Database

The Personal Data Protection Act requires organisations to delete personal data after retention of the data is no longer necessary.

In 2016, Singapore’s Cyber Security Agency proposed to cut off all government computers from the global internet, so that they may only communicate with each other. Employees for whom access to the internet is a fundamental part of their functions, such as communications, human resources and research, can do so but only on separate personal or agency-issued devices. Accordingly, this means that all public administration data is to be held only on local servers owned by the relevant agencies. Although a full public sector air-gap was due to be instituted in May 2017, in March of that year, only a handful of government agencies were cut off from the internet.

An organisation may only transfer personal data outside Singapore if it has taken appropriate steps to ensure that:
- it will comply with the Personal Data Protection Act (PDPA) obligations in respect of the transferred personal data while it remains in its possession or under its control; and
- the recipient outside of Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data transferred that is comparable to that under the PDPA.
An organisation will be taken to have satisfied the second requirement if the individual consents to the transfer of the personal data to the recipient in that country.

The "Personal Information Controller" of an organisation must appoint an individual or individuals who shall be accountable for the organisation's compliance with the Data Privacy Act and the identity of such individual(s) must be disclosed to the data subjects upon the latter's request.

Under the Data Privacy Act, the processing of sensitive personal information and privileged information is prohibited except where:
- the data subject has given his or her consent;
- the processing is provided for by existing laws and regulations;
- the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not able to give consent;
- the processing is carried out for limited non-commercial purposes by public organisations and their associations;
- the processing is necessary for purposes of medical treatment; or
- the processing is necessary for court proceedings or legal claims, or is provided to the government or a public authority.

A general principle of the Data Privacy Act requires personal information to be retained only for as long as necessary, as needed for legal claims or legitimate business purposes, or as provided by law.

According to the Circular No. 899, offshore outsourcing of bank's domestic operations is permitted only when the service provider operates in jurisdictions which uphold confidentiality. When the service provider is located in other countries, the bank should take into account and closely monitor, on continuing basis, government policies and other conditions in countries where the service provider is based during risk assessment process.

The Bangko Sentral (the Central Bank of Philippines) examiners shall be given access to the service provider and those relating to the outsourced domestic operations of the bank. Such access may be fulfilled by on-site examination through coordination with host authorities, if necessary.

According to the Privacy Act, every public and private sector agency must have at least one data privacy officer.

The Telecommunications Information Privacy Code 2003 prohibits the retention of telecommunications information for longer than is required for the purposes for which the information may be lawfully used. The Code was enacted under the Privacy Act 1993 in order to amend the information privacy principles in the Act with regard to telecommunications agencies. The Code affects all telecommunications agencies (including telephone companies, publishers of telephone directories, Internet service providers, mobile telephone retailers and call centers) in their handling of personal customer information.

Consent is not required for the transfer of data to third countries, subject to compliance with the Information Privacy Principles. However, both the Privacy Act and the Health Information Privacy Code continue to apply to personal information and health information even when it is transferred out of New Zealand.

The Privacy Commissioner is given the power to prohibit a transfer of personal information from New Zealand to another state, territory, province or other part of a country by issuing a transfer prohibition notice.

New Zealand’s Inland Revenue Service issued a “Revenue Alert” stating that companies were required to store business records in data centers physically located in New Zealand in order to comply with the Inland Revenue Acts.

Penalties for data privacy violation vary from a warning notice to fines up to 320,000 days of the minimum daily wage in Mexico City (about to 1.4 million USD) and imprisonment ranging from three months to five years. These penalties may double in the case of sensitive personal data.

As of today, there have not been enforcement actions or sanctions.

The Mexican Law requires the data controller to appoint a data protection officer.

When personal information is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and applicable law, personal information must be deleted. Information relating to non-performance of contractual obligations must be deleted after 72 months from the day on which the non-performance arose.

The Mexican Federal Telecommunications and Broadcasting Law entered into force in August 2014 compels telecom providers to retain, for two years, the details of who communicates with whom, for how long, and from where.