Key Definitions
Personal data

Last review date: 15 January 2025

Personal data is defined as data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which an organization is likely to have access, but this excludes any business contact information.

Sensitive/special personal data (including personal data subject to additional protections/restrictions/breach notification obligations)

Last review date: 15 January 2025

Sensitive data includes:

  • Other

The PDPA does not establish a distinct regime for sensitive data, instead deferring to applicable sector-specific laws. The PDPC has issued enforcement decisions that acknowledge certain categories of personal data, such as health and financial data, as being sensitive in nature. Consequently, these categories require a higher standard of protection to safeguard against unauthorized access, collection, use, disclosure, or similar risks.

Under the proposed HIB, sensitive health information contained in the NEHR will be subject to additional access requirements and will not be readily accessible compared to other key health information. Sensitive health information is information that risks subjecting individuals to discrimination or social stigma, such as sexually transmitted diseases, schizophrenia, substance abuse, addiction, etc.

Controller vs Processor

Last review date: 15 January 2025

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • The controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • The processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Answer: Yes.

The equivalents of controller/owner and processor/agent under the PDPA are "organization" and "data intermediary," respectively. The definitions of "organization" and "data intermediary" are less narrow than those described above (e.g., public authorities are excluded from the application of the PDPA).