Today,
it is common practice for transport services for hire such as taxi services, private
hire car services, and private charter bus services, to deploy In-Vehicle
Recording Devices (IVRDs). However, images, audio recordings and/or video
recordings of identifiable individuals captured by IVRDs in transport vehicles
for hire may contain personal data. For example if the image or voice of an
individual is considered personal data as it can be used to identify him or her.
To
provide organisations with greater clarity on specific requirements and
obligations under the Personal Data Protection Act (PDPA), the Personal Data
Protection Commission (PDPC) has published
a set of advisory guidelines, which were developed in consultation with the
Land Transport Authority (LTA).
The
guidelines also take into consideration feedback from taxi and car rental
companies, the National Private Hire Vehicles’ Association, the National Taxi
Association and the Vehicle Rental Association through a series of closed-door
consultation sessions.
According
to the latest advisory guidelines issued by PDPC, organisations that use IVRDs
to capture personal data are required to comply with provisions under the PDPA.
As such, organisations must put in place the necessary policies and practices
to meet these obligations. For example, organisations that lease vehicles to
drivers to provide transport services for hire should also ensure that drivers,
as data intermediaries, are aware of and exercise proper data practices and security
arrangements involving the collection, use and disclosure of personal data
captured by IVRDs.
Key requirements of the advisory guidelines
by PDPC
When
collecting personal data via IVRDs, organisations must:
(1)
Notify individuals of the purposes for
collecting, using and disclosing their personal data captured by IVRDs
For
example, a prominent notice should be placed on the passenger door and/or in
the vehicle such that individuals are made aware, prior to boarding the
vehicle, that IVRDs are deployed in the vehicle and the purpose of deployment
(2)
Ensure that the collection, use or disclosure of
personal data are only for purposes that are reasonable, such as to ensure the
safety and security of the driver and the passengers or to deter fare evasion
(3)
Cease the use or disclosure of individuals’
personal data in the in-vehicle recording upon withdrawal of consent by the
individual after using the transport service, although they need not delete the
recording upon withdrawal of consent, and may retain it if there are any legal
or business purposes
(4)
Grant individuals access to the personal data in
their possession or control and provide information about how such personal
data has, or may have been used or disclosed by the organisation in the past
year, unless the burden or expense incurred for providing access would be
unreasonable
(5)
Make reasonable security arrangements to protect
the personal data captured by the IVRDs to prevent unauthorised access,
collection, use, disclosure, copying, modification, disposal or similar risks
To raise
public awareness on the latest advisory guidelines and personal data protection,
PDPC and LTA have jointly produced an accompanying handbook that illustrates
common scenarios of transport services for hire and highlights key data
protection obligations for organisations and drivers.
Hardcopies
of the handbook have been distributed to drivers through the car rental companies,
taxi companies and associations.
Feature image: Sergey
Solom/ CC BY-SA 3.0