Personal data is defined in the PDPA as:
“data, whether true or not, about an individual who can be identified —
a) from that data; or
b) from that data and other information to which the organisation has or is likely to have access”.
When is data considered “Personal Data”?
Basically, data is considered “Personal Data” if the information is about an identifiable individual.
However, the nature of data is also important.
Certain types of data are more likely to identify an individual,
(i) Data assigned exclusively to an individual (e.g. NRIC, passport number, full name), or
(ii) Data of a biological nature (e.g. DNA, facial image, fingerprint, iris prints).
In general, fewer data elements are required for a dataset to constitute personal data if it contains data points or data elements that are more unique to an individual.
In contrast, more generic information, such as gender, nationality, age, height, weight or blood group, will unlikely be able to identify a particular individual. However, such generic data may constitute part of the individual’s personal data if it is combined with other information.
Example:
Organisation BCD conducts a street survey to look at spending habits of households. Their data fields include, full name, NRIC no., telephone no., age range, gender and average amount spent on household items per month.
The dataset constitutes personal data of the individuals as they can be identified from the dataset.
However, if Organisation BCD only collects information on the average amount spent on household items, gender, and age range, the dataset may not constitute personal data as it is unlikely to identify the individuals.
What are the types of personal data the that PDPA does not apply to?
The PDPA does not apply to the following categories of personal data:
1. Personal data that is contained in a record that has been in existence for at least 100 years; and
2. Personal data about a deceased individual who has been dead for more than 10 years
3. Business contact information, not provided by an individual solely for personal purposes (eg. name, business telephone no., business address/email address)
As such, organisations are not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other obligation in the Data Protection Provisions in relation to business contact information.
Example:
John attends a corporate seminar and drops his business name card (containing his name, position, handphone number, business number, business address, business email address) into a glass bowl at the registration booth as he wants to be on their mailing list to attend future seminars. John did not provide his business name card for personal purposes, hence the information on his business card would not constitute personal data.
