A-Z of data protection - P is for ...

2022-05-05

A-Z of data protection: terms you need to know

P

passive data collection
the act of collecting data automatically as a user browses a site or uses an app, usually through cookies or web beacons, rather than asking a user to explicitly provide or input his/her data through a form. Passive data collection is often done without the user’s knowledge

persistent cookies
cookies that exist on a user’s device until a defined expiration date, which could be minutes, months, or even years later

Personal Data Protection Act (PDPA) [SG]
an Act to govern the collection, use, disclosure and care of personal data by organisations in Singapore
establishes the Do Not Call (DNC) Registry that allows Singaporeans to opt out of receiving telemarketing messages

Personal Data Protection Commission (PDPC) [SG]
Singapore’s main authority in matters relating to personal data protection, which administers and enforces the Personal Data Protection Act, and develops Advisory Guidelines to help organisations understand and comply with the PDPA

Personal Information Controller (PIC) [PH]
refers to a person or organisation who controls* the collection, holding, processing or use of personal information, including a person or organisation that instructs another person or organisation to collect, hold, process, use, transfer or disclose personal information

*“control” means that the person or organisation decides what information is collected and to what extent it is processed

excludes a person or organisation who performs such functions as instructed by another person or organisation

Personal Information Processor (PIP) [PH]
refers to any individual, organisation or body to whom a Personal Information Controller (PIC) may outsource or instruct the processing of personal data

pharming
a type of phishing done by hijacking the DNS server. When the DNS server is hacked, typing a website address in your browser will lead you to a malicious lookalike site instead of the legitimate one. If you unsuspectingly log in, you would be giving away your login credentials

Philippine Data Privacy Act (DPA)
officially known as the Philippine Republic Act No. 10173, or the Data Privacy Act of 2012, the DPA is a law that seeks to protect all forms of information, be it private, personal, or sensitive
covers both natural and juridical persons involved in the processing of personal information
also covers those who, although not found or established in the Philippines, use equipment located in the Philippines, or those who maintain an office, branch, or agency in the Philippines

Philippine Privacy Trust Mark (PPTM)
a voluntary privacy certification renewable every three years, issued by the National Privacy Commission (NPC) of the Philippines
accorded to Personal Information Controllers (PICs) and Personal Information Processors (PIPs) that demonstrate operational compliance with the Philippine Data Privacy Act and have proper organisational, physical, and technical security measures to ensure data protection
the PPTM aims to increase trust and confidence in businesses and public offices, as the mark offers the highest level of assurance in the Philippines on data privacy compliance and secure cross-border data transfers

phishing
a cyber attack wherein the malicious actor masquerades as a legitimate email, website, ad, or text message to trick users into disclosing their personal information, which can then be misused, such as for identity theft

pop-up phishing / malvertising
a type of phishing attack which embeds a malicious link or code in pop-ups, pop-up notification requests, or ads

preference cookies
a type of cookie that improves an individual’s browsing experience by remembering a user so that the experience can be customised

privacy notice
statement made to a data subject that describes how the organisation collects, uses, retains and discloses personal information
differs from a privacy policy, which is internal documentation that guides company employees on how to handle personal data

privacy policy
internal documentation that defines the organisation’s practices regarding personal information, used to guide employees who handle personal data
differs from a privacy notice, which is an outbound statement written to inform data subjects about how their data is being collected, used, stored, etc.

Professional Evaluation and Certification Board (PECB)
the certifying body for professionals for various ISO standards. The PECB establishes the requirements for certification, provides examinations, grants certificates, and establishes requirements for certificate renewal

protection obligation
an organisation is responsible for actively securing personal data in its possession from unauthorised access, collection, use or disclosure
one of the 11 data protection obligations under Singapore's Personal Data Protection Act (PDPA)

purpose limitation
personal data must be collected, used, or disclosed only for purposes that are reasonable to provide the product or service, and for which the individual has given consent
processing must not be excessive and must be compatible with the specified purpose
forced or required consent for purposes not necessary to provide the product or service is not allowed
one of the 11 data protection obligations under Singapore's Personal Data Protection Act (PDPA)


