PDPC Notification on Security Standards for Personal Data Controllers Exempted from PDPA
The Office of Personal Data Protection Commission (PDPC) conducted a public hearing on the draft PDPC Notification Concerning the Security Standards for Personal Data under Responsibility of Data Controllers exempted from the enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) (“Notification”). This public hearing occurred from 17 October 2023 to 31 October 2023.
Under Section 4 of the PDPA, certain data controllers, including public authorities, the media, the House of Representatives, the Senate, the Parliament, the courts, and the credit bureau, are exempted from the enforcement of the PDPA. However, Section 4 paragraph 3 of the PDPA mandates that these exempted data controllers must implement security measures to protect personal data.
The draft Notification sets out the security measures that exempted data controllers must adhere to. These measures are similar to those prescribed in the PDPC’s Notification on Security Measures for the Protection of Personal Data B.E. 2565 (2022). The key measures include:
Implementing organizational, technical, and physical measures to safeguard personal data, regardless of its form (physical or digital).
Ensuring the confidentiality, integrity, and availability of personal data.
Extending security measures to servers, software, or applications for storing or processing personal data.
Implementing access control, identity proofing and authentication, need-to-know basis access, user access management, determination of user responsibilities, and personal data audit trails.
Raising awareness about privacy and security among employees or users with access to personal data.
Adopting pseudonymization or encryption measures to minimize the risk of unauthorized or unlawful processing of personal data.
The enforcement of these measures will be closely monitored once the draft Notification comes into force.
The Notification on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”) was approved by the National Telecommunications Commission. The Notification has been officially published in the Royal Gazette and became effective on September 4, 2023.
Key provisions of the Notification include:
Section 6 stipulates that license holders must obtain separate consent from users before using or disclosing their personal data for purposes other than operating the telecommunications business. License holders must clearly inform users about the scope and objectives of the business, the types of personal information that will be used or disclosed, and any third parties involved. Users must be provided with the option to confirm or revoke their consent. License holders must comply with the conditions specified in the notification and any additional requirements imposed by the NBTC. The language used must be clear and easily understandable, without misleading users about the purpose. Consent may be obtained in writing or through technological means. However, users’ consent or withdrawal should not interfere with their use of telecommunications services.
Section 7 outlines the details regarding sensitive data, which includes race, ethnicity, political opinions, beliefs, sexual behavior, criminal record, health record, disabilities, union information, genetic data, biological data, and any other data specified in the Personal Data Protection Law that may affect users.
Section 10 addresses the notification requirements for collecting personal data. Generally, license holders must inform consumers during or before collecting their personal data. However, when collecting data from other sources, license holders must notify the data subject within 30 days from the collection date. License holders are not required to notify when the collection does not require consent under Sections 6 and 7.
Section 14 states that if a violation poses a high risk to individuals’ rights and freedoms, license holders must immediately notify the NBTC within 24 hours of recognizing the violation. The notification must include a remediation measure for affected users.
Section 20 mandates that license holders must publicly announce their policies to protect users’ rights to personal information, privacy, and freedom of communication through telecommunications. These policies must be in accordance with the notification and the personal data protection law and should be displayed on the license holders’ website, place of service, application form, and service agreement. Additionally, these policies must be approved by the NBTC.
Given these revisions, it is crucial for all license holders to update their practices to ensure compliance with the personal data protection policies. The protection of personal information is of utmost importance, particularly in the telecommunications industry.
This Announcement sets guidelines for 2 main matters with the details as follows:
1. Certified courses and training programs
Agencies or institutions that would like the Office to certify their courses and training programs must apply via an official email at email@example.com. After consideration, the Committee will deliver its opinion to the Secretary-General of the Personal Data Protection Committee (“Secretary-General”) for final consideration. Certified courses and programs will be announced to the public.
2. Registered instructors
Separately from the registration of agencies or institutions under item 1, any person who would like to register as an instructor can apply via email at firstname.lastname@example.org. If the applicant’s qualifications meet the requirements, the applicant must attend the seminar and take the examinations organized by the Office. After that, the registration process is completed and the instructor’s name is announced to the public. The registration is valid for one year and must be renewed by attending further seminars.
This Announcement has been effective since the date of its publication. Currently, no civil liability, administrative liability, or criminal penalty applies to agencies or institutions that do not comply with the PDPA and its guidelines. The Office aims to encourage agencies or institutions to attend the training programs so that they understand the provisions of the PDPA and can then pass on their knowledge to the DPO.
New Regulation Governing the Services Related to Digital Identity Proofing and Authentication System
Most people nowadays conduct their transactions through electronic means. Before engaging in such electronic transactions, they must go through a process of identity verification, which is now supported by digital systems and is an important step in helping the counterparty know its customers.
The Digital Identity Proofing and Authentication System is designed to provide a secure and efficient process for validating the identity of users who are attempting to access sensitive information. This system employs cutting-edge technology to ensure that only users with legitimate credentials can access the data they need. The system allows organizations to reliably authenticate user identities using a variety of methods such as biometrics, physical documents, government-issued IDs and other types of identification.
The Digital Identity Proofing and Authentication System also features robust data encryption techniques to protect sensitive information from unauthorized access. This ensures that only users with appropriate credentials can access the data. Additionally, the system has been designed to be tamper-resistant and to provide comprehensive reports that allow organizations to track user activity and access history.
In addition to security features, the system includes a range of tools for user management. Administrators can manage user roles, access rights, and account information quickly and easily. They can also enable or disable users in bulk and set temporary passwords for new users.
The main regulations on digital identification include the European eIDAS Regulation, the General Data Protection Regulation, the Identity Theft Prevention Act, the EU Payment Service Directive and the Anti-Money Laundering Directive. These regulations set out requirements for digital identities, such as customer authentication, data protection and fraud prevention. Companies providing digital identification services in the EU must ensure compliance with these laws. Additionally, some countries have their own regulations in place that must be adhered to when offering such services.
The Digital Identity Proofing and Authentication System is an essential tool for any organization that needs to maintain accurate records and secure access to sensitive data. It provides a simple yet powerful solution for verifying user identities while also ensuring security.
In this regard, the Royal Decree on Supervision of Services Related to Digital Identity Proofing and Authentication System B.E. 2565 (2022) (“Royal Decree”) was announced on 23 December 2022 and will be effective 180 days after the announcement (i.e. 21 June 2023), governing the operations of legal entities that provide services related to digital identity proofing and authentication systems.
The Royal Decree specifies the characteristics of the service providers who must obtain a license to operate digital identity proofing and authentication services, i.e. (1) identity proofing services, (2) authenticator services, (3) identity authentication services and (4) services for exchanging digital identity proofing and authentication data through a network or system. Furthermore, applicants must be a limited company, public limited company or other legal entity that meets the qualifications defined by the Electronic Transactions Development Agency (“ETDA”), and must submit all required documents and information to the ETDA, such as information about the system and technology used to provide the services, a risk assessment and management plan, a personal data protection plan, and security plans and measures for information systems.
The licensee has duties to report as follows:
Submitting a Business Readiness Assessment Report to the ETDA within 180 days of receiving a license. Otherwise, the ETDA may consider revoking the license.
Notifying the ETDA if a third party collects or retains Digital Identity Proofing and Authentication System information on its behalf. Any change to such a third party must be reported to the ETDA within 15 days of the change.
Notifying ETDA of any changes in registered capital, director, manager or person in charge of operating the services, as well as system and technology that may have an impact on service provision.
Notifying ETDA if they receive a complaint or a lawsuit relating to the licensee’s business operations.
Submitting an annual report to ETDA in the format, content and method prescribed by ETDA.
Inspecting the digital identity proofing and authentication system and reporting the results to the ETDA.
Notifying ETDA at least 60 days before the expected date of discontinuation of business.
The ETDA shall consider announcing the rules, procedures and conditions concerning the period for business termination, transfer of services to another Licensee, management and collection of information relating to digital identity proofing and authentication and any other matters that ETDA deems appropriate in order to prevent damage, protect service users and ensure that users can continue to use the services.
The service providers who require a license and were in operation prior to the effective date of the Royal Decree may continue to operate their businesses. However, they must apply for a license and submit a business readiness assessment report within 90 days of the Royal Decree’s effective date. Therefore, if you are required to obtain this license, please read the Royal Decree and begin preparing your application, and keep up to date on any new sub-regulations that may be announced.
Guideline for Privacy Notice and Collection of Personal Data
By now, Data Controllers should be aware that under Section 23 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Data Controller is required to notify the Data Subject of the details and purposes of the collection, use, or disclosure of personal data through a Privacy Notice before or at the time of collection. In this regard, the Personal Data Protection Commission (“PDPC”) has issued a guideline on Privacy Notices and the collection of personal data. Before complying with this guideline, Data Controllers must first determine whether any specific regulations issued by other regulators govern the same matter. If such regulations exist and their standards are not lower than those of the PDPA, the Data Controller must follow those regulations.
Prior to preparing the Privacy Notice, the Data Controller must consider the fairness afforded to the Data Subject, including the consequences that follow the collection, use and disclosure of personal data, and must specify the purpose of the collection in clear and plain language that is neither deceptive nor misleading. The purpose of processing personal data must be obvious, specific and lawful so that the Data Subject explicitly understands and is aware of it, particularly with respect to the disclosure of personal data to third parties, before giving his or her consent. Where another legal basis applies to the collection, use or disclosure of personal data, the Data Controller may rely on that legal basis as well. The guideline also lists the details that should be specified in the Privacy Notice.
Section 25 of the PDPA prohibits the Data Controller from collecting personal data from sources other than the Data Subject directly; however, the Data Controller may do so if the following exceptions are met.
The Data Controller is required to inform the Data Subject of such indirect collection within thirty days of the collection date in order to request consent from the Data Subject and to process the personal data for a new purpose to which the Data Subject has not previously consented. In practice, a Data Controller that receives personal data from another source does not in some cases need to provide the details under Section 23, because the Data Controller that originally collected the data is supposed to have notified the Data Subject in the first place. However, if that Data Controller did not do so, the current Data Controller must comply with Section 23 by notifying the Data Subject within thirty days, as stated above.
The current Data Controller is not required to notify the Data Subject through a Privacy Notice or to obtain consent from the Data Subject again if the Data Subject was already aware of the purpose and details of the personal data collection.
If it is impossible for the current Data Controller to notify the Data Subject, the Data Controller must have an appropriate security system to protect the rights, freedoms and benefits of the Data Subject.
In this regard, the Data Controller shall either make a public announcement stating the necessity of such personal data collection or conduct a Data Protection Impact Assessment (DPIA) to identify and assess the risk or damage that may result from the use or disclosure of the personal data.