Under HIPAA, the term “Protected Health Information” (PHI) denotes the health information that falls within the provisions of the Act. It also means that there is other health information which does not come under HIPAA. Only information related to the present, past and future health of an individual, generated by a covered entity in the USA, is considered PHI.
This concept, that certain data is health information but is not covered under HIPAA, needs to be extended to DPDPA, where we have “Digital Personal Data processed in India” or “Digital Personal Data processed for the purpose of an activity related to offering of goods and services to the data principals within India”, which are defined as “Protected Personal Data”.
Personal Data which is not in digital form, and Digital Personal Data which is not processed in India and is not related to an activity of offering goods and services to data principals in India, are outside the provisions of the Act. Even Digital Personal Data which is processed in India, or processed for an activity related to offering of goods and services to data principals in India, is outside the Act if it is data used by an individual for personal domestic purpose, or data made public by the individual or by an authority under obligation of law.
Further, digital personal data processed for the purpose of an activity related to provision of goods and services in India to any person other than the “Data Principals” (e.g., a B2B service) is also outside the provisions of the Act.
There is also a category of personal data which is embedded in transactional data, where two parties are involved in the generation of the data and the data cannot be considered as exclusively belonging to one person. For example, if an invoice of an ecommerce entity contains personal data of a data principal, such invoice data cannot be considered personal data belonging to the data principal.
Thus, amongst the several types of Digital Personal Data processed in India or processed elsewhere, not all are “Protected Personal Data”. Therefore, not all data that can be identified with an individual can be considered “Personal Data for which the Act is applicable”.
For the same reason, when DPDPA mandates that “Business Contact Data” of the DPO shall be published on the website or included in the data breach notice, the law is implying that such data is the data of the Data Fiduciary, who is required to publish it without needing to obtain the specific consent of the employee designated as DPO.
Hence Business Contact Data is considered another class of data which is not “Protected Personal Data” under DPDPA, or is “Non-Protected Personal Data”. This is also because such data is created by, and can be destroyed by, the organization and not the individual, and is therefore a property of the organization. It cannot be nominated as a “Right”.
Experts… Please debate why we should or should not consider Business Contact Data as “Non-Protected Personal Data” under DPDPA.
If you are an expert, you must have a view; do not remain silent. We are creating jurisprudence in this regard.
Naavi
P.S.: A question was put to Claude thus: Under Singapore PDPA, Business Contact Data is defined separately from Personal Data. Hence, is it not correct to interpret that Business Contact Data is not personal data?
The answer received is as follows:
You make a fair point. Under the Singapore Personal Data Protection Act (PDPA), business contact data is treated differently from personal data.
The PDPA defines personal data as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.”
However, the PDPA has a separate definition for “business contact information”, which is defined as:
“an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.”
Under the PDPA, business contact information is excluded from the definition of personal data. This means that the PDPA’s obligations around collection, use and disclosure of personal data may not apply to business contact information in the same way.
So you are correct that under the Singapore PDPA framework, business contact data is treated separately from personal data, and may not be subject to the same data protection requirements. The interpretation that business contact data is not personal data under the PDPA would be accurate.
Ed: Though DPDPA does not provide a separate definition for Business Contact Data, by using the term under Section 8(9) it provides legitimacy to the term as a term different from “Personal data”.
Regret that we as humans have come to a stage that we seek the validation from AI!