Privacy Protection Principles, compare ISO29100, with Singapore and Hong Kong legislations

ISO 29100:2011 Privacy Framework is now a public available document and it offers a comprehensive framework. Hong Kong and Singapore Gov both enacted privacy regulations, I compare both regions’ privacy protection requirements with ISO29100. Below is a summary table. Will write more on each comparison later.

ISO 29001:2011 Eleven Privacy Principles  Singapore Nine Data Privacy Obligations  Hong Kong Six Data Protection Principles 
Clause 5.2 Consent and choice
The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.
DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.
Clause 5.3 Purpose legitimacy and specification The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.
Clause 5.4 Collection Limitation The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.
Clause 5.5 Data minimization  No direct equivalent requirement  No direct equivalent requirement
Clause 5.6 Use, retention and disclosure limitation The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes. DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used.
Clause 5.6 Use, retention and disclosure limitation The Transfer Limitation Obligation (refer to PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

“Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances” is in legislation but not yet in operation 

Clauses 5.7 Accuracy and quality The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation. DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used.
Clause 5.8 Opennes, transparency and notice The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.  
Clause 5.8 Opennes, transparency and notice i)  The Openness Obligation (refer to PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. DPP5: formulates and provides policies and practices in relation to personal data.
Clause 5.9 Individual participation and access d)  The Access and Correction Obligation (PDPA sections 21 and 22): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the organisation. DPP6: individuals have rights of access to and correction of their personal data. Data users should comply with data access or data correction request within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable.
Clauses 5.10 Accountability (include data breach notification)  No direct equivalent requirement  No direct equivalent requirement
Clause 5.11 Information Security f)  The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.
Clause 5.12 Privacy Compliance  No direct equivalent requirement  No direct equivalent requirement
This entry was posted in China, Hong Kong, Privacy, Singapore and tagged , on by .

About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received a LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech statup Powerdata2go.com Antony was th Chairman of Professional Information Security Association (PISA) from 2009 to 2010. He also joined ISC2 workshop on developing a new cloud security certification. Current positions include: 1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter) 2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy 3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001. email : antony.linkedin@gmail.com Specialties Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security

One thought on “Privacy Protection Principles, compare ISO29100, with Singapore and Hong Kong legislations

  1. Pingback: Public available of ISO/IEC 29100:2011 Privacy framework | A-INFOSEC

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s