Financial Crime World

Organizations Must Not Collect Excessive Personal Data

To protect individuals' personal data, the Brunei Darussalam government has proposed regulations that prohibit organizations from collecting more personal data than is necessary and reasonable for the stated purpose.

Transparency in Data Collection

Under the proposed Personal Data Protection Ordinance (PDPO), organizations must inform individuals clearly of the purposes for which their personal data will be collected, used, or disclosed, including any further purpose that arises during processing. If personal data is to be used for a purpose other than the one originally notified, fresh consent must be obtained. Where the individual is a minor (under 18 years old), consent must be obtained from a parent or legal guardian.

No Transfer Without Protection

The proposed regulations also prohibit transferring personal data outside Brunei Darussalam unless the transferring organization has taken adequate measures, such as contractual obligations or other safeguards, to ensure the data will receive protection comparable to that required under the PDPO.

Reasonable Security Measures

Organizations are required to protect personal data by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal, and similar risks. The same obligation extends to data intermediaries, that is, parties that process personal data on behalf of another organization. The regulations do not prescribe specific security measures; however, the Authority for Info-communications Technology Industry (AITI) has announced plans to issue guidance on the types of measures organizations and data intermediaries should adopt.

Breach Notification Mandatory

In the event of a data breach that is likely to result in significant harm to individuals, or that is of a significant scale, organizations must notify the Responsible Authority within three calendar days. Affected individuals must also be notified once the Responsible Authority has been informed.

Enforcement and Penalties

The Responsible Authority will administer and enforce the PDPO, with powers to issue directions to organizations and to impose financial penalties of up to BND1 million or 10% of an organization's annual turnover for contraventions. Organizations are also required to maintain privacy policies, supporting transparency and accountability.

Conclusion

The proposed PDPO sends a clear message that organizations must prioritize the protection of individuals' personal data and refrain from collecting excessive or unnecessary information. By implementing reasonable security measures, running transparent consent processes, and notifying the Responsible Authority and affected individuals of breaches, organizations can demonstrate their commitment to protecting individual privacy.