
Data Protection Principles (“DPPs”)

Data Protection Principles (“DPPs”) of the PD(P)O, with examples for collecting, handling and using personal data.

DPP1

Purpose, accuracy and manner of the collection of personal data

  • Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user.

  • Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.

  • Data collected should be adequate but not excessive.

Example: Prior to collecting students’/employees’ personal data, a personal information collection statement (“PICS”) should be provided.

DPP3

Data use principle

  • Personal data must be used for the purpose for which the data is collected or for a directly related purpose.

  • Personal data shall not, without the voluntary and explicit consent of the data subject, be used for a new purpose.

Example: The personal data collected from employees and students should only be used for the purposes stated in the privacy notice.

DPP5

Openness principle

 

  • A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

Example: The privacy notice is made available to the public on the university website.

DPP2

Accuracy & retention principle

  • Personal data must be accurate and should not be kept for a period longer than is necessary to fulfil the purpose for which it is used.

Example: The personal data collected should be disposed of when it reaches the retention period mentioned in the PICS.

DPP4

Data security principle

  • A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.

Example: Sharing of and access to students’ and employees’ personal data should be provided on a need-to-have or need-to-know basis only.

DPP6

Data access & correction principle

  • A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.

Example: Employees have access to their own personal data at Workday. Students have access to their own personal data at the students portal.

Key Definitions under PD(P)O

Personal Data means information relating to a living individual. It must also exist in a form in which access to or processing of the data is practicable.

Data Subject is the individual who is the subject of the personal data.

Data User is a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.

Data Processor is a person who processes personal data on behalf of another person (a data user), instead of for his/her own purpose(s). Data users are required, by contractual or other means, to ensure that their data processors meet the applicable requirements of the PD(P)O.
