(Translation)
PRINCIPLE AND RATIONALE
FOR DRAFT PERSONAL DATA PROTECTION ACT B.E. _______
________
Principle
To have the law on personal data protection enacted.
Rationale
Section 28 and Section 34 of the Constitution of the Kingdom of Thailand provide for
the protection of a person’s family right, dignity, reputation, or right of privacy. Assertion or
circulation of a statement or picture in any manner whatsoever to the public, which violates
or affects the person’s family rights, dignity, reputation or right of privacy shall not be made
except for the case of public interest. It is, therefore, necessary to provide a mechanism for
the protection of personal data, which may be processed and disseminated to a large number
of people easily, conveniently, and quickly by a modernized information technology. For
such protection, a personal data commission shall be established to set policy and supervise
the protection of personal data. Therefore, this act is enacted.
d:\219545963.doc
Draft1
PERSONAL DATA PROTECTION ACT
B.E. ________
_________
___________________
___________________
___________________
_____________________________________________________________________
__________________________
Whereas it is expedient to have the law on personal data protection enacted.
_____________________________________________________________________
__________________________
Section 1.
This Act shall be called “Personal Data Protection Act B.E. ___”.
Section 2.
This Act shall come into force upon the lapse of one hundred and
eighty days as from the date of its publication in the Government Gazette.
Section 3.
A person shall be protected with regard to his personal data as
provided in this Act, except where any law or any regulation with the force of law
specifically provides the rules on the protection of personal data in any respect and the
assurance for justice and standards thereof is not lower than the one provided by this Act.
The provision of paragraph one shall not apply to the appeal or argument proceeding
as provided by law.
Section 4.
In this Act:
“Personal data” means facts which relate to a person from which such person can be
identified, either directly or indirectly.
“Personal data record” means document, data base, picture or anything that
demonstrates the picture of a person in other form, excluding printed matter made public or
document stored in library, art gallery, or museum, for the purposes of reference, education,
exhibition, or document in commemoration, or letter or any other material sent in usual
business of the postal service, except as otherwise indicated by the context.
“Code of ethics” means rules and practices made in writing relating to the protection
of personal data.
“Commission” means the Personal Data Protection Commission.
1
As approved by the National Information Technology Board on 3 October 2001.
“Competent official” means the competent official of the Personal Data Protection
Commission.
“Minister” means the minister in charge of the enforcement of this Act.
CHAPTER 1
PROTECTION OF PERSONAL DATA
_____________
Section 6.
The collection, use, disclosure, alteration, erasure of, or any act made
to, personal data may be made only in compliance with the rules provided in this Act.
Section 7.
The collection of personal data for record or publication shall not be
made, except:
(1)
where it is made for lawful purposes relating directly to the activities of the
collector; and
(2)
where it is made only to the extent necessary for the purposes of the
collection.
Section 8.
Where the collection of personal data shall be made for record or
publication, the collector shall communicate to relevant persons at the relevant time or
immediately after the completion of the collection of such personal data, the following
details:
(1)
the purposes of the collection;
(2)
the provisions of law that allow or require the collection;
(3)
the person or agency to which the collector has the duty to disclose the
personal data.
Section 9.
The collection of personal data regarding race, ethnicity, political
opinions, doctrinal, religious or philosophical beliefs, sexual behavior, criminal records,
health records, or any other data, which are sensitive to the feeling of other persons or the
public, as prescribed in its notification by the Commission, shall not be made without consent
of the personal data subject or relevant person, except where:
(1)
it is made for the prevention or suppression of danger to life, body or health of
a person;
(2)
it is made by a non-profit organization, provided that such personal data relate
to members of such organization and such members have been informed before or at the time
of the collection that such data shall not be disclosed without their consents;
(3)
it is made for the purposes of study and research, [and] statistical analysis with
regard to science or public health.
Section 10. Where the data collector collects personal data for record or
publication, if such data are public information, the data collector shall take steps to assure
relevant person that the collection is compatible with the specified purpose, up-to-date,
complete, and does not encroach or interfere with private life of the relevant person.
Section 11.
The possessor or controller of personal data record shall do the
following:
(1)
to have security measures to prevent the loss of, access to, use, alteration,
change, unauthorized disclosure, or abuse of the personal data, and
(2)
where the personal data record shall be given to other person, to take steps to
prevent such person from using or disclosing the personal data record without authority.
Section 12. The possessor or controller of personal data shall prepare descriptions
of the following for verification by the data subject or the Commission, except where
otherwise provided by law:
(1)
the nature of the personal data to be collected for record;
(2)
the purposes of each type of record;
(3)
the classes of persons who maintain the data;
(4)
the duration for maintaining of each type of data;
(5)
the conditions for the person entitled to access the personal data, and the
conditions to the access to such data;
(6)
the steps to be taken when a request for access to the personal data is filed.
Section 13. A relevant person shall be entitled to access personal data record
relating to such person possessed by the possessor or controller of such personal data record,
except where it is contrary to or inconsistent with the provisions of other laws.
Section 14. The possessor or controller of personal data record shall alter, erase, or
supplement the personal data in order to make such personal data accurate, up-to-date,
complete, and not misleading, except as otherwise provided by law.
Where the possessor or controller of personal data record fails to alter, erase, or
supplement as requested by relevant person, and in absence of the law requiring the
alteration, such person shall keep record of the statement of the person who requests the
alteration, erasure of, or supplement to, the personal data with such data.
Section 15. The possessor or controller of personal data record shall not use or
disclose the personal data under his possession or control to a third party without consent of
the data subject, which has been given prior to or at such time, except for the following cases:
(1)
the use of the personal data in usual practice within the purposes of the
collection of the personal data, or as may be necessary for the benefit that directly relates to
the purposes of the collection of the personal data;
(2)
the disclosure of the personal data to a State agency that has the authority with
regard to planning or statistics or census who has the duty to keep the personal data but not to
disclose to others;
(3)
the release of the personal data for the purposes of study and research without
specifying the name or part that can be identified as personal data relating to any person;
(4)
the disclosure of the personal data to a State official for the purpose of
preventing the violation of or non-compliance with the law on investigation, examination, or
filing of a case, regardless of the type of the case;
(5)
the release of the personal data to the extent as necessary for the prevention or
suppression of danger to life, body or health of a person;
(6)
the provision of the personal data to a Court, or a State official or a State
agency, who has the power under law to ask for such personal data.
In the case of the use or disclosure under (2) through (6), the possessor or controller
of the personal data shall enter a record of such use.
In the use of the personal data under paragraph one, the possessor or controller shall
take reasonable steps to verify the accuracy, up-to-date-ness, and completeness of the
personal data.
The person or agency obtaining the personal data by virtue of the disclosure under
paragraph one shall not use or disclose the personal data for the purpose other than the
purpose for which the personal data are first obtained.
Section 16. The sending or transfer of personal data to any country that has no
provisions for personal data protection at the level materially equal to the provisions of this
Act shall not be made, except for the following cases:
(1)
where consent of the data subject has been obtained;
(2)
where it is necessary for the performance of obligations under a contract to
which the data subject is a party or of a contract between an agency and other person for the
benefit of the data subject;
(3)
where it is made for the benefit of a person who is unable to give consent.
Section 17. Where the data collector proceeds wrongfully, violates any provision
of this Act, or collects the data in excess of what is necessary, the data subject shall be
entitled to request the data collector to erase, or suspend the use of, or alter the personal data
so that the data shall be in the unidentified form.
In the case under paragraph one, the data subject may submit a request to the
Commission to order such data collector to do as required.
CHAPTER 2
ETHICS IN PERSONAL DATA PROTECTION
_______________
Section 18. In the collection or publication of personal data under this Act, the
person or agency may compile code of ethics to set the guidelines for the protection of
personal data, provided that the standards thereof shall not be lower than the rules provided in
this Act.
Section 19. The Commission may prescribe any measures against any agency that
fails to comply with the code of ethics for the protection of its personal data.
Section 20. The Commission may compile guidelines for the persons or agencies
in relation to the enforcement of the code of ethics for the protection of personal data.
The Commission may publish the guidelines in paragraph one for dissemination to the
public or proceed by other means as the Commission may deem appropriate.
Section 21. The code of ethics for the protection of personal data shall be
registered with the Commission under the procedures prescribed by the Commission.
The provision of the preceding paragraph shall also apply to the amendment to the
code of ethics for the protection of personal data.
CHAPTER 3
PERSONAL DATA PROTECTION COMMISSION
__________
Section 22. A commission called “Personal Data Protection Commission”,
consisting of the Prime Minister, or a person designated by the Prime Minister, as a chairman,
and seven qualified persons as members appointed by the Council of Ministers from
consumers, operators of business relating to personal data, representatives of relevant State
agencies, and academics, shall be established, and the Secretary-General shall be a member
of, and the secretary to, the Commission.
The secretary may appoint no more than two assistant secretaries.
Section 23. The person to be appointed as the Commission member shall be
specialized in law, engineering, computer science, economics, social science, commerce or
finance and banking, and shall meet any one of the following requirements:
(1)
being in the government service or used to be in the government service at the
level not lower than the director-general or the equivalent;
(2)
having been or used to be an instructor of relevant law in a State educational
institution at the university level for not less than five years;
(3)
being knowledgeable and capable in the field of computer technology or
computer network system;
(4)
being knowledgeable and used to be engaged in the work that involves the
protection of personal data, or having skill and capability that will be beneficial to the
Commission’s mission.
Section 24.
A Commission member shall hold office for a term of four years.
The Commission member who vacates office at the end of the term shall continue to
perform his duty until a new member takes office. In order that the new Commission member
shall take office at the end of the office term of the former member, the selection and election
process for the new member shall be made sixty days prior to the end of the term of the
former member.
Where the Commission member vacates office before the end of the term, the
replacing member shall hold office for the remaining period of the term of the former
member he replaces.
The member that vacates office at the end of the term shall be eligible for reappointment, but may not hold office for more than two consecutive terms.
Section 25. In addition to the vacation of office at the end of the term under
Section 24, the Commission member shall vacate office upon:
(1)
death;
(2)
resignation;
(3)
being dismissed by the Minister on the ground of misconduct.
Section 25. At a meeting of the Commission, if the chairman does not come to, or
is not present at, the meeting, the Commission members present shall elect a member to
preside over the meeting.
A decision at the meeting shall be made by a majority of the votes. One member shall
have one vote. In the case of tie votes, the chairman over the meeting shall cast another vote
as a casting vote.
Section 27. Any Commission member who has any interest, either directly or
indirectly, in any matter to be considered by the meeting shall inform the Commission of his
interest prior to the meeting and such member shall not attend the meeting to consider such
matter.
Section 28.
The Commission shall have the following authorities:
(1)
to set any policy, measures, and guidelines with regard to the protection of
personal data;
(2)
to monitor in order to ensure that the protection of personal data shall be as
provided in this Act;
(3)
to recommend to the Council of Ministers to enact royal decrees pursuant to
this Act;
(4)
to recommend to the Council of Ministers to amend the law or regulations
being in force as may be relevant and appropriate;
(5)
to give advice on any proceeding for the protection of personal data of either
State agency or private agency with regard to the compliance with this Act;
(6)
to promote and support the development of skills in learning and understanding the
protection of personal data to the public;
(7)
to promote and support the research for development of technology relating to
the protection of personal data;
(8)
to inform, advertise, disseminate the information relating to the proceeding for
the protection of personal data that may cause damage or be detrimental to the rights of
relevant persons;
(9)
to monitor and accelerate the competent officials, government agencies, or
other State agencies, to exercise the power and perform the duties as provided by law, and to
accelerate the competent officials in relation to the prosecution of the offense of violation of
the law on the protection of private data;
(10) to review complaints of relevant persons pursuant to this Act, and to decide
disputes among relevant parties;
(11) to conduct legal proceedings in the case of violation of any provision of this
Act upon request or as it may deem appropriate;
(12) to appoint sub-committees or competent officials to do any act pursuant to this
Act as it may deem necessary and appropriate;
(13) to prepare reports regarding the implementation of this Act for submission to
the Council of Ministers from time to time as may be appropriate at least once a year;
(14) to issue rules, regulations or to do any other acts in order to implement the
purposes of this Act.
In the performance of its duties under this Act, the Commission may designate the
Private Data Protection Office to perform or to prepare recommendations for the Commission
to take further actions.
Section 29. In the implementation of this Act, the Commission shall take into
account the necessity, possibility, and consistency with the law, provisions of the
Constitution and other laws, potential impact, and burden or difficulty to the people or
persons subject to this law.
The Commission shall recommend to the Council of Ministers to review or improve
the rules under this Act every five-year interval, or in the case where any dispute or problem
in connection with the implementation of this Act could arise.
Section 30. The Commission may appoint sub-committees or competent officials
to consider any matter or to perform any acts as designated by the Commission.
Section 31. The Commission members and sub-committee members shall receive
remuneration in the form of meeting allowance, traveling expenses, and other compensation
according to the rules and rates as provided in a royal decree.
Section 32. The Commission shall have the power to order any person to deliver
documents or information relating to the matter under a complaint or any matter relating to
the protection of relevant person’s rights. In this regard, it may also call any person to come
to give statements in person.
Section 33. In the performance of its duties under this Act, the Commission shall
grant opportunity to the accused or suspected of violation of the provision of this Act to
clarify the facts, give opinion, and provide arguments and produce evidence as may be
reasonable, except for the case of necessity and urgency.
The provision of paragraph one shall not apply to the following cases, except as
otherwise deemed appropriate by the Commission:
(1)
in the case of urgency where its delay will cause severe damage to any person
or affect public interest;
(2)
where it will cause the period of time prescribed by law or regulation to be
delayed;
(3)
in the case of the fact given in the complaint, answer or statement by the party;
(4)
where it is clear in itself that the granting of such opportunity cannot be made;
(5)
other cases as prescribed in its notification by the Commission.
In the prescription or issuance of any order on any matter pursuant to this Act, the
Commission shall take into account the damage that may be incurred by relevant persons and,
where it is appropriate, the Commission may prescribe conditions or provisional measures for
the enforcement of such order.
Section 34. The Commission and the competent official who perform pursuant to
this Act shall be the official under the Penal Code.
In performing his duty every time, the competent official shall present his identity
card to relevant person.
Section 35. The Personal Data Protection Office shall be established as a State
agency to function as the secretarial office for the Commission, and it shall have a status of a
juristic person under the supervision of the Ministry of Science, Technology and
Environment. For the flexibility purpose, the Office shall have its own administrative system
that is different from the government system, and the Office shall comply with the rules,
regulations and stipulations as prescribed by the Commission.
Section 36. The Office shall have the authorities to do any act to implement
resolutions of the Commission and to do other things pursuant to the purposes of this Act,
which shall include:
(1)
to take charge of secretarial work for the Commission;
(2)
to manage and use the budget provided by the government for maximum
benefit to the administration or pursuant to the regulations prescribed by the Commission;
(3)
to acquire, own, lease, take lease, sell on hire-purchase, borrow, lend, and
exchange, transfer, take transfer, and sell or dispose of, by any means, immovable property,
including securities and intellectual properties, and to accept any property delivered or given
by any person;
(4)
to enter into agreement and cooperate with any organization or agency, either
in or out of the country, in activities relating to the protection of personal data;
(5)
to accept complaints or appeals relating to the protection of personal data of
relevant persons and the processing of personal data for submission to the Commission;
(6)
to study, compile, and analyze the processing of personal data and other
information that may be helpful to the performance of the Commission, and to give assistance
and advice with regard to such information, and to publicize the result and knowledge to and
to educate the public;
(7)
to follow up and monitor the behavior of any agency or possessor or controller
of data record who commits any act that constitutes the violation of relevant person’s rights,
and to conduct a test or proof regarding the measures and standards for the processing and the
safeguard of personal data as may be appropriate and necessary for the protection of relevant
person’s rights;
(8)
to do any acts as designated by the Commission.
Section 37. The Office shall have the Secretary-General, appointed by the Council
of Ministers upon recommendation of the Commission, as the administrator of the Office
pursuant to Section 36, and to do other things pursuant to the policy and resolutions of the
Commission or as designated by the Commission.
Section 38. The Secretary-General shall hold office for a term of four years, and
may be re-appointed for no more than two consecutive terms.
The provision of Section 24 shall apply to the vacation of office of the Secretary-General mutatis mutandis, and the Secretary-General shall vacate office upon being
disqualified or subject to the prohibitions pursuant to Section 25.
Section 39. The Secretary-General shall have the qualifications and not be subject
to the prohibitions pursuant to Section 25 and shall meet the following requirements:
(1)
being able to perform his work full time for the Office;
(2)
being no more than 65 years of age;
(3)
not being a bankrupt;
(4)
not being an incompetent person or a quasi-incompetent person;
(5)
not holding a political position, a member of a local assembly, a local
administrator, a member, or an executive, or an official of a political party;
(6)
not being an employee, a government servant holding regular position or
receiving regular salary, an employee or temporary staff of a state enterprise or state agency
or a local administration body;
(7)
not holding a position, or being in charge, or having interest relating to the
undertaking that deals with personal data for commercial purpose.
Section 40. The law on labor protection with regard to the payment of
compensation and payment to the workmen’s compensation fund, the law on labor relations,
and the law on state employee’s relations shall not apply to the Secretary-General, employees
and temporary staff of the Office.
CHAPTER 4
COMPLAINT AND APPEAL
___________
Section 41. Where there is any reasonable ground to suspect that any proceeding
relating to personal data may cause damage to relevant person, the Commission may order
the data collector or the possessor or controller of personal data record to conduct the proof
on such proceeding. If the data collector or the possessor or controller of the personal data
record fails to conduct the proof on such proceeding or delays in doing so without reasonable
ground, the Commission shall have the proof conducted on the expenses of the data collector
or the possessor or controller of the personal data record.
If the proof finds that the proceeding relating to personal data of any agency or data
collector or possessor or controller of personal data record may cause damage to any relevant
person or other person, and it is unable to prevent the damage that may be caused by such
proceeding under this law or other law, the Commission shall have the power to issue an
order prohibiting such proceeding and, if it deems appropriate, the Commission may order
the agency or data collector or possessor or controller of personal data record to do anything
under the conditions as prescribed by the Commission. Where any proceeding in relation to
personal data cannot be altered, the Commission may order the agency or data collector or
possessor or controller of personal data record to destroy or have it destroyed on the expenses
of the agency or data collector or possessor or controller of personal data record.
Where it is necessary and urgent, if the Commission deems that there is reasonable
ground to suspect that any proceeding in relation to personal data may cause damage to
relevant person or other person, the Commission shall have the power to issue an order
prohibiting any such proceeding relating to personal data under paragraph one or two.
The order prohibiting the proceeding relating to personal data under paragraph one or
two shall be published in the Government Gazette.
Section 42. If the rights of relevant person under this Act are affected or may be
affected, the complaint shall be filed with the Commission to enforce the rights of such
relevant person.
Rules and procedures for the filing of the complaint under paragraph one shall be
according to the regulations prescribed by the Commission.
Section 43. For the purposes of the facilitation for the public, the economy and
efficiency of the proceeding, the Commission shall prescribe regulations with regard to the
rules, time, and hearing procedures as may be appropriate for the circumstance, provided that
they shall not be contrary to the rules provided under this Act.
Section 44. When the complaint is filed pursuant to this Act, the Commission shall
complete the procedures without delay, and shall grant to the person filing the complaint, or
relevant person, an opportunity to give statements and produce evidence supporting his
statements as may be reasonable.
When the Commission issues an order not accepting or closing any matter, the person
filing the complaint shall be notified of the order and the reasons for not accepting or closing
the matter.
Section 45. A person shall be entitled to file a complaint with the Commission
pursuant to the provisions of this Act. The complaint pursuant to this Act shall not bar the
rights of such person to take action pursuant to other laws.
Section 46. In the implementation of this Act, the competent officials shall have
the following authorities:
(1)
to inspect the premise relating to the complaint, subject to reasonable advance
notice to the owner or occupant of such premise;
(2)
to seize or attach the property, documents, or things relating to the commission
of offense under this Act for the purpose of inspection or legal proceeding;
(3)
to perform other acts as designated by the Commission.
CHAPTER 5
CIVIL LIABILITY
___________
Section 47. Where any proceeding relating to personal data in any manner causes
damage to relevant person, the data collector or the possessor or controller of personal data
record shall be obligated to make compensation therefor, irrespective of whether the
proceeding is conducted with intent or in negligence by the data collector or the possessor or
controller of personal data record, except where such person can establish that such
proceeding is caused by:
(1)
the force majeure;
(2)
the compliance with an order of the government or government officer;
(3)
the act or omission of that relevant person or other person;
(4)
the compliance in full with the code of ethics prepared by itself.
The compensation under paragraph one shall include all expenses as actually paid by
the government in order to prevent such incurred damage.
CHAPTER 6
PENALTY
________
Section 48. Whoever commits any act relating to personal data for the unlawful
benefit of himself or other person, or to cause damage to others, shall be subject to an
imprisonment not exceeding three years, or a fine not exceeding sixty thousand Bahts, or
both.
If the act under paragraph one is a dissemination of data in specific manner or by
disclosure of such data, the person who commits the act shall be subject to an imprisonment
not exceeding five years, or a fine not exceeding one hundred thousand Bahts, or both.
Section 49. Whoever, for the benefit of himself or other person, or in order to
cause damage to others, disseminates personal data in specific manner or by disclosure in
violation of the provision of Section 15, shall be subject to an imprisonment not exceeding
three years, or a fine not exceeding sixty thousand Bahts, or both, except where such offense
is a grave offense.
If the act under paragraph one causes damage to others, [the person who commits the
act] shall be subject to an imprisonment not exceeding five years, or a fine not exceeding one
hundred thousand Bahts, or both.
Section 50. Whoever violates or fails to comply with the regulations, guidelines,
measures or notifications prescribed by the Commission pursuant to the provisions of this
Act, shall be subject to an imprisonment not exceeding three years, or a fine not exceeding
sixty thousand Bahts, or both.
Section 51. Whoever violates or fails to comply with the order issued by the
Commission pursuant to the provisions of this Act, shall be subject to an imprisonment not
exceeding five years, or a fine not exceeding one hundred thousand Bahts, or both.
Section 52. Whoever knows the business of another person by reason of his
performance pursuant to the authorities under this Act and then discloses the same to others
shall be subject to an imprisonment of one year, or a fine not exceeding twenty thousand
Bahts, or both.
The provision of paragraph one shall not apply to the disclosure in the following
cases:
(1)
it is the performance of duty;
(2)
it is made for the purpose of investigation or legal proceeding;
(3)
it is made in connection with the offense under this Act;
(4)
it is made for the purpose of remedy to be consistent or meet the standards or
measures prescribed by the Commission;
(5)
it is made to a state agency, in or out of the country, in connection with such
matter;
(6)
a consent in writing of the person has been obtained.
Section 53. Whoever requests the alteration to the personal data resulting in its
becoming materially misleading shall be subject to an imprisonment not exceeding three
years, or a fine not exceeding sixty thousand Bahts, or both.
Section 54. Whoever gives false statement or omits to disclose facts that should be
disclosed to the Commission, or the competent official, which may cause damage to a
relevant person, shall be subject to an imprisonment not exceeding six months, or a fine not
exceeding ten thousand Bahts, or both.
TRANSITORY PROVISION
_________
Section 55. The provisions of Section 7, Section 8, Section 10 and Section 15 shall
apply only to personal data that are collected after this Act comes into force.
The provisions of Section 11 through Section 14 shall apply to personal data under the
control of an agency irrespective whether the collection of such data is made before or after
this Act comes into force.
Section 56. During the five-year period after this Act comes into force, the
National Electronics and Computer Technology Center, National Science and Technology
Development Agency, shall function as the Personal Data Protection Office and the Director-General of the National Electronics and Computer Technology Center shall function as the
Secretary-General.
Countersigned by:
____________________
Prime Minister