Data Privacy Updates for Fridays - Your Signature is Personal Information covered by the protection
The Data Privacy Act (DPA) of 2012 defines personal information as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
In National Privacy Commission (NPC) Advisory Opinion No. 2017-063, Re: Personal and Sensitive Information, the Commission explained that hand-written signatures fall within the definition of personal information under the DPA. The Commission clarified:
"[H]and-written signatures, as may be used to identify an individual, is considered as personal information. In the same manner, unique information relating to an individual or when linked with other information will allow an individual to be distinguished from others, may be treated as personal information. (Citing EU Directive 95/46/EC Working Party Document No. WP 105 noted that “Data relates to an individual if it refers to the identity, characteristics or behavior of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated.”)
Accordingly, username, password, IP address, MAC address, location, cookies and birthday (month and day only), as for its common use, when combined with other pieces of information, may allow an individual to be distinguished from others and may therefore be considered as personal information."
In another Advisory Opinion, the Commission explained:
"It is imperative to determine whether the information being collected in the logbooks are necessary and proportionate to the purpose of collection. Following such determination, the risks and vulnerabilities in the processing should likewise be identified and addressed, and an evaluation of the current security measures being implemented should be made to see if these are reasonable and appropriate to ensure the security and protection of personal information or whether there is a need to improve current practices. These may be accomplished through the conduct of privacy impact assessment.
To observe the principle of transparency to the data subjects, a privacy notice or privacy statement may be displayed alongside the logbook to apprise the visitors of the purpose of collection, recipients of collected information and retention period of stored information, among others.
Singapore’s data protection authority, the Personal Data Protection Commission (PDPC), has decided a complaint in relation to the failure by a security company to safeguard their visitor logbook which resulted to a data breach incident. (Refer to Investigation under Section 50(1) of the PDPA 2012 and MCST 3696. Eagle Eye, Case Number: DP-1610-B0275, 29 June 2017. Available at https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision---eagle-eye---290617.pdf?sfvrsn=2. [Last accessed 13 December 2017]) The PDPC ruled that the recording and safekeeping of logbooks were considered as activities involving processing of personal data, hence, actual processes, practices and policies must be put in place in order to protect personal data and ensure the safety of the logbook at all times." (See NPC Advisory Opinion No. 2018-003)
With these in mind, how do we apply the principles of legitimate interest and proportionality in the collection and processing of data in our daily work environment? I wonder how these principles are actually applied insofar as the protection of the general public is concerned, since their personal information is now being processed daily by public transportation providers for purposes of contact tracing. It is noteworthy that the NPC specifically states in NPC Advisory No. 2017-063 that "it is mandatory for an organization to clearly establish procedures that allow data subjects to exercise their right to access, rectification, erasure or blocking."