Mr Trevor Hughes, IAPP President and CEO,
Commissioner Raymund Liboro, my co-speaker and counterpart from the Philippines,
Fellow personal data protection and privacy colleagues,

1. I am honoured for the opportunity to address a gathering of data protection professionals, and for Singapore to play host to this annual exchange of knowledge and experience.

Data Landscape Shaped by Frontier Technologies such as Artificial Intelligence (AI)

2. Singapore has embarked on a new phase of its digitalisation journey with the recent launch of the Digital Economy Framework for Action. The ability to use and share personal data innovatively, and responsibly can translate into a competitive advantage for businesses. Infusing AI into business operations can accelerate digital transformation.

3. According to a McKinsey study, global investment in AI during 2016 was US$26 –  39 billion, with tech giants accounting for US$20 – 30 billion. Locally, IMDA is working with different sector agencies to create AI adoption strategies to help businesses embrace this transformative technology. As industry adoption of AI grows, we have to promote responsible use of both AI and data, so that we engender a high level of consumer trust and willingness to make use of AI-empowered apps and services.

4. Progressive policies are key enablers of data-driven innovations. Stringent data protection laws may earn a country the reputation of consumer empowerment but this may be at the expense of business friendliness, and may stifle innovation. Too laisse faire an attitude is not conducive either. Consumer adoption of emerging technology may be slow, if silence from the data protection authority results in low public trust and confidence.

5. Singapore believes that there is a viable middle ground. Our assessment is that AI as a technology is still developing but more importantly, businesses have only just begun to explore how AI can be used to enhance their products and services. We need to give both technology and businesses the room to explore and grow. However, consumer concerns must be acknowledged and addressed. The PDPC is not ignorant about these issues nor can we ignore consumer concerns.

6. One key concern is cybersecurity. This is why PDPC continually emphasises the need to adopt a Data Protection by Design approach to building systems. Incorporating data protection elements into the very architecture of systems will be more effective in protecting the personal data they hold. The Data Protection Impact Assessment is an effective tool to identify risks, and how to address them. I should also emphasise that good accountability practices have to be part of an organisation’s operational processes, and cannot be a one-off effort. In an increasingly connected world, we must always remain vigilant.

7. IMDA announced our collaboration with AI Singapore last November to develop the AI ecosystem, and drive industry adoption. Last month, Minister for Communications and Information announced a set of initiatives for the governance of AI and data use that is intended to support Singapore’s growth as a hub for AI development and innovation. I take this opportunity to explain how these initiatives work together.

i) Establishing an Advisory Council on Ethical Use of AI and Data

8. The Advisory Council on ethical use of AI and Data is formed to provide guidance on complex ethical issues arising from new business models and innovations in the AI space. It brings together AI technology providers, businesses that use AI and representatives of consumer interests. It will host conversations with industry and consumers. The Council serves as an effective barometer of business needs and ground sentiments to shape the Government’s plan for a sustainable AI ecosystem, by producing model frameworks and voluntary industry codes.

ii) Proposed Framework on Fostering Responsible Development and Adoption of AI

9. The PDPC issued a paper proposing an accountability-based framework for responsible development and adoption of AI. This is meant for stakeholders to discuss ethical, governance and consumer protection issues in a systematic and structured manner. Ethical concerns relating to algorithmic decision making are addressed in a pragmatic manner in the proposed framework. The governance model can be adopted to manage issues like how data is used in a responsible way when AI is used in decision-making. The framework also provides guidance on how consumer relationships can be managed.

10. The PDPC will be working with the Advisory Council to convert this into a model framework in the coming months.

iii) Research Programme on the Governance of AI and Data Use

11. Singapore Management University (SMU) School of Law has been appointed to establish an independent research centre to conduct scholarly research on complex issues relating to AI and data use. The intention is to build up a body of knowledge of the legal, policy and governance issues concerning AI and data use. At the same time, we will also develop a pool of experts knowledgeable in these issues. The research centre will complement existing initiatives to strengthen scientific AI academic research and the professional training programme, to build a robust AI ecosystem.

Making Singapore A PDP Training Hub for the Region

12. I turn now to speak about how we are supporting Data Protection Officers. One initiative that the PDPC recently commenced is to create RegTech solutions to help with data protection compliance. IMDA launched an Open Innovation Platform just three weeks ago to crowd source for ideas and leverage on the expertise of ICT solution providers. PDPC contributed two data protection problem statements that will hopefully provide DPOs with practical tools that we can all use back in our offices. One of them is the Personal Data Asset Inventory Tool, and the other is the Data Protection Impact Assessment Tool. We will be asking for DPOs to volunteer to help us shape the requirements. Our intention is to make these tools available open source so that other service providers can enhance them and integrate them into full-featured suites.

13. We continue to emphasise the importance of training and upgrading our knowledge. Today, I have the pleasure of announcing several new initiatives that make available high-quality training programmes for data protection practitioners.

i) Enhancing DPO Excellence - Practitioner Certificate for Personal Data Protection

14. The PDPC had previously developed a basic data protection course which has become the staple of data protection basic training. I am pleased to announce that we will be rolling out an intermediate course that will lead to the ‘Practitioner Certificate for Personal Data Protection (Singapore)’. The intermediate course teaches pragmatic skills on how to develop and adapt accountability practices in our organisation. These accountability skills will be applicable regardless of which jurisdiction we operate in.

15. I am pleased to share that IAPP is developing the examination content for the certificate. DPOs taking the examination can expect IAPP’s standard of rigour in the examination questions. The course is scheduled to commence this October, and we have appointed SMU Academy to be our first training provider for the course.

16. The intermediate course will raise the baseline for data protection training, while supporting industry efforts in developing more advanced training. Just last week, SMU Academy launched an Advanced Diploma in Data Protection and Operational Excellence, the first in the Asia-Pacific region. Students who have completed the intermediate course will be given credits towards the Advanced Diploma.

ii) Building Competency – SMU & NUS to Offer Undergraduate Law Courses on Personal Data Protection

17. In the span of just four years since PDPA came into force, we now have two data protection law text books and three years’ worth of PDPC enforcement decisions. I am excited to announce that the National University of Singapore (NUS) and the Singapore Management University (SMU) will both start offering personal data protection law courses this academic year. PDPC supported the development of these courses. If anyone of you are interested, I am glad to inform that these courses will be open to both undergraduate and postgraduate students.

Conclusion

18. PDPC is labouring hard to make Singapore a training hub for personal data protection expertise in the region. The annual IAPP Asia Privacy Forum holds an important place in our annual training calendar. Last year, we changed the format of PDPC’s annual Personal Data Protection Seminar to expand it into a full day event with hands-on workshops on practical topics in the afternoon. Previously by coincidence but recently by design, we have twinned both of these annual programmes to run consecutively. Our Personal Data Protection Seminar takes place on Wednesday, after the end of IAPP and I look forward to seeing some of you at our event.

19. Let me end by thanking IAPP for inviting me to deliver the keynote address, and by wishing all of you a fruitful two-days of education and catching up with old friends. Thank you.