All individuals within an organisation have a right to access personal data

Answer

When someone requests access to their personal data, your company/organisation must:

  • confirm whether or not it is processing personal data concerning them;
  • provide a copy of the personal data it holds about them;
  • provide information about the processing (such as purposes, categories of personal data, recipients, etc.)

Your company/organisation must provide the individual with a copy of their personal data free of charge. However, a reasonable fee can be charged for further copies.

The exercise of the right of access is closely linked to the exercise of the right to data portability – to allow the individual to transmit their data to another organisation.

It is important that, in your company/organisation's Privacy Notice, there is a clear distinction between the two rights. Therefore, both rights need to be briefly mentioned separately.

Example

Your company/organisation provides an online social networking service whereby individuals can exchange messages and pictures. A user requests access to their personal data in order to verify what personal data concerning them is processed by your company/organisation. Your company/organisation must confirm that it is processing personal data which concerns them and provide a copy (such as name, contact details, messages and pictures exchanged). Your company/organisation must also provide them with information about the processing – usually that would be in the privacy notice of your service.

This article shall examine the key points in the Personal Data Protection Act (“PDPA”) and the practical measures required when the PDPA comes into full force on 1 July 2014. The law governing the Do Not Call Registry came into effect on 2 January 2014.

How Well Do You Understand the Personal Data Protection Act and its Practical Implications?

Scope of PDPA

What is the PDPA About?

The purpose of the PDPA (Personal Data Protection Act) is to balance the commercial need of organisations to use individuals’ personal data and the right of individuals to protect their personal data.1

Who are Governed by the PDPA?

Organisations that collect, use or disclose an individual’s personal data are regulated by the PDPA. There are three types of “organisations” governed by the PDPA. They include: (i) “an individual” carrying on a business (not in a personal or domestic capacity eg self-employed consultant); (ii) a body corporate; and (iii) a body unincorporate (eg a society or association).2 So long as an organisation handles customers’ and employees’ personal data, it is caught under the PDPA. This covers virtually all businesses in Singapore.

Who is Protected Under the PDPA?

All personal data belonging to an individual (living or deceased) is protected under the PDPA. It is interesting to note that only individuals who are deceased for 10 years or more are exempt from the PDPA.3 Hence, the PDPA protects three groups of individuals: (i) customers; (ii) employees; and (iii) others (eg company directors).

Who is Not Protected Under the PDPA?

Data belonging to non-individuals (eg companies) is not protected under the PDPA (eg B2B businesses). Personal data belonging to an individual deceased more than 10 years ago is also not protected under the PDPA.

What Information is Protected Under the PDPA?

All “personal data”4 belonging to an individual is protected under the PDPA. Hence the following data which identifies an individual will be considered “personal data”: full name, NRIC Number, passport number, photographs and CCTV images, personal mobile telephone number, personal e-mail address, name and residential address. Certain information on its own such as: “To the occupant of #15-01, Block 1000A, Marine Parade Road” will not be considered “personal data”. Interestingly, personal data in a business name card belonging to an individual is not governed (hence not protected) by the PDPA if it is not used for personal purposes.5 Hence, if Mr Tan leaves his business name card at a seminar for the purpose of being included in the organiser’s mailing list to attend future similar seminars, his personal data will not be protected under the PDPA.

What About Personal Data Collected Before 2 July 2014?

All personal data collected by an organisation before the Appointed Date (2 July 2014) will still be valid unless the individual has withdrawn his consent or objects to the use of his personal data.6

The Nine Organisation Obligations

The nine organisation obligations (“nine obligations”) that will be discussed herewith constitute some of the core provisions of the PDPA.7 These are important legal obligations every organisation must comply with. Organisations must start to comply with these obligations from 2 July 2014.

1. The Consent Obligation

Briefly stated, an organisation must obtain an individual’s consent before it collects, uses or discloses his personal data.8 There are two types of consent: express consent and deemed consent. Express consent includes consent in writing. There are two types of “deemed consent”. First, an individual is deemed to have given his consent if he voluntarily provides his personal data to an organisation and it is reasonable for the individual to do so.9 For instance, an individual sending his CV to an organisation in response to an advertisement for a job vacancy. Second, an individual is deemed to have given his consent to the disclosure of his personal data by one organisation to another organisation for a particular purpose.10 For instance, if A buys a life insurance policy from Organisation A, he is deemed to have consented to Organisation A disclosing his personal data to Organisation B for the re-insurance of A’s policy.

What would constitute a valid consent?

Valid consent is subject to the following conditions. First, the organisation must notify the individual of the purpose of the consent.11 For instance, if an organisation is running a lucky draw, the participants must be informed that their personal data is collected for the purposes of that lucky draw. Second, the personal data required must be reasonable.12 For instance, it is wrong for a TV vendor to ask the buyer for his entire family’s personal data. Third, the organisation must not use false, misleading or deceptive means to obtain an individual’s personal data.13 For instance, advertising non-existent jobs in order to obtain personal data from applicants.

Collection, use and disclosure without consent

a. PDPA Exemptions (Second, Third & Fourth Schedules)

An organisation can collect, use and disclose an individual’s personal data without his consent if it falls within the circumstances stipulated in the Second, Third and Fourth Schedules.14 These are very useful exemptions available to an organisation in handling customers’ or employees’ personal data without obtaining their consent.

For instance, the HR department of an organisation need not obtain an employee’s consent for evaluative purposes.15 The term “evaluative purpose”16 includes: “(a) for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates – (i) for employment or for appointment to office; (ii) for promotion in employment or office or for continuance in employment or office; (iii) for removal from employment or office”.

Hence an organisation does not need to obtain: (i) a job applicant’s consent to collect, use or disclose his personal data to assess his suitability for the job; or (ii) an employee’s consent for the purposes of his promotion or the termination of his employment. HR departments may also like to note that an organisation can collect an employee’s personal data without his consent for the purposes of the employee’s employment, business or profession.17

b. Required or authorised under PDPA or other written law

An organisation can collect, use or disclose an individual’s personal data without his consent if it is required or authorised under other written law. For instance, a bank need not obtain a customer’s consent if it discloses his personal data to a third party pursuant to the Third Schedule of the Banking Act.

2. The Purpose Limitation Obligation

An organisation may only collect, use or disclose an individual’s personal data if it informs the individual of the specific purpose (which must be appropriate or reasonable).18 An organisation is prohibited from using the personal data collected for a different purpose. For instance, a modelling agency cannot advertise for models and use their photos for pornographic websites. However, it is acceptable for the modelling agency to use the models’ personal data to send them greeting cards or to inform them of new modelling opportunities.

3. The Notification Obligation

In order to obtain an individual’s consent, an organisation must inform or notify the individual of the purpose for the use or disclosure of his personal data.19 Hence, the “purpose” obligation and the “notification” obligation are closely connected. These are two obligations that an organisation will find rather onerous, as it handles customers’ and employees’ personal data on a daily basis.

What must an organisation notify an individual of?

An organisation must notify the individual of the purpose of the collection, use or disclosure of his personal data and also of other purposes.20 For instance, an insurance company needs to inform its clients that their personal data may be disclosed to a re-insurance company for re-insurance purposes.

When should an organisation do this?

An organisation must notify the individual of the specified purpose on or before it collects his personal data.21

Practical implication of Consent, Purpose and Notification Obligations

First, an organisation must set up a formal procedure to comply with these three obligations. It should specify the circumstances where it can collect, use and disclose the personal data without consent by checking against the Second, Third and Fourth Schedules.

Second, it should design a standard form to incorporate the three obligations. This standard form may be labelled “Consent Form”. This form should include: the purpose of collecting the personal data, third parties the personal data may be disclosed to, withdrawal of consent, signature etc. In drafting such a form, care must be taken to avoid the use of language that is too vague or general which may invalidate the use of such a form.

4. The Access and Correction Obligation

This is another important obligation an organisation must comply with and manage on a daily basis.

a. The Access Obligations

Every individual has the right of access to his personal data.22 Hence, an organisation must grant an individual access to his personal data which it has in its own possession or under its control (eg outsourced to a Data Intermediary).23 This request is called the “Access Request”. An organisation must disclose all personal data belonging to an individual and how it has been used for the past one year.24

How to exercise an Access Request?

An organisation should design a standard Access Request form to facilitate and manage the ongoing Access Requests by customers and employees. This standard form should record the full identity of the individual requesting access.

How soon should an organisation respond to an Access Request?

An organisation should respond to an Access Request within 30 days.25 If it is not reasonable or possible to provide the personal data within 30 days, the organisation shall disclose the personal data to the individual at the “reasonably soonest time”.

What fees can an organisation charge for an Access Request?

The PDPA does not provide a fixed fee or a maximum fee (unlike the UK) for an Access Request. An organisation can charge a minimum fee to recover the costs and time spent in acceding to the Access Request.26

Offences relating to access obligation

Individuals should take note that it is a criminal offence for a person to make an Access Request on another individual’s personal data without his authority.27 The penalty for such unauthorised access is a maximum fine of $5,000 or an imprisonment term not exceeding 12 months or both.28 Organisations should also take note that it is a criminal offence to alter, falsify, conceal or destroy any record containing an individual’s personal data to avoid complying with an access request.29

When would an individual’s request for access be denied?

First, an organisation may refuse an individual access to his personal data if the circumstances fall within the Fifth Schedule of the PDPA.30 For instance, an employee has no right to access any HR record concerning himself (eg for promotion purposes), because this would relate to “opinion data solely for evaluative purpose”.31 Pursuant to item 1(j), Fifth Schedule, an organisation can reject an individual’s Access Request for the following reasons:

1. “Unreasonable interference” with the organisation’s operation because of its repetitive nature (eg customer asking for the same or almost the same personal data every week);

2. “Burdensome” to the organisation or “disproportionate to the individual’s interest” (eg customer wanting to view the CCTV footage over the past one year instead of on a specific date(s));

3. “Trivial” information (eg check on his address postcode); or

4. “Frivolous or vexatious” (eg disgruntled ex-employee repeatedly asking for the same personal data to annoy an organisation).

Second, an organisation can also deny an access request to a person’s personal data if it would reveal the personal data of another individual. For instance, CCTV footage that captures the individual’s image together with that of a third party.

b. The Correction Obligation

Every individual has the right to correct any error in his personal data. Hence, an organisation must allow an individual to correct any error or omission in his personal data that is in the possession or under the control of the organisation.32 This request is called the “Correction Request”. If the organisation has disclosed the personal data to another organisation within a year before the Correction Request, it must also send the corrected personal data to that other organisation.33 For instance, if an insurance company (A) has corrected the personal data of its insured (Mr X), it must also inform company B (its re-insurance company) of Mr X’s corrected personal data.

How to exercise a Correction Request?

The PDPA does not provide for a standard Correction Request. Each organisation should design its own standard “Correction Request Form”. In this form, it should include the identity of the individual and the particulars of the personal data to be corrected.

How soon should an organisation respond to a Correction Request?

The response time is also 30 days upon receiving the Correction Request.34

Can an organisation charge any fee for a Correction Request?  

Unlike an Access Request, there is no provision in the PDPA to impose any fee on a Correction Request.35 It would appear that an organisation has no legal authority for any fee to be imposed for a Correction Request.

When can an organisation reject a Correction Request?

First, an organisation need not accede to a Correction Request if the circumstances fall within the Sixth Schedule.36 For instance, an employee cannot ask an organisation to change its promotion or termination report because that is “opinion data” solely for an evaluative purpose.37 Second, an organisation may deny a customer’s request to alter or correct a professional or an expert opinion.38 For instance, a customer cannot ask his insurance company to correct the medical report submitted by the insurance company’s doctor for his life insurance application. Third, an organisation may refuse to accede to a Correction Request if it has reasonable grounds why a correction should not be made.39 It is unclear what would constitute a “reasonable ground” to justify a refusal to correct an individual’s personal data which does not fall within the first two grounds above. Perhaps an example may be where the request is made by an individual’s representative and the authorisation or identity of the representative cannot be verified.

What should an organisation do when it refuses to accede to a Correction Request? Does it need to give reasons for its refusal?

This is unclear in the PDPA. If an organisation is refusing on the ground of “unreasonableness”, s 22(5) merely states that the “organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made”. This is for internal record purposes, but it does not address the issue of whether the organisation needs to give reasons for refusing to correct the personal data requested. For practical purposes, it is better to disclose the reason for not acceding to the Correction Request. This is consistent with the Hong Kong practice.

Offences relating to Correction Request

The same offence and penalty relating to Access Request applies to a Correction Request.40

Practical implications of Access and Correction obligations

First, the organisation must set up a formal procedure to handle the regular Access Requests and Correction Requests. Second, it should design its own “Access/Correction Form”. This form should include: the identity of the individual requesting access or correction, the personal data to be accessed or corrected, and the administrative fee (for Access Requests) etc.

5. The Accuracy Obligation

An organisation must make a reasonable effort to ensure that the personal data collected is accurate and complete under certain circumstances discussed below.41

When must an organisation undertake this obligation?

As a general rule, an organisation has no legal obligation to check on the accuracy and completeness of the personal data obtained from an individual. However, there are two instances when an organisation must discharge this obligation. First, it is when an organisation is using the personal data to make a decision that affects the individual (eg his employment or promotion).42 Second, it is when the personal data is likely to be disclosed by an organisation to another organisation.43 This would include: re-insurance of a life policy, or where personal data of customers collected may be disclosed to the Credit Bureau.

Practical implication of Accuracy Obligation

To comply with this obligation, an organisation must exercise more care when it handles an individual’s personal data for these two purposes.

6. The Protection Obligation

An organisation must protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification and disposal.44

What security arrangement should an organisation have?

An organisation should: (i) design and organise security arrangements to fit the nature of the personal data held by the organisation and the harm that might result from a security breach; (ii) have reliable and well-trained personnel to ensure the information security; (iii) implement robust policies and procedures to ensure appropriate levels of security; and (iv) be prepared and able to respond to any security breach.45

What types of security arrangements must an organisation have?

The PDPA Commission has recommended three types of security measures: (i) administrative measures (including implementing procedures relating to confidentiality obligations, business continuity plans etc); (ii) physical measures (including restriction of access by employees, proper disposal etc); and (iii) technical measures (including securing computer networks, encrypting personnel data, access control etc).46

Practical implication of Protection Obligation

An organisation must establish and implement a security system to prevent any unauthorised access to or abuse of the personal data in its possession or under its control. It should provide for regular audit of the security system. It must establish contingency plans and remedial measures in the event of a breach of the security system. If the security system is outsourced to a third party, the contract must contain binding contractual provisions to ensure the outsourced party is able to comply with the Protection Obligation.

7. The Retention Limitation Obligation

An organisation cannot keep the personal data of an individual indefinitely. Whilst there is no fixed retention period, it is limited by the two factors below.

When should an organisation cease to retain an individual’s personal data?

First, an organisation must cease to retain the documents containing personal data or remove the means by which the personal data can be associated with an individual as soon as it is reasonable to assume that the “purpose for which the personal data was collected is no longer being served”.47 For instance, when an individual is no longer an employee of an organisation (ex-employee). Second, when the “retention is no longer necessary for legal or other business purposes”.48 For instance, when an individual is no longer a customer of an organisation (ex-customer).

When would an organisation need to retain personal data for a longer period?

An organisation may need to keep the personal data of a disgruntled ex-customer or ex-employee for a longer period because these individuals may sue the organisation. It may also need to retain personal data for a longer period under the requirements of other applicable laws. For instance, under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (“CDSA”), an organisation is required to keep certain documents containing a customer’s personal data for a minimum of five years after the last transaction.

What should an organisation do at the end of the retention period?

An organisation must “cease to retain the documents” containing the personal data of an individual. This means it must remove, delete or erase the document containing the personal data permanently. Alternatively, the organisation may “remove the means by which the personal data can be associated with an individual”. This means to “anonymise” the identity of the individual. The logic is that if an individual can no longer be identified, the remaining data no longer constitutes “personal data”.49 Hence the PDPA does not apply.

Practical implication of Retention Obligation

First, an organisation must specify its retention policy and define the retention periods for various classifications of personal data (eg customers and employees). Second, it must specify the circumstances in which the personal data may be retained longer than the retention period. Third, it must specify the method of removal of the personal data (physical and digital) or anonymisation (what method). Fourth, there needs to be a regular review to ensure that there is no “over-retention” of the personal data beyond the Retention Obligation.

8. The Transfer Limitation Obligation

An organisation must not transfer any personal data outside of Singapore unless it provides the same standard of protection as under the PDPA.50 This is particularly important when an organisation has to transfer the personal data to its overseas head office, related offices or to overseas outsourced parties (“Overseas Party”).

How to ensure compliance with the Transfer Limitation Obligation?

The PDPC has recommended two ways.51 First, by entering into a contractual agreement between the organisation in Singapore and the Overseas Party. This “contractual” route is more suitable where the Overseas Party is a third party (eg Data Intermediary). Second, an organisation may adopt the “binding corporate rules” approach for inter-corporate rules (eg code of conduct, corporate policies) which are more suited for a multinational group of companies. These legally binding instruments must contain provisions that provide a comparable standard of protection under the PDPA.

Practical implications of the Transfer Limitation Obligation

The organisation should draft a standard contractual agreement for use when it transfers personal data to a third party overseas (“Overseas Transfer Agreement”). This agreement should contain all the personal data protection provisions under the PDPA (ie the nine obligations). If the overseas transferee is a related affiliate of the organisation, it should review whether its internal binding corporate rules on personal data protection are comparable to those under the PDPA.

9. The Openness Obligation

Basically, an organisation should provide information on its data protection policies, practices and complaints process to the public upon request.

Practical implication of Openness Obligation

First, an organisation must, in developing its data protection policy and practices, appoint one or more individuals to be the compliance officer(s) under the PDPA (“Data Protection Officer”).52 The contact particulars (“Business Contact Information”) of these officer(s) must be made available to the public.53 Second, an organisation must develop and implement a compliance system to meet its obligations under the PDPA.54 Third, as part of this compliance system, it must develop a process to handle complaints received from individuals (“Complaint Process”).55 Fourth, an organisation must make available to the public, upon request, its compliance policies and practices and its Complaint Process.56 Finally, an organisation must communicate its compliance policies and practices to its employees by conducting internal training.57

Do Not Call Registry

What is the Do Not Call Registry (“DNC Registry”) About?

The DNC Registry is set up to protect individuals from receiving unsolicited marketing messages (“Specified Message”) from organisations. An individual can avoid receiving any unsolicited marketing messages from any organisation by registering with any of the three registers (“No Voice Call”, “No Text message” or “No Fax”) under the DNC Registry. An organisation must not send any marketing messages to any individual whose name is registered under the DNC Registry.

When Did the DNC Registry Commence?

The DNC Registry came into operation on 2 January 2014.

What is the Scope of the DNC Regime?

First, the DNC regime only applies to the sending of marketing messages to Singapore telephone numbers58 by telephone calls, text messages and faxes. Hence, junk mail stuffed into our letter boxes will not be prohibited. Second, it only applies to “local” marketing messages (ie both sender and recipient of the message must be in Singapore).59 Hence, overseas marketing messages received by a recipient in Singapore are not covered. Third, all marketing messages (eg advertisements) relating to the supply and promotion of goods and services are covered under the DNC regime.60 This would include the sale of all forms of goods, financial products, residential property and the supply of services (eg financial services etc).

What Does Not Come Within the DNC Regime?

The DNC regime does not cover the following messages. First, it does not cover messages sent by an individual in a personal or domestic capacity.61 Hence, private phone calls, SMS etc are not covered. Second, any message for conducting market research or a market survey is not covered.62 Third, any message sent to an organisation is not covered.63 Hence, “B2B” messages are not covered. For the rest of the exemptions, please refer to the Eighth Schedule.

What are the Duties of an Organisation Under the DNC Regime?

There are two statutory duties an organisation must discharge under the DNC regime.

1. Duty to check the DNC Registry.

First, an organisation must check the DNC Registry before sending any marketing messages to an individual.64 It must not send any marketing messages to any individual whose name is registered under the DNC Registry. However, this duty shall not apply where the individual has given “clear and unambiguous consent”.65 For instance, if Miss Tan has signed up with a gym and she ticked the “yes” box in her membership form to receive further information from the gym; this would constitute “clear and unambiguous consent”.

Practical implication

An organisation must first register with the DNC Registry to access the DNC Registry to check the DNC registers.

2. Duty to identify itself.

Second, an organisation that makes a voice call to an individual regarding a marketing message must identify itself. It must not conceal its calling line identity (eg telephone numbers).66

The penalty for violation of either of these two duties is a fine up to $10,000.67

Practical implication

An organisation must ensure that all telemarketing messages are made with identifiable telephone numbers.

Powers of Commission

Complaint to Commission by individual

What can an individual do if he is dissatisfied with an organisation for: (i) refusing his Access/Correction Request; (ii) charging an “unreasonable fee”; or (iii) taking too long to accede to his Access/Correction Request? The individual can lodge a complaint with the Commission.

What Can the Commission Do?

Upon receiving a complaint from an aggrieved individual, the Commission will review his complaint. The Commission can take any of the following actions: (i) confirm the refusal of the Access Request or direct the organisation to provide access to the complainant within such time specified by the Commission;68 (ii) confirm, reduce or disallow a fee or direct the organisation to make a refund to the complainant;69 (iii) confirm the refusal of the Correction Request or direct the organisation to correct the personal data in such manner and time specified by the Commission.70

What Other Powers does the Commission Have?

If an organisation has failed to comply with Parts III to VI (the nine obligations) of the PDPA, the Commission can give directions to the organisation to: (i) stop collecting, using or disclosing personal data in contravention of the PDPA; (ii) destroy the personal data in contravention of the PDPA; or (iii) pay a financial penalty of an amount not exceeding $1 million.71

Offences, Penalties and Civil Action

Criminal Sanction

Any person guilty of an offence under the PDPA (for which no penalty is expressly provided) is subject to a general penalty of a fine not exceeding $10,000 or to imprisonment for a term not exceeding three years or to both. If it is a continuing offence, there shall be a further fine not exceeding $1,000 per day.72

The Commission may, in its discretion, compound any offences under the PDPA (except for the DNC offences) by accepting a sum less than half of the maximum fine or a sum of $5,000 (whichever is lower).73

It is also important to note that, with regard to an Access/Correction Request, it is an offence to: (i) evade such a request by disposing of, altering, falsifying, concealing or destroying a record containing personal data; (ii) obstruct or impede the Commission in the exercise of its powers or performance of its duties; or (iii) knowingly or recklessly mislead the Commission.74 The penalty for an offence under (i) is a maximum fine of $5,000 (for an individual) or $50,000 (for an organisation). The penalty for offences under (ii) and (iii) is a maximum fine of $10,000 (for an individual) or $100,000 (for an organisation).75

Civil Action

Besides criminal sanction, an organisation faces civil action if it violates Parts IV, V and VI (the nine obligations) under the PDPA. If a person suffers loss or damage directly as a result of a contravention of any of the nine obligations by an organisation, he can sue the organisation for damages or seek an injunction (to stop the collection, use or disclosure of his personal data) in a civil action.76 For instance, an employee who lost his job because the HR department wrongly refused to allow him to correct his academic qualification may threaten to sue the organisation.

► Tan Sin Liang
     S L Tan & Co
     E-mail: [email protected]

Notes

1. Section 3.

2. Section 2.

3. Section 4(b).

4. See definition of “personal data” in s 2.

5. See definition of “business contact information” in s 2.

6. Section 19.

7. See “Proposed Advisory Guidelines On Key Concepts In The Personal Data Protection Act” issued by the Personal Data Protection Commission (“PDPC”) on 5 Feb 2013 (“Key Concepts Guidelines”).

8. Section 13.

9. Section 15(1).

10. Section 15(2).

11. Section 14(1).

12. Section 14(2)(a).

13. Section 14(2)(b).

14. Section 17.

15. Item 1(f), Second Schedule; item 1(f), Third Schedule; item 1(h), Fourth Schedule.

16. See definition of “evaluative purpose” in s 2.

17. Item 1(n), Second Schedule.

18. Section 18.

19. Section 20(1)(a).

20. Section 20(1)(b).

21. Section 20(1)(2).

22. Section 21(1).

23. See definition of “data intermediary” in s 2.

24. Section 21(b).

25. See “Proposed Regulations On Personal Data Protection In Singapore” by the PDPC, 5 Feb 2013, 3.7(b)(i) at p 8 (“Proposed Regulations”).
