Protection of personal data is a major concern in several jurisdictions. Our overseas clients often ask us about their obligations with respect to personal data they may have compiled, whether intentionally or inadvertently, with respect to their employees, customers, clients, or service users. Unfortunately, it is a common misconception that Thai law offers no protection to personal data. On the contrary, there are many sources of law that protect personal data and prohibit its disclosure, in certain circumstances.
As a foundation, the 2007 Constitution provides that a person’s family rights, dignity, reputation, and the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever, to the public, which violates or affects a person’s family rights, dignity, reputation, or the right of privacy, shall not be made, except for the case which is beneficial to the public. Personal data of a person shall be protected from the seeking of unlawful benefit as provided by law. The coverage of this clause was expanded from the 1997 Constitution.
With respect to personal data maintained by the government, the Official Information Act protects personal information of Thai people and foreigners who have residences in Thailand. The Act defines personal data quite broadly, to include information relating to all the particulars of a person, such as education, financial status, health record, criminal record, and employment record, which contain the name of such person or contain a numeric reference, code, or such other indications identifying that person, including fingerprints. The law specifically includes tapes or discs, on which a person’s sound is recorded, photographs, and information on those who are deceased. The Act sets out requirements for personal data systems operated by the government, establishes restrictions on the disclosure of personal data, and empowers data subjects to request correction of personal data maintained by the government.
The Penal Code also addresses the disclosure of secrets by those who acquire them in the context of their functions as government officials or as practitioners of certain professions, including doctors, pharmacists, midwives, nurses, priests, lawyers, and auditors. Specifically, these individuals are prohibited from disclosing such secrets in a manner likely to cause injury to any person. These obligations also apply to assistants to such professionals, as well as to persons undergoing training for these professions.
There are also a variety of industry-specific regulations applicable to personal data collected or maintained by certain participants in those industries. For example, telecommunications licensees are subject to special regulations relating to the personal data of their service users, and must procure the compliance of third parties contracted to process such data. There are also specific requirements relating to personal data under the Financial Institutions Act, the Credit Information Business Operation Act, and the National Health Security Act. These set out additional obligations and, in some cases, provide comprehensive frameworks for data protection, applicable only within those industries or to those who use such information.
The Personal Data Protection Bill, which has been under consideration for a number of years, would provide a comprehensive regulatory structure for personal data, applicable to virtually all government and private sector entities. Based on the latest Bill we have reviewed, the concept of personal data is essentially the same as that used in the Official Information Act. The Bill would establish a Personal Data Protection Board, and would set numerous obligations for data controllers. It takes the general approach that a data controller may not collect, use, or disclose any personal data, without the consent of the data owner, except as authorized by law. The Bill contains an outright prohibition on collection of data relating to sexual conduct, criminal history, health, national origin, race, political opinion, or religious beliefs; data that is detrimental, impairs one’s reputation, or causes any sense of discrimination; and as otherwise may be prescribed in ministerial regulations, though it would also provide a number of exceptions to this prohibition.
The Bill would require that data owners’ consent only be sought honestly, and would establish a framework for regulating this. It would also empower data owners to revoke their consent at any time, subject to the requirements of applicable law and other agreements, though revocation of consent would not be effective with respect to personal data that has been properly anonymized. Data controllers would also have the obligation to ensure that proper security measures are in place, so as to protect personal data against loss, alteration, or modification, and they would also be obligated to ensure that the data used or disclosed (when permissible) is correct, complete, and current. Moreover, if a data controller wishes to use or disclose personal data for a purpose beyond that for which the data owner has given consent, it would almost always be necessary to seek the data owner’s further consent. Subject to some exceptions, it would also be necessary to seek consent to transfer personal data overseas, and a process would be established for consideration of whether the intended recipient country’s personal data protection laws are sufficiently stringent.
In addition to the foregoing, business operators would be subject to additional requirements. These would include the obligation to set out appropriate policies and to communicate them when seeking consent, to procure the compliance of their employees (through terms in employment agreements, as well as through training), to properly identify employees who collect personal data (through name badges), and to file reports with the Personal Data Protection Board. There would also be special obligations when winding up a business, so that personal data is still sufficiently protected or properly disposed of. To aid consumer understanding, the Bill would also establish a certification program, which would allow ‘good’ data controllers to display a certification mark to their customers.
Current laws guard against disclosure of personal data, particularly when such disclosure would be damaging in some way, and higher levels of protection already exist in certain sectors. The Personal Data Protection Bill, when it is enacted, will provide additional protection for consumers, but will also present businesses with greater compliance responsibilities.