The Personal Data Protection Commission agrees with Mr Leong Kaiyan that organisations should take security measures to protect personal data in their possession or control, which is one of the obligations under the Personal Data Protection Act ("Still long way to go in beefing up cyber security"; Jan 4).
In addition, when collecting, using or disclosing an individual's personal data, organisations have to notify and obtain the consent of the individual, unless an exception applies.
When providing customer support services, organisations may request that customers provide certain personal data in order to verify their identities. As a good practice, organisations should explain to their customers, when speaking to them over the phone, the purposes for which they require their personal data.
Organisations should also ensure that they do not over-collect personal data during the verification process.
Under the Act, organisations also have to make information about their personal data protection policies, practices and complaint processes available on request.
The Commission has been reaching out to organisations to inform them of their obligations under the Act through briefings, workshops and seminars for the past 18 months, even before it came into full effect in July last year.
Individuals can contact the data protection officers of organisations to find out more about their personal data protection practices. Should they have further concerns, they can contact the Commission at email@example.com.
Evelyn Goh (Ms)
Director, Communications, Planning & Policy
Personal Data Protection Commission
This article was first published on Jan 24, 2015.