Under the Personal Data Protection Act ("PDPA"), organisations must notify individuals of the purposes of collecting, using and disclosing their personal data in connection with obtaining the individuals' consent for such processes. However, the PDPA does not prescribe how organisations should notify individuals of the purposes, or what must minimally be included in the notice.
On 11 September 2014, the Personal Data Protection Commission ("PDPC") issued a "Guide to Notification" ("Notification Guide") which provides timely guidance to organisations in complying with the notification obligation under the PDPA.
The Notification Guide provides, among other things, examples of good practices, as well as specific guidance on lucky draw forms and CCTV signage, that organisations should adopt when providing notification under the PDPA.
A notification should contain relevant information such as:
- types of personal data to be collected, used and disclosed;
- purposes of collection, use and disclosure of personal data;
- recipient of personal data;
- how an individual may withdraw consent and the consequences;
- business contact information of the data protection officer;
- how an individual may access or correct personal data.
The layout of the notification should:
- highlight purposes which may be of particular concern to the individuals (e.g. for marketing purposes);
- use a layered notice (i.e. one that lists the basic or most important information more prominently);
- use headings, titles and sections;
- use suitable font size;
- manage the length of notification;
- be clear, brief and to the point.
As far as possible, notifications should be easy to understand for the target audience. For example, if the intended audience is teenagers, the language used in the notifications could be simple and in short sentences.
Notifications should be easy for the individuals to locate.
For example, where the notification is a paper document, the most important information should be on the first few pages of the document.
If the notification is on a website, it should be easy for the individual to locate the notification at the landing page. For example, the notification could be accessed through a prominent pop-up box on the webpage.
If the notification is on mobile interfaces, the design of the notification should be suitable and accessible with minimal swipes or taps from the landing page.
If the personal data may be used for purposes beyond conducting a lucky draw, such additional purposes must be clearly stated. Mandatory and optional personal data should also be distinguished in the notification.
If the lucky draw forms cannot set out all terms and conditions due to space constraints, organisations should consider notifying interested participants of the terms and conditions in other ways (e.g. by providing a link in the lucky draw forms that directs participants to the full terms and conditions on a webpage).
If personal data will be published, individuals should be notified of that fact and how their personal data will be published, for example, that names and partial NRIC numbers of winners will be published in the newspapers.
CCTV notices should be placed at locations easily seen by individuals, with the purposes clearly stated (for example, for security purposes). CCTV notifications need not inform individuals of the exact location of the camera(s).
The notice should not just contain an image or graphic of a CCTV as it may not be clear to people what the images mean.