Keynote Speech by Mr Yeong Zee Kin, Deputy Commissioner of PDPC, at the 39th International Conference of Data Protection and Privacy Commissioners on Thursday, 28 September 2017, at the Kowloon Shangri-La Hotel, Hong Kong

28 Sep 2017

Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong,
Distinguished Guests,
Ladies and Gentlemen,

Singapore’s Personal Data Protection Philosophies – Pivoting from Compliance to Accountability to Support Innovation

1. The ICDPPC is the premier forum to discuss data protection and privacy issues bringing together regulators, policy makers and industry. It is a privilege for me to address you today on the topic of “Data Protection in Asia”. There is no better place than Hong Kong for us to juxtapose the data protection philosophies of the Eastern and Western hemispheres. I am delighted to be able to share Singapore’s perspectives with this august audience.

2. Briefly, there is a bundle of common law rights and statutory torts that collectively form an incipient branch of law on privacy in Singapore. For example, the right to seclusion is probably covered by the statutory tort in our Prevention of Harassment Act; and the right to prevent publication of private communication is likely to be a common law tort. A key feature of privacy law in Singapore is that it is enforceable by private civil action in the courts. The Commission administers and enforces our data protection law and it is to this topic that I devote the bulk of my speech to.

Personal Data Protection Built on Economic Fundamentals

3. Economies in Asia have diverse cultural, political and legal traditions. But even in the midst of diversity, there is a significant degree of similarities. One that comes immediately to mind is our drive for advancement in the economic sphere. Another is that our students always seem to do well in mathematics and science.

4. It is important to integrate our pursuit of personal data protection into our national economic agenda. This provides the impetus for consumers and businesses to start a dialogue about the expected standards for personal data protection. This dialogue should be constructive; data protection authorities have a role to play in facilitating the conversation and contributing to building a positive reinforcement loop. The ultimate goal is often the same with other economies that have different privacy traditions. We all strive to permit the innovative use of data that leads to better products and services for customers, while concomitantly providing assurance to consumers that their personal data are handled with utmost care and respect.

5. Singapore recognises that a robust data protection regime is an important foundation for the Digital Economy. In the Digital Economy, data is a strategic asset for companies. Data can help companies optimise the way they operate, improve existing products and services, or to innovate new ones. We believe that amplifying the level of trust between consumers and businesses is crucial for promoting innovation. In order to build an ecosystem of trust, we must reach beyond pro forma compliance with data protection laws, which is a necessary condition but no longer a sufficient condition in today’s competitive and data-driven landscape.

Pivoting from Compliance to Accountability  

6. We have started our pivot from compliance to accountability. In our view, accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is about being able to demonstrate to customers that measures which pre-emptively identify and address risks to personal data have been put in place. We see our pivot from compliance to accountability to encompass the following:

  • We have to move towards a regime that places paramount emphasis on the integration and observance of data protection standards as part of its business-as-usual processes and practices. This requires a fundamental shift in corporate cultural. 
  • To provide practical assistance to businesses and non-profit organisations, we will promote the adoption of accountability tools like risk assessments, data protection management programmes and consent registers. These tools will assist in the translation of concept to practice.
  • We see the corporate-and-consumer dialogue to be an important component of accountability. Businesses can communicate with their customers through multiple channels. We believe that a data protection trust mark is both a statement and a promise to customers. When data breaches happen, we view consumer breach notifications as a way that businesses can speak directly to their customers. In addition to email, online forum and chat bots, we believe that online dispute resolution can be an effective way of neutral-assisted dialogue to resolve customer dissatisfaction.
  • Prevention is better than cure, as the saying goes. Thus, we will be promoting and encouraging the adoption of data protection by design practices and privacy enhancing technologies in system and process design.
  • Ours is a system that relies on consent as the basis for processing. This has resulted in some less than ideal practices. In cases we have investigated, we have come across broad consent clauses. In one published decision, we did not allow a company to hide behind a broadly drafted consent clause. We need to de-emphasise and discourage reliance on broad ex-ante consent and provide parallel bases for the collection, use and disclosure of personal data.

7. In July 2017, Singapore’s Minister of Communications and Information, Dr Yaacob Ibrahim, announced a three-stage process to help companies along this journey from compliance to accountability.

First stage – Guides and Tools on Data Protection Management Programme and Data Protection Impact Assessments

8. In the first stage of the pivot towards accountability, the Commission will be producing guides and an online assessment tool to assist companies. We are finalising our guides to assist companies to put in place Data Protection Management Programmes and to help businesses conduct Data Protection Impact Assessments.

9. These are accountability and data protection by design tools. But it is equally important for organisations to discover where the gaps are before they start using these tools. To assist with the gap analysis, we are making available a PDPA Assessment Tool for Organisations. This is a free online resource that organisations may use to identify gaps in their data protection management. The Assessment Tool will provide suggestions and recommend resources, such as our advisory guidelines and other guides, that Data Protection Officers may refer to. When used in conjunction with the DPMP guide, a DPO will be able to make strategic decisions about what interventions are necessary to bridge the gaps that have been identified.

Second stage – Data Protection Trust Mark

10. In the second stage, we will launch a Data Protection Trust Mark certification scheme by the end of 2018. In a survey conducted last year, we found that 4 in 5 consumers would be more confident transacting with an organisation that holds an accreditation for meeting personal data protection standards. The Trust Mark can be seen as a recognition that an organisation has put in place accountability practices that go beyond a checklist approach to compliance. We will also recognise adoption of DP by Design practices. We have plans to integrate the APEC CBPR and PRP registrations into the Trust Mark application. We hope that this will encourage and assure the flow of data between trusted companies, both domestically and globally, thereby creating a network of trust.

Third stage – PDPA Review

11. In the third and final stage of our journey to accountability, the Commission plans to allow for a more progressive approach to collecting, using and disclosing personal data, while also providing greater transparency when data breaches occur. We have recently initiated the first phase of the review of our Act, to ensure that the regulatory environment remains relevant as technological developments have significantly changed how personal data is generated and collected today. When we first started to put our Act together, user-provided personal data formed the majority; today, user-provided data forms a diminishing set that sits alongside data generated by user activity and observable data, both of which are growing at an increasing pace.

12. Our ongoing public consultation solicits feedback on proposed enhancements to our framework for the collection, use and disclosure of personal data, and a mandatory data breach notification framework. There will be other consultations as we work towards the amendment.

Regulatory sandbox

13. I have shared that our view of accountability encourages dialogue between business and consumers. It will be hypocritical if we do not also engage in conversation. Therefore, the Commission is prepared to work with companies who have adopted accountability practices to create regulatory sandboxes so that they are not held back from deploying technological and business innovations. Working with consumers, stakeholders and businesses to construct sandboxes will allow us to understand how our proposed changes to the Act might work in practice. This in turn informs us as we fine-tune the details before the Act is amended. This should help us craft a set of amendments to our Act that will be relevant in the Digital Economy.

14. Details of the regulatory sandbox may be found in a recently released guide to data sharing. This guide sought to debunk the myth that the Act prohibits data sharing and also provided a framework for applications to the PDPC to exempt data sharing arrangements from specific obligations under the Act.

Conclusion

15. The ultimate goal of our shift from compliance to accountability is to establish a high level of consumer trust as the bedrock of our data protection regime, thereby enabling data innovation in Singapore’s Digital Economy. We look forward to working with businesses to build a trusted ecosystem to optimise the opportunities and rewards of data innovation.

16. On this note, I would like to thank the ICDPPC and the Government of the Hong Kong Special Administrative Region, China for the opportunity to speak, and for the successful organisation of the 39thConference. I wish you all a most thought provoking conference ahead.

Tags: