Online
feedback for Singapore's proposed data protection law closed last week, marking
another step closer to the start of the country's data protection regime.
Outlining enforcement rules and penalties for
organizations, the proposed framework seeks to protect consumers' personal data
through regulating the collection, use, disclosure, transfer and security of
such data.
The data protection bill, however, excludes
the public sector. As ZDNet Asia blogger and Singapore lawyer, Bryan Tan,
points out, an "eye-catching point" is that government use of
consumer information isn't covered in the proposed law. The government's
rationale for this is that public sector rules already offer similar levels of
protection for personal data as the proposed data protection bill.
I wonder, however, if these "rules"
also outline measures citizens can take should the government leak, as a result
of weak IT security systems or practices, confidential personal data it
collected.
I wonder also if these public sector rules
apply to affiliated government agencies and their subsidiaries that may, or may
not, be strictly involved in national policies and related matters. And that's
the question returning Tech Podium guest blogger, Ngiam Shih Tung, asks in his
post today.
An engineering manager for an aerospace
maintenance, repair and overhaul (MRO) company, Shih Tung is a Singaporean who
has been closely following data privacy issues in the country and had urged in
his previous blog for the public sector to be included in the data protection
law.
While I understand the need for some
government entities to be exempted from such legislation, for instance, to
facilitate the sharing of essential data such as electronic medical records to
provide better healthcare services, this "privilege" of exemption
should be applied sparingly and only when it concerns citizens' welfare. And by
welfare, I most definitely do not mean information-sharing for marketing
purposes, promotional events or customer loyalty programmes that any affiliated
government organization may be involved in, and certainly, not some dating
service agency that targets university graduates.
Like Shih Tung, I doubt our government would
reconsider its stance and include itself in the final data protection law. But
I am hoping that with sufficient, and persistent, public feedback, Singapore's
lawmakers will eventually realize the need to do so and make the right decision
to stand alongside its global counterparts that have already done so.
My company recently decided to send its
leadership team for a team-building activity organized by Outward Bound
Singapore (OBS), and we were required to fill in OBS' course registration form
which contained the usual disclaimers. Buried in the consent clause was this
statement: "I also authorize the Outward Bound Singapore to disclose my
personal information to its employees/agencies as it is necessary for official
purposes in connection with the People's Association (including PAssion Card)
Programmes."
Why should I give my personal information to
the People's Association (PA) as a condition of taking part in an OBS
programme? A bit of background here: OBS is the licensee of Outward Bound
International in Singapore and is operated by the PA, which is a government
agency that was set up to promote racial harmony and social cohesion. It does
this through a network of Community Centres, so-called "grassroots
organizations", and even a discount card programme, the PAssion Card,
which was referred to in the disclaimer.
In my previous post here, I speculated that
the public sector would be excluded from Singapore's proposed data protection
(DP) law and unfortunately, I was proved correct when the Ministry of
Information, Communication and the Arts (MICA) released its consultation paper
on the proposed regime. According to the ministry, the public sector should be
excluded from the law because "public sector rules accord similar levels
of protections for personal data as the proposed DP law".
Insofar as they apply to the private sector,
MICA's data protection proposals do appear to be consistent with international
norms such as the OECD Guidelines and APEC Privacy Framework. Among the
principles MICA has accepted is the principle of consent, stating that
organizations must gain the consent of individuals before processing that person's
data. Quoting MICA's consultation paper: "An organization may not, as a
condition of supplying a product or service, require an individual to consent
to the collection, use or disclosure of personal data beyond what is necessary
to provide the product or service."
How then is it necessary for OBS to release my
personal data to PA and the PAssion Card programme just to enroll me in a
one-day team-building activity? There also was no check-off box for me to agree
or disagree to the disclosure of my data to third parties--there was just a
single omnibus consent clause.
The Singapore government has never revealed
its internal rules for handling personal data but suffice to say, either OBS is
not following the rules or the government's rules do not in fact provide the
same level of protection as the DP Act is intended to provide in the private
sector.
In any case, I struck off the part about
disclosing data to PA and wrote in an additional "NO DISCLOSURE TO
PA" for good measure on the form. We shall see whether I'll start
receiving promotional mailings or phone calls from PA anyway, despite my
admonition to OBS not to disclose my data to PA.
In an interview with local English daily The
Straits Times, PA's former head Tan Boon Huat admitted that grassroots leaders
may be given access to the profiles of PAssion Card members. In the Singapore
context, "grassroots leaders" refers to some 30,000 office-holders in
grassroots organizations around Singapore.
While grassroots members are officially
volunteers, they have close ties to ruling party Members of Parliament and
their children receive preferential admission to schools in their district. Tan
says that grassroots leaders have to follow the same confidentiality rules as
PA staff but the fact is that grassroots leaders are volunteers--there is no
contractual relationship between the PA and grassroots members. Hence, whatever
rules PA may have are not legally binding on the grassroots leaders.
Furthermore, because there is no employer-employee relationship between the PA
and grassroots volunteers, PA is not legally responsible for the actions of a
grassroots leader. According to the PA's Web site, there are 1,023,258 PAssion
Card members today.
Quite apart from this specific case, there is
a broader problem with the government's claim that its internal rules provide
sufficient protection for personal data. The basic fact is that internal rules
are not the same as legislation. They can be changed at any time and even if
the government were to break its own rules, affected individuals would have no
legal recourse.
Internationally, in a survey of 78 countries
in Privacy Laws and Business International Report, all but Malaysia and India
either included the public sector in their DP laws or had separate legislation
for the public sector. The United States and Thailand do not have comprehensive
privacy laws for their private sectors, but have privacy laws covering their
public sectors.
Singapore, therefore, seems to be out of step
with international trends in excluding its public sector from the country's
data protection legislation.
I am not optimistic that the government will
change its mind for this first iteration of the DP Act. However, I expect there
will be enhancements to Singapore's DP regime in the future, and we can
continue to urge the government to extend coverage of DP legislation to the
public sector in Singapore in the near future.
Eileen Yu