Collection Of Personal Data: Commission Replies

12 Dec 2013

Forum reply on The Straits Times, 12 Dec 2013

BIRTH dates on their own do not qualify as personal data, as defined in the Personal Data Protection Act, since they cannot be used to identify specific individuals ("OK for stores to record IC data?" by Mr Francis Cheng; Dec 4). However, a person's NRIC number would qualify as personal data as it is unique to an individual.

Under the Act, an organisation may collect, use or disclose personal data only for purposes that are considered reasonable and appropriate in the circumstances. An organisation is required to notify individuals of such purposes, and seek their consent accordingly (unless any exception under the Act applies).

So, if an organisation wishes to disclose and use the personal data of its customers for other purposes - such as disclosing the data to third parties - that differ from what it has originally stated, it must obtain the consent of its customers before doing so. Failure to do so could constitute a breach of the Act.

With regard to the security of computer systems, should organisations determine that they need to store and retain the personal data collected because of legal or business needs, the Act requires them to make reasonable security arrangements to protect such data. This is to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Amos Tan (Mr)
Director, Communications & Operations
Personal Data Protection Commission

Tags: