Personal Data Processing Policy

A.   Introduction

The Personal Data Protection Act 2012 (“PDPA”) was introduced as Singapore’s first general data protection law and came into force in 2014. It governs the collection, use, disclosure and care of an individual’s Personal Data (as defined hereinafter) by organisations. It recognises both the rights of individuals to have their Personal Data protected, including having rights of access and correction, and the needs of organisations to collect, use and/or disclose Personal Data for legitimate and reasonable purposes. The PDPA further established the Personal Data Protection Commission (“Commission”) which, among other objectives, promotes awareness of data protection in Singapore and administers and enforces the PDPA.

Institute of Distance Psychology Pte Ltd (the “Company”) is committed to protecting the Personal Data of individuals and to fully complying with the PDPA. Accordingly, all employees of the Company must, as part of their job duties, comply with this Personal Data Protection Policy (“Policy”) and the procedures set out herein in respect of activities such as collection, use, disclosure or (cross border) transfer of Personal Data.

B.   What is Personal Data?

In this Policy, “Personal Data” means data, whether true or not, about an individual who can be identified (1) from that data or (2) from that data and other information to which the Company has access.

Personal data may inter alia include the following:

  • Name and residential address
  • Age
  • Profession
  • Family status
  • Information with respect to psychological counselling
  • NRIC (National Registration Identity Card) Number or FIN (Foreign Identification Number)
  • Passport number
  • Photographs or video images of an individual
  • Mobile telephone number
  • Personal email address
  • Thumbprint
  • DNA profile

Personal Data should not be confused with Business Contact Information, which is not covered by the PDPA and this Policy. “Business Contact Information” means an individual’s name, position name or title, business telephone number, business address, business email address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.

C.   How is the PDPA relevant for the Company?

The Company is a provider of psychological counselling services. Personal Data may be collected from its clients/customers, business contacts, employees, directors and other individuals, and such Personal Data may be used and/or disclosed by the Company from time to time in the course of its business.

D.   Collection, Use and/or Disclosure of Personal Data

The Company will only collect, use and/or disclose Personal Data in accordance with this Policy and in compliance with the PDPA.

The Company may collect Personal Data especially (but not exclusively) in the following situations:

  • when an individual accesses the Company’s website or performs an online transaction;
  • when an individual requests to be included in the Company’s mailing list;
  • when an individual signs up for alerts, newsletters or other marketing material;
  • when an individual makes a purchase or request for services; and/or
  • when an individual applies for a job with the Company.

I.       Consent for Collection, Use and/or Disclosure of Personal Data

The Company will only collect, use and/or disclose Personal Data with the respective individual’s knowledge and consent (save where the exceptions set out in the PDPA apply).

1. Deemed consent and exceptions to the consent obligation

a. Deemed consent

No consent needs to be obtained if consent is deemed to be given by virtue of law.

This is the case where

  • an individual, without actually giving consent, voluntarily provides the Personal Data to the Company for the purpose for which the Company intends to collect, use and/or disclose such information; and
  • it is reasonable that the individual would voluntarily provide the Personal Data.

If an individual gives, or is deemed to have given, consent to the disclosure of Personal Data about him/her by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use and/or disclosure of the Personal Data for that particular purpose by that other organisation.

b. Exceptions to the consent obligation

Consent from the individual is not required for the collection, use and/or disclosure of Personal Data under the circumstances pursuant to the Second, Third and/or Fourth Schedule of the PDPA respectively (as set out in Annex II).

In particular, consent of an employee is not required where the Company collects, uses and/or discloses Personal Data of an employee only for the purposes of managing or terminating his/her employment. Insofar as the Company intends to collect, use and/or disclose Personal Data for purposes other than the management or termination of employment, consent is in general required (save where other exceptions apply).

2. How is consent to be obtained

Where consent is required, such consent should in general be obtained in writing. Please refer to the notice to be given in accordance with section II. 1. below.   

3. Withdrawal of consent

An individual may at any time withdraw his/her consent (or deemed consent) for the collection, use and/or disclosure by the Company of his/her Personal Data for any purposes. He/she may do so by giving the Company reasonable notice of the withdrawal. Upon receiving such notice, the Company will inform the individual of the consequences of withdrawing consent, and thereupon cease (and cause its data intermediaries and agents to cease) collecting, using and/or disclosing the Personal Data, as the case may be, unless the collection, use and/or disclosure of the Personal Data is required or authorised under the PDPA or other written law.

II.      Purposes of Collection, Use and/or Disclosure of Personal Data

The Company will only collect, use and/or disclose Personal Data for purposes that a reasonable person would consider appropriate in the circumstances, and where the individual has been notified.

The Company may collect, use and/or disclose Personal Data especially (but not only) for the following purposes:

  • conducting and completing transactions; processing orders and payments;
  • conducting marketing and promotional activities;
  • providing customer services including responding to an individual’s queries and requests and responding to complaints;
  • where an employee’s Personal Data is concerned, for managing a central database of all the company’s employees and for immigration, employment and payroll purposes (especially including determining and reviewing salaries, incentives, bonuses and other benefits; consideration for promotion, career development, training, secondment or transfer, performance monitoring, health and safety administration and security and access control);
  • processing employment applications including pre-employment checks;
  • complying with the compliance and disclosure requirements of any and all governmental and/or quasigovernmental departments and/or agencies, regulatory and/or statutory bodies (e.g. Inland Revenue Authority of Singapore, the Central Provident Fund Board); and/or
  • purposes relating thereto.

An individual shall not be required as a condition of the provision of a product or service by the Company, to consent to the collection, use and/or disclosure of his Personal Data beyond what is reasonable to provide the product or service to that individual. Further, the Company may not obtain or attempt to obtain consent for collecting, using and/or disclosing personal data by (i) providing false or misleading information with respect to the collection, use and/or disclosure of the Personal Data, or (ii) using deceptive or misleading practices.

1. How an individual is to be notified of the Company’s purposes

An individual must be informed of the purposes for the collection, use and/or disclosure of his/her Personal Data, on or before such Personal Data is collected. Such notification shall generally be in writing, and may be given in a form similar to the one set out in Annex I, Part 2.

Where the individual concerned is an employee of the Company and the Company collects, uses and/or discloses his/her Personal Data only for the purpose of managing or terminating the employment relationship, consent for such collection, use and/or disclosure is not required and a mere notification would suffice. Such notification may be given by including a clause in the respective employment contract (in the form as set out in Annex I, Part 1). Each employee should be duly notified of the purposes for which his/her Personal Data may be collected, used and/or disclosed.

Notification is not required where (i) the individual is deemed to have consented to the collection, use and/or disclosure of his/her Personal Data (see section I. 1. a. above); or (ii) the exceptions to the requirement for consent (as set out in the Second, Third and Fourth Schedules to the PDPA, see Annex II) apply.

This Policy shall be made available to all employees of the Company. The Company’s board of directors shall ensure that all employment contracts (inclusive of older, already concluded contracts) include clauses incorporating this Policy into their employment agreement and contain clauses in which the employee gives his/her consent to the use, collection and/or disclosure of Personal Data insofar as may be required pursuant to the PDPA.

2. Change in purpose

The Company shall inform the individual and obtain his/her consent (unless consent is not required) where it wishes to use his/her Personal Data for a purpose which it has not yet informed the individual of or for which it has not yet obtained the individual’s consent. This may be done in the form as set out in Annex I, Part 2.  

III. Special treatment of Identification Numbers and Identification Documents

The Company acknowledges that NRIC numbers, FINs, work permit numbers, passport numbers, birth certificate numbers, driver’s licence numbers and similar identification numbers (“Identification Numbers”) as well as the identification documents containing these Identification Numbers (“Identification Documents”) are/contain Personal Data of utmost sensitivity. The following section III.1. addresses the collection, use and/or disclosure of Identification Numbers. Where Identification Numbers are referred to, such reference shall always apply to copies of Identification Documents as well. Furthermore, section III.2. addresses the retention of physical Identification Documents.

For the avoidance of doubt, a partial identification number (up to the last 3 numerical digits and checksum) shall not be considered as an Identification Number for the purpose of this document. Still, even partial identification numbers may be Personal Data and consequently be subject to the provisions of the PDPA.

1. Collection, use and/or disclosure of Identification Numbers

The Company will not collect, use or disclose Identification Numbers unless

  • such action is required under the law (see section III.1.a. below);
  • an exception from the consent requirement under the PDPA applies and the collection, use and/or disclosure of the Identification Number is reasonable;
  • such action is necessary to accurately establish or verify the identity of an individual to a high level of fidelity (see section III.1.b. below).

The Company furthermore takes the special risks and potential impacts of any unauthorised use or disclosure of personal data associated with Identification Numbers seriously and will provide a great level of security to protect the Identification Numbers/Identification Documents in its possession or under its control.

Before collecting, using and/or disclosing an Identification Number, the Company will assess whether the purpose it pursues with such action can be achieved by collecting, using and/or disclosing data less sensitive than an Identification Number.

a. Collection, Use or Disclosure of Identification Numbers which is required under the law

Where the collection, use or disclosure of an Identification Number is required under the law, the Company may do so without the individual’s consent. However, it will still notify the individual of the purpose of such action.

The Company is especially required under the law to collect and keep in its records the identity card number or foreign identification number of each of its employees (within the definition of the Singapore Employment Act). While the Company does not require an employee’s consent for such action, it will inform the employee of the pursued purpose.

b. Necessity to accurately establish or verify the identity of an individual to a high level of fidelity

In certain circumstances the Company may find it necessary to accurately establish or verify the identity of an individual to a high degree of fidelity. In these cases, it may collect, use and/or disclose an individual’s Identification Number with the individual’s consent. The individual has to be notified of the purposes of the collection, use and/or disclosure before consent is obtained.

A necessity to accurately establish or verify the identity of an individual to a high level of fidelity may in general especially exist where a failure to do so would lead to a significant safety or security risk or pose a risk of significant impact or harm (for example of reputational, financial, personal or proprietary nature) to an individual and/or the Company.

Where an individual’s Identification Number (or a copy of the individual’s Identification Document) is collected, used and/or disclosed based on the necessity to accurately establish or verify the identity of an individual to a high level of fidelity, the Company will keep appropriate records documenting such justification. On request of either the concerned individual or the Commission, the Company will make information about the justification available.

2. Retention of physical Identification Documents

The Company will not retain an individual’s physical Identification Document unless such retention is required under the law.

E.    Accuracy

Whenever collecting Personal Data, employees shall ensure that the data collected is accurate and complete, if it is likely to be used by the Company to make a decision that affects the individual to whom the Personal Data relates (for example: Personal Data of job applicants), or is likely to be disclosed to another organisation (for instance other companies in the Company’s group of companies). To ensure the accuracy of Personal Data collected, the PDPO (as defined below) should where appropriate and/or necessary:

(a) review collected data for obvious discrepancies from time to time;

(b) request an individual to update his/her Personal Data where such information is obviously outdated;

(c) request from an individual supporting documents;

(d) seek a declaration from the individual providing the Personal Data that the information provided is accurate and complete.

F. Retention of Personal Data; Destruction of Personal Data no longer required

The Company shall destroy (such as by shredding physical documents and deleting electronic files of documents containing Personal Data) and cease to retain all documents containing Personal Data and remove the means by which the Personal Data can be associated with an individual, as long as it is reasonable to assume that such Personal Data is no longer required for the purpose for which it has been collected or which is no longer necessary to be retained for legal or business purposes. The same applies to Personal Data pertaining to which consent for the intended collection, use and/or disclosure has been withdrawn.

Generally, no Personal Data shall be retained for a period of longer than seven years after the original purposes, for which the Personal Data was collected, have ceased to be applicable, unless otherwise required by law or other mandatory directions by court or government authorities or for purposes of legal proceedings or other similar proceedings or investigations.

G.   Personal Data Protection Officer

A Personal Data Protection Officer (“PDPO”) shall be appointed by the Company in accordance with the PDPA.

I.       The Company’s PDPO

The Company’s PDPO is Sebastian Blasius.

His contact details are

Email: Sebastian.Blasius@Luther-Lawfirm.com

Tel.: +6564088114

II.      Ensuring compliance with the PDPA

The above named PDPO is an external advisor and shall merely act as a readily reachable contact person for data protection related questions. Within the Company’s organisation, Pavel Khoroshutin shall be responsible for ensuring the Company’s compliance with the PDPA (“PDPA Compliance Officer” or “PDPA CO”) and this Policy. The PDPA CO shall especially (but not exclusively) take over the following day-to-day duties.

1. Maintenance of Personal Data File

The PDPA CO shall be responsible for the digitalisation and/or filing of any collected Personal Data, notices and consents from individuals relating to the collection, use and/or disclosure of their Personal Data in a designated “Personal Data File” together with (i.) the date of collection, (ii.) the period of maximum retention and (iii.) information about how the Personal Data has been used. The PDPA CO should ensure that the Personal Data File is always up to date and be in a position to always reply to inquiries of individuals about the use of their respective Personal Data during the last twelve months. The PDPA CO shall check once a year whether all digitalised and/or filed Personal Data has been filed as described.

2. Security and Protection of Personal Data

The PDPA CO shall further ensure that the Personal Data in the Company’s possession or under its control is protected. The Company is obliged to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These may include physical measures and technical measures such as the following:

  • Restricting employee access to confidential documents on a need-to-know basis;
  • Marking confidential documents clearly and prominently;
  • Ensuring computer networks are secure;
  • Installing appropriate computer security software and using suitable computer security settings;
  • Updating computer security and IT equipment regularly.

Employees should also set passwords for their respective computer system and activate a self-locking mechanism for the computer screens, if their computers are left unattended for a certain period of time.

In case of any complaint of any individual or if the PDPA CO has been informed by anybody of a possible data breach, he/she must immediately look into the matter. Where the PDPA CO can confirm at least the suspicion of a data / PDPA breach, he/she must inform the board of directors to discuss the necessary measures.

3. Access to Personal Data

The PDPA CO shall on written request of an individual as soon as reasonably possible, in any case no later than 30 days from the date of request, inform such individual about any of his/her Personal Data which the Company has collected, used and/or disclosed and that is in the Company’s possession or under its control. If the Personal Data has been transferred to a data intermediary[1] processing the Personal Data under the Company’s control, the Company must also take into account the Personal Data which is in the possession of the data intermediary. Individuals are also entitled to be informed about the ways in which their Personal Data has been or may have been used or disclosed by the Company within a year before the date of the request.

The written request needs to identify the individual making the request and state which Personal Data and information about its use and/or disclosure is requested.

Before informing an individual, the PDPA CO has to verify the identity of the requesting individual. For such verification, it is sufficient if the individual presents his/her passport in person or provides the PDPA CO with a photocopy of his/her passport.

If any of the situations mentioned in section 21 (3) or in the Fifth Schedule of the PDPA (as reproduced in Annex III attached hereto) applies, the PDPA CO shall inform the individual requesting the information that in accordance with the law, no information about any Personal Data will be provided. Where it is possible to provide the Personal Data without providing any of the aforementioned excluded information, the PDPA CO provides the requesting individual with such information.

The PDPA CO shall not inform any individual that the Company has disclosed his/her Personal Data to a prescribed law enforcement agency, if the disclosure was made without the consent of the individual pursuant to paragraph 1 (f) or (n) of the Fourth Schedule of the PDPA (as reproduced in Annex II, Part 3 attached hereto) or under any other written law.

The Company may charge a reasonable fee for providing the individual access to his/her Personal Data. If such fee shall be charged, the PDPA CO needs to provide the individual with a written fee estimate in advance. No fee shall be charged if the requesting individual has not been informed of the fees prior to the Company retrieving the requested data.

A record in the Personal Data File shall be kept of all access requests received and processed, documenting clearly whether the requested access was provided or rejected.

4. Correction of Personal Data

Upon written request of an individual, the PDPA CO should correct any error or omission concerning any Personal Data the Company holds about the individual as soon as practicably possible unless there are reasonable grounds for this correction not to be made. The Sixth Schedule of the PDPA (as reproduced in Annex IV attached hereto) sets out certain circumstances under which the Company does not need to correct Personal Data. The corrected data should also be sent to any third party to which the Personal Data has been disclosed within a year before the date the correction was made, unless the other organisation does not need the corrected Personal Data for any legal or business purpose.

The written request needs to identify the individual making the request and to state which Personal Data shall be corrected and how. Before correcting an individual’s Personal Data, the PDPA CO should verify the identity of the requesting individual. The identity of the individual may be verified through the following means:

(a) by him/her providing the PDPA CO with a photocopy of his/her IC or passport, or his/her IC or passport number; or

(b) by verifying his/her phone number.

H. Transfer of Personal Data

Personal Data may be transferred by the Company outside Singapore from time to time. However, the Company will not transfer Personal Data outside Singapore unless it is ensured that the recipient complies with the obligations under the PDPA in respect of the transferred Personal Data while it remains in the possession or under the control of the Company and that the Personal Data will be accorded a level of protection which is comparable to the protection under the PDPA. Therefore, no employee or officer of the Company shall transfer Personal Data to a country or territory outside Singapore unless the recipient is bound by legally enforceable obligations to provide to the Personal Data transferred a standard of protection that is comparable to that under the PDPA. In this regard, legally enforceable obligations include obligations imposed on the recipient under:

  • A law to which the recipient is bound;
  • Any contract which requires the recipient to provide to the Personal Data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA, and specifies the countries and territories to which the Personal Data may be transferred under the contract;
  • If the recipient is related to the Company: any binding corporate rules according to which a comparable level of protection for any Personal Data transferred is ensured. The binding corporate rules must specify the following:
    • the recipients of the transferred Personal Data to which the binding corporate rules apply;
    • the countries and territories to which the Personal Data may be transferred under the binding corporate rules; and
    • the rights and obligations provided by the binding corporate rules.

For example, legally enforceable obligations are ensured if Personal Data is transferred to a recipient in Germany which has data protection laws which afford a level of protection to personal data which is at least comparable to the standard of protection under the PDPA. If Personal Data will be transferred by the Company to territories other than Germany, the Company should take steps to ensure that the recipient is bound by legally enforceable obligations to provide the transferred personal data with at least a similar level of protection as under the PDPA.

The Personal Data may also be transferred outside of Singapore, if

  • The Company has obtained written consent from the affected individual, provided that:
    • The individual has been provided with a reasonable summary in writing of the extent to which the Personal Data to be transferred to that country or territory will be protected to a standard comparable to the protection under the PDPA;
    • The individual was not required to consent to the transfer as a condition of the provision of a product or service, except where the transfer is reasonably necessary to provide the product or service to the individual; and
    • The Company did not obtain the individual’s consent through false or deceptive means;
  • The transfer is part of the performance of a contract between the Company and the individual;
  • The transfer is necessary for the conclusion or performance of a contract between the Company and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
  • The transfer is necessary for the use and/or disclosure in certain situations where the consent of the individual is not required under the PDPA (as set out in Annex II) and the Company has taken reasonable steps to ensure that the Personal Data will not be used or disclosed by the recipient for any other purpose; or
  • The Personal Data is in transit or publicly available.

I.   Overview

The table below sets out a short overview of the obligations discussed above and the relevant sections of the PDPA (and, where applicable, the Personal Data Protection Regulations 2014).

|  | Relevant PDPA Sections |
| --- | --- |
| Notification required? | S 20 |
| Consent required for collection? | S 13 to 17; 2nd Schedule |
| Consent required for use? | S 13 to 17; 3rd Schedule |
| Consent required for disclosure? | S 13 to 17; 4th Schedule |
| Access Personal Data and correction | S 21 & 22; 5th & 6th Schedule |
| Cross Border Restrictions? | S 26, Part III of Personal Data Protection Regulations 2014 |
| Security / accuracy and retention restrictions apply? | 23, 24 & 26; 5th & 6th Schedule |

J.    Do-Not-Call List

According to the PDPA, any company that wants to engage in telemarketing activities needs to comply with the Do-Not-Call provisions under the PDPA. If the Company wishes to send marketing messages (which includes calls as well as text messages) to a Singapore telephone number, it should first obtain the clear and unambiguous consent of the individual. In the absence of such consent, the Company will check and ensure that the telephone number is not on a Do-Not-Call register maintained by the Commission.

K.    Data Protection Breaches

Any discovered or suspected breach of personal data protection law must immediately be brought to the attention of the PDPO.

L.   Consequence of Non-Compliance

All employees of the Company must ensure compliance with this Policy. Any breach thereof may lead to disciplinary actions, including summary dismissal.

[1] “Data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.

Annex I

Part 1: Notification to be included in employment agreements

Notification that shall be included in all employment agreements:

“In the course of this employment, the Employer will be collecting, using and/or disclosing personal data of the Employee. In this regard, personal data shall mean data about the Employee, through which the Employee can be identified, whether on its own or when used together with other information, to which the Employer has access (‘Personal Data’). Personal Data shall only be collected, used and/or disclosed for the purpose of managing the employment hereunder, in particular for payroll, tax compliance, insurance, immigration and performance evaluation purposes whereby such evaluation shall include the evaluation as to whether the Employee is suited for being assigned to customer projects. The Employer will always assess the reasonableness of the Personal Data collection, use and/or disclosure. The Employer will only retain Personal Data for as long as the same is required for the purpose of managing the employment hereunder or for such duration as required under applicable laws.

The Employee understands and acknowledges that the Employer will be using and disclosing his Personal Data to other entities of the Employer’s group of companies (“Employer’s Company Group”), and such other persons as may be necessary for the purposes of managing a database of employees of the Employer’s Company Group, and the Employee hereby agrees to the use and disclosure of his personal data for the purposes set out above.”

Part 2: Consent (example)

This passage could be used to obtain the consent of any individual for the collection, use and/or disclosure of his/her Personal Data or to obtain the consent of an employee for the collection, use and/or disclosure of his/her Personal Data for purposes other than managing his employment.

“I understand and acknowledge that Institute of Distance Psychology Pte Ltd will collect and use my personal data and disclose it to […name of 3rd party to whom the personal data will be disclosed…].

This happens for the following purposes: [… if data is collected/used/disclosed for different purposes, it might be recommendable to set out which data is collected/used/disclosed for which purpose…].

I hereby agree to the collection, use and disclosure of my personal data for the purposes set out above. I understand that this consent can be withdrawn by me at any time.

 

____________________

[Name of individual/employee]

Date: [Date]”

Annex II

Part 1: SECOND SCHEDULE OF THE PDPA – Collection of personal data without consent

An organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual in any of the following circumstances:

  • the collection is necessary for any purpose that is clearly in the interest of the individual, if consent for its collection cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
  • the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
  • the personal data is publicly available;
  • the collection is necessary in the national interest;
  • the collection is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
  • the collection is necessary for evaluative purposes;
  • the personal data is collected solely for artistic or literary purposes;
  • subject to paragraph 2 of this Schedule, the personal data is collected by a news organisation solely for its news activity;
  • the personal data is collected for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
  • the collection is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
  • the personal data is collected by a credit bureau from a member of the credit bureau to create a credit report, or by a member of the credit bureau from a credit report provided by the credit bureau to that member in relation to a transaction between the member and the individual;
  • the personal data is collected to confer an interest or a benefit on the individual under a private trust or a benefit plan, and to administer such trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be;
  • the personal data was provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual;
  • the personal data is included in a document —
      (i) produced in the course, and for the purposes, of the individual’s employment, business or profession; and
      (ii) collected for purposes consistent with the purposes for which the document was produced;
  • the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual;
  • subject to the conditions in paragraph 3 of this Schedule, the personal data —
      (i) is collected by an organisation, being a party or a prospective party to a business asset transaction with another organisation, from that other organisation;
      (ii) is about an employee, customer, director, officer or shareholder of the other organisation; and
      (iii) relates directly to the part of the other organisation or its business assets with which the business asset transaction is concerned;
  • the personal data was disclosed by a public agency, and the collection is consistent with the purpose of the disclosure by the public agency; or
  • the personal data —
      (i) was disclosed to the organisation in accordance with section 17(3) of the PDPA; and
      (ii) is collected by the organisation for purposes consistent with the purpose of that disclosure.

Part 2: THIRD SCHEDULE OF THE PDPA – Use of personal data without consent

An organisation may use personal data about an individual without the consent of the individual in any of the following circumstances:

  • the use is necessary for any purpose which is clearly in the interests of the individual, if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
  • the use is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
  • the personal data is publicly available;
  • the use is necessary in the national interest;
  • the use is necessary for any investigation or proceedings;
  • the use is necessary for evaluative purposes;
  • the personal data is used for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
  • the use is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
  • subject to the conditions in paragraph 2 of this Schedule, the personal data is used for a research purpose, including historical or statistical research; or
  • the data was collected by the organisation in accordance with section 17(1) of the PDPA, and is used by the organisation for purposes consistent with the purpose of that collection.

Part 3: FOURTH SCHEDULE OF THE PDPA – Disclosure of personal data without consent

An organisation may disclose personal data about an individual without the consent of the individual in any of the following circumstances:

  • the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way;
  • the disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
  • subject to the conditions in paragraph 2, there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way;
  • the personal data is publicly available;
  • the disclosure is necessary in the national interest;
  • the disclosure is necessary for any investigation or proceedings;
  • the disclosure is to a public agency and such disclosure is necessary in the public interest;
  • the disclosure is necessary for evaluative purposes;
  • the disclosure is necessary for the organisation to recover a debt owed by the individual to the organisation or for the organisation to pay to the individual a debt owed by the organisation;
  • the disclosure is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
  • the personal data is disclosed by a member of a credit bureau to the credit bureau for the purpose of preparing credit reports, or in a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual;
  • the personal data about the current or former students of the organisation, being an education institution, is disclosed to a public agency for the purposes of policy formulation or review;
  • the personal data about the current or former patients of a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248) or any other prescribed healthcare body is disclosed to a public agency for the purposes of policy formulation or review;
  • the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer;
  • the disclosure is for the purpose of contacting the next‑of‑kin or a friend of any injured, ill or deceased individual;
  • subject to the conditions in paragraph 3 of this Schedule, the personal data —
      (i) is disclosed to a party or a prospective party to a business asset transaction with the organisation;
      (ii) is about an employee, customer, director, officer or shareholder of the organisation; and
      (iii) relates directly to the part of the organisation or its business assets with which the business asset transaction is concerned;
  • subject to the conditions in paragraph 4, the disclosure is for a research purpose, including historical or statistical research;
  • the disclosure is for archival or historical purposes if a reasonable person would not consider the personal data to be too sensitive to the individual to be disclosed at the proposed time; or
  • subject to the conditions in paragraph 5 of this Schedule, the personal data —
      (i) was collected by the organisation in accordance with section 17(1) of the PDPA; and
      (ii) is disclosed by the organisation for purposes consistent with the purpose of that collection.

Annex III

    Part 1: Section 21 (3) PDPA

    An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to —

    • threaten the safety or physical or mental health of an individual other than the individual who made the request;
    • cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
    • reveal personal data about another individual;
    • reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
    • be contrary to the national interest.

    Part 2: FIFTH SCHEDULE OF THE PDPA – Exceptions from access requirement

    An organisation is not required to provide information under section 21(1) of the PDPA in respect of —

    • opinion data kept solely for an evaluative purpose;
    • any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    • the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    • personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre;
    • a document related to a prosecution if all proceedings related to the prosecution have not been completed;
    • personal data which is subject to legal privilege;
    • personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
    • personal data collected, used or disclosed without consent, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
    • the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act —
        1. under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration;
        2. under any written law; or
        3. by a court, arbitral institution or mediation centre; or
    • any request —
        1. that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
        2. if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
        3. for information that does not exist or cannot be found;
        4. for information that is trivial; or
        5. that is otherwise frivolous or vexatious.

    Annex IV

    SIXTH SCHEDULE OF THE PDPA – Exceptions from correction requirement

    Section 22 of the PDPA shall not apply in respect of —

    • opinion data kept solely for an evaluative purpose;
    • any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    • the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    • personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or
    • a document related to a prosecution if all proceedings related to the prosecution have not been completed.