PROPOSED ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR SELECTED TOPICS PHOTOGRAPHY 16 MAY 2014



Similar documents
9.4 Example: Photo-taking by an individual acting in a personal or domestic capacity

ADVISORY GUIDELINES FOR THE HEALTHCARE SECTOR 11 SEPTEMBER 2014

Conditions for transfer of personal data overseas

Submission of feedback should reach LIA via at by 4 October 2014

DATA PROTECTION POLICY

PERSONAL DATA PROTECTION CHECKLIST FOR ORGANISATIONS

SAMPLE CLAUSES FOR OBTAINING AND WITHDRAWING CONSENT 08 MAY 2015

Personal Information Protection and Electronic Documents Act

Impact of Personal Data Protection Laws in Clinical Trials. 25 July 2014 Rebecca Chew Partner, Rajah & Tann LLP

GUIDE TO DIRECTORS DUTIES UNDER THE BVI BUSINESS COMPANIES ACT 2004

PERSONAL DATA PROTECTION POLICY RELATING TO CIGNA EUROPE INSURANCE COMPANY S.A.-N.V. SINGAPORE BRANCH

To this end ERCI fully endorses and adheres to the Principles of Personal Data Protection Act (2012). 1. The Purpose:

FINANCIAL ADVISERS ACT (CAP. 110)

Special Reports See section 9623 for interpretations of this section.

If a Client and a Freelancer enter an independent contractor relationship, then this Freelancer Agreement ( Freelancer Agreement ) will apply.

From: SFE Corporation Limited ABN REQUIREMENTS FOR SUBMISSION OF REPORTABLE POSITION FILES AND OMNIBUS ACCOUNT REPORTING

FINANCIAL ADVISERS ACT (CAP. 110)

Personal Data Protection Bill

Access to Information by Succeeding Auditors

WHEN BUSINESS GETS PERSONAL A QUICK GUIDE TO THE PERSONAL DATA PROTECTION ACT 2012 FOR ORGANISATIONS PERSONAL DATA PROTECTION COMMISSION

Penalty Fares Rules. 55 VICTORIA STREET, LONDON SW1H 0EU TEL May 2002

the Financing of Terrorism

Association With Financial Statements

28 April 2006 DATA ROOM RULES AND PROCEDURES

COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010

NATIONAL UNIVERSITY OF SINGAPORE STUDENT DATA PROTECTION POLICY

ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR SELECTED TOPICS ISSUED BY THE PERSONAL DATA PROTECTION COMMISSION ISSUED 24 SEPTEMBER 2013

Register of People with Significant Control. Guidance for Companies, Societates Europaeae and Limited Liability Partnerships

Communications Between Predecessor and Successor Auditors

Data controllers and data processors: what the difference is and what the governance implications are

ASIC Class Order [CO 05/1122] Proposed class order relief for providers of generic financial calculators. Regulation impact statement (RIS)

THE DUALIST SYSTEM FOR THE ADMINISTRATION OF JOINT STOCK COMPANIES

TIPS, GRATUITIES, COVER AND SERVICE CHARGES. Call for evidence SEPTEMBER 2015

Hong Leong Asia Ltd.

REGULATIONS. on Working with Intermediaries. Fédération Internationale de Football Association

Agreed-Upon Procedures Engagements

**YOU MUST REFRESH THE SCREEN BEFORE READING TO ENSURE YOU HAVE SIGHT OF THE LATEST VERSION** Stoke-on-Trent Safeguarding Children Board PROTOCOLS

TOOLBOX. ABA Financial Privacy

Consolidated and Separate Financial Statements

SOCIAL MEDIA POLICY FOR VOLUNTEERS TEMPLATE

Personal Data Act (1998:204);

PREPLY PRIVACY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

IBA Guide on Shareholders Agreements

FLASH DELIVERY SERVICE

Data Protection Consent Clause and Policy Background

Unsolicited Electronic Messages Act 2007

THE FORTY RECOMMENDATIONS OF THE FINANCIAL ACTION TASK FORCE ON MONEY LAUNDERING

EXPLANATORY GUIDANCE TO THE PRIVATE HOSPITALS AND MEDICAL CLINICS (PHMC) (PUBLICITY) REGULATIONS

Knowledge is power. Consumer Protection Act Series #1

DRIVER ADDENDUM TO SERVICES AGREEMENT. Last update: October 20, 2015

singapore american school

PRIVACY POLICY USER INFORMATION. Information you provide to us

NOBLE TRUST COMPANY LTD. GENERAL TERMS OF BUSINESS. The following definitions and rules of interpretation shall apply:

Copyright Law An Introduction

The Supreme Court. Decision OFFICE TRANSLATION. Case no. rendered in Stockholm on April 4, 2016 Ö Applicant. Stockholm District Court

IRAS e-tax Guide. GST: Guide for Advertising Industry

Privacy fact sheet 17

This TEPL Data Protection Policy is effective from 2 July Updated on 31 Jul 2015

TPS Corporate Services Personal Data Protection Policy

CONSIDERATIONS WHEN SELECTING AN AUSTRALIAN FINANCIAL SERVICES (AFS) LICENSEE

Guidelines for Legal Practitioners who act as Mediators

GymSports NZ Incorporated. Membership Data Regulation. Commencement Date 23 January Issued 23 January 2009

GENERAL SALES CONDITIONS

Tokio Marine Life. Questions in relation to objectives and principles of proposed DP framework:

Florida Division of Emergency Management ITB-DEM Disaster Recovery Services Questions and Answers (ANSWERS IN BOLD)

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

INTERNATIONAL STANDARD ON AUDITING 580 WRITTEN REPRESENTATIONS CONTENTS

Frequently Asked Questions About Recruitment Advertisements

INTERNATIONAL STANDARD ON AUDITING 610 USING THE WORK OF INTERNAL AUDITORS CONTENTS

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Compilation of Financial Statements

ATMD Bird & Bird. Singapore Personal Data Protection Policy

PIPA and the Hiring Process

Consolidated Financial Statements

DISCLOSURE AND ADVISORY PROCESS REQUIREMENTS FOR ACCIDENT AND HEALTH INSURANCE PRODUCTS

Daltrak Building Services Pty Ltd ABN: Privacy Policy Manual

COMMENTARY Scope & Purpose Definitions I. Education. II. Transparency III. Consumer Control

MyNextConsultant.com Privacy Policy. Last updated: October 01, 2013

Guide for Local Government Pension Scheme employers and admission bodies

Letters for Underwriters and Certain Other Requesting Parties

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

Personal Data Protection Regime Singapore 21 January 2014

Representing Yourself In Employment Arbitration: An Employee s Guide

STARBUCKS CORPORATION CORPORATE GOVERNANCE PRINCIPLES AND PRACTICES FOR THE BOARD OF DIRECTORS

Terms of Use & Privacy Policy

BENEFIT PLAN CLIENT: CLIENT ID: EFFECTIVE DATE: MONTHLY PAYMENT DUE DATE:

Business Credit Consulting Agreement

INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS

Freedom of Information Act 2000 (FOIA) Decision notice

Financial Advisers (Amendment) Bill

Information Technology - Switzerland

Records Management. 1. Introduction. 2. Strategic Plan Desired Outcomes

Financial Markets Authority Website:

ADELAIDE BRIGHTON LIMITED ACN

privacy Requirements of Lanyon Services

Risk management systems of responsible entities: Further proposals

PUBLIC CONSULTATION ISSUED BY THE PERSONAL DATA PROTECTION COMMISSION

Electronic Commerce ELECTRONIC COMMERCE ACT Act. No Commencement LN. 2001/ Assent

Transcription:

PROPOSED ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR SELECTED TOPICS PHOTOGRAPHY 16 MAY 2014

PART I: INTRODUCTION... 3 1 Introduction... 3 PART II: SELECTED TOPICS... 4 2 Photography... 4 Does a photographer need to obtain an individual s consent to take a photograph of the individual?... 4 Does a photographer need to obtain an individual s consent to take a photograph of the individual in a public place?... 5 How may an individual s consent be obtained for photo-taking at a private event/space?... 6 Is a photographer required to obtain consent from individuals in the background when a photograph is taken?... 7 Do professional photographers need to sign contracts with the event organiser before they can provide photography services at an event?. 7 Does the exception for collection of personal data solely for artistic or literary purposes apply to the taking of individuals photographs?... 9 Can individuals withdraw consent for the publication of photographs, or request under the PDPA for the removal of photographs that have been published?... 9 Does the PDPA affect the copyright in a photograph?... 11 2

PART I: INTRODUCTION 1 Introduction 1.1 The Personal Data Protection Act 2012 (the PDPA ) establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals personal data by organisations. The Personal Data Protection Commission (the Commission ) is established under the PDPA with the key functions, amongst others, of promoting awareness of data protection in Singapore and administering and enforcing the PDPA. 1.2 These Guidelines should be read in conjunction with the document titled Introduction to the Guidelines and are subject to the disclaimers set out therein. 1 1.3 It should be noted that the examples in these Guidelines serve to illustrate particular aspects of the PDPA, and are not meant to exhaustively address every obligation in the PDPA that would apply in that scenario. 1 Available at http://www.pdpc.gov.sg/resources/advisory-guidelines. 3

PART II: SELECTED TOPICS 2 Photography 2.1 Photography is an increasingly ubiquitous activity. Not all photographs may capture personal data, but some clearly do. While the Commission does not expect that the PDPA will greatly affect existing practices with regard to photography, the Commission considers it useful to provide guidance on certain applications of the Data Protection Provisions in the PDPA to photography. Accordingly, the following sections and examples outline certain concepts and the application of some of the Data Protection Provisions in the PDPA to photography. It should be noted that the scenarios provided address particular aspects of the PDPA, and are not meant to exhaustively address every obligation in the PDPA that would apply in that scenario. Does a photographer need to obtain an individual s consent to take a photograph of the individual? 2.2 An image of an identifiable individual captured in a photograph is personal data about that individual. Among other obligations, the Data Protection Provisions require consent from the individual to be obtained for the purposes of the collection, use or disclosure of his personal data. Exceptions to this Consent Obligation may apply depending on the circumstances, for example where the photographer is acting in his personal or domestic capacity (such as an individual taking photographs for his own personal purposes at a gathering for family and friends). 2.3 A professional photographer who takes a photograph of an identifiable individual in the course of his business will be required to obtain consent unless he is taking the photograph on behalf and for the purposes of another organisation pursuant to a contract in writing. In such a situation, the other organisation will be required to comply with the Data Protection Provisions. Similarly, if the photographer is an employee acting in the course of his employment with an organisation, he will not be required to comply with the Data Protection Provisions and instead his employer will be required to comply 2. In this regard, it would be advisable for employers to put in place systems and processes to prevent employees from engaging in conduct that could cause the organisation to breach the Data Protection Provisions. 2 Section 53(1) of the PDPA provides that any act done or conduct engaged in by a person in the course of his employment shall be treated as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer s knowledge or approval. In reality, whether the individual is acting in the course of employment may not always be clear and may require a highly factual inquiry. 4

2.4 Example: Photo-taking by an individual acting in a personal or domestic capacity Diana, an employee of Organisation XYZ, attends Organisation XYZ s corporate social responsibility event. At the event, she meets her friend Dawn. During a break in the programme, they have a personal chat and catch up on each other s personal lives. During the chat, Diana takes a photograph of the two of them to update her friends of the encounter via social media. Diana then uploads the photograph and displays it on her personal social media page. In this instance, Diana would likely be considered to be an individual acting in a personal or domestic capacity, and would not be required to comply with the Data Protection Provisions in respect of the photo-taking and subsequent disclosure of the photograph via her social media account. 2.5 Example: Photo-taking by an individual acting as an employee Eric, another employee of Organisation XYZ, is tasked by the management of Organisation XYZ to take photographs at the corporate social responsibility event and publish them on Organisation XYZ s webpage. In this instance, as Eric is an employee acting in the course of his employment with Organisation XYZ where he takes photographs for his assigned purpose, he would not be required to comply with the Data Protection Provisions. Organisation XYZ would be required to comply with the Data Protection Provisions instead, although Organisation XYZ may, as a practical measure, assign Eric to ensure its compliance with certain obligations, such as obtaining consent from the individuals that Eric takes photographs of. Does a photographer need to obtain an individual s consent to take a photograph of the individual in a public place? 2.6 The PDPA sets out various exceptions to the Consent Obligation. An organisation may wish to evaluate whether any exception applies in respect of its particular circumstances. In particular, there is an exception for the 5

collection, use and disclosure of personal data that is publicly available 3. For example, when the individual appears at an event or location that is open to the public, taking a photograph of the individual would likely be collection of personal data that is publicly available for which consent is not required. In this regard, the Commission has set out that a location or event would be considered open to the public if members of the public can enter or access the location with few or no restrictions, and generally a location would less likely be considered open to the public if there are more restrictions to access. Further, there can be private spaces within public spaces, and a location is not open to the public merely because members of the public may look into the premises or location. Please refer to the Key Concepts Guidelines for a more detailed discussion on this exception. How may an individual s consent be obtained for photo-taking at a private event/space? 2.7 The Data Protection Provisions do not prescribe the ways in which consent may be obtained for photo-taking. As set out in the Key Concepts Guidelines, consent can be obtained in various ways. Generally, as a good practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference, for example, if the organisation is required to prove that it had obtained consent. 2.8 In addition, organisations may wish to note that consent may be deemed to have been given by an individual in situations where the individual voluntarily provides his personal data to an organisation for a purpose, and it is reasonable that he would voluntarily provide the data. In the context of phototaking, deemed consent may potentially apply where the individual voluntarily permits a photograph to be taken of him. 2.9 Please refer to the Key Concepts Guidelines for further elaboration on the Consent Obligation. 2.10 Example: Deemed consent for photo-taking at private function Organisation ABC holds a private function for a select group of invited clients and wishes to take photographs of attendees for its internal newsletter. If Organisation ABC intends to rely on deemed consent, measures that Organisation ABC may take to better ensure that the attendees are aware of (and accordingly, more likely to be deemed to have 3 Under the PDPA, publicly available, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event (a) at which the individual appears; and (b) that is open to the public. 6

consented to) the purpose for which their photographs are collected, used and disclosed, could include: a) Clearly stating in its invitation to clients that photographs of attendees will be taken at the function for publication in its internal newsletter; or b) Putting up an obvious notice at the reception or entrance of the function venue to inform attendees that photographs will be taken at the event for publication in its internal newsletter. 2.11 Example: Posing for photo-taking Kevin attends Organisation ABC s private function. During the function, Organisation ABC s photographer informs Kevin that she is taking photographs for publication in Organisation ABC s internal newsletter, and asks Kevin to pose for his photograph to be taken. By voluntarily posing for his photograph to be taken, Kevin would be deemed to have given consent for the photograph to be collected, used or disclosed for the stated purpose. Is a photographer required to obtain consent from individuals in the background when a photograph is taken? 2.12 As noted above, consent will generally be required for taking a photograph of an identifiable individual although consent may be deemed to have been given, or an exception may apply, depending on the circumstances. This is true as well for identifiable individuals who are in the background when a photograph is taken. It should also be noted that where an individual in the background is not identifiable from the photograph, the photograph will not constitute personal data of that individual. Do professional photographers 4 need to sign contracts with the event organiser before they can provide photography services at an event? 2.13 The PDPA does not prescribe the contractual arrangements that organisations may wish to enter into in order to ensure that they comply with their obligations under the PDPA. Where they do enter into such a contract, the PDPA provides that the performance of a contractual obligation shall not be an excuse for contravening the PDPA 5. 4 The term professional photographer in this section encompasses self-employed individuals as well as organisations that provide professional photography services. 5 Section 4(6)(a) of the PDPA. 7

2.14 The Act does not require a professional photographer to enter into a contract with an event organiser. However, it would be a good practice for the parties to enter into a contract. Generally, if a professional photographer is engaged by an organisation to take photographs of identifiable individuals and wishes to be considered a data intermediary processing personal data on behalf of and for the purposes of the organisation pursuant to a contract that is evidenced or made in writing 6, the photographer should enter into such a contract, which may set out (among other things) each party s responsibilities and liabilities, including whether the photographer is to process personal data on behalf of and for the purposes of the organisation that engaged him. The organisation on whose behalf the photographer is taking the photographs may also wish to provide in a contract for what the photographer should do in order to ensure that the organisation does not contravene its obligations under the PDPA. 2.15 Where the photographer is not a data intermediary processing personal data on behalf of and for the purposes of the organisation pursuant to a contract that is evidenced or made in writing, he would be subject to the obligations under the Data Protection Provisions, unless any relevant exception applies. For example, the photographer would be required to obtain consent on or before taking a photograph of an identifiable individual, unless an exception to the Consent Obligation applies. 2.16 Example: Whether a professional photographer is a data intermediary processing personal data on behalf of and for the purpose of another organisation pursuant to contract evidenced or made in writing Abel, a freelance photographer, is hired by Organisation ABC to be its photographer at its private function. Abel and Organisation ABC sign a contract that clearly states (among other things) that Abel will be taking photographs at the function on behalf of and for the purposes of Organisation ABC, and that Organisation ABC will obtain consent from the attendees. In such an instance, Abel will be considered a data intermediary processing personal data on behalf of and for the purposes of another organisation pursuant to a contract that is evidenced or made in writing, and Abel need not obtain consent from the individuals he takes photographs of at the event. After the function, Abel selects some of the photographs and publishes them on his webpage to promote his work. Abel will not be considered a data 6 In such instances, the professional photographer would only be required to comply with the Protection Obligation and Retention Limitation Obligation, and would not be required to comply with the remaining obligations under the Data Protection Provisions (including the Consent Obligation). 8

intermediary processing personal data on behalf of and for the purposes of another organisation pursuant to a contract that is evidenced or made in writing in relation to such publication, and will be required to comply with the Data Protection Provisions, including obtaining consent from the individuals in the photographs in order to use or disclose the photographs for this purpose. Does the exception for collection of personal data solely for artistic or literary purposes apply to the taking of individuals photographs? 2.17 In accordance with paragraph 1(g) of the Second Schedule, an organisation is permitted to collect personal data about an individual without the individual s consent if the personal data is collected solely for artistic or literary purposes. Such collected data may also be used or disclosed for purposes consistent with the purpose of collection. 2.18 The terms artistic and literary are not specifically defined in the PDPA. The Commission is of the view that it would likely be in line with the purpose of the PDPA for these terms to take their ordinary meanings. However, the Commission notes that the parameters as to what would constitute artistic purposes may be strongly subjective. Accordingly, while organisations taking photographs solely for artistic or literary purposes may rely on the exception, where it is feasible for organisations to obtain the individual s consent before taking a photograph of the individual or where it is uncertain that an organisation s purpose would be considered solely artistic or literary, the Commission would advise organisations to do so as a best practice. Can individuals withdraw consent for the publication of photographs, or request under the PDPA for the removal of photographs that have been published? 2.19 The PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA for the collection, use or disclosure of their personal data for any purpose by an organisation by giving reasonable notice to the organisation 7. An organisation that receives notice of the withdrawal of consent must (among other things) cease, and cause its data intermediaries and agents to cease, to collect, use or disclose the photographs, as the case may be (unless an exception applies). 2.20 Where an organisation has already collected the personal data, the withdrawal of consent will only apply to its continued use or future disclosure. 7 Please refer to the sections in the Key Concepts Guidelines relating to withdrawal of consent for more details. 9

However, this does not affect an organisation s collection, use and disclosure of personal data without consent where this is required or authorised under the PDPA or other written law. In such cases, organisations may decide to consider refraining from any future collection, use or disclosure of the personal data as a matter of discretion. 2.21 Where photographs of an identifiable individual have been taken (for example, where a photograph is used for marketing purposes) but have yet to be published in a publicly available manner, the individual may withdraw consent for the collection, use or disclosure of the photographs in accordance with the PDPA. The withdrawal of consent would affect all continued use and future disclosure. 8 2.22 The PDPA does not provide a right for individuals to request that an organisation ceases to retain their personal data per se. Thus, an organisation which receives a notice of withdrawal of consent for publication of a photograph is not necessarily required to delete that photograph from all its records and documents, and may retain personal data in accordance with the Retention Limitation Obligation (e.g. where retention is necessary for legal or business purposes). However, where the organisation s activities involving the personal data are in breach of the Data Protection Provisions, the organisation may be directed by the Commission to (among other things) cease retaining such personal data. 2.23 Example: Withdrawal of consent for publication in annual report Organisation ABC publishes a photograph of a client, Mr Y, in its annual report distributed to shareholders and clients. Mr Y subsequently withdraws his consent to the publication of the photograph. Organisation ABC is required under the PDPA to cease future publication of the photograph, unless such disclosure without Mr Y s consent is required or authorised under the PDPA or other written law, for example, if the photograph is already publicly available. However, it is not required to recall copies of its annual report, which had been circulated prior to the withdrawal, so as to remove the photograph. It may also be able to continue to retain the photograph subject to the Retention Limitation Obligation. 8 When the personal data is publicly available, the organisation may wish to cease use or disclosure as a good practice. 10

2.24 Example: Collection in breach of Data Protection Provisions Jessie informs Organisation XYZ that it had collected her personal data without her consent by taking an identifiable photograph of her, and asks it to destroy the photograph. Organisation XYZ determines that its collection (and any subsequent use or disclosure) of Jessie s personal data may have been in breach of the Data Protection Provisions. In this case, Organisation XYZ should cease any further use or disclosure of Jessie s personal data. Where continued retention of Jessie s personal data constitutes a breach of the Data Protection Provisions 9, Organisation XYZ should also cease such retention. 10 Does the PDPA affect the copyright in a photograph? 2.25 The Data Protection Provisions do not affect any right or obligation by or under other laws, including the Copyright Act. Hence, the PDPA does not affect when copyright subsists in a work or the rights of a person who owns copyright under the Copyright Act. Nevertheless, organisations must comply with the Data Protection Provisions when collecting, using or disclosing personal data in such a work. For example, an organisation that seeks to take a photograph of an individual would need to comply with the Consent Obligation, unless an exception under the PDPA applies (as discussed above). END OF DOCUMENT 9 The Retention Limitation Obligation requires an organisation to cease to retain its documents containing personal data, or remove the means by the which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (a) the purpose for which the personal data was collected is no longer being served by the retention; and retention is no longer necessary for legal or business purposes. 10 To be clear, Organisation XYZ s ceasing to retain Jessie s personal data does not necessarily absolve Organisation XYZ of any breach of the Data Protection Provisions, nor preclude the Commission from taking action against Organisation XYZ if the Commission determines that Organisation XYZ had indeed breached the Data Protection Provisions. 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information