obligations under other applicable laws, or where the personal data is required for the organisation to carry out its business operations, such as generating annual reports or performance forecasts.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the purposes for which personal data can be used or disclosed by organisations are restricted to the purposes of which the individual concerned has been informed and to which he or she has given consent (where applicable). Further, an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Generally, fresh consent would need to be obtained where organisations are seeking to collect, use or disclose personal data for different purposes from those to which the individual concerned had given his or her consent.

Law stated date

Correct on

Give the date on which the information above is accurate.

10 May 2021