
Data Controller Guidelines: Department of Physical Education
Guidelines for Data Controller Operations In Compliance with the Personal Data Protection Act (PDPA)
Announced on June 1, 2022
The Department of Physical Education (hereinafter referred to as the "Department") has established an operational framework defining the procedures for the Data Controller. This framework references Section 37 of the Personal Data Protection Act (PDPA) concerning the duties of a Data Controller, which comprises five clauses, as follows:
Section 37 (1): Security Safeguards
"Provide appropriate security measures for preventing the unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed, to efficiently maintain the appropriate security and safety, which shall be in accordance with the minimum standards specified and announced by the Committee."
The Department defines the security of Personal Data through the following three dimensions:
Confidentiality
Integrity
Availability
To prevent the unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of Personal Data, the Department implements the following security safeguards and procedures:
1. Administrative Safeguards
1.1 Formulation of regulations and procedures to control access to Personal Data, as well as data storage and processing equipment, with due consideration to operational utility and security. This includes mandatory entry/exit logs for restricted areas, security personnel screening authorized entrants, and an explicit list of authorized personnel.
The stringency of these measures shall correspond to the level of risk or potential damage that might arise if Personal Data is unlawfully leaked, modified, copied, or destroyed.
1.2 Establishment of user responsibilities regarding authorization and access rights to Personal Data. This is categorized into various levels of authorization, such as rights to view, edit, supplement, disclose, publish, audit data quality, and erase or destroy data.
2. Technical Safeguards
2.1 Implementation of mechanisms enabling traceability (audit trails) of the access, alteration, erasure, or transfer of Personal Data, appropriate to the methods and media used for collecting, using, or disclosing Personal Data. Each log entry should record who acted, on which data, when, and through which system, and the logs themselves must be protected from alteration or deletion by the users whose actions they record.
2.2 Access control restricting Personal Data access solely to authorized personnel, according to data management privilege levels for data ingestion, alteration, correction, disclosure, and erasure or destruction.
2.3 Provision of data backup and disaster recovery systems to ensure the business continuity of information systems and/or services. Backups contain the same Personal Data as the live systems and are subject to the same access controls and retention limits.
3. Physical Safeguards
3.1 Physical access control governing Personal Data and its storage or processing equipment based on usability and security. This includes physical area access logs, area security guards, CCTV surveillance systems, and access control systems for authorized personnel only.
The stringency of these measures shall correspond to the level of risk or potential damage that might arise if Personal Data is unlawfully leaked, modified, copied, or destroyed.
3.2 Identification and authorization of the personnel permitted to access Personal Data storage or processing hardware, according to their roles and responsibilities. This prevents unauthorized access to, viewing, disclosure, or unlawful duplication of Personal Data, theft of storage or processing hardware, and unauthorized movement of equipment into or out of facilities.
Section 37 (2): Third-Party Data Sharing Operations
"Where the Personal Data is to be provided to other persons or juristic persons apart from the Data Controller, take steps to prevent such persons from using or disclosing such Personal Data unauthorizedly or unlawfully."
The Department implements the following operational procedures:
1. Pre-Transmission Assessment
1.1 Verify the rights, authority, duties, and legal bases invoked by the requesting third-party person and/or juristic person.
1.2 Inquire about the purpose of data utilization to assess the appropriate level of data granularity to be provided. (e.g., whether a full date of birth or house number is required, or if the birth year and postal code suffice; and whether personally identifiable information, such as full name and 13-digit National ID, is necessary, or if substituting identifiable data with anonymous unique identifiers would satisfy the objective).
2. Upon Transmission of Data
2.1 Prepare a new dataset processed from raw data, containing only the minimum necessary details required for the specified purpose.
2.2 Deliver the data and log the recipient’s name, contact information, date of transmission, the legal basis for accessing the Personal Data, and the stated purpose of use.
2.3 Notify the recipient (person or juristic person) that upon receiving the dataset, they shall assume the obligations of a Data Controller for that specific dataset, strictly within the scope and purposes previously declared.
3. Post-Transmission Monitoring
3.1 Conduct periodic tracking (e.g., every 3, 6, or 12 months) to record the latest status of data utilization. If the data is no longer required for the originally stated purpose, formally notify the recipient to erase or destroy the dataset.
3.2 Establish methods to keep the shared data continuously up to date, such as automated software interfaces (APIs) that synchronize data between the source and destination in real time. Such an interface must transmit only the minimised fields agreed for the stated purpose, authenticate the recipient, and log each transfer in the same way as the initial delivery.
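The minimisation and logging steps above (1.2, 2.1 and 2.2) can be enforced in code rather than by hand. The following Python is an added example, not part of the Department's guidelines or any Department system: it builds a shared dataset from only the derived fields the stated purpose justifies (birth year instead of full date of birth, postal code instead of house number, a keyed pseudonym instead of the 13-digit National ID) and produces the transfer log entry at the same time. The record layout, the recipient, the per-recipient secret and the review interval are all assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records in the shape the Department might hold (fictitious people).
RAW_RECORDS = [
    {"national_id": "1100000000001", "full_name": "Somchai Jaidee",
     "date_of_birth": "1990-05-14", "house_number": "99/12",
     "postal_code": "10300", "sport": "athletics"},
    {"national_id": "1100000000002", "full_name": "Somying Rakdee",
     "date_of_birth": "1985-11-02", "house_number": "7",
     "postal_code": "50000", "sport": "swimming"},
]

# Direct identifiers that must never leave the Department in a shared dataset.
DIRECT_IDENTIFIERS = {"national_id", "full_name", "date_of_birth", "house_number"}


def pseudonym(national_id: str, recipient_secret: bytes) -> str:
    """Keyed, one-way substitute for the 13-digit National ID.

    HMAC-SHA256 with a per-recipient secret held only by the Department:
    the same person maps to the same reference within one recipient's
    dataset (so records can still be linked), the reference cannot be
    reversed, and two recipients cannot cross-match their datasets.
    """
    return hmac.new(recipient_secret, national_id.encode(), hashlib.sha256).hexdigest()[:16]


# The only fields a shared dataset can be built from. Each is derived so that
# the full identifier never appears (birth year, not date of birth, and so on).
DERIVATIONS = {
    "subject_ref": lambda r, secret: pseudonym(r["national_id"], secret),
    "birth_year": lambda r, secret: int(r["date_of_birth"][:4]),
    "postal_code": lambda r, secret: r["postal_code"],
    "sport": lambda r, secret: r["sport"],
}


def prepare_transfer(raw_records, recipient, contact, legal_basis, purpose,
                     fields, recipient_secret, sent_on, review_after_days=180):
    """Build the minimised dataset for one recipient plus its transfer log entry.

    `fields` lists the derived fields justified by the stated purpose (step 1.2).
    Anything outside DERIVATIONS, including every direct identifier, is rejected
    rather than silently passed through.
    """
    unknown = set(fields) - set(DERIVATIONS)
    if unknown:
        raise ValueError(f"fields not permitted in a shared dataset: {sorted(unknown)}")

    dataset = [{f: DERIVATIONS[f](rec, recipient_secret) for f in fields}
               for rec in raw_records]

    # Step 2.2: what was sent, to whom, when, on what basis, and when to follow
    # up (step 3.1) on whether the recipient still needs the data.
    log_entry = {
        "recipient": recipient,
        "contact": contact,
        "sent_on": sent_on.isoformat(),
        "legal_basis": legal_basis,
        "purpose": purpose,
        "fields": list(fields),
        "record_count": len(dataset),
        "next_review": (sent_on + timedelta(days=review_after_days)).isoformat(),
    }
    return dataset, log_entry


def leaks_identifier(dataset) -> bool:
    """Final check before delivery: no direct identifier in any record."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in dataset)


if __name__ == "__main__":
    # Hypothetical recipient and per-recipient secret (in practice, from a key store).
    secret = b"per-recipient-secret-kept-by-the-department"
    dataset, entry = prepare_transfer(
        RAW_RECORDS, recipient="Example Research Unit", contact="research@example.org",
        legal_basis="statistical purpose (as declared by the recipient)",
        purpose="participation statistics by age and province",
        fields=["subject_ref", "birth_year", "postal_code", "sport"],
        recipient_secret=secret, sent_on=date(2022, 6, 1))
    assert not leaks_identifier(dataset)
    print(dataset)
    print(entry)
```

Because the pseudonym is keyed per recipient, the Department can still answer a later erasure request for a named person (recompute the reference and tell the recipient which rows to delete) without the recipient ever holding the National ID; losing or sharing the secret would undo that property, so it belongs with the Department's other key material.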
Section 37 (3): Data Retention and Erasure System
"Provide an audit system for the erasure or destruction of Personal Data upon the expiration of the retention period, or where such data is unrelated to or beyond the necessity for collection, or as requested by the Data Subject, or where the Data Subject has withdrawn consent, except where the retention is for freedom of expression, purposes under Section 24 (1) or (4) or Section 26 (5) (a) or (b), the establishment, compliance, exercise, or defense of legal claims, or compliance with the law. The provisions of Section 33 paragraph five shall apply mutatis mutandis to the erasure or destruction of Personal Data."
The Department implements the following operational procedures:
1. Conduct regular monitoring (e.g., weekly or monthly) to verify whether any Personal Data or datasets under the Department’s custody (as Data Controller) have exceeded their retention period as stated in the Privacy Notice or as consented to by the Data Subject. This is done to initiate erasure, destruction, or anonymization of the Personal Data, as applicable.
2. In cases where a Data Subject exercises their right to erasure (or withdraws consent) and the Department relies on Consent as the legal basis for collection, the Department must promptly erase, destroy, or anonymize the Personal Data.
3. Data erasure, destruction, or anonymization may be exempted if the Department demonstrates compelling legitimate grounds that override the rights of the Data Subject, such as:
3.1 Achieving purposes relating to historical documents, archives for public interest, scientific or historical research, or statistical purposes.
3.2 Performing a task carried out in the public interest within the scope of the Data Controller’s duties.
3.3 Assessing the working capacity of the employee, medical diagnosis, the provision of health or social care, medical treatment, or the management of health or social care systems and services.
3.4 Public health protection against dangerous communicable diseases or epidemics that may spread into the Kingdom, or controlling the standard or quality of medicinal products, medical supplies, or medical devices.
Such exemptions must incorporate appropriate and specific measures to safeguard the rights, freedoms, and interests of the Data Subject, particularly regarding the confidentiality of Personal Data in accordance with professional duties or ethics.
Section 37 (4): Data Breach Notification
"Notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of persons. If the breach is likely to result in a high risk to the rights and freedoms of persons, notify the Data Subject of the breach and the remedial measures without delay. The notification and the exemption shall be in accordance with the rules and methods specified and announced by the Committee."
The Department implements the following operational procedures:
1. Designate responsible personnel and clear reporting channels (e.g., email and telephone for severe and urgent breaches) through which staff report suspected data breaches to the Department's representatives.
2. Establish standard operating procedures requiring the Department's representatives to notify the Office of the Personal Data Protection Commission (PDPC) within 72 hours of becoming aware of a breach. The 72-hour period starts when the Department becomes aware of the breach, so the initial assessment of risk to Data Subjects must be completed within that window.
3. Breach notification may be exempted if the incident is unlikely to result in a risk to the rights and freedoms of individuals. Examples of this risk assessment include:
3.1 Low-Risk Scenario (Exempt from Notification): Personal Data is strongly encrypted and unreadable without the decryption key, which remains under the Department's sole control. A ransomware attack encrypts the system and renders it inaccessible, but investigation confirms that no data was exfiltrated, and the Department restores service from an intact backup so that business continuity is maintained. This is considered a low risk to individual rights and freedoms: the Data Controller only records the incident internally, and neither the PDPC nor the Data Subjects need be notified. If the decryption key was also exposed, or exfiltration cannot be ruled out, this exemption does not apply.
3.2 High-Risk Scenario (Mandatory Notification): An online job recruitment website is compromised by an attacker who plants malware that accesses submitted applications, and the intrusion is detected only a month after the malware was installed. Although the data consists of general recruitment information, the prolonged unauthorized access is considered a high risk to individual rights and freedoms. The Data Controller must record the incident internally, notify the PDPC within 72 hours of becoming aware of it, and notify the affected Data Subjects, together with remedial measures, without delay.
Section 37 (5): Appointment of a Representative
"If the Data Controller is a Data Controller under Section 5 paragraph two, appoint in writing a representative of the Data Controller who must be in the Kingdom and authorized to act on behalf of the Data Controller without any limitation of liability concerning the collection, use, or disclosure of Personal Data according to the purposes of the Data Controller."
Status for the Department: The duty of the Data Controller under this clause is not currently applicable to the Department of Physical Education.
