Opening Address by Mr Leong Keng Thai, Chairman of PDPC, at the Data Privacy Asia Conference 2015, Tuesday, 25 August 2015, at the Grand Hyatt Singapore

25 Aug 2015

Fellow speakers,

Distinguished guests,

Ladies and gentlemen,

  1. It is a great honour to be invited to deliver the Opening Address for Data Privacy Asia 2015, an event attended by data protection and privacy experts from Asia and beyond, some of whom have had operated in the sphere far longer than I have.

  2. This morning, I shall be sharing with you Singapore’s experience in developing a personal data protection regime, and how we have crafted the regulatory framework to complement the country’s transformation into a Smart Nation.

  3. The need for a personal data legal framework in a highly connected society

  4. The Singapore we know today is a highly connected island state. As of 2014, smartphone penetration rate was more than 90% and business broadband adoption stood at 86%.

  5. Such pervasive connectivity, boosted by intensified use of social media and over-the-top applications, amplifies the economic value of data to organisations, making it the new currency of this decade. It is therefore timely that Singapore establishes a legal framework to govern the management of personal data by organisations, as a measure to safeguard such information from misuse.

  6. Where we are today?

  7. Since the establishment of the Personal Data Protection Commission in January 2013, the Commission has focused its efforts on raising awareness, building personal data protection capabilities of organisations, and developing advisory guidelines that provide clarity on the interpretation of the Personal Data Protection Act, or PDPA in short.

  8. The PDPA covers two main sets of provisions – data protection and the Do Not Call Registry – that organisations are required to comply with. The Act, which governs the collection, use and disclosure of personal data by organisations, is built on the key principles of consent, purpose and reasonableness.

  9. I am pleased to share that a recent industry survey showed a 92% awareness level of the Act amongst organisations polled. It also showed that 86% of organisations had some compliance measures in place and 77% of these organisations were able to comply with the Act with ease. These statistics demonstrate that organisations are mindful of the importance of personal data protection, and are taking progressive steps in making Singapore a trusted business hub.

  10. Enforcement as a necessary tool

  11. While the Commission’s preferred approach is to educate, instil good personal data governance and seek compliance, we understand that effective enforcement is often necessary for the Act to yield results. To date, the Commission has brought two organisations to court for Do Not Call-related offences, and has issued advisory notices to about 2,000 organisations with minor isolated breaches.

  12. In considering the appropriate enforcement measures to be pursued in each case, the Commission takes into account various factors, such as the severity of the breach, the degree of isolation between incidents, the number of complaints against the organisation, and its cooperation after being informed of objectionable practices. Organisations are largely cooperative when confronted, and would avidly review and adjust their data protection policies and practices in compliance with the Act. The Commission is cognisant that the Act is still in the early phase of implementation and organisations require more guidance in achieving compliance.

  13. Working with partners

  14. Industry engagement is essential in securing broad compliance with the Act. Last year proved to be a fruitful year for the Commission, in terms of collaborative efforts to engage and educate. Besides working with the Consumers Association of Singapore (CASE) and Singapore Mediation Centre (SMC) to set up mediation bodies for the resolution of personal data protection disputes between organisations and individuals, we also teamed up with industry leaders such as the Ministry of Health (MOH), Council for Estate Agencies (CEA) and National Council of Social Services (NCSS) to release sector-specific advisory guidelines. Furthermore, we collaborated with, Infocomm Development Authority of Singapore (IDA), Singapore Workforce Development Agency (WDA) and various schools to conduct PDPA courses and trainings for organisations and individuals.

  15. It gives me great satisfaction to report that through our proactive outreach to trade associations and their members, since the establishment of the Commission we have helped more than 22,000 corporate representatives from the finance, retail, telecommunication, healthcare, social service and education sectors, among others, to build up their in-house personal data protection capabilities.

  16. Importance of striking a balance between innovation and personal data protection in building a Smart Nation

  17. Innovation has contributed significantly to the creative use of personal data and the advent of big data analytics. We see the birth of e-commerce, social media, and technological devices designed to facilitate convenience in daily lives and enhance connectivity for communications and productivity.

  18. Recognising an increased global focus on the value of Smart Cities – particularly along the recurring themes of “Intelligence, Liveability and Sustainability” – Singapore Prime Minister Lee Hsien Loong announced the country’s intention to become the world’s first Smart Nation in November last year.

  19. Two important trends drive Singapore’s Smart Nation vision: Big Data, which provides useful insight for urban planning, and the Internet of Things, where everyday devices are web-connected to make business processes more efficient and lives better.

  20. The context of Smart Nation, Big Data and Internet of Things underlines the need for organisations and individuals to be pre-emptive in personal data governance and protection. Data points relating to behaviours and preferences of individuals have become a competitive advantage many organisations recognise, culminating in an inevitable growth in the volume of personal data held by them.

  21. Personal data protection is thus a critical enabler of business activities in Singapore’s economy. Without the assurance that such information is protected, individuals will not have confidence and trust in the organisations’ use of their personal information.

  22. The extraction and analysis of Big Data can yield enormous benefits for society. Yet it can also pose inherent risks, such as unintended associations, automated decision making and re-identification risks.

  23. Big Data’s perspective of personal data as information to be used, as opposed to data protection regulators’ perspective of personal data as information to be protected, could be the basis for a divergence in their approaches to data governance.

  24. In the context of Big Data, the key challenge lies in enabling the use and disclosure of data to support the progress of technology and innovation, whilst protecting personally identifiable information, to allay privacy concerns.

  25. It thrives on data proliferation, through which benefits are derived from the analysis of large amounts of personal data collected. There is also a conflict with the application of purpose limitation obligation, since its use of personal data is not always well-defined.

  26. In spite of the apparent dichotomy between Big Data and personal data protection, both values remain important to Singapore and the Commission strongly believes that balancing them is not only possible but crucial. Organisations need to recognise that only with good data governance could trust be gained, and individuals would then be willing to share personal data that is essential for innovation and an interconnected lifestyle.

  27. Risks and mitigating measures

  28. I wish to highlight that personal data protection is not just a concern for consumers; a survey conducted by the Information Systems Audit and Control Association (ISACA) in 2015 indicates that 83% of organisations surveyed listed cyber attacks as one of the top 3 threats they face. The growing importance of cyber security is a global phenomenon. Organisations need to understand the kind of threats they face, evaluate resources in coping with incidents, and strengthen protection of critical assets. In this regard, firm data protection laws can influence the incorporation of personal data governance in organisations’ risk management practices. Data breaches should also be managed and reported immediately depending on their severity, so that relevant authorities can address the issue in a timely manner.

  29. Data transfer across borders is inevitable in an increasingly globalised economy. The huge volume of electronic data being transferred internationally and the ease and speed in which they could be transmitted amplify the challenges posed to the regulation of personal data transfers.

  30. Cross-border data flows are further complicated by the lack of interoperability between data protection jurisdictions. To start off with, not all jurisdictions have data protection regimes. Between the jurisdictions that do, the legislative environments remain fragmented, with different interpretation of what the law covers and the level of compliance required.

  31. As such, it is imperative for regions to establish broad frameworks that countries could agree on for the regulation of cross-border transfers of data.

  32. Regionally, the Association of Southeast Asian Nations, or ASEAN, has taken a strong interest in personal data protection. ASEAN recognises the importance of having a region-wide data protection regime to support its goal of regional economic integration.

  33. In 2013, ASEAN partnered with the United Nations Conference on Trade and Development (UNCTAD) to conduct a study on how the region could develop a harmonised data protection regime in the context of supporting regional e-commerce growth. The findings were encouraging. Most of the ASEAN Member States was noted to have some form of domestic data protection laws, with the rest in the process of developing one. This highlighted the common view of all ASEAN Member States on the need to safeguard personal data, particularly against the background of ubiquitous use of social media and growing Internet economy.

  34. Going forward, under the new ASEAN ICT Masterplan 2016-2020, the region will be looking at how it can further strengthen personal data protection and work towards a harmonised regime.

  35. Conclusion

  36. Personal data protection will continue to be an issue of great interest for both organisations and individuals alike. With that said, we also recognise the importance to keep pace with developments in other parts of the world, particularly Europe, United States and the Asia-Pacific, on discussions around issues relating to cloud computing, big data, mandatory breach notifications, to name a few.

  37. It is important for Singapore to keep abreast with international developments for our policies to stay relevant. This is fundamental in positioning Singapore as a trusted hub for data management and processing activities in this new digital age.

Tags: