October 1, 2015
On 8 May 2015, the Personal Data Protection Commission (PDPC) released three additional advisory guidelines, namely:
- Advisory Guidelines On Requiring Consent For Marketing Purposes
- Guide To Securing Personal Data In Electronic Medium
- Guide To Managing Data Breaches
These Guides do not have the force of law, so organisations should not rely on the Guides alone, without reference to the provisions of the Personal Data Protection Act 2012 (PDPA). The Guides are available here.
Advisory guidelines on requiring consent for marketing purposes
Under the PDPA, organisations supplying goods and services to an individual are not permitted to require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonably required to provide that product or service to the individual.
This has created difficulties for organisations intending to use their customer databases for marketing purposes, such as sending marketing materials to individuals by post, email, facsimile, text message or voice call, as such collection, use and disclosure of personal data may be considered to go beyond what is reasonably required to provide the product or service to the individual.
The Guidelines provide that there are certain instances in which organisations may be able to require the individual’s consent for the collection, use and disclosure of his personal data for marketing purposes.
The following factors will be taken into consideration in determining whether it is reasonable for an organisation to require an individual's consent to the use of his personal data for marketing purposes:
- the amount and type of personal data for which consent is sought;
- the purpose for which consent is required;
- the nature of the item being provided, including whether there is benefit tied to the item; and
- what a reasonable person would consider appropriate in the circumstances.
The Guidelines set out some examples of circumstances under which it will be permissible to require an individual to provide consent to the use of his personal data for marketing purposes as a condition of the organisation providing the individual with certain goods or services.
- Offering a free gift
A department store may decide to offer a free gift to an individual if he or she purchases goods above a certain amount. At the same time, it hopes to collect his or her personal data so as to send him or her promotional e-mails. It is permissible for the store to offer the free gift on the condition that the individual consents to the collection and use of his or her personal data for marketing purposes. If the individual refuses, the store may decline to provide the gift, but cannot deny him or her the primary goods.
- Offering a free mobile application
A technology start-up releases two versions of its mobile application: a free version and a paid version. The start-up may decide to make downloads of the free application contingent on the individual's consent to the collection and use of his or her name and e-mail address for the purpose of sending marketing e-mails. If the individual declines, the paid product, which does not require the individual's consent to the use of his personal data for marketing purposes, is still available for purchase.
- Lucky draw
A supermarket retailer may require customers who wish to participate in a lucky draw to provide their names and email addresses for the purpose of sending them occasional promotional emails. The PDPC considers this a reasonable practice, as customers who do not wish to receive such marketing emails can always opt not to take part in the lucky draw.
The common thread in these examples is that it is permissible to require consent to the use of the individual's personal data for marketing purposes only when the item being provided is a free product or service that is incidental to, and separable from, the primary product or service.
Organisations must exercise caution if they wish to make the provision of the primary products or services paid for by an individual contingent on the individual’s consent to the collection, use and disclosure of his or her personal data for marketing purposes.
Guide To Securing Personal Data In Electronic Medium
Under the PDPA, organisations are obliged to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. To assist organisations in meeting this obligation, the PDPC has released a practical guide for personnel responsible for data protection within an organisation and those who supervise or work with infocommunication technology (ICT) systems and processes.
Some factors that organisations may wish to take into account in determining the appropriate type of security measures include:
- The type of personal data held by the organisation;
- The risk and impact to the individual should such personal data be accessed and used by unauthorised persons; and
- The form of the personal data (e.g. physical or electronic) in the organisation’s possession.
The guide also sets out a series of good and enhanced practices that organisations can adopt as part of their ICT security measures. These practices draw on observations published by the personal data protection authorities in the United Kingdom, Canada and Australia. While the guide does not provide an exhaustive list of ICT security measures, it is a good starting point for meeting the protection obligation under the PDPA; the measures actually required will depend on the factors above rather than on adopting the list wholesale.
Guide To Managing Data Breaches
The “Guide To Managing Data Breaches” provides a framework for organisations to create a data breach management plan, so as to ensure an organisation’s readiness and responsiveness should data breaches occur.
The PDPC has recommended that the data breach management plan adopt the following framework:
- Contain the breach
When an organisation encounters a data breach, it should act as soon as possible to contain it. This should include shutting down the compromised system, preventing further unauthorised access to the system, and informing the police if criminal activity is suspected. This first step is vital in ensuring that no further personal data is compromised.
- Assess the risks and impact
Once the data breach has been contained, the organisation should assess the risk and impact on both the affected individuals and the organisation, and determine the severity of the consequences. It should also decide what steps are needed to inform affected individuals.
- Report the incident
The PDPC regards notification of the data breach to the affected individuals as good practice. In addition, organisations are advised to notify the PDPC as soon as possible of any data breach that might cause public concern or where there is a risk of harm to a group of affected individuals. Notifications should be made promptly and effectively, detailing how and when the data breach occurred and the types of personal data involved.
- Evaluate the response and recovery to prevent future breaches
Organisations should evaluate the cause of the data breach, the adequacy of their response, and whether existing ICT measures are sufficient to prevent its recurrence.
This data breach management plan proposed by the PDPC is a useful framework for organisations to adopt. However, the effectiveness of a data breach management plan depends heavily on employees' responsiveness and vigilance against data breaches. In this respect, we advise organisations not only to prepare a data breach management plan, but also to ensure that the plan is rigorously tested from time to time, for example through tabletop exercises that walk staff through each step of the framework.