The Personal Data Protection Act (or “PDPA”) is only concerned with data of an individual. Under the Act, an individual is “a natural person, whether living or deceased”. This means that the PDPA only applies to data of a human being, and does not apply to other legal persons or unincorporated entities (e.g. a company or a registered society). As such, protection under the PDPA is only accorded to personal data of natural persons.
The term “individual” would also include both living and deceased individuals. However, the PDPA applies to a limited extent in respect of the personal data of deceased individuals.
The term “personal data” covers all types of data from which an individual can be identified, regardless of whether it is accurate or false or whether it is in electronic or other form.
The key point to remember is that the PDPA only applies to personal data and that personal data has to be data about an individual. Some data will, on its own, relate to an individual e.g. an individual’s name. Other data may not, on its own, relate to an individual. The latter type of data would not constitute personal data unless it is made to relate to a particular individual. For example, a residential address by itself may not relate to an individual because there may be several individuals residing there. However, if the residential address is associated with a particular identifiable individual. it would be considered personal data.
It is important to note that in determining whether a particular data which an organisation possesses is Personal Data, one must not only look at the data itself but also the other data which the organisation can access.
Generic information that does not in themselves relate to a particular individual may however still constitute personal data protected under the PDPA if an individual can be identified when combined with other information. For example, generic information such as “male and aged 21″ is provided as part of a membership form which also identifies the individual’s full name. Such general characteristics will also constitute part of the individual’s personal data because the generic information read with other information would have been related to the specific individual.
Hence, even if the information is not directly identifying data, it may still be considered personal data if the organisation has access to other information that when taken together with the data will allow the individual to be identified. For example, if a company anonymises data collected from a customer survey by replacing the respondents’ names with randomly generated number tags, but the company still holds the key that can reverse the randomisation process, the collected data will still be able to identify individuals with the aid of the key and will thus be considered personal data.
Some obvious examples of personal data listed in the PDPA Guidelines include an individual’s full name, NRIC number, passport number, photograph, video image (including CCTV image), mobile telephone number, personal email address, thumbprint, DNA profile and, name when used in conjunction with a residential address.
If you are in possession of such data, then you will have obligations which apply to you under the PDPA.
For more information on the Personal Data Protection Act and what steps you need to take, please read our blog post on the six steps organisations should take to comply with the PDPA. Alternatively, you may wish to consider signing up for our PDPA Quick-Start Programme.
Should you have any queries or comments on the above note, kindly contact firstname.lastname@example.org.
If you like to continue receiving our regular updates, please “like” our Facebook page at https://www.facebook.com/gluu.asia or drop us an email to indicate your wish to subscribe at email@example.com.
Important Notice: The contents of this note are owned by its author and subject to copyright protection and, through international treaties, other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.
While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.