MYTH 1:
“I am a One Man Show / small company, so the PDPA doesn’t apply to me. Only large companies must comply with the PDPA.”
FACT:
The PDPA applies to all organizations, regardless of size. This would include companies, non-governmental organizations, charities, religious organizations, informal associations, private schools, etc.
MYTH 2:
“I can gather as much information as I want from my customers and staff. You never know when the information will come in useful”
FACT:
You may collect personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and you may collect, use or disclose an individual's personal data only for the purpose(s) for which that individual has given consent.
A useful question to ask: Do I actually need this personal data for the stated purpose?
For instance, it is probably not necessary, for business purposes, to collect the date of birth of clients attending a conference.
MYTH 3:
“I can transfer personal data to my headquarters in another country, because we are all part of the same company.”
FACT:
Under the PDPA, an organisation that wishes to transfer personal data outside Singapore must ensure that the transferred data receives a standard of protection in the receiving country that is comparable to the protection required under the PDPA. Being part of the same corporate group does not by itself satisfy this requirement.
MYTH 4:
“As long as a DPO has been appointed, the business is deemed to have already satisfied the requirements of the PDPA.”
FACT:
Appointing a DPO is only the first step. The DPO must be adequately equipped with the relevant knowledge to ensure the organisation's compliance with the PDPA. The organisation should then audit how personal data flows through it and assess the associated risks, prepare standard operating procedures for handling personal data, and develop appropriate standard forms. All staff need adequate training, and the organisation needs a contingency plan for responding to a data breach.
MYTH 5:
“I am allowed to collect data about a person such as gender and date of birth, without asking permission, because it is not personal data.”
FACT:
“Personal data” has a broad meaning in the PDPA. It refers to:
(i) data which, on its own, allows an individual to be identified (e.g. name or NRIC number), and
(ii) data which, in combination with other data that the organisation has or is likely to have access to, allows an individual to be identified.
For instance, data such as a person's height (163 cm), gender (female), race (Indian) and residential location (Blk 215 Woodlands Road) may not seem particularly “personal” when viewed in isolation, but taken together they could be enough to identify a specific individual. Gender and date of birth are therefore personal data when held alongside such other data, and collecting them requires consent.