To provide protection for an individual’s personal information to be processed for the purposes of commercial transactions.
All individuals and organizations that process personal data in their dealings must comply with the rules set out in the Personal Data Protection Act 2010. The Federal Government and the State are exempted.
What Are the Rules?
- General Principle
- Notice and Choice Principle
- Disclosure Principle
- Security Principle
- Retention Principle
- Data Integrity Principle
- Access Principle
Any information/data or chain of information that allows a living individual to be identified is covered under the Personal Data Protection Act. Below are some examples of data that can be considered personal data:
- Name and address
- Identification card number
- Passport number
- Health Information
- E-mail Address
- Images recorded by closed-circuit television (CCTV)
- Information contained in personal files
- Collecting data through forms, by phone or via the web
- Publishing data
- Selling data
- Using administrative data
- Using data for marketing purposes
- Recording data
- Disclosing or providing data to other organizations
- Destroying data
- Processes personal data, or
- Has control over the processing of personal data, or
- Allows processing of personal data
Data subjects are given the following rights:
- The right to be told whether their data is processed by an organization
- The right to access personal data
- The right to rectify personal data
- The right to withdraw consent to process personal data
- The right to prevent processing likely to cause damage or distress
- The right to prevent processing for purposes of direct marketing
Under the Personal Data Protection Act, sensitive personal data means any data consisting of information as to an individual’s physical or mental health condition, political opinions, religious beliefs and other beliefs of a similar nature. In addition, the commission or alleged commission by the individual of any offense is also sensitive personal data.
The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act, and the processing must be with the explicit consent of the data subject.
Individuals who feel that their personal data have been processed in breach of any provision of the Act may make a complaint to the Personal Data Protection Commissioner.
The Act does not provide for a specific right to claim for damages.
Remedies under the Personal Data Protection Act are in the form of criminal offenses. The Act has created several new criminal offenses. Among them are the following:
- Processing of personal data without a certificate of registration
- Processing of personal data after the revocation of registration
- Non-compliance with the Personal Data Protection Principles
- Processing of personal data after consent is withdrawn
- Processing of sensitive personal data not in accordance with the conditions that have been set
- Selling or offering to sell personal data
- Failure to comply with the requirements of the Personal Data Protection Commissioner to comply with the notice on direct marketing.