How much information do you really need to disclose when you sign up for services and promotions? Here’s what we found out from the Personal Data Protection Commission Singapore.
You spot a good deal on a website – just $18 for a massage at a spa. When you arrive, they pass you a lengthy form to fill up, including your full name, address, phone number, identity card (IC) number and your medical history. And they want to make a photocopy of your IC too. You don’t feel comfortable with it and protest. “It’s company policy. You have to give us your full details,” insists the therapist.
Or perhaps, you fill in a lucky draw coupon that promises a grand prize of a new car. You didn’t win it. However, you soon find yourself receiving all sorts of marketing e-mails and even calls, urging you to accept one-week free trials at the gym, for hair loss, even slimming treatments. Sometimes, they call you even when you’re abroad, racking up your phone bill unnecessarily. How did they get your contact? “We cannot disclose the source but it was from a database,” says the telemarketer.
Chances are, you “willingly” gave away that information when you filled up that lucky draw form or the spa’s “compulsory form”. If you had paid attention to the small print, you might have read the line that you have also consented to sharing your details to receive other marketing information.
So, are there guidelines about how much information you really need to provide? We get the low-down from a spokesperson from the Personal Data Protection Commission Singapore (PDPC).
Q: What is the bare minimum we must disclose?
Under the Personal Data Protection Act (PDPA), organisations can request your consent for the collection, use and disclosure of personal data that’s required to provide a product or service. Organisations are not allowed to withhold their products or services if you refuse to provide consent, where such personal data is not reasonably required. For example, when signing up for a spa package, a spa may ask for data such as your name and contact number so that they can call you to remind you of your appointments. “However, the spa cannot force you to agree to further conditions, such as having to share your personal data with third parties in order to provide you a service, as it would not be reasonable,” says the PDPC representative.
Q: Can we say no to shops that insist on getting excessive personal information?
As good practice, organisations should avoid over-collecting personal data, including IC numbers, and consider whether there may be alternatives available that can equally address their requirements. As a consumer, you may ask the organisations why the collection of your personal data is necessary.
Q: Last year, karaoke chain K Box made the news when their member database was hacked into. As consumers, what are our rights? What are companies liable for in such cases?
Under the PDPA, organisations are required to make reasonable security arrangements to protect the personal data in their possession or control.
Q: What actions can we take if we suffer loss of privacy due to a security breach? Can we sue?
Any individual who suffers loss or damage directly as a result of a data protection contravention by an organisation can take the organisation to court through civil proceedings. Individuals affected by hacking incidents may also wish to consider lodging a report with the police to determine if an offence had been committed under the Computer Misuse and Cybersecurity Act or any other applicable laws.
Q: Many of us include e-mail addresses or phone numbers on social media websites. Can companies use that information to “legally” contact us, since it’s on a public platform?
Under the PDPA, organisations generally have to seek consent for the use, collection and disclosure of your personal data. However, if you put your e-mail address or telephone number on social media platforms that are open to the public, this is considered publicly available information that anyone can use. If an organisation wants to send telemarketing messages to your telephone number, they cannot do so if your telephone number is registered on the Do Not Call (DNC) Registry unless they have an ongoing relationship with you or have asked you for consent to do telemarketing. This obligation applies even if the organisation had collected your telephone number from a publicly available source. To register, go to www.dnc.gov.sg
By Stella Thng, Simply Her, March 2015