What every organization should know about the purpose limitation obligation
The Personal Data Protection Act of 2012 (PDPA) governs organizations’ collection, use, and disclosure of individuals’ personal data in a way that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Apart from the duties imposed on organizations by the PDPA, the Personal Data Protection Commission (PDPC), the data protection authority, has generally pushed for a culture of accountability. For example, in 2019, the PDPC developed the Data Protection Trustmark Certification, a voluntary enterprise-wide certification program for organizations to demonstrate accountable data protection procedures.
The PDPA recently underwent its first comprehensive revision since its enactment in 2012, as part of the Personal Data Protection (Amendment) Bill 2020, which was passed on November 2, 2020, and formally enacted as the Personal Data Protection (Amendment) Act of 2020. The majority of the Amendment Act’s provisions took effect on February 1, 2021. Most notably, a mandatory data breach notification regime was implemented, which requires organizations that experience a data breach to notify the PDPC and impacted persons of the data breach unless an exception applies.
PDPA’s Purpose Limitation Obligation
The obligation of organizations to collect, use and disclose personal data for the limited purposes specified in section 18 of the PDPA is referred to in these Guidelines as the Purpose Limitation Obligation.
Under Section 18 of the PDPA, it limits the purposes and extent to which an organization may collect, use, or disclose personal data. Specifically, section 18 provides that an organization may collect, use or disclose personal data about an individual only for purposes:
a) that a reasonable person would consider appropriate in the circumstances; and
b) where applicable, that the individual has been informed of by the organization (pursuant to the Notification Obligation).
The primary goal of the Purpose Limitation Obligation is to ensure that organizations only collect, use, and disclose personal data relevant to the goals and that they do so for legitimate purposes to fulfill their obligations. Purpose limitation obligations are in line with notification obligations in that they limit the purposes for which personal data may be collected, used, or disclosed to those that have been communicated in writing to the individuals involved in accordance with notification obligations (where applicable).
When determining the reasonableness of an objective for the purposes of Section 18 (and as specified in that section), the question is whether a reasonable person would consider it appropriate in the circumstances. Therefore, the specific circumstances surrounding the collection, use, and disclosure must be taken into account when determining whether the purpose of such collection, use, or disclosure is legitimate. It is unreasonable for a reasonable person to view an objective that violates the law or is damaging to the one being pursued to be appropriate.
Also Read: Understanding the mandatory data breach notification of Singapore
Breach of Purpose Limitation Obligations by Neo Yong Xiang
The recent incident involving Neo Yong Xiang underscores the importance of exercising the Purpose Limitation Obligation. After breaching the Purpose Limitation Obligation, Neo Yong Xiang was made to pay a whopping S$21,000 fine.
Between January 2020 and November 2020, there were 3,636 Do Not Call (DNC) complaints from persons who received specified messages even though their telephone numbers were registered with the DNC register. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at Yoshi Mobile (YM).
When consumers purchased pre-paid SIM cards from a Geylang Road mobile phone shop, they had no idea their personal information would be utilized to register more SIM cards for illicit sale. Regrettably, this was the case for at least 78 persons who acquired pre-paid M1 SIM cards from Mr. Neo Yong Xiang (“NYX”), the sole proprietor of Yoshi Mobile (“YM”).
The Commission’s investigations established that NYX abused the sim card registration procedure by using customers’ personal information without their consent to register for multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.
NYX acknowledged throughout the investigation that he registered the illicit SIM cards with the intent of selling them to gain additional money. NYX believed that he earned around $15,000 in three years of selling such unlawful SIM cards to unknown walk-in customers.
Personal data obtained and used by NYX to register illicit SIM cards include, but are not limited to, the following: 78 people’ personal data (used to register 94 SIM cards):
- (a) the customers’ names;
- (b) the customers’ addresses; and
- (c) the customers’ NRIC numbers and/or work permit numbers.
The Commission’s investigations established that NYX abused the sim card registration procedure by using customers’ personal information without their consent to register for multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.
On the facts of this case, NYX breached both the Consent Obligation and the Purpose Limitation obligation by using his customers’ personal data to register the illicit SIM cards for sale to anonymous buyers beyond the reasonable purpose and without the affected people’s consent. With this, the organization was made to pay a whopping S$21,000.
What we can get from this case is the importance of making sure that Organizations only collect, use, or disclose personal data of individuals for a purpose that a reasonable person would consider appropriate and applicable. As based on how the case was decided, when the Purpose Obligation was not complied with, a hefty fine can be imposed to the Organization.
With this, it is a must that Organizations collect, use, or disclose personal data of individuals based on the Purpose Limitation obligation or else face a whopping fine.
Also Read: Guarding against common types of data breaches in Singapore
0 Comments