Policy Unknown Data Governance
Source
Data Protection Policy

Brunei Darussalam

Consent Data Data collection Data Protection Data privacy Data User Encryption Personal Data

Definition of Data

All, including personal data in electronic or manual form

Main Focus of Document

Provides for the protection and privacy of data

Target Beneficiaries or Sector

Citizens, non-citizens

Key Elements

The aim is to ensure that personal data is protected and privacy is maintained. The policy makes provision for a policy administrator to promote and ensure that data and privacy are protected. Any data user breaching the policy may be subject to disciplinary action.

Notable sections include:
Policy Scope and Exemptions 
 4.1. This policy sets out the minimum requirements for the protection of data, whether in electronic or manual form, by all Government Ministries, Departments, Educational Institutions and Statutory Boards. This policy is subject to any existing applicable legislation. 
 4.2. Agencies are allowed to develop internal policies, guidelines and procedures to meet their specific circumstances, as long as the requirements specified in this policy are met, provided that the further extension to this policy does not contravene with any other government policy or any national legislation. 

11. Principle IV – Collection of Data 
 11.1. The collection of data, including personal data, shall be limited to that which is necessary for the purposes specified by the Agencies. 
 11.2. Data is to be collected by fair and lawful means. 
 11.3. Collection beyond purposes specified is permitted in the following circumstances: 
 11.3.1. When all of the following apply: 
 (a) the collection is clearly in the interest of the Individual; (b) it is impracticable to obtain the consent of the Individual to that collection; and (c) if it were practicable to obtain such consent, the Individual would be likely to give it. 
 11.3.2. the Individual gives consent. 
 11.3.3. collection beyond purposes specified is for legal, medical or security reasons. For example, when data is being collected for the detection and prevention of fraud or for law enforcement. 
 11.3.4. if data collection assists the Individual to fulfil a statutory requirement. 
 11.3.5. data is being collected in an emergency that threatens the life, health or security of an Individual. 
 11.3.6. collection of data which is generally available to the public. 
 11.3.7. collection of data is necessary to render a service for which the Individual has applied. 
 11.4. Agencies shall not collect data indiscriminately. Both the amount and the type of data collected shall be limited to that which is necessary to fulfil the purposes identified. 

12. Principle V – Use, Disclosure and Retention of Data 
12.1. Data shall not be used or disclosed to a third party for purposes other than those for which it was collected, except with the consent of the Individual or as required by law. 
12.2. Data shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected unless required by legislation to retain this data for archival purposes. 
 12.3. Use or disclosure beyond the purposes for which data were collected is permitted in circumstances such as the following: 
 12.3.1. When all of the following apply: (a) The use or disclosure is clearly in the interest of the Individual; (b) it is impracticable to obtain the consent of the Individual to that use or disclosure; and (c) if it were practicable to obtain such consent, the Individual would be likely to give it. 
 12.3.2. use or disclosure of the data is for legal, medical, or security reasons, for example, when data is being used or disclosed for the detection and prevention of fraud or for law enforcement. 
 12.3.3. if data use or disclosure assists the Individual to fulfil a statutory requirement. 
 12.3.4. data is being used or disclosed in an emergency that threatens the life, health or security of an Individual. 
 12.3.5. use or disclosure of data which is generally available to the public. 
 12.3.6. use or disclosure of data is necessary to render a service which the Individual has applied for. 
 12.3.7. disclosure is made to an institution whose purpose is the conservation of records of historic or archival importance and disclosure is for such purpose. 
 12.4. If Agencies use the data for a new purpose it shall document this purpose in accordance with the Specifying Purposes principle (refer to clause 9.2). 
 12.5. The Agencies are allowed to develop internal policies, guidelines and procedures with respect to the retention and destruction of data. Data that has been used to make a decision about an Individual shall be retained long enough to allow the Individual access to the data after the decision has been made. 

14. Principle VII – Safeguards for Data 
 14.1. Agencies must ensure that all data shall be protected by appropriate security safeguards. 
 14.2. The security safeguards shall protect the data against accidental or unlawful loss, as well as unauthorised access, disclosure, copying, use, or modification. Agencies shall protect the data regardless of the format in which they are held. 
 14.3. The nature and extent of the safeguards will vary depending on: 
 14.3.1. the sensitivity of the data that have been collected; 
 14.3.2. the amount, distribution, and format of the data; 
 14.3.3. the method of storage; 
 14.3.4. the state of technological development; and  
 14.3.5. the cost and reasonableness of implementation of the safeguards. 
 14.4. The methods of protection should include one or more of the following: 
 14.4.1. physical measures, for example, secured filing cabinets and restricted access to offices; 
 14.4.2. organisational measures, for example, security clearances and limiting access on a "need-to-know" basis; 
 14.4.3. technological measures, for example, the use of passwords and encryption, as may be available, appropriate and reasonable from time to time. 
 14.5. Agencies shall make employees aware of the importance of maintaining the confidentiality of data. 
14.6. Reasonable care shall be used in the disposal or destruction of personal data, to prevent unauthorised parties from gaining access to the data. 
 14.7. Safeguards for data protection shall be assessed by the Administrator from time to time, as and when required. 

15. Principle VIII – Openness about Data Protection Policies and Procedures 
15.1. Agencies shall make available information about its policies, guidelines and procedures for handling data including personal data. 
 15.2. Agencies shall be open about their policies, guidelines and procedures with respect to the management of data. Individuals should be able to acquire information about the Agencies' policies, guidelines and procedures without unreasonable effort, for example through the Agencies' websites. Such information shall be made available in a form that is generally understandable. 
 15.3. The information made available shall include: 
 15.3.1. the contact details to whom complaints or inquiries can be forwarded; 
 15.3.2. the means of gaining access to data held by Agencies; 
 15.3.3. a description of the Agencies' policies, guidelines or standards which make clear that data held by the Agencies or which are made available to other parties are necessary for the purposes of fulfilling a legal or regulatory requirement or for delivering a public service; and 
 15.3.4. procedures for an Individual to obtain more detailed information on data held by the Agencies or shared with other agencies for Individual cases, including any fees applicable for such a request. 

Policy/Regulation Mirrors

n/a