Data Protection in the Practical Context: Strategies and Techniques [1 ed.] 9789811133763

Table of contents :
Chapter 1 The Context of Protecting Personal Data
Chapter 2 The Practical and Conceptual Framework
Chapter 3 The Concept of Personal Data
Chapter 4 Notification Obligation
Chapter 5 Consent Obligation
Chapter 6 Purpose Limitation Obligation
Chapter 7 Data Protection by Design and Default
Chapter 8 Access and Correction Obligations
Chapter 9 Care of Personal Data
Chapter 10 Transfer Limitation Obligation
Chapter 11 Other Notable Provisions in the European Union
Chapter 12 Looking Ahead

Citation preview

MONOGRAPH SERIES

Data Protection in the Practical Co t xt Strategies and Techniques Hannah YeeFen Lim

~ Academy ~ Publishing

DATA PROTECTION IN THE PRACTICAL CONTEXT Strategies and Techniques

ABOUT TH EM ONOGRAPH SERIES

The se1ies aims to publish treatises providing in-, 2.66, 2.82, 9.38

C Central Depository (Pte) Ltd and Toh-Shi Printing Singapore Pte Ltd (2016) SGPDPC 11... .................................. 2.62, 2.66, 2.90, 9.37, 9.46 Challenger Tech nologies Ltd and Xirlynx Innovations [201 6) SGPDPC 6 .............................................................. 2.61, 2.66, 9.37, 9.46 Chua Yong Boon Justin (2016) SGPDPC 13 .................................................... 9.83 Cellar Door Pte Ltd, The, and Global Interactive Wo rks Pte Ltd (2016) SGPDPC 22 ..................................... 2.44, 7. 1, 7.34, 9.44 College van burgemeeste r en wethouders van Rotterdam v MEE Rijkeboer C-553/07, ECLI:EU:C:2009:293,Judgment of 7 May 2009 ....................... 8.61, 8.62, 8.63, 8.67, 8.71 Comfort Transportatio n Pte Ltd and CityCab Pte Ltd [2016) SGPDPC 17 ..................................................................................... 3.128

D Duck v Bates (1884) 13 QBD 843 ................................................................... 5. 110

l1•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••i::: •••••••••••••••••••: ::.:\~ xxxii

xxxiii

Table of Casp,s

-----

E Erin Andrews v Marriott International Inc, et a.I IIC-48311 (Tenn Ci r' Davidson Co ' 20 16) ................. 1.8, 1.17, 1.18 ' 283 . •7-21

F Fci Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3 ....................................................... ...... .......... 2.10, 2.44 2 66 2.89, 9.35 Fu Kwec Kitchen Catering Services and Pixarl Ptc Ltd ' .15 [2016] SGPDPC 14 ............................................................2.14, 2.45, 2.46 2 S2 , 2.53, 2.66, 7.33

9'

93

Full House Communications Pte Ltd ' ·6 [2016] SGPDPC 8 ..................... ................. ....................... .. 2.57, 2.66, 6.60, 6, 63

Table of Cases Para

p

Recdcrci Karl SchlOtcr Gmb!-1 & Co and pamm crl vA]penhof v Heller Join ed Cases C-585/08 ]-lol.C . I C- 111. /09, ECLl:EU:C:2010: 740 .......... .... ...... ................................ ...... . I. 7r." an~ Breyer v Bundesrepublik Deutschland, Pat;c ; 11, Opinion of Advocate General Campos 582 Sanchez-Bordona of 12 May 2016 ........................ ............. 3.37, 3.15, 3.16, 3.47 ealty Pte Ltd [2017] SGPDPC I ................... ............... ... ......... ........ 2.55 propne X R '

R R,..flles Town Club v Lim Eng Hock Peter , [201 3] l SLR 374 ....... ............................ ........................ ........ ..................... 5.1 13

s

G

GMM Technoworld Pte Ltd [2016] SGPDPC 18 .... ........... ...2.15, 2.51, 2.52, 2.SS 2.66, 7.33 9 36 Google Spain SL and Google In c v Agencia Espanola ' · de Proteccion de Datos (AEPD) and Mario Costeja Gonz.ilez, C-131/ 12,.Judgmen l of 13 May 2014 •······················ ···················1.80

I Instituti on of Engineers Singapore, The [20 16] SGPDPC 2 ............................................. ......... 2.43, 2.55, 2.66, 2.90, 9.3S

Singapore Computer Society [2016] SGPDPC 9 ·······:···....... 2.54, 2.55, 2.66, 9.37 Smiling Orchid (S) Pte Ltd, T2 Web Pte Ltd, Cybers1te Services Pte Ltd and East Wind Solutions Pte Ltd [2016] SGPDPC 19 .................................................................... 2.15, 2.47, 2.48, 2.50, 2.52, 2.66, 7.33, 9.36 Spandeck Engineering (S) Pte Ltd v Defence Science & Technology Agency [2007] 4 SLR(R) I 00 ..... ........................................................................... .... 1.50 Spear Security Force Pte Ltd [2016] SGPDPC 12 .................................. . 2.57, 2.66

T

J

Telstra Corp Ltd v APRA (1997) 191 CLR 140 ............................... ............... 5.110

JP Pcppcrdine Group Pte Ltd [2017] SGPDPC 2 ........................... .........2.55 9 36 Jump Rope (Singapore) [2016] SGPDPC 21 ................................. 2.59, 2.66,'2.95, 6.34, 6.35, 6.36, 6.37, 6.40, 6.41, 6.42, 6.43, 6.44

Universal Travel Corp Pte Ltd (2016] SGPDPC 4 ........................ 2.39, 2.40, 2.66, 4.7, 5.9, 9.37

K

y

K Box Entertainment Group Pte Ltd and Finantech Holdings Pte Ltd [2016] SGPDPC I ................ ............. ...2.41 2 42 2 66 2 88 2.90, 2.91, 9.35, 9.46 Maximillian Schrems v Data Protection Commissioner C-362/ 14, ECLl:EU:C:2015:650, Judgment of ' 6 October 2015 ············································· ·····················...············· .......... l0.22

Yestuition Agency [2016] SGPDPC 5....................................................... 2.58, 2.66

u

M Metro Pte Ltd [2016] SGPDPC 7 My Digital Lock Pte Ltd [20l ] SGPDPC· 6

...........................2.54, 2.55, 9.35 20········ ·································2·60, 2.66, 2.82, 5.127, 5.171, 9.37

x.xxiv

XXXV

CHAPTER

1

The Context of Protecting Personal Data

1.1

In the business-friendly economic climate of Singapore, the Government resisted introducing any regulations on personal data protection for well over a decade. The commonly heard unofficial reason was that such regulations would increase compliance costs for businesses, especially for small and medium enterprises. Indeed, this was also a concern echoed in the Public Consultation Issued by Ministry of Information, Communications and the Arts: Proposed Consumer Data Protection R.egi,me for Singapore, where it was stated that "[o]rganisations may not necessarily incur high costs in order to comply with the proposed general DP regime". 1 In fact, the final end-product of Singapore's Personal Data Protection Act 2012 2 ("the Act") is a relatively light-touch regime that would not, in effect, have a huge impact on costs for organisations in meeting compliance obligations. 1.2

The pragmatic view is that without strong personal data protection practices, organisations will incur even greater costs and losses under other statutes, at common law and equity as a result of personal data breaches and other mishandling of personal data. Organisations sho':11_d not view practising good personal data protection as incurring additional and unnecessary compliance costs, but rather, the more

2

Ministry of Information , Communications and the Arts Public Consultation Issued uy Ministry of Information, Communications and' the Arts: Proposed Consumer Data Protection Regi,me for Singapore ( 13 September 2011) at para 3.3; see also generally paras 3.3-3.5. Act 26 of 2012.

Data. Protection in the Practical Context The Context of Protecting Personal Data

helpful approach would be to view it as part of good or a . . processes and essential costs that need to be incurred . g nisationaJ . . in niuch same way that costs are mcurred m protecting other as b the sets elo . to the organisations. nging

1.3 The stated intentions at the early stages of the development f was "to create a balance between the need to protect in°d. t~e Act IVIduaJs, . . . , personal d ata agamst orgamsauons need to obtain and pro .. cess such 3 data for legitimate and reasonable purposes". It was acknowled that personal data had become increasingly valuable for business ged more easily collected and processed with infocomm technolo es and gy and . hence, the proposed personal data protection regime sou h ' . d"1vi'd u al s ' personaI d ata agamst · · 1 g t to safeguard m misuse. The Minist Information, Communications and t11e Arts ("MICA") stated tha7t:C personal data protection regime was intended "to protect the interes~ of consumers and deliver economic benefits for Singapore"" with the result that this "will strengthen and entrench Singapore's position as a trusted hub for businesses, a key national economic strategy for Singapore". 6 1.4 These were the ideals at the early stages of the consultation process. However, by the time the Act was passed, section 3 of the Act stated a much narrower intention: 7 The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner tha~ recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

3

4

5 6

7

Ministry of Information, Communications and the Arts, Public Consultation Issued l,y Ministry of Information, Communications and the Arts: Proposed Consumer Data Protection Regi,me for Singapore ( 13 September 2011) at para 1.2 and Ministry of Information, Communications and the Arts, Public Consultation Issued l,y Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 1.1. Ministry of Information, Communications and the Arts, Public Consultation Issued l,y Ministry of Information, Communications and the Arts: Proposed PersonalDataProtection Bill (19 March 2012) at para 1.2. . Ministry of Information, Communications and the Arts, Public Consuttatum Issued l,y Ministry of Information, Communications and the Arts: Proposed PersonalDataProtection Bill (19 March 2012) at para 1.1. . Ministry of Information, Communications and the Arts, Public eonsuttatio;; Issued l,y Ministry of Information, Communications and the Arts: Propose PersonalDataProtection Bill (19 March 2012) at para 1.2. Personal Data Protection Act 2012 (Act 26 of2012) s 3.

2

5 . " u oses mat a reasonable person ~he words at the end of secu~n 3~h: c?:cumstances", wholly delimits would consider appropna~ed i: protection regime, rendering ilie Act the purpose of the per~ona ; t at ersonal data protection. Th_e a rawer schizophrernc atte t~d for the protection of personal data IS standard that we Act has adop af ding individuals' personal data no longer the lofty one of s e~arthe rights of individuals only for . s b t ne of protecung . • ..... against misuse u O Id consider appropnate m u,e able person wou d bl and uncertain standar • Purposes that a reason. h'ch is a weak, mova e . h ..... circumstances, ~ i_ dard of ri ht or wrong against wh1c u1e There is no obJecuve stan b g erridden by expediencies: ilie protections are sou?ht. ~-farmse~:ut e u:der the exemptions for the large number of situauon~ s Second Third and Fourth Schedules of requirement of consent 1_11 e ' the Act is testimony to t111s. 1. 6 . f h k harms that personal data This chapter outlmes some o t e ey . rotection law in general aims to address so as to raise awarenes~ of ilie ~ultifaceted issues involved in protecting personal ~ata. It will also ound lucid reasons for organisations to achieve a level of exp . . . s· compliance above that required by the legislation m mgapore.

A.

IDENTIFYING THE HARMS

1.7 There are numerous types of harms that can follow from breaches of personal data protection and some of these have been played out in other jurisdictions. It is instructive to examine some scenarios that have taken place.

1.

The

Erin Andrews case

1.8 An ideal first scenario to consider is the US case of Erin Andrews v Marriott International Inc, et af ("Erin Andrews") . 10 Whilst the case itself 8

9

10

Ministry of I~ormation, Communications and the Arts, Public Consuliation Issued l,y Ministry of Information, Communications and the Arts: Proposed Personal Data Protection Bill (19 March 2012) at para 1.2. llC-48311 (Tenn Cir, Davidson Co, 2016). 1;_es Bieler, "Erin Andrews awarded $55 million in peephole lawsuit" , 'he Washington Post (7 March 2016).

3

Data Protection in the Practical Conlext The Context of Protecting Personal Data

was not litigat ed on grounds of p e rso nal d ata _protect'.on law, the facts would fit squarely ~t.hi~ personal data protecuon law if the s~me set of facts were to occur 111 Smgapore. Th e US case was argued pnmari)y on negligence and tJ1e same facts would arguably also support a negligence claim in Singa pore. 1.9 Erin Andre':s is sportscaster and t~I_evi~ion host who was stalked by Michael DaVJd Barrett 111 three U~ ~Jties_111 2008. Barrett was convicted for the stalking offences. In the CIVIi suit, Andrews su ed the operators of the Nashville Marriott Hotel and Barrett. In response to questions that Barrett posed , e mployees of the hote l h ad confi rme d to Barrett tJrnt Andrews was a guest at th e hotel. The e mployees h a d initially granted his request for a room next to Andrews but Barre tt was later informed that the room was not available. Ba rre tt then we nt to the hotel restaurant and used a house phone to as k to be co nnected to Andrews' room. When Barrell was connected , the house phone displayed Andrews' room number on the pho n e . Knowing in which room Andrews was staying, Barrett then we nt to tJ1e front d esk to book the room next to Andrews. 11 1.10 Whilst staying in the room n ext to Andrews ', Ba rrett used a camera phone to digitally film Andrews while she was getting dressed in her room without her knowle dge or consent. In his d e position, Barrett admitted to removing the peephole from Andrews ' door so he could film her naked. 12 Barrett initially tried to sell the videos but was unsuccessful; he then uploaded the nude videos of Andrews onto the Internet. 13 Andrews filed a civil lawsuit alleging negligence, negligent infliction of emotional distress and invasion of privacy against the operators of the hotel and similar claims against Barrett. 11

I.ll . compute i· scie n ce professo r testified th at a n esti ~ate 1 At the tna ,6a8 million Jeople had viewed some of th e video o nlm e, of at least. 1 . 1 11 · bsit es "' Evidence was also tendered . 1 cling on pornograp I C we . . ,nc '.' J .al I13 t Andrews "suffere d and continues to. suffer senous dunng t 1e tn t · 1 d . t ss 1s re •, · · d horrible m ental a nguish and e mot10na . · · ells e motional me ntal u-uury an · luding sleeplessn ess, depress10n, a nxiety, crym g sp , . inc b rsts nightmares, unpleasant m e ntal reactions, fright, horr?r, gnef, out 11 • h ·n disappo mtme nt sham e, humiliation , emb an--a.ssme nt, anger, c agn , , ·ry" 16 Ii1 short as a direct result of what h a ppe n e d, Andrews a n d WOI . ' 17 sulTe red a m edical or psychiatric disorder. 1.12

Davidson County Circuit Court judge Gayden found that the op~rators of the hote l were pa rtia lly liable a nd left it to th e jury to ~ e te rmme the apportionment of liability. The jury fo und Barre tt 51 % hable and ~e operators of the hote l liable for 49% of the US$55m compensauon awarded to Andrews . 18 1.13

This case highlights a number of significant aspects of p e rsonal data protection law. First, the liability of the employer for the mishandling of personal data by its employees is real and can be quite substantial. The hote l e mployees had disclosed to Barrett that Andre ws was a guest at the hotel, which clearly constitute d disclosure of p e rsonal data about Andrews without consent. 1.14

Second, the internal hotel telephone system was not set up to protect the personal data of its guests, and this too was a breach of personal data protection that the hotel had to be held accountable for. The

15 11

12 13 14

Des Bieler, "Erin Andrews awarded $55 million in peephole lawsuit" The Washington Post ( 7 March 2016) . Deposition video, Erin Andrews Civil Trial Day 4 Part 3 02/ 29/16, available at https://v."MY.youtube.com/ watch?v=6mIS3jKBGes&noredirect=l (acce=d 1July2016) . Frank Rosario & Danika Fears, "Erin Andrews' stalker revealed his creepy peephole_ technique" Page Six Magazine (29 Febrnary 2016). . LexisNex1s Le~l Newsroom Litigation, "Erin Andrews Files Civil Suit for ln~ion_of Pnvacy, Negligence" (28 July 201 0) available at https: / / ~ lexisnex.is.com( legalnewsroom/ litigation/ b/ new-lawsuit-filings/ a~chive/ 2010/ 07/ 28/ enn-andrews-files-civil-suit-for-invasion--0f-privacy-neghgence. aspx (accessed I July 2016).

4

16

17

18

'Jury sees nude Erin Andrews videos, expert estimates that 16.8 million people have seen clips" New York Daily News (26 Febrnary 2016). LexisNexis Legal Newsroom Litigation, "Tennessee Jury Finds Marriott Franchisee Aided Privacy Invasion" (9 March 2016) available at (accessed 1 July 2016). Lex1sN~x1s Le~l New~room Litigation, "Tennessee Jury Finds Marriott Franchisee Aided Pnvacy Invasion" (9 March 2016) available at (accessed 1 July 2016). LexisN~x.is Le?31 Newsroom Litigation, "Tennessee Jury Finds Marriott Franc~1see Aide~ Privacy Invasion" (9 March 2016) available at (accessed 1 July 2016) .

5

Data Protection in the Practical Context The Context of Protecting Personal Data

·ntemal house phone disclosed personal data about Andrews na l · 1 · ' rne1 her room number, and this was also disc osure without her consent. Y

l.15 This case is significant as often times, especially in large scale d breaches, although tJ1ere has been a data breach, it is not necessa~~ roven that the data breach caused actual harm. As legal scholars h Y P · ave noted: 19 Early data-breach cases were often dismissed on the grounds that plaintiffs had not yet suffered any harm , because they cou ld not show that their data had yet been improperly used. l.16 Organisations and especially employers need to be mindful of ilie full extent of meir legal liability in the event of a breach. Remedies would often lie not just in personal data protection law but could well fall under tort law and contract law and oilier areas as well, depending on the circumstances. Compliance with personal data protection laws would assist organisations in greatly reducing tJ1eir exposure to liability. Hence, employers should be vigilant. to ensure tl1at their employees are well trained in the proper handling of personal data and to put in place checks that personal data is properly handled by employees. The practices, processes and systems of ilie organisations also need to be compliant wiili personal data protection laws.

1.17 The third point to note about me Erin Andrews case is ilie type of harm. Whilst it is probably more common for personal data breaches to involve ilieft of personal data such as credit card numbers and bank account numbers, iliereby causing pecuniary loss, the Erin Andrews case shows that non-economic damage can arise, and arise on an equally large scale. In iliis regard, it is pertinent to note mat ilie Act in Singapore contains a right of private action for individuals who have suffered loss or damage directly in respect of a contravention of the personal data protection provisions. 20 Indeed, in a case like the Erin Andrews case, a plaintiff would find it easier to claim for damages under personal data protection law ilian under ilie tort of negligence, which requires examination of me duty of care and breach of the standard of care.

I.lS .i.. t·I e Erin Andrews case underscores the sometimes unspok~n Fouru, , -1 11· h · · k in • le of personal data protection law, w 1c 1s its wor ·1 · h t rauona . • .i.. dignity of the person. It is not necessan y _a ng t o protecung w e . . . h h· • p btit pnvacy er se ., ratlier , an expectation of every ind1V1dual to ave . 1s or her dignity as a human person protected and respected, and not ~o be shamed and embarrassed in the way that Andrews was and sull • tiJC nude videos and the screcnshots therefrom contmuc to IS as . . · on u1e Internet. As Andrews herself testtfied dunng ilie court rema111 . · ·1 proceedings, ''You don't really realise how long four mmutes 1s unu it's your naked body." 21 To exacerbate the shame_ and embarrassment, Andrews concedes that the video will remain on ilie Internet )ermanently accessible by all who cares to search for it. Altho~gh ~ndrews has obtained the copyright to the video, even so, enforcing the copyright will not be completely effective in removing ilic video. Anyone who has viewed the video could have downloaded a copy to weir computer and re-upload it at any time. 22 It is not necessary to examine here the content of the expectation of dignity - the personal data protection law is already in place in Singapore and ilirough the provisions, ilie dignity of ilie person is already, by and large , protected. Of course, as ilie subsequent chapters will reveal, the protection can always be set at a higher level. 1.19

Lastly, one of the key reasons why ilie protection of personal data is so fundamental is ilie fact that personal data, like any oilier kind of data, once released or disclosed, is nearly impossible to control or rein in, and certainly cannot be "recovered" like tangible property, as ilie data will always be "out there" once disclosed. Hence, personal data laws are essential to at least curb some personal data handling activities such as collection and disclosure and iliereby minimise the misuse of personal data. If the hotel operators had not disclosed in various manners ilie room number of Andrews and facilitated Barrett to stay in ilie room next to Andrews, ilie collection of ilie abominable personal data, iliat is, the nude videos, would not have been possible. Personal data protection laws attempt to give individuals some semblance of control over their personal data even iliough absolute control is not possible.

21 19 20

Joshua Fairfield & Christoph Engel, "Privacy as a Public Good" (201 5) 65 Duke Law Journal 387 at 425-426. Personal Data Protection Act 2012 (Act 26 of2012) s 32.

22

Ahiza Garcia, "Why .is the Erin Andrews nude video still online?" CNN Money (6 March 2016). Ahiza Garcia, "Why is the Erin Andrews nude video still online?" CNN Money (6 March 2016).

7 6

Data Protection in the Practical Context The Context of Protecting Personal Data

2.

Cybersecurity

1.20 At the core of personal data law is its role in curtailing cyber . . . securih, breaches. The relattonsh1p between cybersecunty and personal ·, protection is one that cannot be separated. Good personal data protection practices will engender good cybersecurity, a fundam data ~~ . . fact not appreciated by many. T h e. starttng point of this discourse q. th e acknowledgemen t that accumulattng large pools of personal data . . 'all . over time and from many different sources 1s potent.I y tmac.2'.l

. . tured the credi t card information o f 56 millio n Depot cash registers cap card holders. 2G 1.24 They concluded that:27 Hacks are increasing in frequency and impact because the ~:~s da~ . . . d b companies continue to grow. Because more . stoic y d. . le leak hackers have a greater incentive to mst1gate mpro1rnse 111 a s111g ' • · 'th co k As a result merely accumulating data m connection _w 1 I suchI a_ e:om. merce creat~s a toxic buildup of incentives to steal and misuse regu a, e~ that data. [references in original omitted)

::n

1.21 Computer security and cryptology expert, Bruce Schneier, has said:21

Data is the pollutio~ of the infor'.nation age. It's a natural by-product of every computer-mediated 111teracuon . It stays around forever, unless it's disposed of: It is valuable when r~used, b~t It must be done carefully. Otherw1se, its after-effects are toxic. And JUSt as 100 years ago peopl ignored pollu_tion in our rusl~ to build the _Industrial Age, today we'r: ignoring data 111 our rush to build the Information Age. 1.22 Schneier's central thesis is that personal data is pollution. It is a kind of pollution that will remain permanently unless active steps are taken to remove the pollution. Hence, we should be conscious of the existence of the pollution and remove it. This is the utility of personal data laws, they are necessary to stop and reduce the pollution. Secondly, Schneier admits that personal data is valuable when reused but he also warns that reuse must be done with prudence and care, otherwise great harm will ensue. 1.23 Fairfield and Engel demonstrated the truth of Schneier's thesis by comparing the increase over the years and decades of the scale, 25 frequency and potential financial damage of personal data breaches. They cited some of the recent incidents such as the 2013 data breach at the US retailer, Target, that saw 40 million customers' credit and debit card details stolen and the personal data of some 70 million customers stolen; then in the September 2014, malware on Home

23 24 25

Joshua Fairfield & Christoph Engel, "Privacy as a Public Good" (20l 5) 65 Duke Law Journal 387 at 399-406; Jane R Bambauer, "The New Intrusion" (2012) 88 Notre Dame Law Review 205. Bruce Schneier, "The Tech Lab: Bruce Schneier" BBC (26 February 2009). 5 Joshua Fairfield & Christoph Engel, "Privacy as a Public Good" (20l ) 65 Duke Law journal 387 at 399-406.

~~~ed , large data sets are a prime target_for hackers: especially if 1 the data sets contain personal data relattng to credit or finance information. However, credit information is not the only target, those intent on committing nefarious acts such as Barrett will find use for any piece of personal data. Whilst Barrett engaged in extreme acts of stalking, he did not inflict direct physical harm on Andrews, although personal data can, of course, be used to inflict_physical bodi!y harm on victims, in addition to financial and psychological harms. It 1s for these reasons that the holding of a centralised deposit of information on individuals is in itself a hazardous activity. Many precautions need to be taken for the use and protection of the personal data, and organisations need to be mindful of this. :

1.26 It is perhaps for this very reason that Singapore's Prime Minister Lee Hsien Loong announced in June 2016 that from May 2017, all computers used by the public service will be disconnected from the Internet. The reason the Prime Minister gave was that "[i]n terms of security, safety of our systems, safety of our citizens and information concerning them, it's absolutely necessary". 28 Like all governments, the Singapore government necessarily holds much personal data on its citizens and the only way to minimise hacks and data security breaches is to isolate the systems from the rest of the Internet and to remove all remote access.

26 27

28

Joshua Fairfield & Christoph Engel, "Privacy as a Public Good" (2015) 65 Duke Law Journal 387 at 400-401. Joshua Fairfield & Christoph Engel, "Privacy as a Public Good" (2015) 65 Duke LawJournal 387 at 401 . Charissa Yong, "Delinking Internet access necessary to keep Govt data secure: PM Lee" The Straits Times (9June 2016) .

9

8

Data Protection in the Pmctiwl Context

l.27 Coupled witJ1 th e initia tive to delink govcrnm~nt con_1pn~e rs, Deputy Prime Ministe 1· Thannan Shanmugaratna m a_lso highlighted "th criticality of catastroph e insurnn_ce_ an_d cyb e1· insurance".29 He als~ noted that th e "frequency, soph1sucat1on and the sheer audacity of cybe r attacks is growing", as are the 111creas111g costs of cyber attacks.lO The De puty Ptime Ministe r aptly summed up th e situauon: 31 It "~ll pose huge costs to our eco nomics, and to c01·po rate and personal

privac)'. The demand for protection will grow, not .JUSl the need to insure against losses but also th e demand fro1_11 busmesses who wish to strengthen their resilience and to recover mo re qm ckl)' fro m secunty breaches.

l.28 The re is no doubt that incidents of cyber attacks will increase and other than cyber-terrorism, the main target: for cyb e r attacks is data, and often the data will be personal data. In July 2016, Singapore's Minister for Communications and Information Dr Yaacob Ibrahim boldly said: "Data is the n ew 'oil' of the 21st century ... It is no longer an option to treat data protection as an afterthought." 32 In order to further protect this new "oil", Singapore will b e tabling a standalone Cybersecuri ty Bi!J in 2017 to ensure active steps a1·e taken to secure systems and report incidents, especia!Jy those concerning critical information infrastructure.33 l.29 In summary, "toxic data accumulation" 34 is an ill to be avoided. Personal data is pollution, even if it does not currently appear to be so. Personal data should not be amassed in an uncontrolled manner, instead, restrictions should be in place so that personal data is collected only when it is necessary to do so or where there is a defined legitimate purpose for doing so . Depositories of personal data should be protected with layers of protection and rules need to be in place to govern tl1e appropriate use of tl1e personal data.

29 30 31 32 33 34

Rachael Boon, "Cyber insurance a 'major growtl1 area' amid hacker woes" The Straits Times (14June 2016). Rachael Boon, "Cyber insurance a 'major growth area' amid hacker woes" The Straits Times (14June 2016). Rachael Boon, "Cyber insurance a 'major growth area' amid hacker woes" The Straits Times (14June 2016). Irene Tham, "When in doubt, shred documents containing personal data, says Singapore privacy watchdog" The Straits Times (20 July 2016). "Parliament New Cybersecurity Bill to be tabled next year to strengthen Singapore's on line defences" The Straits Times (11 April 2016). Joshua Fairlield & Christoph Engel, "Privacy as a Public Good" (20l 5) 65 Duke Law jou:mal 387 at 399.

IO

Thr Context of Prof.er.t ing Per.rn-nal Data

J.

Big data

J.30 . e nvironm e nt has e nabled far greater The n c 1.wo 1·ked co mp11ung . . I natching of p e rson a l data, all of collection, use and man1pullauon_aln~. ptoLcntial of p e rsonal (accessed 23 May 2016) . Urban Redevelopment Authority, (accessed 1June 2016). EU Article 29 Data Protection Working Party, WP216, opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014) at p 16.

98

95

96

97

EU Article 29 Data Protection Working Party, WP216, opinion 05/ 2014 mAnonymisation Techniques (adopted on 10 April 2014) at p 16. EU Article 29 Data Protection Working Party, WP216, opinion 05/ 2014 mAnonymisation Techniques (adopted on 10 April 2014) at p 18. EU Article 29 Data Protection Working Party, WP216, opinion 05/2014 mAn~ymisation Techniques (adopted on 10 April 2014) at p 18. EU Article 29 Data Protection Working Party, WP216, opinion 05/ 2014 mAnonymisation Techniques (adopted on 10 April 2014) at p 24.

99

/Jain Prolrclion in the Pmrticnl Conlr.xl

Is Singling out still a risk?

The ConrP/JI nf Personal/)"'"

Is Linkability still a risk?

Is lnfcrc

s

till

. nc~ a l'lsk?

Pscudon)'lllisation

Yes

Yes

Yes --------

Noise addition

Yes

May 1101

May ~

Pe1m111ation

Yes

Yes

May ~

Aggregation or K-anonpnity

No

Yes

Yes

!Aiver.;ity

No

Yes

May ,~

Differential privacy

May not

May not

May 1101

--------

--

-------

3.98 . From the table, it is clear that there is no ~ne particular anonymisation technique that satisfies an three cntena and the_ wi:29 Went lo great details to present instances of each techmq~e s weakness. Pseudonymisation is probably the most pronounced m this regard. The WP29 cited recent research at Massachus~tts Institute of Technology which found that from a pseudonym1sed data set of 15 months of spatial-temporal mobility coordinates of 1.5 million people on a territory within a radius of 100km, it was possible to single out 95% of the population with four location points. Even more alanning was that just two points were sufficient to single out more than 50% of the data subjects.98 3.99 As for noise addition, the WP29 highlighted its failure with the well-known Netflix incident Netflix released a database of over 100 million ratings on a scale from 1-5 of 18,000 movies, expressed by nearly 500,000 users. It was "anonymised" according to an internal privacy policy and all customer identifying information were removed except the ratings and dates. Noise was added on the ratings so that they were slightly increased or decreased. After analysing the geometric properties of the data set and comparing it with a publicly available data set, researchers found that 99% of user records could be uniquely identified in the data set using eight ratings and dates with 14- h. nder tl1e Act, ra tl1er . i is uld also include taking steps such as permanently destr , '. \lf 0 course, w~ th no legal or other reasons for the data Ying the data 1f · ere are lo be retained .

u

3.119

. . . e costs for organisations in the eveilt In order to m1mm1s . . . th . f tlle deceased attempt to exerose any of the at representatives o Othe . . 11ts on behalf of tlle deceased, such as the ti h r g l of . .. data protection ng . ..... d ta records could be d1giused and fields be insert correcuon, Ule a .· . . ect lo signal if tlle data subject is known to be deceased. This Will be discussed in more detail in chapter 7.

D.

HISTORICAL RECORDS

3.120

.

tl1e data protecti Th e Act contains an interesting exclus10n from . d. on eoime in excluding all personal data contame m a record that h r 011 0 c· ..... as been in existence for at least 100 years. 1ven . . u,at average life expectancy in Singapore is well below 90 years: 1t is_ not entirely clear why mis exclusion is needed. Personal data m tl11s category would generally be excluded anyway, as it is not common for there to be personal data created and contained any record ~ tlle person has not yet been born. Given tlle average life expectancy 1s under 90 years, most personal data in tllis category would not fall witllin the ambit of tlle Act as a person who dies at tlle age of, for example, 85, would have most of tlle protection ceasing upon deatll and all protection ceasing 95 years after tlley were born.

!n

-----

The Concept of Personal Data

oLJSINESS CONTACT INFORMATION

E.

3.J22 nt exclusion from the operation of th e h 1(r) of I h e Seco11d Sch edule .a llows personal data th . at was. paragra~ in the circumsta11ces se t 011 1. 111 the_ Fo~rt.11 Schedule to be 1 0,sciosc II · ted witho u t tl1e co11sen t o f th e 111d1V1dual for llurpose5 · 11 ~ · yahc Y · ~. 11 tJie p11 rposc o f the disclosure. ·s1cnt ,,,.1. cons• .

5.58

al data coll ecLed prio r to th e comme ncemcnL of the

. . . . I . F0 r person al data protecuo n prov1s1o ns 111 t. 1e circumstances sel out in ilie

perso~ Schedule, these can a lso be used and disclosed:'5 Under Secon h 3 of m e T hird Schedule, all su ch pe rsonal data is deemed paragraP been collected in accordance with paragraph I(]) of the II 10 have . d Schedule. This means t.llat a perso nal data collected in the . Tlur · h S eco n d S c h e cl u Ie pnor to the . tances se t out 111 l e c1rcurns . . rnencement o f t.lle pe rsona l d a ta pro tectio n regune can be used ~:;purposes consistent with th e purpose o f the collection. Similarly, aragraph 5 of t.lle Four~1 Sch edule dee1~s all such personal data ~o have been collected 111 accord ance Mlh paragraph l (s) of the Fourth Schedule. This m eans t.llat all personal data collected in the circumstances set out in th e Second Sch edule prior 1.0 t.llc commencement of t.lle person al d ata p rotection regime can be disclosed for purposes consiste nt with the purpose of the collection. Lastly, paragraph 4 of t.lle Second Sch edule deems all personal data disclosed prior to t.lle comme n ceme nt of t.lle personal da ta protection provisions in the circumstances set ou t in ilie Fourt.11 Schedule to have been collected in accordance wit.11 pa ragraph I (r) of the Second Schedule, so iliaL su ch data can con tinue to be collected for consistent purposes.

5.59 As will be seen below, t.lle re appears, h owever, to be a gap in the exemption for personal data t.llat was gen erated or produced but not disclosed prior to t.lle commen cem e nt of t.lle personal data protection provisions.

5.57 In addition, t.lle circumstances in the t.llree Schedules have a cumulative effect. By virtue of paragraph I(;) of t.lle Third Schedule, 43 44

Personal Data Protection Act 2012 (Act 26 of2012) s 17. Personal Data Protection Act 2012 (Act 26 of2012) ss 20(3)(b) and 17.

142

45

Pe~onal Data Protection Act 2012 (Act 26 of20l2) Third Sched, para 3.

143

Consent Obli at ion

Dnt11 Protection in the Prncticnl Context .

5.60 An issue to consider here is whether personal data that falls Wit! . 1111 . · an d Four th Sc h edules that do lh e orcumstances of the Second, Third require consent from individuals for collecuon, use or disclosu nor . . d' 1 . re ca have the consenL over its collecuon, us\or ~sc _osure w1thdrawn. 'fhn wording of section 16(1) would suggest t at IS 1s not poss1blc:1" e

an individual may at an)' time withdraw any consent. given or de, ... . . f ' cn1cc1 t have been given under this Act, in respect o t.11e collection o · · I d b l · · · ' disclosure by that orga111sat1on of persona ata a out t 1c 111d1vidual iuse or or an , purpose. )

5.61 The withdrawal of consent provision only appli es to withdrawing " consent given, or deemed to have been given under this Act". It dany . . cl . . h oes not state that withdrawal 1s perm1tte 111 111stances w ere co nsent is . not required as in the secuon 17 references to the Second, Third and Fourth Schedules.

5.62 This interpretation appears to be supported by th e Comm ission, which has said, in relation to t11e exemption to the requirement of consent for "publicly available" personal data iliat appears in all three Schedules referred to in section 17: 17 For avoidance of doubt, the withdrawal of consent would not affect the collection, use or disclosure of personal data that is publicly available. In such cases, an organisation that receives a withdra,val of consent may wish to cease further use or disclosure of the photographs or video recordings in question as a good practice.

'sk for individu als, le t alo ne t11 eir use and d'

1sc 1osurc , . . cl cunty n . c!P se . g purposes. 1 111s 111 eccl presents a chall r ,1s . .rangtn e nge ,or 1 for

w1c c ecurity.

CJ'bcrs

5•65

. ections will examin e t11 e breadth of some of th k e cy 0 wing s r1tc fo.11 ntained in the t11rce Schedules and will elucidate tl uons co · f . . 1e cscJllP . ns t hrough exampl es. o s11.uat1ons covered by the catego . _ . nes. 00 cicJllP . is not to proVIdc co mp1 e hcns1ve coverage of all th •ntcnuon · . . . e r1tc 1 . . the three Schedules. Ind eed , some of the circumstanc uons 111 . . es cxcJllP broad in scope and expressed 111 very general terms that . k . dare so 1tstc ~ cts arc hith erto un nown. tl1eir trUC c e

1.

Evaluative purposes

5·66 collection, use or disclosure is necessary for evaluative If [he 1s then no consent nor notification is required for the urposes, P . n use or disclosure of th e personal data. This is one of the

collecuo . , . . . far-reaching exemptions of the Consent Obhgauon. The term ~;~~uative purposes" is d efin ed very broadly in section 2 (I) of the Act to encompass many situations.

5.67 In relation to the purpose of determining th e suitability, eligibility or qualifications of ilie individual to _w hom the data relates, "evaluative purposes" would include the s1tuauons of evaluation for the purposes

of:49

5.63 This is clear indication that under the Singapore personal data protection regime, it is not possible to withdraw consent for !he collection, use or disclosure of personal data that falls within !he situations set out in the Second, Third and Fourth Schedules.

(a) employment or appointment to office; (b) promotion in employment or office or for continuance in

This, unfortunately, leaves individuals with little control over their personal data, a "no escape" situation and, as will be seen below, an almost losing proposition. Whether an individual likes it or not, !he three Schedules give wide ambit for their personal data to be collected, used or disclosed. The resulting conglomeration of personal data is in

employment or office; (c) removal from employment or office; (d) admission to an education institution; (e) the award of contracts, awards, bursaries, scholarships, honours or other similar benefits; (f) selection for an athletic or artistic purpose; (g) grant of financial or social assistance , or the delivery of appropriate health services, under any scheme administered by a public agency;

46

48

5.64

47

Personal Data Protection Act 2012 (Act 26 of 2012) s 16(1 ). Personal Data Protection Commission, Advisary Guid£lines on the Pers()flfll DataProtectionAafor Sel£cted Topics (reui&d on 20 December 2016) at para 4.27.

144

49

Pe~onal Data Protection Act 2012 (Act 26 of 2012) Second Sched, para 1(/) ; Third Sched, para 1(/) and Fourth Sched, para l(h) . Prnonal Data Protection Act 2012 (Act 26 of2012) s 2(1).

145

Consent Obli ation Data Protection in the Practical Context (h)

dctennining wh ethe r any contract, award , bursary, schola . honour or other similar benefit should be continu ed rn dl'Ship, ' 0 !fi ~ deciding wheth er to i1~sure any individual . or property or continue or renew th e msuran ce of any md1V1dual or pro to Pen,.,, an d

m=~~

(i)

Ul

other similar purposes as may be prescribed by tJ1 c minister.

5.68 The list of situations tJ1al come witJ1in t.h c evaluative pul'J . . loses exception is quite broad and encompasses a W1dc variety of setti ngs 'd I b . . . 1 Some of these will now be cons1 e rec, egmnmg w1t 1 one of th e mor~ prominent situations in tJ1e above hst, tJ1al of th e employment context or appoinunent to office. (a)

Employment context

5.69 Under paragraph 1(/) of the Second Schedule of the Act/•0 tJ1ere is no need to obtain consent from individuals befo re collecting personal data from them or from any other source if it is necessary for detennining tJ1e individual's suitability, eligibility or qualifications for employment or appoinunent to office. This would ce rtainly cover the situation where the individual submits a job application, but it would also cover situations even where the individual is not actually looking to be a candidate for employment or appointment to office. Thus, the exception would allow employers to conduct searches and compile lists of potential candidates without having to first obtain consent from tl1e individuals. 5.70 Of course, background checks can also be conducted on potential employees. There are many available sources of personal data from which employers can do this, ranging from social media networks to simple searches that trawl the whole Internet for information about individuals. There also appears to be no limits on the methods one can employ. So, for example, if an employer wishes to "friend" a person on the social media network Facebook, using a fictitious name in order to look into the person's private or personal life, including access 10 photos or posts that may be restricted, it would appear that the employer may do so under this evaluative purposes exception. 50

Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1) aocl Second Sched, para 1 (/).

146

da ta tha t ca n be collected and cove recl

d

5 7I f pers0 1la] un er · w0cs Ouon data such as th e . 'fhC •1r a re extre mely broad:. personal . . e"emP education and qualifica uons; employment history i]JIS -•'s fonna I f ·1 . ' . dividu;u

misconduct o r a1 ures dunng any tenure of · th . d' 'd l' . · infonnauon o n e m !VI ua s mtegnty or morality " enl any tJ · 1· 'd l' .,,ployr» ' elevant to 1e me 1V1 ua s standing as a model Ci" . hl be r . . . . ]!al m1g co nV1cnon s; and even any mformauon on the 1 · I bb'1cs and family · background, ·r tyle, likes and d'1sl'k I es, 10 c,nploycc·', any ·ct al sh all es . . . d' 'd ' iodi1~ u be factors d c tc rmmmg an m !VI ual s suitability for 1csc may as tl 1ovinent. 1

,n. chtdtO · g any . 1

et1

P r

5,72

from th e foregoing, the types of personal data that can be Ken . As can d 1d accumulated without consent are extensive, so nccte a1 . . be co_ th e mployers can readily bmld a complete profile of an s1ve at • e~ten albeit for th e purpose of evaluauon for employment or indiVldual , . tJllCOL to office . appo1n

5:73. aragraph 1(/) o f the Third Schedule allows the use of 1 p Sunilary, . ct·!VI'd ua I concerne d ,or r ta without co nse nt o f th e m al da · 1 Person . urposes.5 1 This means iliat after accumulaung a compete evaluauve p .ning wide-ranaing pe rsona I d ata on an m . d'IV!·ctua,I th ·e tal ~e~ I o· . or nisation may use tJ1 c personal d~ta any ~~y -~at 1s relat~d to_the ga · u·o n of the individual's smtab1hty, ehgib1hty determma . or quahficauons r plovment or appoinunent to office. As menuoned above, one of ,or em , ... • 1· d the biggest harms has already ?ccurre? when there 1s a ccntra 1se deposit of information concermng an md!Vldual. Once the. p~rsonal data has been collected in one place, aliliough the uses are hm1ted by the specific purposes, th e practical e nforcement_ and restrictio~ of the use to the specified purposes are often challengmg. For orgamsauons, they would need to clearly define th e permissible purposes attached to each piece of personal data they hold and to set systems, procedures and practices in place to limit ilie personal data to such purposes.

!~

5.74 Furmermore, paragraph l (h) of the Founh Schedule permits th e disclosure of personal data for evaluative purposes without the consent of the individual.52 This means that the complete profiles that have 51 52

Personal Data Protection Act 2012 (Act 26 of 2012) s 2 (l) all ' ' -purposes, so th at in . d !VI ' ·d ua Is will know th Wn or S11111 expan ded . . . e scop tent of purposes.•00 This 1s parucularly useful when provid' c an d ex . .. ral ·- c . 1nga layered notice to md1~duals. Gene Ju1orm~uon can be provided in tlie first instance about tJ1e overall purpose, details in th C . aJ witli furtlier . layers. By breaking down tl1e ~ur:roses, It so assists tliose processin data on its behalf to know tlie hm1ts of tlie purposes and not to proce! beyond tJie purposes. For example, tlie purpose of processing an . individual's application for an Internet sefVlce could be divided 0 "broken down"' into verifying the individual's identity, carrying ou: various eligibility checks such as age checks and location checks and so on. 101

.

arnbit o f all tha t must be

,·hgc rnost . . u of the 1 •• of tJ1C . whe n o rgamsatJo ns profil e individual 102 . eg1t11nacy onc.,rcfll ent is oses Profilin g individuals based o s, especially fo r qt1 urp · · n gend re r''eung P 1 in 111 a ny pa rts o f the EU. Indeed pr Iii ' er, race or a ~ . ·11 ega , o 1 mg I 111i·gion 1s I o f personal data that fall under the s . 1 )ased on re, types . pcc1a cat . ~ of thC (sensitive data ) 111 Article 9 of the EU C cgoncs ao, 0 0 al c1ata 103 h encral D crs .gulation 201 61679 s ould be avoided. ata or P uon Re protcC

11 1

ed that the processing of data i 6,92 Wf29 e)( plicitly warn . . • . . or purposes fhC ult in d1scn111inato ry practJces ts prohibited 1~1 1.h . ..,.,ay res . . · us 1t tJ1at ,.. !ear mat orgamsauons would not be able t ' Id be c . . o profile wou al based on race o r rehg10n or any other criteria t h vidU s c . d ' 'd I f o c arge wer prices 1or in !VI ua s rom tliat group or cl in di Th' . her or Io . d. ass. 1s . for issuance of 1scounts, so tliat Asian custome r h1g _, apP11es . . rs, ,or ais 0 hould not receive discount vouchers that are worth • ample, s more 10 ex -Asian customers. " t11an non

6·93 WP also gave many examples of how to apply tlie compatibility 29 The ment 10& and prefaced tlie examples witli tlie caveat tJiat tJie assess ies are • merely to ill ustrate •u1e 1. th.m ki ng process, and are not exam . P . ded to provide a cone1us1ve assessment of .1. we cases described mten · They emphasised tliat tli~ examples we:e. _merely to illustrate the method in which tlie mulu-factor compatibility assessment should be carried out as any slight differences in the fact scenario may greatly change tJie outcome.

EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 51. 97 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 52. 98 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(4) (a). 99 Personal Data Protection Act 2012 (Act 26 of 2012) s 20(4) (a) ; Ministry of Information, Communications and the Arts, Public Consultation !SS1lld l,y Ministry of lnfarmation, Communications and the Arts: Proposed Pmonol DataPr?t,ectionBill (19 March 2012) at para 2.69. 100 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 53. 101 EU Article 29 _Data Protection Working Party, WP203, Opinion 03/20J3 on Purpose Limitation (adopted on 2 April 2013) at p 53.

.

wide . . cons1dc I 1 6,9 thC f tecri ti macy, o rga111sat1ons need t · re( for the 0 · ·vc!l t o d . • o he p . G1 ·reffl cn tl purposes o no t involve any illc . . an1cularly 11 t 1e . git11nat c purposes. re.q1 ot tJ1a cornrn o n purposes that may fall fo I

107

96

240

102 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 201 3) at pp 54-55. 103 EU General Data Protection Regulation 2016/ 679, Art 9. . . 104 EU Article 29 Data Protection Working Party, WP203, Ofrinwn 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 54. .. 2013 !05 EU Article 29 Data Protection Working Party, WP203, Ofrinwn 03/ on Purpose Limitation (adopted on 2 April 2013) at p 54. .. 3 106 EU Article 29 Data Protection Working Party, WP203, Ofrinwn o3/ZOl onPurp?se Limitation (adopted on 2 A~ril 2013) Annex 4. . . 0312013 107 EU Article 29 Data Protection Workmg Party, WP203, Opinion on Purpose Limitation (adopted on 2 April 2013) at P 56.

241

Dnln Protectio11 in the Prnctical Context

6.94 . . cain amples given was ti1a l of a sec11nty AmongsL tlle ex . . 1 era i al Lhe main entrance to a b\llldmg. 08 A 8 . nsla.lie,, an emp Ioyer . . dgn s y h., ·ty camera was m operation for security p ti ") · urp 0la.tcc1 lat . tJ1c seen n 8 . from ilie securiLy camera also showed that th es. -1•1 recordmgs . e rec . le ePlion· iently away from her desk and engaged m lengthy was freql . Th . . conv 1st oking near ilie entrance a1 ea. e1e might I ersatio . wIu 1e sm . .. a so b ns cVJ'd cnce stICh as complaints mat . she often . . failed . . to ans,ver leie oth er 'ch was one of her duties. Momtonng the emp[ eph call s, wh1 . . oyce th 0••c tl1c security camera would be a different purpose from th roligh se of security and it is also an unrelated purp c 0 rigin, state d pUrpo . . . · ose. 1-Ic • vould not be compauble w1th t11e purpose of secunty. The W nce, it 'gave various factors iliat would furtl1 er indicate tl1at such use wP29 also . 0 •mco mpau'ble, factors such as. tl1e potenual negative im pact u1d be . 0 employee as discipEnary action woul~ be_ poss1~le. The reas n ~c 0 behind mis is mat smce tl1e purpose 1s fo1 secunty, such n1ng . . 1 a purp would noL ~on_na~y . 1mpl_1cate. an . emp oyee such. as a tele h Osc receptionist m d1sc1plinary mvesugat1ons and proceedmgs.109 P 0ne h

oata rt1

inirnisation principle

. imisaLion principle requires that p 96 6,1 e data rn1n)osed must be "adequate, relevant ersonal data coll 'f I disc and r • ectcd cd, or . elation lO the purposes for which th trnitcd to wh .' 1s f'/ 111 r . . ey arc at 1s 1 ,1eccssa with tl1is is w e reqmrement that personal data processcd".113 C011 ptcd than necessary to acco mplish th . should not h 11eid Jong~:t.a retention, and this will be discuss:d ~irposeli·1 Which i~ chapter 9. ~Ia1cd to

1

6.95 It would appear from ilie 20 or so examples given by the WP 29110 th very few indicated a further use was compatible; of those th at . . . 1d d h at were found to be compatible, 1t me u e one w ere personal data had b properly anonymised, which would, by definition, not be personal ;en any more.111 In another example where compatibility was found thata · d .112 Th e examp les seem to indicate, there was fresh consent obtame . ~ b m given all ilie reasomng processes u,at must e undertaken, it would be extremely difficult to find different or separate purposes to be compatible.

108 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 56. 109 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 56. 110 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purp~se Limitation (adopted on 2 April 2013) at pp 56-70. 111 EU Article 29 Data Protection Working Party, WP203, Opinion 03/2013 on Purpose Limitation (adopted on 2 April 2013) at p 66, example 15. 112 EU Article 29 .Da_ta Protection Working Party, WP203, Opinion 03/20l 3 on Purpose L1m1tatum (adopted on 2 April 2013) at p 60, example 7.

242

6,97 . . le is not present in the Singapo 1 . . pnnc1p . . re egislati flJiS tion would reqmre great discipline and on and its ~t.a .. ~ Th · · inlPl~ bare m'.mmum person_al data required for the e aim 1s to idcJ!U~ ,.., collecuon, use and disclosure to that purpose and 'f!Jll u,e . . personal d ta 10 lI r nisations to comply W1th this, they would need a only. for O gad assessment of the adequate and minimum lo make a ne amount and ki d reas0 al data needed and t11en test this. One . ns r person . . . . . . way this can b o . d is for me orgamsatlon to gwe JUSUfications for h h e achieve . f Id . w y t cy need . d every piece o persona ata, this way it would b each an d . ' e relal!vely identify and wee out any duplicates in the data th . e'IS'/ to . f sets, at is o or more pieces o personal data are purported( d d ' where tw . . Ynee e for the same reason. Usually, t11e only lime where two or more pieces of perso nal data . might be needed for ilie same reason . is where th ey nee d to be combmed. Al~ough such an assessment 1s a tedious task, it is methodical, systematic and t11orough.

we

6.98 As for the requirement of "adequate", this addresses the situation where an incomplete set of personal data is collected and processed, thereby giving an inaccurate picture of the true circumstances. So, for example, given ilie EU General Data Protection Regulation 2016/ 679 now requires parental consent for minors under the age of 16 before some services can be validly offered to ilie minors,115if an organisation provides a social network facility on ilie Internet targeted at young teenagers in ilie EU, it should collect information about the age group of those who sign up, so iliat it can determine if parental or guardian consent is required. Failure to enquire if the individual is under

ll3 EU General Data Protection Regulation 2016/ 679, Art 5(1)(c); see also EU Data Protection Directive 95/ 46/EC , Art 6(l)(c) , which issiri~ia ll 4 EU General Data Protection Regulation 2016/ 679, Art 5(I)(e), Protection Directive 95/ 46/ EC, Art 6(1) (e). 115 EU General Data Protection Regulation 2016/679, Art 8·

243

Data Protection in the Practical Context

f

16 years o a been met.

ge would mean the "adequate" require= .. ,ent

has n0l

6.99 . d th cl . . . m1mm1sation p1_. . 1.11C WP29 has also cons1dere . e ata . , 111c1p\ . . be 1n lh e contex t ofbl·g data and the Internet ofThmgs, and thes e Will Cbrieny · considered. (a)

Data minimisation principle and big data

6.100 Tl1e WP29 has expressed the view that the data minimisatio 11 . · W1th · big · data. In 201 4, the · WP29 issued · Plln . is not incompatible S Ctple ,rb· da a late on the impact of the deve!,opment 01 ig ta on the protection or. d' . ll!ent . oifh' . the EU ("St~zn1v1d1s with regard to the processing t ezr personaldata in Ua . d . . aIl!l'IUnt') 116 It noted that the real value of big ata remams to be pro · . .. . . . . ven and . reiected suggestJons that the pnnoples of purpose limitation tl ~ . . ti d and data minimisation, or the reqmremenlS 1at ata must be ad · · 1 · · equate relevant and not excess1:e .111 :e ~non to . 1LS purpose, should • 11 substantially reviewed at this time 111 hght of big data. 7 be 6.101 The WP29 acknowledged that the challenges of big data might require innovative th!n~ng on how ~om~ of th:se (and other) key data protection pnnc1ples are applied 111 practice. It reaffirmed that the data protection principles enshrined in the EU Data Protection Directive 95/ 46/ EC118 are still valid and appropriate in the age and development of big data, subject to further improvements to make them more effective in practice. 119

n . in line with the development f 61 O• . ]dog is . o the • . 1)1111 reaffirm ed 111 the EU G consent pn· . fl11s been . . eneral O nc1ple t 11as 2016/679, especially m relation to th . . ata Prote . i11a .011 f . e utihsa . ct1on ,,111au This Statement urther impresses u lion of cook' Reb- 1·teS, . . pon tho ies ,~ebs . and data analytics, especially on th se engaged . o0 ·01ng EU 1 gal . e Int in Jlll . dful of the e reqmrements of d ernet, to k d••IJI ·aJIY rnin . ata m· 1. . 'le ,,peCI t is certa111ly no longer the "wild w " in m1sation 120 ..., tcrne . . est that . fhe Jn some would hke to thmk_ 121 Just beca . cannot be tcd as b . d use the inf ,ego Ia•iable and can be o tame on the Internet, often very 0 nnation . is aval an it is legal to do so. easily so, ot 1ne does n

Data minimisation principle and Internet of Things fb) 3 6.I0 14 the WP29 also adopted Opinion 8/2014 h 2 In /ofiO ~ts on the Internet of Things 122 ("IOT Op:i~ :) Recthent Deue mendations of wh'1ch h ave b een 111corporated . in the EUnG' e recoIJlrn tection Regulation . 2016/ 679 . enerai Data PrO 6.104 0 . . . d th The WP29 in th~ IOT . pm1on reiterate a_t p_ers?nal data collection and processing 1s r~stn~ted_ ~y the purpose hm1tat1on principle which is aimed at informmg 111d1V1duals how and for what purposes their ersonal data will be used and to enable the individuals to decide ~hether to entrust an organisation with their data. 123 This requires stakeholders to be sure of their business requirements before they engage in the collection of data. These purposes must be defined before the data collection and processing takes place, which will exclude sudden changes in the key conditions of the processing.121 120 EU Article 29 Data Protection Working Party, WP221, Statnnent on the

116

EU Article 29 Data Protection Working Party, WP221, Statement on the impact of the deuewpment of big data on the protection of individua/s with regard to the processing of their personal data in the EU (adopted on 16 September

2014), 117 ~U Article 29 Data Protection Working Party, WP221, Statement on the impact of the deue[qpmmt of big data on the prot,ection of individua/s wz th rega rd to the processing of their personal data in the EU (adopted on 16 September 2014) at p 2. 118 EU Da',:1 Protection Directive 95/ 46/ EC, Arts 7 and 8. the 119 EU Article 29 Data Protection Working Party WP221, Statement an d ' ' of individua/s ' zmpact of the deueli>pment of big data on the protection wzffi"b to the processing of their personal data in the EU (adopted on 16 Sep tern er 2014) at p 2.

244

impact of the develhpment of big data on the protection. of individuals with regard to the processing of their personal data in the EU (adopted on 16 September

2014) at p 2. . . 121 In the 1990s when the World Wide Web was m its early da~, many commentato;s used the "www" in web addresses to stand for "wild wild west" to describe the Internet as they thought that the Internet was not possible to regulate. , , 8/2014 on !22 EU Article 29 Data Protection Working Party, WP223• OpinlrSeptember the Recent Deve!,opments on the Internet of Things (adopted on 2014) . · · 8/2014 123 EU Article 29 Data Protection Working Party, WP223, Opinwn 124 on the ~cent Develhpments on the Internet f Things at ~~ 23 Opiniun 8/2014 EU Article 29 Data Protection Working Party, on the Recent Deve!,opments on the Internet of Things at P 16·

245

Data Protection in the Practical Context

~

6.105 . . . . l Regarding tlle data minirmsauon pnnc1p_e, tl'.e WP2g Was m 01 der to ll . 0 f llie . th al where personal data 1s_ not necessary . . rov1cte Vie,., . e 10 nm on the Intel net of Thmgs, tJ1e data subie a spe . se[Vlc . J ct sho Ctfic t be offered t11e opportumty lo use the service a UId at ti very leas . · nony le i1.; Perso nal data should certainly not be collected just be cat!Se ll. lllotis)" . ,. useful later. The WP29 addre~se~ tJ1e oft_ held vi ew that llltght be minimisation principle can hm1t potenu~l opportunities the data Internet of Things, because the potential benefit f". of th . s Ion e 1 ana 1ys1s of data wh· l data Processing comes from the. exp oratory d d T ich a· find non-obvious correlauons an tren s. he argument . 1111s 10 data minimisation principle would thereby be a barrier for _is lllat the d inno,,., . . . The WP29 did not share th 1s View an reaffirmed that •nlton. minimisation principle needs to be respected. 126 The reas th e data . ons ll for this are centred on the msecure nature of tJ1e com . gave meiliods for ilie Internet of Things devices when transferrinmtdinication g ata. 6.106 The WP29 noted tllat devices operating in the Internet of Th' 1 difficult to secure, boili for technical and business reasons 127 ~gs are • · wi n the technical level, ilie components of th e d eV1ces usually use . . . commumcanons I"nfras tru ctu re an d are ch aractensed by . reless . 11m1ted . resources in terms of energy and computmg power, renderin th devices vulnerable to physical_ attacks, eavesdro~ping or proxy atta~ks_ The more secure technologies, such as Pubhc Key Infrastructures 119 cannot be easily implemented on Internet of Things devices because.of ilie lack of computing power needed to cope with ilie required processing tasks.130

!

1

6.107 At the business level, ilie Internet of Things involves a complex supply chain wiili multiple stakeholders who assume different degrees of

125 EU Article 29 Data Protection Working Party, WP223, opinion 8/2014 on the Rei:ent Devewpments on the Internet of Things at p 17. 126 EU Article 29 Data Protection Working Party, WP223, opinion 8/2014 on the Rei:ent Devewpments on the Internet of Things at p 16. 127 EU Article 29 Data Protection Working Party, WP223, opinion 8/2014 on the Rei:ent Devewpments on the Internet of Things at p 18. 128 EU Article 29 Data Protection Working Party, WP223, opinion 8/2014 on the Ret:ent Devewpments on the Internet of Things at p 18. . 129 For furthe~ infonnation, see Yee Fen Lim, Cyberspace Law: Commenta~ and Materials (Oxford University Press, 2nd Ed, 2007) ch 5 an at pp 221-246. 14 130 EU Article 29 Data Protection Working Party, WP223, opinion 8120 on the Ret:ent Deveihpments on the Internet of Things at p 18.

246

. . A secu1ity breach can originat f o11sib1hlY· to the machine to machine e rom any one f O the esP due . enV!r r cciiillY _ f data among deV1ces_ 131 In this c onn1en1s bas d m, 0 ntext t•sJl · o · . h c on ' w ere red . change apacity may spawn nsks in ins e~ ·ng c ecurc Uced •1pt1ll . n tJ 1e WP 29 stressed that it is e and inern . ,01• jcauo , . . . . ven mor . c1cn1 auon principle and e important coollllunwi t11 the data mm1rn1s_ . . restri to rflPIY . in parucular its storage on ilie d . ct Processing f co nal data, eV!ce, to llle . . o pc~~ d il2 m1n1mum rcqil1re . also raised the special vulnerabilities as . . sociated · h designed to be accessed directly via the Internet Wit devices tl1at arc figured by the user.133 These may provide Which are not s con I an easy ace ~ll'aY d rs if users do not change the default setting 131 F ess path ·ntJ1l e no network resmcuons . . tot in place every WJ. s. or exa mp1e, ••ere are . ' re1ess netw k th 1 ifu ccts to can potenually open doors to the pe or e conn rsonaI data Th user ggcsted that by defa_ult, non-critical functionali'u• h · e wP29 su es s ould be and tlle use of untrusted software update source h disabeI d ssoudbe . . 1 d which . would 11m1t. malware attacks bas ed on code 1evente , P . n Such pnvacy protecuons should be built in fro th ~terauo · . m e very usmg ilie Privacy by Design or Data outset of the device's . development, . . 1 35 1 Protec tl·on by Design pnnop e.

6108

· wP29

1]le

6.109 The WP29 urged that when the purpose can be achieved using aggregated data, developers should n~t access ilie_ raw data. It strongly encouraged developers to follow a Pnvacy by Design approach, which would minimise the amount of collected data to that required to provide the service.136 This Privacy by Design and by Default approach has now been enshrined in Article 25 of the EU General Data Protection Regulation.137 This is discussed in more detail in chapter 7.

131 EU Article 29 Data Protection Working Party, WP223, Oftiniun 8/2014 rm the RecentDevelopments on the Internet of Things at pp 18--19... 132 EU Article 29 Data Protection Working Party, WP223, Oftinwn 8/20!4 rm the Rei:ent Developments on the Internet of Things at pp 18--19. 133 EU Article 29 Data Protection Working Party, WP223, Oftiniun 812014 rm the Rei:ent Developments on the Internet of Things at P 19. .. 134 EU Article 29 Data Protection Working Party, WP223, Oftinwn 8/ 2014 rm the Ret:ent Developments on the Internet of Things at P 19 · .. 14 135 EU Article 29 Data Protection Working Party, WP2 23 , Oftinwn 8120 19 · Opi . 8/2014 136 rm the Recent Developments on the Internet of Things at P 223 EU Article 29 Data Protection Working Party, WP , nwn 23 137 cm the Ret:ent Developments on the Internet of Things at9P ·25 EU General Data Protection Regulation 2016/ 67 , Art ·

247

Data Protection in the Practical Context

. by Design approach or data protection by d . The Pnvacy . d . . . . es 1g . k way of implementing the ata mm1m1salion p 11. ~ '} a t dat ·10 order to influence consumer b e haV1our.- · a 7.46 For Singaporean organisations mat are in th e business of k' ma 1ng Internet of Things devices, whether consum er goods O . any • • i wcarab1 devices for tracking healtl1, mey need to be cogmsant that I·r e · I the·1 devices collect personal data when 111 t 1e EU, tl1 ey would cert.a· r 1111 caught by the jurisdictional reach of m e EU Gene ral Data p Y_ be rotecuon . Regulation 2016/679 and need to comply w11.h the EU regul . . . .. auons Hence, personal data col1ecung aCUV1Ues as well as the process· · .i.. ·1· . d' . mg of . Personal data, sue h as. . wose uu. 1s111g pre 1cuve analytics , sconng systems or health cond1uon targeung, would all not be allowed uni explicit and unequivocal consent is first obtained . ess

c~ApTER

A

f'lcces

8

s and Correction Obligations

8.1 ·ght for 111 · d'1V1'd ua Is to have access to personal d ta th The n . a at organisations hold ab_ou~ them 1s a key _fac~t. of a good personal data tection system. This nght would give md1V1duals the ability to check pro d b .i.. . ersonal data hel a out w em 1s correct and whether it is being if p 'h I · handled in accordance Wll t 1e reqmrements of data protection laws. The right to access is mus a foundation upon which individuals can exercise other rights, such as me righ t to have inaccurate personal data corrected. 8.2 The challenge in the Singapore personal data protection landscape, however, is the lack of a clear rationale for the Access and Correction Obligations. The rights are articulated in the legislation but they do not appear to be fully committed rights and, as such, the gaps are glaring, so glaring that it is uncertain what positive effects the Access and Correction Obligations actually have.

59

Montgomery, Jeff Chester & Katharina Kopp, Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer 1 available at (accesse

Kathryn

Pro~~/

15 December 2016) .

264

8.3 In many jurisdictions, me right of access to personal data is ~ased . d confidenuahty. 011 th e nouons of transparency, account.a b'I' 1 1ty an . . d · c rrnauon on how Bemg able to access one's own personal data an mio tbe personal data has been or is being processed provides trans~arency to th • th ·nfonnauon on e processing of personal data. HaVIng e .1 d to third whether and how one's personal data has been disclose al daia Parties also empowers data subiects to ensure that th e person f'·" pra · ~ ·ality Coming Uil . Cllces do adhere to me principles of confidenu · b se the Circle th bi!' well ecau ' e transparency will provide account.a ity as '

265

Data Protection in the Practical Context

. . n will need to answer to the data subject if ti organisa0o . h th le Per . are not in accordance wit e law. sonaJ d pracuces a1a

8.4 · Obi'1gauons .. ccess and Correcuon are t:I1c first of tl . Tl1e A th p . ie sub . hts over personal data that e ersonal Data Protecti sta,ltiv ng "Act") crives to m . d'tVl'd uaIs. i Tl1ey operate togeth on A.ct 20Jsc (tJ~ ~ ,, 'f tt ~ C . d' 'duals witJi some ab1hty to ven y and correct their ProVid m ivi . I . Person I c heId by an organisation. The ng 1tsb toI request access and corra data . . . gapore are however, not a so ute and are siib' ection m 5m • . . . . ~ect lo exceptions that render these nghts to be 1ather diluted. lllany 8.5 . . need to pr . For both these Obligations, orgamsauons .would . . Ovtde a nd correction not only for personal data that 1s under its Cccss a · d · 2 possess· but also personal data that 1s un er its conu·ol. This mean th ion . . has transferre d person al d ata to a data mtermedia . s at if an orgamsaaon is processing tl1e personal data under the control of the orga _ry ~hat tlle organisation must .me Iude sue h person al d ata .m meeting itsn1sauon A. , and Correction Obligations. A "data intermediary" is an orga . c~ess n1sation which processes personal data on b e half of another organisation does not include an employee of that oilier organisation 3 Th but . . e~~ "processing" is widely defined m tlle Act and means me canving · ·, · out of . . . any operation or set of operauons m re 1anon to me personal data . 1· f . h , and includes a non-exhausuve 1st o operauons sue as recording, holdin 1 adaptation or alteration, combination and transmission. g, 8.6 Data intermediaries need not be described as such in tlie contractual documents and tlie definition is intended to cover a wide range of organisations. 5 Hence, for example, if an organisation has transferred its payroll operations to a data intermediary, and transfers personal data such as me names of employees, residential addresses of employees, duration of employment, salary and bank account numbers in order for tlle data intermediary to execute payment of salaries every montll to tlle employees, all such personal data would still be under the control of me organisation and would need to be accounted for in

1

2 3 4

5

Personal Data Protection Act 2012 (Act 26 of 2012) ss 21 and 22. Personal Data Protection Act 2012 (Act 26 of 2012) ss 2l(l)(a) and 22(1). Personal Data Protection Act 2012 (Act 26 of2012) s 2(1). Personal Data Protection Act 2012 (Act 26 of 2012) s 2(1). Personal Data Protection Commission, Advisory Guidelines on Key euncepts in the Persona/Data ProuctionAct (revised on 15 July 2016) at para 6·21.

266

rection requests. IL should be noted i . Or cor ccss d' ..;es do not have any Access and C n th,s rcga , ~ C· c 1a.. , r, orre · rl1tha inl ·nter(ll d ta intermediary.' Cl1on Obiig . t O~I~ I Jc as a a alions ·ts ro ill I

,-.ccEs

s osUGA TION

Obligation requires an organisation t 8, 7 cess . d ' 'd I o act only ""1e 1\c quest by an m ivi ua , The organisau· upon the ,, , Of a re . . ., on should ,,.ceipt bl possible, provide the md1V1dual with p , as soon na Y • ersonal data 1c . "' reas 0 tegOiies. Ftrst, personal data about th . d' . allmg ., , twO ca e m Ivtdu I th control of the organisau· 7 a at is 11;d11n ossession or under me . . on and in r)le P, about the ways m which such personal d second, ...,,auon d' I d ata has be info,,.. b en used or 1sc ose by the organisati . . en or have e H Th' , on Within a y date of me request. 1s nght to request ac . ear 01ay ~ ~~~ before many excepuons mat render it a very d'l1 ever, b' ect to · uted nght s11 I , , ns may, as witll the consent requirement h · o..aan1saUO ' Unt for an •o- , n as a first step. eXcepoo 1•

,

1,

Procedural requirements for Access Obligation

8·8 20 1~ (the "Regulations")9 , Regu Iauons , The Personal Da~ Protection provides some guidance on the procedural reqmrements for making a ralid request as well as oilier aspects of me request process, The request must be made in writing and should clearly enable the organisation to identify the applicant making the request and tlle personal data and use and disclosure information requested by the applicam. 10 The Personal Data Protection Commission (the "Commission") has cautioned tllat organisations should exercise due diligence and adopt appropriate measures to verify an individual's identity and organisations are also encouraged to have documentary evidence to demonstrate mat it is in compliance witll tlle Act, and minimise any potential disputes.1' The corollary of giving access to an individual who

6 Personal Data Protection Act 2012 (Act 26 of2012) s 4(2). 7 Personal Data Protection Act 2012 (Act 26 of2012) s 2l(l)(a), 8 Personal Data Protection Act 2012 (Act 26 of2012) s 2l(l)(b). 9 S362/ 2014, I) IO Personal Data Protection Regulations 2014 \S 362/ ~0l 4) reg~ ConaPts 11 Personal Data Protection Commission, Advisory Guide/mes on !5 12 in the Personal Data Prot,ection Act (revised on 15 July 2016) at para · ·

267

Data Protection in the Practical Context

• not entitled to have access is tJ1at the organis~ . . n~( breach of tJ1c Act by reason of 1ts wrongful disclosure. l1 ll be in

IB

est19 or if the request is h ot Cr.vis . , inter . xceptions Wlll be considered be! · C frivol ous or ~ '[he e ow.

·d11 al s

. div! 111 ·otJS· ,1:."''u

8.9 The request must be sent to ilic organisation by send' . . ffi . tng I[ organisation 's data protccuon o · 1cer m accordance with lo lhe · · 11(5) ofthetheb11s1ness · contact infonnauon provi'de d un d er section Alternatively, the request can also be made in ace d Act.ii . A 13 h ' h or anc section 48A of the lnterprctauon ct, w 1c deals with ti e With . . . al s, partners h'1ps an d body corporatle selv'j cc of documents on md1vidu . . . es, or i oilier manner stipulated by th c orgamsauon to be acceptable. 11 n any 8.10 15 Regulation 4 of the Rcgulations allows the organisation . . f to proVid d access to the personal ata m a vancty o ways such as provid' e of ilie personal data and use and disclosure info~ng. a copy r if tl . . . . bl a1:1on 1. documentary 1onn, or us 1s 1mpracuca e such as where . n be extracted from a special machine, by allowing the a ll .cannot · to examme · th c personal data andPP11cant a reasonable opportumty 'nf . . th r use and disclosure I onnauon, or m any o er 1orm requested b th 16 applicant as is acceptable to the organisation. AI;, will be see 11 by e 1 eow fue fonna_t of the perso~al .~ata can sometimes prevent it from bein' made available to the md1VIdual. For example, if the docum g . . ~m mfonnauon requested could reasonably be expected to r al . ,., , . eve person al data about ano th er mwvidual, the organisation is pennitted to provide the individual with the requested information. ~ot 8.11 The obligation to provide access also covers personal data contained in unstructured fonns such as personal data embedded in e-mails.'s However, there arc exceptions that enable organisations to refuse to provide access if the burden or expense of providing access would be unreasonable to ilie organisation or disproportionate to the

. ·on is unable to comply with the re . . qu1reme . Obligation . h' nt Hnposcd the organi· wu in 30 calendar bf u rece1 . . sa1:1on i after inform tlle applicant m writing of th . must, Within da) rraine, 21 e time by h' that tirJJe nd to the request. w ich it ,,,·11respo gl2 h A 01 saU · 0rga .th respect to t e ccess 0 lf\e f.ct WI .Vl•ng an access request,

t1 exceptions contained in the Act and th R . · . l to ie . e eguiatio sub]Cc . •s required to respond to each access requ ns, an .5auon I est as accu 1 tely as necessary and reasonably possible 22 H rate Y 0~ 01 of!IP1e · owever :i0d c . may refuse to confirm or may deny th . ' an isauon . e existence of organ al data or tlle use of personal data wiiliout consent c ~on d' 'f ,1.. • • • 1or any pe . tion or procee mgs, 1 we mvesugauon or proceedin s 2 3 invesur ppeals have not been completed. This is subject ~ :d

st3

°

relat~b'U~on in section 21 (4) , which stipulates iliat organisation e roh1 1 . . s must vide me requested mformauon to the individual if h not pro 'b d I t e . e was made to a prescn e aw enforcement agency with disclosur . . . out 21 nt of me md1VIdual. the co nse

P

8.14 . . Organisations ar~ permitted to c~arge an applicant a reasonable fee for services proVIded to the applicant to enable the organisation to respond to ilie access request. However, organisations must first provide a written estimate of tlle . fee to ilie applicant and if organisations wish to charge a fee higher than ilie written estimate provided, it must also notify the applicant in writing of the higher fee. Organisations need not respond to the access request unless the applicant agrees to pay the fee .25

19 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched,

12 13 14 15 16 17 18

Personal Data Protection Regulations 2014 (S 362/ 2014) reg 3(2)(b) . Personal Data Protection Regulations 2014 (S 362/ 2014) reg 3(2)(a). Personal Data Protection Regulations 2014 (S 362/ 2014) reg 3(2)(c). Personal Data Protection Regulations 2014 (S 362/ 2014) . Personal Data Protection Regulations 2014 (S 362/ 2014) reg 4(2). Personal Data Protection Act 2012 (Act 26 of 2012) s 21 (3) (c). Personal Data Protection Commission, Advisory Guidelines on Key Concef!ts in th£ PersonalDataProtection Act (revised on 15 July 2016) at para 15.9.

268

para I (J) (ii). 20 Personal Data Protection Act 2012 (Act 26 of 2012) Fifth Sched, para l(J)(v) .

11 Personal Data Protection Regulations 2014 (S 362/ 2014) reg 5. ~ Personal Data Protection Regulations 2014 (S 362/ 2014) reg 4(1). Personal Data Protection Regulations 2014 (S 362/ 2014) reg 6• 24 Personal Data Protection Act 2012 (Act 26 of 2012) 5 21 (4); Pwona1 25 Data Protection Regulations 2014 (S 362/2014) reg 6. Personal Data Protection Regulations 2014 (S 362/ 201 4) reg 7·

269

Access and Correctian Obli ation.s

Data Protection in tlw Practical Context

8.15 The Commission opin es tJ1aL if the personal data re individual can be retrieved by the indi,~dual direCLI que sted by . Ie LI1rougI1 an· on 1·me we IJS1te · lllade y, 5.t1ch as Whthe iL is access1b . . . . . r ava1labJ trc e by ih orgamsauon, the orgamsauon may 111,orm the indivi I . . . . d 26 Al I . c Ual of I t mformauon may be 1eLneve . · t. 1011gh tJ11s avenue d . tow 11 to be in the Act, it would lighten the load of tli ocs not appelt . c1· ·c1 I e Oro,, . ar However, given tJ1al not every 111 m ua has access to or k b"n1sation access the Internet, it would appear 1J1at if Lhe ind·1 .dnows how,·0 · . vi Ual · unable Lo access tl1e requested mformauon by him or is rca11 Access Obligation still imposes an obligation 011 the O herself, th; provide the information to tJ1e individual directly.21 rganisation 10

2.

Ways in which personal data has been used or d'iscosed 1

(a)

Disclosures to organisations

8.16 According to the Commission, the requiremem in section 21 concerning infonnation on tJ1e ways in which personal data h O)(b) used or disclosed in the past one year can be satisfied with a s: list of all possible third parties to whom personal data may hav \ d disclosed by tJ1e organisation. This is an acceptable altema~v een10 pro,~ding the specific set of third parties to whom t11e personal ~ has been disclosed.28 This reduces tJ1e efficacy of the Access Obligatio~ cons1de1~bly and does not app~ar to be m tlle spmt of section 2l(l)(b). The ordmary meamng ofsecuon 2l(l)(b) would entail that a specific list of tJ1ird parties to whom tlle personal data has been disclosed should be provided to the individual and not a generic list. In addition to this, if there might have been otller tllird parties who were recipients as well, t11is is where the standard list of all possible third parties to whom personal data may have been disclosed by lhe organisation could be used to satisfy tllis requirement.

tt

8.17 Although the Commission was careful to recommend that organisations should individually identify each possible third part)', instead of simply providing general categories of organisations such as 26 27 28

. " 29 tJ . npanies , 11s means iliat the ind· 'd . al co l 1vi ual · • f111acc11U~ to directly approach all the possible t1 . dis Sil 1I 'pJ1,1 ··'1 )la\llng tJ e list which, being a generic list may b Hr party " 1"1" n 1 c a Ion r1st ' . . 101 'SlluoI1s 0 _, 0 work through. Tl11S 1s not conduciv _g. ,,r,1n1 ..1 duai L . . c to ass1sttn . ising 1.he1r nghts of access and correcti 010· ind1~ g , ran . e)(c, c on. ,o . ·d11als I0

illch\11

HoW pers

anal data has been used or disclosed

(bi roviding information on how personal data h b 8,18 eel to P . I d . h as ecn Ith respave bee11 used or disc m t e past year, the Comm·1ss1on . . . ose . \\ or fTlaY 11d that specific acUV1Ues . need not be specified, instead, h;Jl s1ate_ rnay provide information on Ule purposes.lo Howeve 't . uons r, 1 rgan1sa ich would also depend on the specific request.3' For 0 d that rnt . ,_c organisation may uu:orm an employee who makes an 00tc csample, ant that the employee's personal data was disclosed to lhe reques access ny for me purposes of annual updates of key productivity nt pa spec1fymg · · t h e num ber of d'1scIosures or the context of ·t1iout pare corn outputs WI the actual uses.

J.

Prohibitions and exceptions to Access Obligation

. s.1 9Access Obligation 1·s su b'~e_ct t~ many exce~uons The wh'~ch are broad . ture There are also s1tuauons m which granung access is 111 na · prohibited. Organisati?ns c?uld well use these exceptions and prohibitions as the starung pomt. (a)

Prohibitions against granting access

8.20 The main prohibitions against granting access are contained in section 21.32 The first group of prohibitions deals with instances where granting access could reasonably be expected to threaten harm of some sort to persons. Access must be denied, for example, if it could

Personal Data Protection Commission, Advisary GuidelintS cm Kty C,onapl< in the Personal Data Protection Act (revised on 15 July 2016) at para 15.JO. Personal Data Protection Act 2012 (Act 26 of2012) _s 21 (1). C,onupts Personal Data Protection Commission, Advisory Guidebn,s cm 10 15 J" in the PmonalData Protection Act (revised on 15July 2016) al para · '·

29 Personal Data Protection Commission, Advisory Guideli'fl£S tm Key Concepts in the PersrmalData Protection Act (revised on 15July 2016) at para 15.15. 30 Personal Data Protection Commission, Advisory Guide/in,s tm Key umcepts in the PersrmalData Protection Act (revised on 15 July 2016) at para 15.16. 31 Personal Data Protection Commission, Advisary Guidelin,s tm Key ~cmcepts in the PersrmalData Protection Act ( revised on 15July 2016) at para h I7. 32 Personal Data Protection Act 2012 (Act 26 of 2012) ss 21(3), 21(4) and21(5).

270

271

Access and Carrection Obii ation.s Data Protection in the Practical Context

reasonably be expected to threaten the safety or 11 51. . d .. d 1 ' ' .f · 1 p Y ca1 or m health .of another 111 1V1 ua , · or 1 ll. cou d reason al I · . h ) Ybe . en,,411 1 cause 11nmed1ate or grave am1 to t 1e safe ty or tO CJ0D d 77 we date the correction was ma e.

~

. . . h . \\~en the recipient orgamsauon receives t e nouce of a correction of per1onal data, it also has the same choice as the first organisation as to whether to correct its records. 78 If it does not make the corrections, it musl also annotate the personal data in its possession or under its con[ol with the correction that was requested but not made. 79 8.47

There are numerous exceptions to the Correction Obligation. The first iconlained in section 22(6), which exempts organisations from having 10 correct or olheIWise alter an opinion, including a professional or an expert opinion. The remaining exceptions are expressed in i1 Personal Data Protection Act 2012 (Act 26 of2012) s 22(1). Personal Data Protection Act 2012 (Act 26 of2012) ss 22(2) and 22(5).

13

;] Personal Data Protection Act 2012 (Act 26 of2012) s 22(5). i Personal Data Protection Act 2012 (Act 26 of2012) s 22(2)(a). 6 i7 Personal Data Protection Act 2012 (Act 26 of2012) s 22(2)(b). ;g Personal Data Protection Act 2012 (Act 26 of2012) s 22(3). ig ;ersonal Data Protection Act 2012 (Act 26 of2012) s 22(~). ersonal Data Protection Act 2012 (Act 26 of2012) s 22(o).

281

Access and CrJTTection Obli alions

Data Protection in the Practical Context section 22(7) and listed in th e Sixth Schedule so Tl 1 subset of the exceptions which arc found i;1 ti ese arc a . . . f 1c Fifth s,llalJ excmptmg orgamsauons rom the Access Ob . . Schcct Sixth Schedul e states that the Correction Obligation d hgat1on. ·rlllc • s1 oes n0 he the followmg: t apply to (a.) (b)

( c) (d)

(e)

opinion d_ata ~ept solely for an evaluative purpose; any exam111auon condu cted by an education institutio scnpts and, pnor to the release of examination resul n, examinati results· ts, exam·1 0n ' na1i 0 the personal data of the beneficiaries of a private t n the purpose of administering tJ1 e trust; ru st kept soJcJn personal data kept by an arbitral institution or a , . or solel)' for the purposes of arbitration or mcdiat~cd,ation centr · · d by th earb"1tra1111sutuuon · · · or mediation ion pro cccdingc adm1111stere s . if all proceedincentre·' 0r a document re 1ate d to a prosecution prosecution have not bee n co mpleted. gs related to the

8.48 The procedural matte rs in relation to a correction request . ~~ 0111 in the Regulauons and they are the same as for the access request s2 The only differences are that under regulation 5, 83 the tim f · i · .• " e ramc for a response_ or a( c)o!recuon re_qu~st 1s as soon as practicable" and 7 4 unde r regulauon , an orgamsatJon cannot charge a fee under th Correction Obligation. e 8.49 From the foregoing, a number of points can be made about the Correction Obligation. First, the obligation to correct is only limited to errors and omissions, and thus constitute relatively narrow grounds on which corrections can be requested. 8.50 Secondly, the Correction Obligation is by no means a strict obligation to correct when the organisation has the power to decide that a correction should not be made, albeit on reasonable grounds. This carries both positive and negative repercussions. One negative effect is that erroneous, false or incomplete personal data can continue to_be held about an individual. Although an annotation of the correc~on requested is required, if this is not done properly, it may be possible

80 81

82 83

84

Personal Data Protection Act 2012 (Act 26 of 2012) s 22(?) ao d Sixth Sched. Personal Data Protection Act 2012 (Act 26 of 2012) Sixth Sched, paras 1 (a)-1 (e) . . ) re 2. Personal Data Protection Regulattons 2014 (S 362/201 4 g 4 Personal Data Protection Regulations 2014 (S 362/201 ) reg 5?( 4). Personal Data Protection Regulations 2014 (S 362/ 201 4) reg

282

the erroneous, false or inco mplete ers [IJturc, , onal data 1·r it was true and accurate · Th·1s p. t11c mtght 1 On as jn )icd up cs for the individual. For exa _cad to 11,11 re uenc mp 1e 111 h i)' bC conseCJ consider a former employee, Sarah h ' l e 1 11 ·ve ntcxt, , w o reqt c,:JIJ cnt co d ration of employment with her fo~ tests i •· 0)'111 her u .... er ernplo ,111pl . n of t number of years to be seven years Th yer •· cu0 orrcc · e form ,0rrc ct t11c c does not change the personal data be . ~r eOc wcvcr, . cause it is 10 , er, hO ry since Sarah 1s no 1onger an employee d JoY cessa d . . , an th e c111P d unne f service on rccor 1s left unchanged ngth o . , at seven 01c dee 00s Je tation made to Sarah s personal data was . ne th ann° simply err ., 5 If e f service requested to be changed but chang gth o . . es were 10nu• · " il das Jen. t being specific and statmg the actual numb f ia1e ,, withoU . . er o s 1 "'adc . which an orgamsatJon seems to be permitted to do .,. thing 00 tafS• sofll~ 22 (5), the fact that Sarah was~ loyal employee for seven 00 lun def secube os.t If in the future a potential employer contacts the I rea,,"'(llay player to conduct background. checks on Sarah , the , filler ern ,o ·on he id by the former employer will not indicate that Sarah .. r0rrnau years but was an uncommitted 11•· a JoyaI employee for seven . had been ho only stayed with her former employer for seven .,,pJoyee w

eX-C"' J1100th 5•

8,51

. tions the power given to an organisation to not correct In sorne sta may' work to the advantage of the individual, although personal atae more likely to be uncertain. If an organisation holds 1h effects ar . . . e al d ta on individuals that are maccurate or mcomplete, then m pe rson a b fl " lhe event ofa security breach, the data set may e o 1ttle or less use. to data for h Wl·sh to ·utilise the accumulated personal (hose wo . . nefanous purposes. However , this cannot be a truism to be relied . upon as •mte11·1gen t personal data thieves will know how to combme . data s.ets and will be able to determine that the personal data 1s outdated, incomplete or wrong but will, nevertheless, be _use~ to create an even fuller profile of the individual with the h1stoncal or erroneous personal data, whichever case it may be. 8.52 The third point to be made about the Correction Obligation goes to the heart of the obligation itself. If personal data is in _error or incomplete and the individual has requested correcnon, ~e rectification ought to be made unless it is trivial or insignificant, m which case the individual would probably not have requ~ ste? th_e correction in the first place. The way the Correction Obhganon is designed is problematic. By imposing a requirement on the

283

----

Access and C1JTTectirm, Obli ations

Data Protection in the Practical C · ontext

organisation to send tl1e correcled perso . 1 ----------, na dala ~ organisation 8" or a subsel thereof 86 to wli' h . lo evn . , IC ll h '-1)' personal data m lhe pasl one year may . as disc1 °ther ' create I Oscd over-inclusiveness. This means thal too man l_ie Probl the informed, some of which may not need the y ~rgan,sations Cll) or co, reeled . lllay L such as where the need for them to have tJie Person >e . . corrected a1da no longer exists, for example, 1f the orga • . Person ¼, . nisauon a1d company and the delivery has been completed . Was a d . ai. . . . or tf th . e11ve provides service for warranty purposes and lli e organ·1 ~. e warra sati expired.s1 nty Period on 1

. 88 as well as opinion data kept •ruons, . so1cly r ert op1 Id appear that the main bulk of or evaluative of c~P es- ;'9 it wou . could b e 1.equeste d are those fpersonal data for ,110s ,r,cauon . 'd al h I o a factu I 1 r11•r recU . . the ind1vi u w o 1as the vested . a nature. tl IS . . . . . interest t0 ·ch ,,I11 since rsonal data 1s without error or om· . ensure ,1 11 cc, . . 1ss1on ind·1 . 1er pc r>c his or 1. at least t11is mm1mum amount of c ' viduals 1J1it 1d bC given ontrol over their sl1011 al datll· pC~ofl

EAN UNION POSITION

EURO P

h