Personal Data Protection Act: Trivia Quiz

By Jlcreppy, Community Contributor | Attempts: 3,359 | Questions: 64
1. Sarah goes for a medical check-up at a clinic. For the purposes of the check-up, the clinic will be conducting a series of tests which include measuring her height and weight. Sarah is aware that such tests will be conducted as the clinic has provided this information on the registration form that Sarah filled out and submitted prior to the tests. QUESTION: Is Sarah considered to have consented to the collection of her personal data?

Explanation

CORRECT RESPONSE: Yes

Sarah will be deemed to have consented to the collection of her personal data by submitting to the tests even though she did not directly provide the data to the clinic.

About This Quiz
How much do you know about Singapore's Personal Data Protection Act? Many people can access private data and choose to use it maliciously. This is why the PDP Act was put in place to control what can be shared under different circumstances and to whom. If you have some doubts about how well you understand the act and want to verify how true they are, you can check out this quiz.

2. Sarah fills up an online form. The following clause is directly above the "Submit" button. I would like to receive information about promotions and offers by: a. Phone [ ] b. SMS [X] c. Email [X] d. Mail [ ] Sarah checks the boxes SMS and Email and submits the online form. QUESTION: Can we consider that Sarah has given clear and unambiguous consent?

Explanation

CORRECT RESPONSE: YES

Sarah would be considered to have given clear and unambiguous consent.

3. Sarah signs up for a membership at a gym. The application form contains an extract of the most relevant portions of the Data Protection Policy in a physical document. For example, it states that Sarah's address details will be used for sending her a gym membership card and other communications related to her gym membership. The sales representative of the gym informs her that the full Data Protection Policy is available on the gym's website and provides her with relevant information to locate it. QUESTION: According to the PDPA, did the gym properly inform Sarah about the purpose of collection of personal information?

Explanation

CORRECT RESPONSE: YES

In this case, the gym has informed Sarah of the purposes for which her personal data will be collected, used or disclosed.

4. QUESTION: From the list below, which information could be seen as personal data under the PDPA?
• Full name
• NRIC or FIN number
• Passport number
• Photograph or video image of an individual
• Mobile telephone number
• Personal email address
• Thumbprint
• DNA profile
• Name and residential address

Explanation

CORRECT RESPONSE: All of the information

All the information can be seen as personal data under the PDPA.

For more information please contact us: [email protected]

5. Organisation ABC is a market research firm that has been engaged by Organisation XYZ. The written contract specifies that ABC has been engaged to collect personal data on behalf of XYZ and produce a report, exclusively for the use of XYZ, which illustrates the correlation between investment habits and income, profession and marital status of at least 1000 working Singaporeans aged 25-40. In addition to types of investments made, income, profession and marital status, the contract specifies that ABC has to collect the NRIC number and residential address of each person surveyed. The contract neither specifies the methods or processes ABC should undertake to collect the data and produce the report, nor the specific individuals that ABC is to survey. However, all raw data collected is to be given to XYZ and ABC is not permitted to keep any copies of the data or use it for any other purpose. In this situation, ABC may still be considered a data intermediary of XYZ insofar as it is processing personal data for the sole purpose of producing the report for XYZ. QUESTION: Does ABC have any obligation under the Personal Data Protection Act (PDPA), given that it doesn't keep any copy of the data and is the company processing the data?

Explanation

CORRECT RESPONSE: YES

ABC has to comply with the PDPA.
As ABC is XYZ’s data intermediary, XYZ has the same obligations under the PDPA in respect of the personal data processed by ABC. Hence, it may wish to include additional requirements in its contract to ensure that ABC fulfils XYZ’s obligations under the PDPA.

6. Does your organization have in place policies and procedures with regard to ensuring compliance with the Act?

Explanation

CORRECT RESPONSE: Yes we have policies in place

According to the PDPA:

An organization shall develop and implement policies and practices that are necessary for the organization to meet the obligations of the organization under this Act.

7. Nick will be attending an adventure camp for his company's team-building purposes. The adventure camp operator obtains relevant health check-up records from his company to determine whether Nick is sufficiently fit to participate in the adventure activities. The records were from eight years ago when Nick first joined the company. QUESTION: Should the adventure camp company request an update of the health check-up records?

Explanation

CORRECT RESPONSE: Yes they have to request for an update

In this scenario, the adventure camp company should consider requesting that Nick or his company updates his health check-up records.

8. Nick applies for a credit card from a bank, and two years later, Nick applies for a home loan from a bank. The bank has not made any checks during the two years that Nick's personal data is accurate and complete. When the bank received the home loan application, the bank showed Nick their records of his personal data and asked Nick to make a fresh declaration that the record is accurate and complete. In addition, noting that the supporting documents previously obtained for the credit card application are now dated two years back, the bank asked Nick to provide a copy of his most recent payslip and proof of employment. QUESTION: Has the bank made a reasonable effort to ensure the accuracy of the personal data collected from Nick?

Explanation

CORRECT RESPONSE: YES

In this scenario, the bank has made a reasonable effort to ensure that the personal data collected from Nick is accurate and complete.

9. Have you already heard about the PDPA (Personal Data Protection Act) in Singapore? What can you explain to me about this new Act?

Explanation

CORRECT RESPONSE: Yes - You should know about it

According to the PDPA:

"An organization is responsible for personal data in its possession or under its control."
10. Sarah calls a taxi operator's hotline to book a taxi. The customer service officer asks for her name and number in order to inform her of the taxi number, which Sarah provides voluntarily. QUESTION: By her response, has Sarah consented to the taxi company using her name and number?

Explanation

CORRECT RESPONSE: Yes

Sarah is deemed to have consented to the taxi company using her name and number to call or text her when her taxi arrives.

11. Organisation XYZ has been selling databases containing personal data. This would be considered a disclosure of personal data and not a reasonable existing use under Section 19. QUESTION: After the appointed day, does XYZ need to ensure that consent has been obtained before selling these databases again?

Explanation

CORRECT RESPONSE: Yes

After the appointed day, XYZ needs to ensure that consent has been obtained before selling these databases again.

12. ABC also calls John to gather information for the report. After John finishes answering all the questions related to the report, ABC asks if John would consider purchasing one of ABC's market reports. In this case, ABC's call is not for the sole purpose of market research or market survey as one of the purposes of the call is to offer goods or services to John. QUESTION: Is the organisation required to comply with the Do Not Call Provisions in relation to the sending of that message?

Explanation

CORRECT RESPONSE:

ABC would be considered to have sent a specified message to John.
The organisation will be required to comply with the Do Not Call Provisions in relation to the sending of that message.

13. A supermarket conducts a survey of shoppers on its premises to find out ways to improve customer experience. It collects personal data such as the names and contact details of the shoppers. It clearly and legibly states at the top of the survey form, "Your personal data may be used by the supermarket or its appointed survey company for analysis of survey responses, or to contact survey respondents for follow-up queries on the survey responses." QUESTION: Could we consider the supermarket to have provided appropriate notification in this scenario?

Explanation

CORRECT RESPONSE: Yes

As a best practice, organizations should ensure that the notification is provided in a form that is readily accessible and easy for the individual to comprehend. The notification should also be clear and concise, and provide appropriate information on the purposes for which consent is sought.

14. An adventure camp company records emergency contact information for all the participants in the adventure camp. This emergency contact information comprises the name, address and telephone number of the individual whom the organization will contact in the event of an emergency. Bernie's emergency contact is her husband, Bernard, and she provides his contact details to the company as her emergency contact information. QUESTION: Is the company holding personal data about one or more individuals?

Explanation

CORRECT RESPONSE: Yes - Bernie and Bernard's information

Bernard’s name, address and telephone number form part of the personal data of Bernie, alongside Bernie's own data. The company is holding personal data about two individuals.

When obtaining Bernard’s personal data from Bernie, the organization would need to consider if they are required to obtain Bernard’s consent or whether one or more of the exceptions provided in the PDPA may apply.

In addition, since Bernard’s personal data also forms part of Bernie’s personal data (specifically, the details of her emergency contact), organizations would need to protect it as part of Bernie’s personal data.

15. Sarah signs up for a spa membership over the Internet. She is directed to the terms and conditions page. There is a check box on the first page next to a line which says "click here if you wish to receive information about our products and services, including special offers we may have from time to time, by SMS". Sarah checks the box. QUESTION: Is the spa allowed to send such SMS messages to Sarah without any additional confirmation actions?

Explanation

CORRECT RESPONSE:

Sarah would be considered to have given clear and unambiguous consent.

16. A retailer retains billing information, including personal data, collected from its customers beyond the Point of Sale for the purposes of accounting and billing administration. QUESTION: Is this a valid purpose for retaining the personal data?

Explanation

CORRECT RESPONSE: Yes

As the retailer is retaining the personal data for a valid purpose, it is not required to cease to retain the data under the Retention Limitation Obligation.

17. Sarah needs to go to the airport. A taxi operator runs a limousine service and wants to use Sarah's information to market this service to her. The customer service officer asks for her name and number in order to inform her of the taxi number for booking a taxi. QUESTION: Can the taxi company use Sarah's personal data for marketing purposes?

Explanation

CORRECT RESPONSE: No

Sarah would not be deemed to have consented to the use of her personal data for this purpose.
This is because Sarah provided her personal data for the purpose of booking a taxi for a single trip, and not for the purpose of receiving marketing information about the limousine service.

18. A real estate agency places a guest book at the reception counter in a show flat and requests individuals who visit the show flat to provide their name and contact details in the guest book. However, the purposes for collecting the individuals' personal data are not stated anywhere in or near the guest book. QUESTION: May the real estate agency be considered to have provided appropriate notification in this scenario?

Explanation

CORRECT RESPONSE: No

Individuals could have provided their personal data for a variety of different reasons – e.g. for the purpose of being contacted in relation to their visit to the show flat, to receive information about other properties marketed by the agency, or for other purposes.
In addition, different individuals who provide their personal data in this manner may have different purposes in mind. The real estate agency should specify the purposes in order to provide appropriate notification to the individuals from whom it would be collecting personal data.

19. An electronics store sells products online through its website. It informs individuals purchasing products through its website of the purposes for which it will be collecting, using and disclosing personal data, including that the contact details provided by the customers will be disclosed to other companies in its corporate group and its outsourced marketing company for the purpose of marketing their products to the individual from time to time. QUESTION: Does the store provide appropriate details of its purposes for the individual to determine the reasons for collecting, using or disclosing personal data?

Explanation

CORRECT RESPONSE: Yes

In this case, the electronics store would be considered to have stated a sufficiently specific purpose.
In stating its purposes, an organization should provide appropriate and specific details of its purposes for the individual to determine the reasons for which the organization will be collecting, using or disclosing his personal data.

20. A fashion retailer makes it a condition for every customer who wants to participate in the lucky draw it is administering to provide his mobile telephone number for the purpose of being contacted in future for promotions. QUESTION: Does the fashion retailer have the right to require participants in the lucky draw to provide their mobile telephone numbers?

Explanation

CORRECT RESPONSE: Yes

As the lucky draw is not tied to a provision of a product or service, the fashion retailer can require that customers who want to participate in the lucky draw provide their mobile telephone numbers.

21. John Tan is a male Singaporean of 21 years of age. By themselves, general characteristics such as "male", "Singaporean" and "21 years of age" are not able to identify a particular individual. John Tan fills up a membership form which asks for his full name, gender, nationality and age. QUESTION: Is the information provided by John considered personal data?

Explanation

CORRECT RESPONSE: Yes - All the data

In this case, all the information on the form, including the general characteristics, constitutes personal data of John Tan.

22. Sarah makes a visit to a spa for a facial treatment. After the treatment is completed, she makes her way to the cashier to make payment. The cashier tells her that the facial will cost her $49.99. She hands over her credit card to the cashier for the purpose of making payment. QUESTION: Does the cashier need to ask for Sarah's consent to collect, use or disclose her personal data required to process the payment?

Explanation

CORRECT RESPONSE: No

The cashier need not ask for Sarah’s consent to collect, use or disclose her credit card number and any other related personal data (e.g. name on credit card) required to process the payment transaction.

Sarah would be deemed to have consented to the collection, use and disclosure of her credit card number and other related personal data for processing of the payment as she voluntarily provided the personal data and it is reasonable that Sarah would provide the personal data to pay for her facial. Sarah’s deemed consent would extend to all other parties involved in the payment processing chain who collect or use Sarah’s personal data.
These parties could include, for example, Sarah’s bank, the spa’s bank and its processors and the payment system provider.

23. A dance school has collected personal data of its tutors and students. It retains and uses such data (with the consent of the individuals), even if a tutor or student is no longer with the dance school, for the purpose of maintaining an alumni network. QUESTION: Is this a valid purpose to retain the personal data?

Explanation

CORRECT RESPONSE: No

As the dance school is retaining the personal data for a valid purpose, it is not required to cease to retain the data under the Retention Limitation Obligation.

24. John picks up a photograph from his friend's table which clearly shows the image of an individual. QUESTION: Is the picture considered to hold any personal data?

Explanation

CORRECT RESPONSE: Yes - We can identify the person on the picture

John is holding the personal data of that individual even though he does not know his name.

25. A shop in the shopping center receives a request from an individual to view a photograph of him taken by the official photographer at a private event held recently that the individual was invited to. The individual provides the shop with sufficient information to determine when the event was held. QUESTION: Does the company have to provide access to the photo?

Explanation

CORRECT RESPONSE: Yes

The provision of access in this case would be reasonable and the shop should provide the photo which the individual requested.

The burden or expense of providing access would be reasonable to the organization.

26. An individual wishes to obtain certain services from a telecom service provider, Operator X and is required by the telecom service provider to agree to its terms and conditions for provision of the services. Operator X can stipulate as a condition of providing the services that the individual agrees to the collection, use and disclosure of specified items of personal data by the organisation for the purpose of supplying the services. Such items of personal data may include the name and address of the individual as well as personal data collected in the course of providing the services such as the individual's location data. The individual provides consent for those specified items of personal data but subsequently withdraws that consent. The withdrawal of consent results in Operator X being unable to provide services to the individual. This would in turn entail an early termination of the service contract. QUESTION: Can an organisation prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual himself?

Explanation

CORRECT RESPONSE: No - The Operator X must not prohibit an individual from withdrawing his consent

Operator X should inform the individual of the consequences of the early termination, e.g. that the individual would incur early termination charges.

27. A supermarket conducts a survey of shoppers on its premises, with the additional intent of marketing new products to the survey respondents. However, this supermarket only indicates on the survey form, "Your personal data may be used by the supermarket or its appointed survey company for analysis of survey responses, or to contact survey respondents for follow-up queries on the survey responses" and does not make any mention of its marketing purposes. It further attempts to pass off the marketing of new products as following up on survey responses. QUESTION: Is this supermarket to be considered as having provided the required information on its purposes?

Explanation

CORRECT RESPONSE: No

This supermarket is unlikely to be considered as having provided the required information on its purposes in this scenario.
Any consent obtained in such circumstances is invalid and the collection, use or disclosure of personal data relying upon such invalid consent would be a contravention of the Data Protection Provisions.

28. As part of a research study, a participant is requested to submit information to the research institute, comprising all of the following:
• The participant's name
• A general description of the participant, e.g. 30 year old married Chinese female of AB+ blood type
• Educational institutions that the participant has attended
• The participant's occupation
The research institute replaces the participant's name with a randomly generated tag in order to safeguard the participant's anonymity. Without the name, the research institute cannot use the rest of the information to identify a specific individual. However, the research institute continues to hold the key that can reverse the randomization and reinstate the participant's name. QUESTION: Is the personal information held by the institute still seen as personal data?

Explanation

CORRECT RESPONSE: Yes - All of them

In this case, all the participants’ information held by the research institute would still be personal data held by the research institute.

29. Sarah signs up for a spa membership over the Internet. The terms and conditions for the Spa A membership outline and explain how Sarah's personal data will be used and disclosed. For example, it states that Sarah's address details will be used for sending her a Spa A membership card and other communications from Spa A. Sarah clicks on the "Accept" button at the bottom of the terms and conditions, to indicate her acceptance of, and agreement to, the terms and conditions. In this case, Spa A has obtained Sarah's consent for collection, use and disclosure of her personal data in connection with the stated purposes. Jane signs up for another spa, Spa B, over the internet. Spa B has terms and conditions with a provision which states that "when a member accepts the terms and conditions, he or she also consents to the collection, use and disclosure of his or her personal data for the purposes set forth in the Spa B's data protection policy". However, no information is provided on where Spa B's data protection policy is located (even if it is available elsewhere on the spa's website) and no means are provided for Jane to view the policy before signifying her agreement to the spa's terms and conditions. QUESTION: Is the consent obtained from Jane by the two spas, Spa A and Spa B, valid under the PDPA?

Explanation

CORRECT RESPONSE: Only for Spa A

In the case of Spa B, the spa is not considered to have notified Jane of its purposes, and any consent obtained from Jane would not be valid under the PDPA.

30. Charles wishes to organize a birthday party for his son David. Charles books a private room within a fast food restaurant for the occasion and invites twenty of David's friends and their parents. The private room is right by the general dining area and the interior can be seen by other patrons through the glass windows. The fast food restaurant management puts up a sign at the entrance of the private room which says "Reserved for Private Event: David's 8th birthday party". Charles keeps the door closed at all times and keeps an eye on it to ensure that only invited guests enter. The birthday party would not be considered open to the public because members of the public (who are not invited to attend) are unlikely to be able to gain access to the event. Mary similarly wishes to organize a birthday party for her daughter Jane. She invites twenty of Jane's friends and parents to gather at the same fast food restaurant at a particular date and time but she does not book a private room or area within the restaurant. Her guests occupy a large area within the fast food restaurant's general dining area. Members of the public are not invited to attend this party. QUESTION: Is Mary's party considered a private party or open to the public?

Explanation

CORRECT RESPONSE:

Mary’s birthday party would be considered open to the public even though she did not open attendance to the public, because members of the public may enter the general dining area of the restaurant and may seat themselves close to or even within the area where her party guests are seated. Therefore the personal information would be considered publicly available data.

31. Jeff is strolling down the aisles in a shopping mall. It would be reasonably expected that his image would be captured by CCTVs installed for security reasons. Jeff subsequently enters a store to make a purchase. It would be reasonably expected for Jeff to be photographed by a photographer engaged by the store if the store did not put up notices on the presence of the photographer. QUESTION: Are we looking at two reasonable scenarios?

Explanation

CORRECT RESPONSE: Yes for the CCTV, No for the photographer

Personal data is observed by reasonably expected means if the individual whose personal data is being observed could reasonably expect their personal data to be collected in that particular manner at that location or event.

32. After a business trip, Charles returns to Singapore. Shortly thereafter, he receives a specified message from an overseas number. However, Charles discovers that the specified message was sent on behalf of his bank in Singapore which had outsourced part of its marketing operations to an overseas call centre and authorised the call centre to send the message. QUESTION: Will the sending of the specified message by the bank (through the overseas call center) be subject to the application of the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: Yes

The sending of the specified message by the bank (through the overseas call center) will be subject to the application of the Do Not Call Provisions.

33. Charles wishes to offer his services as a real estate agent. He engages Mary to promote his services. In the contract between Charles and Mary, it is stated that, "Mary shall not send any message, whether in sound, text, visual or other form, to a Singapore telephone number to offer, advertise or promote Charles' services unless expressly permitted in writing by Charles". QUESTION: If Mary sends SMS messages to a Singapore telephone number to promote Charles' services without Charles' written permission, does she comply with the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: No

If Mary sends SMS messages to a Singapore telephone number to promote Charles’ services without Charles’ written permission, Charles would not be deemed to have authorised that, as he had taken reasonable steps to prevent Mary from doing so.

34. A shopping center receives a request from an individual to view all CCTV footage of him recorded at the shopping center over the past year. QUESTION: Does the shopping center need to provide the requested personal data?

Explanation

CORRECT RESPONSE: No obligation

In this scenario, even if the shopping center is able to remove images of other individuals captured in the CCTV footage, reviewing all CCTV footage from the past year to find records of the individual making the request would require considerable time and effort. The burden of providing access would be unreasonable to the shopping center and likely disproportionate to the individual’s interests as the individual is making a general request for all CCTV footage. Hence the shopping center need not provide the requested personal data (if available) under the Access and Correction Obligation.

35. A business wishes to sell its products to households within a certain area around its location. It engages a service provider to distribute flyers advertising its products to all residential addresses within the area without collecting or using the names or other personal data of individuals living at those addresses. QUESTION: Are the residential addresses seen as personal data?

Explanation

CORRECT RESPONSE: No - Not Personal Data

The residential addresses would not be personal data collected and used by the business.

36. Sharon is signing up for a gym membership. She provides her business name card to the gym staff so that they can record her name and contact details in order to register her for the package. QUESTION: Is the information on Sharon's business card considered personal data?

Explanation

CORRECT RESPONSE: Yes - The information was provided for her personal purposes

The information on Sharon's business card is considered personal data.

In this case, the information provided by Sharon would not be business contact information as she is providing it solely for her personal purposes.
The PDPA would apply to the information contained in her business name card.

37. The organisation ABC has been using the personal data of their customers to send them desktop calendars once every year. QUESTION: Does the organisation ABC have to obtain fresh consent after the appointed day?

Explanation

CORRECT RESPONSE: No

This would be considered a reasonable existing use. So long as their customers have not indicated to ABC that they no longer wish to receive these calendars (i.e. withdrawing their consent for the purpose of receiving calendars once every year), ABC can continue to do so without obtaining fresh consent after the appointed day.

38. John calls an employee of ABCD Childcare Pte Ltd ("ABCD"), Mary, through her business contact number (which John obtained from ABCD's website) to promote a product which he thinks ABCD would purchase for use at its childcare centers. While talking to Mary, John asks her if she has children and whether she would be interested to buy another product for her personal use. QUESTION: In such a situation, will John need to ensure that he complies with the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: Yes

Although the call was a B2B marketing message, in such a situation John would not be able to rely on this exception, and will need to ensure that he complies with the Do Not Call Provisions.

39. A company is considering whether an existing employee, John, should be transferred to take on a different role in its IT department. One of the criteria for the transfer is the possession of certain qualifications and professional certifications. The company has information about John's qualifications and professional certifications that was provided by John (which form part of his personal data) when he joined the company five years before. The company asks John to update them with any new qualifications or certifications he may have obtained in the last five years since joining the company but does not ask him to re-confirm the information about the qualifications he provided when he joined the company. QUESTION: Did the company make a reasonable effort to ensure that the personal data collected is accurate and complete?

Explanation

CORRECT RESPONSE: Yes

In this scenario, the company is likely to have met its obligation to update John’s personal data.

40. Sarah wants to sign up for a spa package. The terms and conditions include a provision that the spa may share her personal data with third parties, including selling her personal data to third party marketing agencies. Sarah does not wish to consent to such a disclosure of her personal data and requests the spa not to disclose her personal data to third party marketing agencies. The spa refuses to act on her request and informs her that the terms and conditions are standard, and that all customers must agree to all the terms and conditions. Sarah is left either with the choice of accepting all the terms and conditions (i.e. giving consent for use and disclosure of her data as described) or not proceeding with the sign up. QUESTION: Would Sarah's consent to the disclosure of her data to third party marketing agencies be considered valid?

Explanation

CORRECT RESPONSE: No

In this case, even if Sarah consents to the disclosure of her data to third party marketing agencies, the consent would not be considered valid since it is beyond what is reasonable for the provision of the spa’s services to its customers, and the spa had required Sarah’s consent as a condition for providing its services.

Instead of requiring Sarah to consent to the disclosure and sale of her personal data to third parties as a condition of providing the service, the spa should separately request Sarah’s consent to do so. That is, Sarah should be able to sign up for the spa package without having to consent to the disclosure and sale of her personal data to third parties. The spa is then free to ask Sarah if she would consent, and if she does, the spa would be considered to have obtained valid consent.

41. Charles subscribes to the services of Operator X, a Singapore telecommunications service provider. He leaves Singapore and starts roaming on the network of an overseas telecommunications provider, Operator A. He receives a specified message from Operator A, a telecommunications service provider in the other country, about Operator A's services. QUESTION: Will Operator A be subject to the application of the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: No

The sending of this specified message will not be subject to the application of the Do Not Call Provisions.

42. John wishes to offer his services as a real estate agent and engages Mary to market his services. John does not specify the manner of marketing to Mary. QUESTION: Who, of John and Mary, will be considered the sender of any SMS messages, and will both be subject to the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: Mary and John

John and Mary will both be considered the sender of any SMS messages sent to promote John’s services, and will both be subject to the Do Not Call Provisions.

43. An organization, ABC, is a market research firm that has been engaged to produce a report which illustrates the correlation between investment habits and income, profession and marital status of working Singaporeans aged 25-40. ABC calls Sarah for the sole purpose of gathering information for the report. QUESTION: Is ABC required to comply with the Do Not Call Provisions in relation to the sending of that message?

Explanation

In Singapore, the Do Not Call (DNC) provisions under the Personal Data Protection Act (PDPA) regulate unsolicited marketing messages sent to individuals. However, if the call made by ABC organization to Sarah is solely for the purpose of gathering information for a research report and not for marketing purposes, then it does not fall under the scope of the DNC provisions. Therefore, ABC is not required to comply with the DNC provisions for this specific purpose.

44. Sarah provides the personal data of her friend Jane to the sales consultant at her spa as part of a members referral programme the spa is running. Before recording Jane's personal data, the sales consultant asks Sarah a few questions to determine if Jane had been informed of the purposes for which her personal data is being disclosed to and used by the spa, and if Jane had provided her consent. After obtaining verbal confirmation from Sarah in the affirmative to those questions, the sales consultant proceeded to collect Jane's personal data. QUESTION: Is the sales consultant likely to have exercised appropriate due diligence in this situation?

Explanation

CORRECT RESPONSE: YES

The sales consultant is likely to have exercised appropriate due diligence in this situation.

As a best practice, when contacting Jane for the first time, the sales consultant should inform Jane that her personal data was disclosed by Sarah and verify that Jane had provided consent to do so.

45. A retailer has collected personal data from its customers for the purpose of delivering products purchased by the customers. The retailer subsequently mails a flyer to the customers which states that a customer would have consented to their personal data being used for a different purpose, namely for marketing, unless the customer writes back to the retailer to opt out by a certain date. QUESTION: Can the retailer use the collected personal data for marketing purposes?

Explanation

CORRECT RESPONSE: No

In this case, the customer’s inaction does not signify consent since it may be due to other reasons not related to a desire to consent (e.g. not having opened the mailbox or read the flyer).

46. Sarah currently has a membership with a spa. Her spa wants to use her personal data for the purposes of sending her greeting cards and the spa's annual newsletter in the post while her spa membership is still active. QUESTION: Are these purposes acceptable for using her personal data without requesting her consent?

Explanation

CORRECT RESPONSE: YES

These purposes would fall within sub-paragraph (a) below, as part of the organisation’s servicing of the existing business relationship with the individual, for which consent would have been previously obtained.

In determining if personal data can be used or disclosed for a particular purpose without obtaining fresh consent, an organisation should determine:

a) whether the purpose is within the scope of the purposes for which the individual concerned had originally been informed, for example, if it would fall within the organisation’s servicing of the existing business relationship with the individual;

47. Andy had previously given his consent to Y Electronics to collect, use and disclose his contact details (which form part of his personal data) for the purpose of providing him with marketing information and promotional offers on computers and other IT products. Y Electronics discloses Andy's contact details to its outsourced marketing agent and some other third party companies offering computers and other IT products, in each case, for the purpose of marketing computers and other IT products to Andy. Andy changes his mind and submits a notice to withdraw the consent he gave to Y Electronics. Y Electronics is required to notify Andy of the consequences of his withdrawal, in this case, simply that Y Electronics and its marketing agents will cease to send information on computer and IT products to Andy and will not disclose Andy's personal data to any third party after Andy's withdrawal of consent. Y Electronics is also required to cease using Andy's contact details for marketing computer and IT products and to instruct its outsourced marketing agent about the withdrawal of consent (so that it will cease sending marketing information to Andy). QUESTION: Despite the withdrawal request from Andy, can the organization retain personal data in its documents and records in accordance with the Data Protection Provisions?

Explanation

CORRECT RESPONSE: Yes, the organization can retain the information

The withdrawal of consent also does not affect Y Electronics’ ability to retain Andy’s personal data that it requires for legal or business purposes. For example, Y Electronics may still retain Andy’s personal data in its database for the purpose of servicing an ongoing warranty, or records of his purchases that are necessary for audit purposes.

48. Alan is a member of an online social network that is open to the public. His membership profile which is publicly searchable lists his name, date of birth and the university at which he is currently enrolled. Alan also regularly updates his profile picture. The data (including pictures of him) which Alan has shared on this online social network is very likely to be personal data that is publicly available, since any other user of the social network would be able to gain access to the data, even if they accessed his profile page by accident and any member of public may join the online social network. Bob is a member of the same social network. However, Bob's membership profile is only accessible by a few users who are personally known to him and to whom he has granted permission to access his profile. Bob has also placed restrictions on the re-posting of his profile. QUESTION: Which profile(s) is/are most likely to be under the Personal Data Protection Act?

Explanation

CORRECT RESPONSE: Bob's profile

The personal data on Bob’s membership profile is less likely to be considered publicly available since access to the data is strictly limited.

49. Damien is a choral instructor who is the sole proprietor of a music studio. He decides to engage a real estate agent to assist him in searching for a suitable property unit as a second branch. Damien passes his contact details to the real estate agent so that the real estate agent can update him from time to time on property units which he might like. The real estate agent shares Damien's contact details with his colleagues, so that more agents can assist Damien with his property search for his business. QUESTION: Does the real estate agent have the obligation to get Damien's consent before sharing his contact information with his colleagues?

Explanation

CORRECT RESPONSE: No

Damien’s consent to the sharing of his contact information is not required because it is business contact information.
As Damien has provided his contact details for the purpose of a property search, this information is considered business contact information and can be passed on by the real estate agent subsequently without Damien’s prior consent.
In turn, other persons can also collect, use and disclose Damien’s business contact information freely, without requiring Damien’s consent.

50. John calls an employee of ABCD Childcare Pte Ltd ("ABCD"), Mary, through her business contact number (which John obtained from ABCD's website) to promote a product which he thinks ABCD would purchase for use at its childcare centers. QUESTION: Is this call considered a specified message for the purposes of the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: No

This is a B2B marketing message.
Such a call is not a specified message for the purposes of the Do Not Call Provisions.

51. Charles subscribes to the services of Operator X, a Singapore telecommunications service provider. He leaves Singapore and starts roaming on the network of an overseas telecommunications provider, Operator A. While Charles is still in the other country, he receives a specified message from his insurance agent, who was in Singapore when the message was sent. QUESTION: Will the sending of the specified message by Charles' insurance agent be subject to the application of the Do Not Call Provisions?

Explanation

CORRECT RESPONSE: Yes

The sending of the specified message by Charles’ insurance agent will be subject to the application of the Do Not Call Provisions. The insurance agent is in Singapore.

52. A retailer has entered into a contract with a data aggregator under which it has agreed to sell certain personal data about its customers to the aggregator. The personal data involved includes the customers' names, contact details and certain information on products they have purchased from the retailer. QUESTION: On the appointed day, is the contract with the data aggregator valid?

Explanation

However, the retailer did not obtain the consent of the customers to disclose their personal data.
With effect from the appointed day, the retailer must comply with the Data Protection Provisions and cannot assert its contractual obligations to the aggregator as a reason that it does not need to obtain the consent of its customers.

53. A travel agency collects personal data from Tom about his wife, Jane, when Tom books a travel package for a family holiday. Tom is not subject to the Data Protection Provisions as he is acting in a personal or domestic capacity. QUESTION: Is the information about Jane, Tom's wife, Personal Data, and does collecting it need her approval?

Explanation

CORRECT RESPONSE: YES

The travel agency must comply with all the Data Protection Provisions with regard to both Tom and Jane’s personal data, unless one or more exceptions apply. In this case, the travel agency can collect Jane’s personal data without her consent as the exception 1(m) in the Second Schedule applies – that is, the travel agency does not need to seek Jane’s consent because her personal data was provided by Tom to the travel agency to provide a service for Tom’s personal and domestic purposes.

However, the travel agency must comply with all its other obligations under the Data Protection Provisions, for example, adopting reasonable security arrangements to comply with the Protection Obligation in respect of Tom’s and Jane’s personal data.

54. A fashion retailer is conducting a membership drive. It states in the membership registration form that "the purposes for which it may use the details provided by individuals who register including providing them with updates on new products and promotions and any other purpose that it deems fit." QUESTION: Is this statement a reasonable notification to the individual of the purposes for which his or her personal data will be collected, used and disclosed?

Explanation

CORRECT RESPONSE: Not reasonable

In this case, providing updates on new products and promotions may be a reasonable purpose but the fashion retailer’s unqualified reference to ‘any other purpose that it deems fit’ would not be considered reasonable. (As noted in the section on the “Notification Obligation”, this may also be an inadequate notification to the individual of the purposes for which his or her personal data will be collected, used and disclosed.)

55. A retailer intends to ask an individual for his name and residential address in order to arrange the delivery of certain products purchased from the retailer by the individual. The retailer may specify that it would like to collect, use and disclose the personal data as necessary for the purpose of delivering the goods bought by the individual. QUESTION: Does the retailer have the obligation to provide details relating to how the personal data will be stored?

Explanation

CORRECT RESPONSE: No

The retailer need not specify activities relating to exactly how the personal data will be stored and used by the retailer, for example, that it will be entered into the retailer’s customer database, printed on delivery notes and packaging of the items to be delivered, transmitted to the delivery agent and so on.

56. Retailer B puts up a sign informing customers who are interested to join their membership programme to obtain an application form from a shelf next to the counter, fill it out, and drop the completed form into an unmanned box next to the shelf. A line in the form with an accompanying tick box states clearly "tick here if you do not wish your personal data to be provided to Company Z to market Company Z's products". The last field of the form requires the customer to provide his signature. The customer signs the form without putting a tick in the tick box and drops the completed form into the box. QUESTION: Can the retailer use the customer's personal data for marketing purposes?

Explanation

CORRECT RESPONSE: Yes

In this case, the customer is more likely to have given his consent to the disclosure of his personal data to Company Z for Company Z’s marketing purposes.

57. Sarah makes an access request to her spa, requesting information relating to how her personal data has been used or disclosed. The request was made on 5th February 2013. QUESTION: How much information is the spa required to provide?

Explanation

CORRECT RESPONSE: One year history

The spa is only required to provide information on how her personal data has been used or disclosed within the past year – that is, the period from 6th February 2012 to the date of the request, 5th February 2013.

58. Organisation ABC calls Charles for the sole purpose of finding out if he is interested to apply for a vacancy in the organisation. QUESTION: Is this call considered a "specified message" falling under the PDPA regulation?

Explanation

CORRECT RESPONSE: NO

The call from Organisation ABC would not be considered a specified message.

The Do Not Call Provisions contain obligations which relate to the sending of a “specified message”. Section 37 of the PDPA defines what constitutes a “specified message” for the purposes of the Do Not Call Provisions. Under section 37(1), a message is a specified message if the purpose of the message, or one of its purposes, is –

a) to advertise, promote or offer to supply or provide any of the following:
   i. goods or services;
   ii. land or an interest in land; or
   iii. a business opportunity or an investment opportunity;

b) to advertise or promote a supplier/provider (or a prospective supplier/provider) of the items listed in sub-paragraphs (i) to (iii) above; or

c) any other prescribed purpose related to obtaining or providing information.

In most instances, a marketing message of a commercial nature would be a specified message within the meaning of the PDPA. Section 37(1) is subject to certain exceptions under section 37(5).

Messages sent for a purpose which is not specified in section 37(1) would not be a specified message for the purposes of the PDPA. For example, a message sent solely to promote an employment opportunity, to solicit donations for a charitable cause or to promote a political cause would not be regarded as a specified message.

59. At the registration booth of a corporate seminar, Sharon drops her business name card into a glass bowl by the side of the registration booth as she wishes to be on the seminar organiser's mailing list for future invitations to similar seminars. Sharon's business name card contains her name, position, business telephone number, business address, business electronic mail address and business fax number. QUESTION 1: Does the company have to seek Sharon's consent to contact her about future seminars through her business contact information? QUESTION 2: Is the seminar organizer required to care for the collected information, and provide access to and correction of the business contact information collected?

Explanation

CORRECT RESPONSE: Question 1) No, Question 2) No

As Sharon did not provide her business name card solely for personal purposes, the information on it will be considered business contact information. Accordingly, the seminar organizer does not need to seek Sharon’s consent to contact her about future seminars through her business contact information.

The seminar organizer is also not required to care for such information, or provide access to and correction of the business contact information collected.

60. Two companies have updated their policies to reflect new regulation on personal data protection. Company A used the clause: "you consent to receive information about special offers we may have from time to time, by SMS". Company B used the clause: "you consent to the use of your personal data for marketing purposes". QUESTION: Which company is using a sufficiently explicit clause?

Explanation

CORRECT RESPONSE: Only Company A

The clause used by Company A clearly and specifically notifies the user or subscriber that specified messages would be sent to his or her Singapore telephone number.
The clause used by Company B is not sufficiently specific as “marketing purposes” may or may not include the sending of specified messages which are under the PDPA regulation.

61. Retailer A has collected personal data from its customers for the purpose of delivering products purchased by the customers. The retailer subsequently sends an email to all its customers informing them that unless they reply to the email to indicate otherwise, they would be considered to have agreed to Example Clause A above ("you consent to receive information about special offers we may have from time to time, by SMS"). Retailer A's customer, Jane, did not reply to the email. QUESTION: Can the retailer treat the "no reply" as clear consent from Jane?

Explanation

CORRECT RESPONSE: NO

Jane would not be considered to have given clear and unambiguous consent.

62. Sarah currently has a membership with a spa. Sarah's spa wants to send her information about an affiliate company's hair salon promotions. QUESTION: Is this a purpose for which the spa can use her personal data without requesting Sarah's consent?

Explanation

CORRECT RESPONSE: NO

The spa would need to obtain Sarah’s consent before sending information promoting new services that Sarah has not signed up for, as that is unlikely to fall within sub-paragraphs (a) to (c) below.

In determining if personal data can be used or disclosed for a particular purpose without obtaining fresh consent, an organisation should determine:
a) whether the purpose is within the scope of the purposes for which the individual concerned had originally been informed, for example, if it would fall within the organisation’s servicing of the existing business relationship with the individual;
b) whether consent can be deemed to have been given by the individual in respect of use or disclosure for that purpose; and
c) whether the purpose falls within the exceptions from consent in the Third and Fourth Schedules to the PDPA.

63. An individual wishes to sign up for certain services with a service provider over the telephone. The service provider may request for the individual's consent to the collection and use of his personal data for the service provider's purposes and obtain the personal data from the individual over the telephone. QUESTION: Is the individual's verbal consent by phone enough since the organization is recording the telephone conversation between the organization and the individual?

Explanation

CORRECT RESPONSE: No - This won't be sufficient

The voice recording of the individual is considered as Personal Data.

Where recording the telephone conversation results in the collection of additional personal data, such as the voice recording of the individual, the organization must also notify the individual of the collection and seek his consent.

It would be good practice for the service provider to subsequently contact the individual and confirm his consent in writing, for example, by sending an email to the individual setting out the personal data provided by the individual and recording his consent to collection, use and disclosure by the service provider for the service provider’s purposes (which may be set out in its terms and conditions and/or other information provided in the email).

64. Andy had previously given his consent to Y Electronics to collect, use and disclose his contact details (which form part of his personal data) for the purpose of providing him with marketing information and promotional offers on computers and other IT products. Y Electronics discloses Andy's contact details to its outsourced marketing agent and some other third party companies offering computers and other IT products, in each case, for the purpose of marketing computers and other IT products to Andy. Andy changes his mind and submits a notice to withdraw the consent he gave to Y Electronics. Y Electronics is required to notify Andy of the consequences of his withdrawal, in this case, simply that Y Electronics and its marketing agents will cease to send information on computer and IT products to Andy and will not disclose Andy's personal data to any third party after Andy's withdrawal of consent. Y Electronics is also required to cease using Andy's contact details for marketing computer and IT products and to instruct its outsourced marketing agent about the withdrawal of consent (so that it will cease sending marketing information to Andy). QUESTION: Is Y Electronics required to inform the third party companies to which it disclosed Andy's contact details about the withdrawal?

Explanation

CORRECT RESPONSE: No the organization can retain the information

Y Electronics will not be required to inform the third party companies to which it disclosed Andy’s contact details, and Andy will have to approach those companies to withdraw consent if he wishes to do so.

Quiz Review Timeline (Updated): Jul 4, 2024

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Jul 04, 2024
    Quiz Edited by
    ProProfs Editorial Team
  • Jun 12, 2013
    Quiz Created by
    Jlcreppy