Address by Mr Tan Kiat How, Commissioner of PDPC, at the PDP Seminar 2017 on Thursday, 27 July 2017, at the Sands Expo and Convention Centre, Marina Bay Sands
28 Jul 2017
Dr Yaacob Ibrahim, Minister for Communications and Information,
Speakers,
Distinguished Guests,
Ladies and Gentlemen,
1. The Digital Economy provides exciting opportunities for businesses and workers. We have seen the rise of platforms in domains such as e-commerce, social media and e-payments, and the growth of vibrant digital ecosystems around these platforms. In these ecosystems, data is the currency of exchange and the basis on which enterprises innovate business models, products and services. Trust is a key lubricant that enables the entire system to function.
2. A robust data protection regime is important to engender trust in our ecosystem and enable our companies to seize growth opportunities. That is why since the last seminar, we have been ramping up data protection capabilities among organisations.
Current Data Protection Landscape
3. We are making steady progress. From our recent industry survey, the number of organisations with some data protection policies and practices in place has increased to 96%. This is up from 70% the year before.
4. Of these, half had appointed a Data Protection Officer, or DPO. While this is a marked improvement over the previous year’s 40%, we cannot stress enough that appointing a DPO is mandatory. More importantly, it is a decision that should not be taken lightly. As the champion within the organisation, the DPO plays an important role. He takes the lead on putting in place internal policies, designing processes and inculcating the right data protection culture. On our part, the PDPC will continue to develop programmes and schemes to support and elevate the DPO in his role.
5. It has been three years since the data protection provisions have come into force We have investigated over 300 enforcement cases since then, with a majority of the cases receiving an advisory notice. For the more serious cases, we issued over 30 full-length decisions where many of the organisations in breach had to pay financial penalties and carry out other directions to strengthen their data protection policies and practices.
6. Our firm enforcement actions aim to drive home the message that personal data protection is important. As we strive towards a Digital Economy, data protection cannot be just about compliance; it must be about accountability. Accountability is an organisation’s promise to customers that their personal data will be handled carefully. It is about being able to demonstrate to customers that the organisation has put in place measures that pre-emptively identify and address risks to the personal data of their customers.
7. In a recent survey that we conducted among some 1,500 consumers, 93% of respondents trusted that, with the PDPA in place, their personal data would be protected from misuse by organisations; four out of five respondents had noticed an improvement in organisations’ data protection practices; and 73% of the respondents was willing to provide their personal data to these organisations for products, services and other perks. It’s a significant change from last year, where only about half of them indicated a willingness to do so. This suggests greater trust in the organisations here.
8. This trust is an asset that all of us, as stakeholders in our local ecosystem, have a collective responsibility to preserve and protect.
Building a Culture of Trust in the Data Protection Ecosystem
9. Let me elaborate how PDPC will help companies make this transition from compliance to accountability.
10. Later this year, PDPC will be producing two guides – the first on how to implement a Data Protection Management Programme, or DPMP; and the second on how to conduct Data Protection Impact Assessments, also known as DPIAs. These are accountability and data protection by design tools, which adopt sensible, risk-based approaches towards data protection.
11. A DPMP sets out the organisation’s management policies, application of processes and practices, and roles and responsibilities of staff in the handling of personal data. Developing a DPMP within an organisation takes careful planning and considerations of all aspects of data collection and use, and the DPMP guide will help organisations put in place a practical and robust personal data protection programme regime.
12. To help DPOs make strategic decisions on where and what to focus their efforts on, PDPC will be introducing a PDPA Assessment Tool for Organisations. It is an interactive online tool that helps the DPO to review the organisation’s data protection policies and processes, identify gaps, provide actionable suggestions and recommend relevant resources – such as the PDPC’s advisory guidelines – to improve data protection measures. This tool will be free and made available on PDPC’s website.
13. The second guide is on the conduct of DPIAs. It will be a useful resource for the DPO as he sets about reviewing systems or processes to identify where personal data may be at risk. This guide can also be used when designing new systems or processes. DPIAs should ideally be conducted once before the design of the system or process is finalised, and again to ensure that the solutions to address the risks are properly implemented before the system or process goes ‘live’. The integration of DPIAs within an organisation’s business processes is a crucial step towards adopting a Data Protection by Design approach.
Supporting our SMEs
14. We foresee that some companies may need a bit more guidance. This will be especially true for SMEs who may not have an experienced DPO on staff. To support them, we will be implementing a few measures.
15. First, the Data Protection Starter Kit. This is expected to be introduced later this year. It will be a step-by-step guide that highlights nuggets of useful information and resources, such as sample clauses, forms and templates in an easy-to-understand manner. This will be available first as an online and hardcopy resource, and will be followed by a mobile app.
16. Second, PDPC will be appointing a panel of Data Protection Advisors to provide targeted help for SMEs. The advisors can guide SMEs on the implementation of data protection processes and systems that are tailored to the organisation’s operational needs. This advisory service will allow SMEs to have a better understanding of their obligations under the PDPA, identify data protection gaps within the organisation and point them to relevant resources. Advisors will also be able to identify available grants that SMEs may tap on, types of courses their employees can attend, and connect them to external data protection service providers.
17. I have spoken about the tools and guides that we will be introducing this year as the first stage of our journey from compliance to accountability. In the next stage, we plan to develop the DP Trustmark. We aim to do so by end 2018. The DP Trustmark is a clear recognition that an organisation has put in place accountability practices that go beyond a checklist approach to compliance. Over the coming year, we will be seeking views on key features of the Trustmark, for instance the certification criteria. We plan to start the industry consultation by end of the year.
Learning from One Another
18. The PDPC has been actively issuing enforcement decisions for about 15 months now. There are always lessons we can draw from each situation.
19. Let me give you an example. We received a complaint against the Singapore Institute of Management (SIM) concerning the alleged disclosure of the complainant’s NRIC image to a third party over the institute’s online portal. While processing applications, a staff erroneously uploaded the complainant’s scanned NRIC image to another applicant’s online records. This human error resulted in the disclosure of the complainant’s personal data to the third party. Upon notification of the incident, SIM immediately removed the image from the portal. The staff who committed the error was also counselled.
20. The key issue is whether the organisation has made reasonable security arrangements to protect their applicants’ personal data. After investigation, we determined that the sample documentary checks that SIM had instituted were adequate in providing reasonable assurance of the correct tagging of applicants’ scanned documents. Hence, we were satisfied that SIM had adequately discharged its Protection Obligation and decided that there was no breach.
21. This case is one of the many that we have compiled in a Personal Data Protection Digest. With a Digital Economy, the discourse on data protection laws and practices will only grow deeper. The Personal Data Protection Digest deals with practical issues faced by data protection practitioners in the course of their work, and cover a variety of topics.
I hope that it will provide helpful guidance to DPOs, as well as lawyers and in-house legal counsels who advise on data protection. Our aim is for this effort to contribute to the growing knowledge and experience in this area.
22. At this time, I would like to acknowledge the contributions of the Data Protection Advisory Committee. Their sound advice and industry insight have informed the Commission's decisions. This volume is very much their product as well.
Conclusion
23. We believe that data protection and data innovation goals are not mutually exclusive. In fact, a robust data protection regime is an important foundation for which data innovation can thrive. All of us have a shared responsibility to build up the trust quotient needed to enable the smooth functioning of this ecosystem, which enable businesses to seize opportunities and reap the rewards of data innovation.
26. I hope many of you will benefit from today’s event.
27. On that note, I would like to thank Minister Yaacob for gracing our event once again, and wish everyone an engaging and fruitful day.
Tags: