Organisations Should Avoid Over-Collecting Personal Data
20 Aug 2014
Forum reply on The Straits Times, 20 Aug 2014
UNDER the Personal Data Protection Act, organisations such as mall and building management can collect the personal data of their customers as long as they have a legitimate legal or business purpose to do so, and have obtained their consent for the stated purposes, unless an exception applies ("Why show IC to claim free parking?" by Mr Chew Kai Seng, Aug 6; and "Surrendering ICs at buildings: Set guidelines to protect data" by Mr Francis Cheng, Forum Online, Aug 7).
Organisations should consider the specific circumstances when assessing whether it is reasonable to collect personal data. For example, some organisations may require visitors to provide their NRIC numbers before they are given entry into buildings, for security purposes.
Generally, organisations should avoid over-collecting personal data, including NRIC numbers, for business purposes. The practice described by Mr Chew (recording of NRIC details for free parking redemption) may appear to be an instance of over-collection of data, and we have contacted Mr Chew to follow up with the shopping mall concerned.
Organisations should consider whether there are alternative ways to address their requirements. For instance, for the purpose of free parking redemption, a shopping mall may wish to consider if collecting a customer's name or vehicle licence plate number would suffice.
Organisations should also review regularly if the personal data they collected should continue to be retained.
The Personal Data Protection Commission will work closely with the security and retail associations in Singapore to bring about better understanding of the requirements under the Act within these business communities, and will develop further guidelines to help them comply with the law.
Should individuals have concerns regarding the collection of their personal data by organisations, they can contact the Commission at info@pdpc.gov.sg.
Evelyn Goh (Ms)
Director, Communications, Planning & Policy
Personal Data Protection Commission
Tags: