Keynote Speech by Deputy Commissioner, Mr Yeong Zee Kin, at Know Ahead to Stay Ahead – Leadership’s Engagement in Data Protection at the Infocomm Media Development Authority on Wednesday, 22 May 2019
22 May 2019
1. Good morning ladies and gentlemen, thank you all for being here this morning; and a special welcome to our guests who have flown in for Privacy Awareness Week. I wish to begin by recognising the hard work put in by our partners: the Singapore Business Federation, who organised this event with us, and the Law Society, for supporting this event.
Supporting Leaders in Innovation
2. We operate today in an increasingly connected and competitive business environment. In a connected world, there is a proliferation of personal information as we spend more time online. Concomitantly, smart personal and home devices offer new possibilities by tapping on geolocation sensors, accelerometers and audio-visual sensors. This has caused us to re-examine the internal contours of personal data – how do we provide consumers with more control over personal data that are produced primarily through their activities and effort, while preserving the investment of companies in working with data to derive new insights? Minister Iswaran released a discussion paper on data portability earlier this year when he attended the Mobile World Congress in Barcelona.
3. Today, we take the discussion forward with the release of our third consultation paper, on the topic of data portability and data innovation. Data portability allows consumers to make a request to port user-provided and user-activity data to a new service provider. This is envisioned to incentivise the creation of both new as well as competitive products and services. As a complement to data portability, the Commission intends to clarify that organisations may use personal data which they have already collected for innovation purposes. This will provide organisations with the confidence to use data to enhance their products, improve their services and to know their customers better. In the coming months, we will be engaging with consumers and industry to delve into the operational details of these proposals.
4. Data portability and data innovation are further steps that we are taking along the pathway of accountability. Data portability enhances data subjects’ ability to access and obtain a copy of their personal data, by clarifying that data controllers’ accountability to consumers extends to the transmission of a copy of their personal data upon request. Data innovation clarifies when organisations may make secondary use of data for innovation purposes without seeking fresh consent. To benefit from them, accountable organisations have to put in place sound policies and practices. It is to the topic of translating accountability from principle to practice that I devote the bulk of my address.
Accountability & the PDPA
5. The principle of accountability forms the substratum of the PDPA. Section 11 of the PDPA states that an organisation is responsible for the personal data in its possession or under its control. The organisation is also required to designate someone responsible for its compliance with the PDPA, and who will develop and implement the necessary policies and practices in order to do so. This principle pre-dates the PDPA and its roots may be traced to the 2003 voluntary Model Data Protection Code for the Private Sector.
6. The Commission’s shift from compliance to accountability is therefore not a shift in principle but a shift in emphasis. We focused on promoting accountability practices in our journey which started in 2017, and which is taking place in 3 stages:
First, introducing accountability tools from 2017. This includes guides such as the Guide to Developing a Data Protection Management Programme (DPMP) and the Guide to Data Protection Impact Assessments (DPIA).
Second, recognising organisations with accountable practices through certification systems such as the Data Protection Trust Mark (DPTM), which we piloted last year and formally launched earlier this year in January.
Third, upcoming amendments to the PDPA will further accentuate and integrate accountability within the Act. Mandating accountable practices like risk assessments allows us to enhance our consent regime, and provide additional options like deemed consent through notification-and-opt-out, and a legitimate interest exception.
7. Today, I wish to share with you how we are integrating accountability into our regulatory policies and practices.
Incorporating data protection into the corporate risk management framework
8. The DPMP Guide sets out a comprehensive approach to designing, implementing, and administering a DPMP, in order to help organisations comply with the PDPA. A DPMP covers management leadership’s role in designing policies and implementing processes for the handling of personal data; as well as defining the roles and responsibilities of the people within the organisation. A DPMP helps organisations build high-trust relationships with customers and business partners through its ability to demonstrate accountable practices.
9. Today, we are releasing a revision of the DPMP Guide to include an updated section on risk management. In line with what we have been pushing for in the DPMP Guide, we have worked with MAS and the Singapore Institute of Directors to include data protection as a specific item in the Board Risk Committee Guide, which is part of the Institute’s Corporate Governance Guides for Boards in Singapore. Highlighting data protection as an aspect of compliance and IT risks ensures that data protection gets attention at the Board level, and that data protection risks are included in Enterprise Risk Management Frameworks. This rounds out that section of our DPMP Guide by ensuring that data protection risks get the attention of the Board; and is complemented by our recommendation that the Data Protection Officer be appointed from, or have a direct reporting line into, senior management. Good accountability practices within an organisation must start right, and the direction and tone have to be set by its highest leadership.
Providing more tools to assist adoption of accountable practices
10. Policies have to be translated into practices that members of staff are able to carry out. A DPMP maps out internal practices, including process and systems monitoring tailored to an organisation’s risk profile. Over the years, we have introduced tools to assist DPOs, for example, the Data Protection Starter Kit, the PDPA Assessment Tool for Organisations (PATO), the Data Protection Notice Generator, the DPIA Guide, in addition to the DPMP Guide that I just spoke about. I am excited to share that over the next couple of weeks, we will be releasing additional accountability tools to assist DPOs:
We are taking first steps into RegTech for personal data protection. RegTech is the use of technology to help organisations meet their regulatory monitoring, reporting and compliance obligations. The Personal Data Asset Inventory Tool was developed by ICONZ-Webvisions through IMDA’s Open Innovation Challenge. It was facilitated by the PDPC and supported by DPOs who volunteered their time and experience to help define its feature-set. It will be made available for download at the end of the month. It allows DPOs to map and keep track of how personal data is being managed within their organisation and across all data touchpoints. This is a free-to-use tool and made available on an open source basis. We hope that this will allow DPOs to carry out their work in a more efficient manner, as well as encourage solution providers to commercialise this tool with enhanced features and functions.
We also have companies coming forward to make available free basic versions of their commercial solutions. Just last month, Straits Interactive launched their Basic DPOInBox. Later this month, OneTrust will also be launching a free edition of their privacy management software. This is just the start, and we will continue to work with solution providers to make more data protection RegTech tools available so that DPOs can better manage the personal data under their organisation’s care.
Another important accountability tool in a DPO’s arsenal is the practice of data protection by design. The principle is to embed data protection considerations into the design of business processes or information systems. The DPbD Guide will be launched at the Asia Pacific Privacy Authorities (APPA) forum later this month. It will provide very practical guidance on design considerations at each stage of the software development life cycle to meet data protection obligations. For those who are curious, you can get a preview at our Data Protection by Design session, co-organised with SGTech, taking place tomorrow (i.e. 23 May 2019) at PIXEL.
Vigilance and responsiveness as hallmarks of an accountable organisation
11. An effective DPMP will include an internal monitoring and reporting system for data breach incidents, complemented by drawer plans that the organisation can activate during such a contingency. Today, we take further steps to shape the right behaviour and practices in this area. As you may already know, the Commission intends to convert the voluntary breach notification system that we have today into a mandatory data breach notification regime. Under this system, organisations will have to notify the Commission and affected individuals when a significant data breach occurs. This is necessary for 3 reasons:
First, notifying individuals enables them to take steps to protect themselves. This can include actions such as changing their passwords or terminating their credit cards. We want to strike a balance between empowering individuals with information so that they can act, and not inundating them with so many notifications that they develop fatigue and miss the one notification which required their attention.
Second, by notifying the Commission early, we can provide guidance to organisations in managing the breach and containing any potential harm. Our primary aim is to work with organisations to manage the incident. We hope to be able to lend our experience to organisations without the expertise. In this, I believe that the Commission and organisations’ interests are aligned in acting to protect the consumer.
Finally, the data breach notification regime allows the Commission to identify trends and problem hotspots, thereby enabling us to design appropriate interventions. This is something that we are currently doing, as can be seen from some of our more industry-focused advisory guidelines; the MCST advisory guidelines released in March this year are the most recent example. Mandatory breach reporting enhances our ability to intervene effectively in this area.
12. Today, we release a revised data breach management guide. This fleshes out the voluntary breach notification system we have in place presently, by providing detailed guidance on the contents of a data breach management plan, and the steps for responding to data breaches. This is encapsulated in our 4-step CARE framework:
Containing the data breach;
Assessing impact and implementing the remediation plans;
Reporting the breach to the Commission and notifying affected individuals if necessary; and
Evaluating the response and considering actions to prevent future recurrence.
13. The revised data breach management guide is out on our website now. It is a tangible step taken by the Commission to work with organisations to get ready for the future. We are still operating a voluntary breach notification system, but we are fleshing it out so that we can make use of this time to work through the operational details. By working together with industry, we can co-create a system that is practical to operate while effective in delivering on the objective of protecting our consumers’ personal data.
14. An essential part of our CARE framework is remediation. An accountable organisation will have remediation plans that are ready to be implemented during a contingency. When coupled with a good internal monitoring and reporting system, data incidents are identified early and swift action can be taken. Early action can reduce the risks to customers. How can the Commission encourage and incentivise this behaviour? On this occasion, we are also releasing the Guide on Active Enforcement, or the Active Enforcement Framework (the "Framework") as we refer to it. We have parlayed the experience of enforcing the PDPA over the last 4 years into a Framework that optimises our investigative resources and maximises the effectiveness of our enforcement reach.
15. I will only point out that the Framework is available on our website and I will leave it to your curiosity to do the rest. But on the topic of accountability, I wish to highlight that we have crafted two enforcement policies to motivate organisations to develop and implement accountable practices.
First, we are introducing an option for organisations to submit an undertaking. For companies that have detected a data breach early and demonstrate that they are able to respond to this breach quickly with established processes, what they need most is time to implement their remediation plan. Such organisations will be able to submit an undertaking that they are ready to implement their remediation plan and resolve the breach. This high standard can only be met by organisations who have sound accountable practices. One class of such organisations are those whose accountable practices have been independently audited, for example organisations who are Data Protection Trust Mark-certified. Naturally, acceptance of an undertaking in lieu of investigations is a matter for the Commission’s discretion. The Commission will accept an undertaking only if it achieves a similar or better enforcement outcome than the traditional investigative process.
Second, for organisations that are contrite and willing to admit that they have breached the PDPA, we are introducing an expedited process. This is available for cases where the nature of the data breach is similar to common precedent cases. These clear-cut data breaches can and should be brought to a conclusion swiftly. This is expected to reduce the time required for investigations by up to half, and provides an option for accountable organisations to conduct themselves in a dignified manner. Organisations can expect that where financial penalties are involved, the organisation’s admission of its role in the incident will be taken as a strong mitigating factor.
16. In the final analysis, accountability is about being answerable to the people who entrust you with personal data. These can be your customers, your employees, as well as business partners seeking to engage your services to process their personal data. The ultimate goal of our shift from compliance to accountability is to establish a high level of consumer trust as the bedrock of our data protection regime, thereby enabling data innovation in Singapore’s Digital Economy.
17. The Commission’s efforts that I have shared today are directed at supporting the development of good data protection practices within an organisation. First, by setting the right tone such that organisational leadership takes data protection risks seriously, and by motivating the right corporate response through our enforcement policies. Second, by assisting DPOs in their development of data protection policies and practices through the provision of accountability tools. These initiatives help provide a firm foundation on which future enhancements to the consent regime, data portability and data innovation can rest.
18. On this note, I thank you all for your attention, and I look forward to engaging with you in deeper discussions on these topics in our panel discussion.