Setting the Background
The PDPA is first and foremost a piece of legislation. When interpreting the law, it is always helpful to look at the purpose for which the law was enacted.
Section 3 of the PDPA provides that the purpose of the Act is to “govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
In other words, the Act seeks to balance the rights of the individual (to have their data protected) on the one hand and the need of organisations (to use that data for reasonable purposes) on the other.
This basic premise sets the appropriate backdrop and helps us to understand why the concept of consent is so crucial in this area of the law.
It stands to reason that if one is trying to protect the individual’s right to have their personal data protected, it must necessarily entail obtaining the consent of the individual before one even attempts to collect, use or disclose their data in the first place.
Consent
Consent of an individual can be obtained in many ways:
1. Express consent
– the clearest way in which an individual can give his consent
– this is usually done in writing, where the individual specifically gives his consent by signing a written document or, in the case of an electronic platform, clicks or ticks a box which says “I agree to _________” or “I hereby consent to ________”
– if consent is provided verbally, it is good practice to make sure that such verbal consent is recorded in written form
2. Implied consent
– this is sometimes referred to as, and is easier to understand as, 'consent by conduct'
For example, the terms and conditions of a bank’s typical credit card agreement usually provide that a customer consents to accept the terms and conditions when he uses his credit card for the first time.
3. Deemed consent
– under the PDPA, if certain conditions are satisfied, an individual (regardless of his intention) can be taken, in law, to have given his consent to the collection, use or disclosure of his personal data.
For this to work,
a. the individual must provide the data voluntarily
b. it is reasonable that the data be provided for that purpose
For example, a customer who gives his credit card to the cashier to make payment for an item is deemed to have given his consent for his personal data to be disclosed to the merchant and the bank in order to effect the payment transaction.
It is also important to highlight that the element of consent is inextricably linked to the notification obligation and the purpose limitation obligation.
Basically, in order for the consent of the individual to be valid, the individual must have been informed of the specific purpose(s) for which the personal data is being collected, used or disclosed before the consent is given. The purposes must be specific and the organisation cannot hide behind a “catch-all” provision commonly used in some legal documents.
Withdrawal of Consent
The consent of an individual to an organisation to collect, use or disclose his personal data can be withdrawn at any time. Upon receipt of such a notice of withdrawal, the organisation must, upon reasonable notice:
- explain the consequences of such a withdrawal. For example, that the organisation may not be able to continue to provide certain services.
- stop using the personal data of the individual and in most cases this would also involve deleting the personal data of the individual from the organisation’s system and ensuring that its agents/data intermediaries do the same. A common example of withdrawal of consent is a customer unsubscribing from an email newsletter mailing list.