Last updated: 13 March 2023
Published on: 27 July 2017
9 MINS READ
From compliance to accountability: A robust and progressive data protection framework
Speech by Dr Yaacob Ibrahim, Minister for Communications and Information, at the Personal Data Protection Seminar 2017, at Sands Expo and Convention Centre on 27 July 2017 at 9.35am
Mr Tan Kiat How, Commissioner of the Personal Data Protection Commission,
Mr Leong Keng Thai, Executive Chairman of the Data Protection Advisory Committee,
Since we started this annual seminar, the attendance has grown every year. It goes to show that people recognise the value and importance of data protection. This is especially important given our plan to grow the digital economy and become a Smart Nation.
Earlier this year, Singapore released the Committee on the Future Economy’s report. Building strong digital capabilities was a key recommendation, and one strategy to achieve this is to use data as an engine of growth.
Indeed data has helped to improve our lives. Today, we can save time by finding the fastest routes from A to B. Companies like Grab, Ninjavan and CapitaLand make use of data to serve customers better and offer new services. NTUC is also using machine learning to recommend products to its members.
Technology will make it easier to collect and analyse the vast array of data in the future. But the most important determinant of whether we can realise the potential of data is not technology, but trust – trust that companies collect data sensibly, use them responsibly, and protect them well. Without trust, data sharing will decrease, and data-driven innovation will slow.
Singapore must therefore aspire towards a high standard of data protection that strengthens trust with the public, gives confidence to customers whose data is collected and used, while providing an environment for companies to thrive in the digital economy.
The PDPA provides the framework for data protection and sharing in Singapore. But the PDPA was crafted in an era where the majority of data was provided by users who fill in their personal particulars via physical and online forms. Today, data can be generated and mined through online activities and transactions. Mobile apps can make use of our location information to match us to the nearest car ride sharing apps or food delivery options. IoT devices stream data from health sensors and home cameras so you can keep track of your loved ones through various apps.
In these examples, consent clauses have been used to inform customers and seek their consent on how their personal data will be used. However, most people click through privacy notices or consent clauses without reading them.
A few years ago, British retailer GameStation played an April Fools’ joke on its customers by requiring customers to surrender their souls as a condition of sale – unless they chose to opt-out of this condition. Close to 9 in 10 customers did not choose to opt-out, presumably because they never even read the clause! While this was meant to be a joke, it highlights that the consequences of businesses treating personal data lightly can be very grave.
n Singapore, the PDPC has had to intervene in cases where companies were too lax with personal data. For instance, one company had obtained broad consent from its customers to disclose bank account details in the course of processing an insurance claim. However, the company subsequently shared personal bank details with a healthcare institution that did not require any payment information. The PDPC intervened to limit disclosures to what was required, even though the consent clause was broad enough to permit the sharing.
It is not possible for the PDPC to catch every single breach. Instead, companies must play their part. Organisations must change their mindsets, to not view data protection as a mere compliance exercise, but rather as a responsibility bestowed upon them by their customers, and fully integrated into the organisational culture of stewardship and accountability. This mindset shift is essential to build trust with their customers.
The PDPC has charted a three-stage process to help companies along this journey from compliance to accountability. In the first stage, the PDPC will be introducing later this year an online assessment tool and producing guides to help companies put in place a Data Protection Management Programme and to help businesses conduct Data Protection Impact Assessments.
In the second stage of our journey to accountability, we will launch a Data Protection Trustmark certification scheme by the end of 2018. In a survey conducted last year, PDPC found that 4 in 5 consumers would be more confident transacting with an organisation that has an accreditation for meeting personal data protection standards. The DP Trustmark will be a visible indicator that a business adopts sound practices and keeps its processes updated regularly. In assessing applications for the Trustmark, we will recognise businesses that have made the transition from mere compliance to accountability.
In the third stage of our journey to accountability, we plan to allow for a more progressive approach to collecting and using personal data, while also providing greater transparency when data breaches occur.
It has been five years since the enactment of the PDPA. It is therefore timely to review the PDPA to take on board the lessons that we have learnt, and to ensure that it is updated to reflect our ambitions to becoming a trusted global hub for innovative uses of data.
We will therefore be launching a series of public consultations on proposed amendments to the PDPA. In this first consultation, we will seek comments on proposed enhancements to our framework for collection, use and disclosure of personal data, and a mandatory data breach notification framework.
In particularly in the event of data loss or breaches, it is important that individuals’ interests are protected. This is why the PDPC is proposing the introduction of mandatory data breach notification to replace the voluntary one in place today. Notification will enable affected individuals to better protect themselves by taking some action, and allow affected organisations to receive guidance from the PDPC on how to manage the breach. We will build in thresholds to ensure this requirement does not become an unnecessary burden.
The PDPC is also prepared to work with companies who adopt accountability practices to create regulatory sandboxes to allow us to understand how our proposed changes to the PDPA might work in practice so that we can fine-tune the details before we amend the PDPA. This will enable companies who are ready to continue to be innovative and competitive.
Even as we urge businesses to be accountable for the data they collect and use, we also want to urge them to use the data meaningfully to drive growth and innovation. Data, once collected, can generate value not only for the organisation collecting the data, but also for others far removed from the initial point of contact.
Today, companies already have to share data with others in the ecosystem in order to provide services: an e-commerce shop needs to share customer data with the logistics company that delivers that package to your door step. When we purchase car insurance, our good driving record with one insurance company can be ported over to another insurance company when we switch insurers. The no claim bonus allows good drivers to enjoy a preferential insurance premium.
All of this benefits us as consumers, but these examples merely scratch the surface of what is possible with greater sharing of data. Companies that collaborate can achieve so much more for their customers. Unfortunately, some businesses would cite the PDPA as a reason for not sharing personal data. This is a myth. The PDPA does not prohibit the sharing of personal data. In fact, we want to encourage the responsible sharing of personal data in order to generate value for our economy. This is why the PDPC is publishing a Guide to Data Sharing to provide clarity for companies about how they can share data today.
In the digital economy, data flows do not happen solely within the confines of Singapore’s borders but take place internationally. In 2014, cross-border data flows accounted for almost US$3 trillion of global GDP. The direct value added to Singapore’s GDP of data connectivity in trade is estimated at around 40%. These numbers will only increase in the future. As they do, the international community will demand higher cross-border data protection standards so that customers and businesses overseas can exchange data with Singapore with the assurance that we will use the data responsibly.
I am therefore pleased to announce that Singapore has – this week – submitted our Notice of Intent to participate in the APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System – or the APEC CBPR and PRP – and will align our DP Trustmark standards with these. The APEC CBPR system harmonises data standards across participating economies, allowing businesses to share data responsibly across borders more seamlessly. Businesses can enjoy more clarity, save on the cost of ensuring compliance with multiple standards across different economies, and retain consumer confidence in the responsible handling of their data. Companies that obtain our DP Trustmark standards will concurrently be certified under the APEC CBPR.
Data is at the centre of the digital economy. By supporting data sharing for innovation, strengthening business accountability, and facilitating cross-border data flows, we hope to build a trusted, robust AND progressive data protection ecosystem in Singapore that allows us to harness the economic opportunities offered by the digital economy.
On this note, I wish you a fruitful seminar, with valuable insights and exciting exchanges. Thank you.
Pivoting from Compliance to Accountability
Data Protection Trustmark Certification Scheme
Supporting data sharing for innovation
Facilitating Cross-border Flows of Data
 Statistics from McKinsey Global Institute (2016) Digital Globalization: The New Era of Global Flows  Statistics from the APEC Policy Support Unit (2012)
IMDA and United States Federal Communications commission signed MOU to promote bilateral cooperation
The Infocomm Media Development Authority (IMDA) of Singapore and the United States Federal Communications Commission (FCC) have...
Nominations for 3rd edition of 100 Women in Tech list now open
Public invited to nominate women who are making an impact on Singapore’s tech industry “Girls in Tech” category returns for female...
Singapore and the European Free Trade Association launch negotiations on Digital Economy Agreement
Singapore and the European Free Trade Association (EFTA) have launched negotiations on an EFTA-Singapore Digital Economy Agreement...
Singapore and the European Union Sign Digital Partnership
Minister-in-charge of Trade Relations S Iswaran and European Commissioner for Internal Market Thierry Breton signed the...
Singapore firms can now tap on Temus-IMDA's talent conversion programme to fill tech roles
Singapore’s Minister for Communications and Information Mrs Josephine Teo officiated the launch of Temus’ Step IT Up programme...
Enhanced measures against scam SMS
As part of the measures announced by the Infocomm Media Development Authority (IMDA) in October last year, all organisations that...
IMDA and ACMA signed Memorandum of Understanding for enhanced cooperation to combat scam and spam communications
Infocomm Media Development Authority (IMDA) and Australian Communications and Media Authority (ACMA) signed Memorandum of...
The Korea-Singapore Digital Partnership Agreement Enters into force
The Korea-Singapore Digital Partnership Agreement (KSDPA) will enter into force on 14 January 2023. The KSDPA was signed by Second...
IMDA announces a $5 million fund to support Singapore’s media industry to adopt virtual production
To ensure that the local media industry remains competitive as the international partner of choice to create premium IP, the...
20 Industry Digital Plans, which have contributed to the uplifting of more than 85,000 businesses, will be progressively refreshed, with the Food Services Sector being the first to benefit from the refreshed model
The refreshed Food Services Industry Digital Plan will include a refreshed Digital Solution Roadmap, introduction of a roadmap...