PDPA compliance for the social service sector
When an organization, such as a voluntary welfare organization (VWO), collects, uses, or discloses an individual's personal data, it is obliged to comply with the provisions of the PDPA unless it is acting on behalf of a public agency. Failure to comply will result in a hefty fine.
PDPA compliance for the social service sector: Consent, Purpose Limitation, and Notification Obligations
The Revised Advisory Guidelines for the Social Service Sector of 2014 provide that whenever an organization undertakes activities relating to the collection, use, or disclosure of personal data, it is required to obtain consent from the individuals and notify them of such collection, use, and disclosure, unless exceptions apply.
Under the revised guidelines for PDPA compliance for the social service sector, the PDPC does not state any specific manner of obtaining consent from individuals, which means that how consent is acquired is at the discretion of the Organization.
PDPA compliance for the social service sector: Considerations in obtaining consent
According to the Revised Advisory Guidelines for the Social Service Sector of 2014, in relation to the consent obligations of VWOs prior to the collection, usage, or disclosure of personal data of individuals, these VWOs should consider:
a) Whether the individual (or a person who has the legal authority to validly act on behalf of the individual) had been notified of the purposes for the collection, use, or disclosure of his personal data and had given consent to such collection, use, or disclosure;
b) If consent had not been given, whether consent can be deemed to have been provided by the individual (or a person who has the legal authority to validly act on behalf of the individual) for the collection, use, or disclosure of his personal data for the purpose; and
c) Whether the collection, use, or disclosure without the consent of the individual is required or authorized under the PDPA or any other written law, in particular, assessing whether the circumstances fall within any of the exceptions from the Consent Obligation in the Second, Third or Fourth Schedules to the PDPA.
PDPA compliance for the social service sector: Access and Correction Obligation
As provided under Section 21(1) of the PDPA, PDPA compliance for the social service sector also includes providing the following upon the request of the individual:
a) personal data about the individual that is in the possession or under the control of the Organization; and
b) information about the ways in which that personal data has been or may have been used or disclosed by the Organization within a year before the date of the individual’s request.
Furthermore, under Sections 22(1) and 22(2) of the PDPA, individuals may request a correction of their personal data or its omission from the possession of the Organization. The Organization must make the necessary corrections upon receipt of the correction request unless the Organization is satisfied on reasonable grounds that the correction should not be made.
Hiring a Data Protection Officer (DPO) and PDPA compliance for the social service sector
Organizations that collect, use, and disclose data are covered under the PDPA. From what we have learned from the PDPC decision and undertakings, if there is a breach, regardless of its cause (i.e. even if it was a mere mistake by an employee), the Organization could be made to pay a hefty fine of up to S$1,000,000. To avoid this, the appointment of a DPO comes into play.
The DPO's importance lies in ensuring that all PDPA compliance requirements are met. Every Organization covered by the PDPA is required to appoint DPOs to ensure that no breach will happen any time in the future.
This is because the DPO is tasked with the following responsibilities to limit any data breach:
a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the VWOs, as well as other data protection practices to ensure compliance with the PDPA and making information about this policy available to all stakeholders;
b. Raising awareness and fostering a culture of data protection among staff and key personnel;
c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and
d. Alerting the VWOs to any risks that might arise concerning the collection, use, or disclosure of personal data.