Keynote Speech by Deputy Commissioner, Mr Yeong Zee Kin, at Data Interconnection and Security Development Summit, on Sunday, 5 January 2020, at Zhuhai, People's Republic of China
05 Jan 2020
1. Organisations today operate in an increasingly connected and competitive digital economy where individuals’ online and real-world activities generate a burgeoning amount of data. In such a competitive and evolving business environment, a “check-box” compliance approach may overly constrain businesses in their use of data to create value and better services for their customers.
2. Understanding that data protection and data innovation are two sides of the same coin, Singapore advocates for the use of data in a trusted manner as a bedrock for the digital economy. This guides our approach to data protection, going beyond a compliance-based approach to a heavier emphasis on the principle of accountability.
3. What do we mean by accountability? Simply put, accountability is exercising responsibility over personal data in your care, and being answerable to the people who have entrusted their personal data to you. This entails protecting personal data under your possession or control, and using personal data for not just lawful but ethical purposes, to benefit your customers. Trust cannot be built alone but has to permeate the supply chain. Organisations that have demonstrated accountability will provide their business partners with greater assurance, and strengthen trust with customers.
4. The principle of accountability forms the substratum of Singapore’s data protection law, the Personal Data Protection Act (PDPA). Section 11 of the PDPA states that an organisation is responsible for the personal data in its possession or under its control. The organisation is also required to designate someone responsible for its compliance with the PDPA, and who will develop and implement the necessary policies and practices in order to do so. This principle pre-dates the PDPA and its roots may be traced to the 2003 voluntary Model Data Protection Code for the Private Sector.
5. Over the past few years, Singapore increased our focus on promoting accountable practices:
- First, introducing accountability tools from 2017. This includes guides such as the Guide to Developing a Data Protection Management Programme (DPMP) and the Guide to Data Protection Impact Assessments (DPIA).
- Second, recognising organisations with accountable practices through certification systems such as the Data Protection Trust Mark (DPTM), which we piloted in 2018 and formally launched earlier last year in January.
- Third, upcoming amendments to the PDPA further accentuate and integrate accountability within the Act. Mandating accountable practices like risk assessments allows us to enhance our consent regime, and provide additional options like deemed consent through notification-and-opt-out, and legitimate interest exception.
6. Accountability entails the translation of data protection principles into effective practices by each organisation tailored to their needs, and highlights the importance of having proper internal governance and management structures to monitor the data that they hold. This enables them to react in the event of a data incident. In today’s digital economy, data incidents can happen to anyone, even to companies that are compliant with data protection laws. Retrospective remedy of data breaches is insufficient as the harm to customers and deleterious impact on commercial reputation cannot be reversed. It is thus important to pre-emptively identify and remediate risks in order to ensure that an organisation adequately protects the data that it holds. This shift to accountability allows us to encourage companies to go beyond mere compliance and be prepared for such data incidents.
7. On the international arena, accountability is an effective way to connect like-minded jurisdictions. Firstly, it focuses on effective implementation of data protection practices while recognising that data protection principles may be articulated differently in domestic laws, without dogmatic insistence on value-based doctrines such as fundamental or human rights. For example, our Courts have not read privacy and data protection as fundamental rights into our Constitution; but data protection is a set of obligations imposed on organisations and enforced by my office or through the civil courts as a statutory tort. This acknowledges the different cultural, historical and geographical traditions that influence the development of data protection laws and allows us to build bridges between jurisdictions which have chosen to enshrine their data protection principles differently.
8. Secondly, the emphasis on protecting stakeholders, from consumers and companies to economies, is a pragmatic approach that is suited for Asia. Accountability cannot be a principle preached by regulators to organisations but has to be embedded in how data protection systems are administered and enforced. I will speak to Singapore’s approach and experience in building a data protection ecosystem for our economy founded on accountability. When implemented as part of the data protection system of administration and enforcement, accountability can be an effective connector between like-minded economies, to achieve interoperability between different jurisdictions.
Singapore’s Implementation of Accountability
9. Singapore takes three perspectives in our implementation of accountability:
- First, from the perspective of organisations: Accountability is about getting their house in order, and putting in place data privacy policies and practices tailored for their needs.
- Second, from the perspective of administering an effective system of data protection: Accountability requires building a set of measures to incentivise the adoption of accountable practices, and to recognise organisations who have done so.
- Third, from the global perspective: Accountability enables our companies to connect with companies outside our borders who have similar accountable practices, thereby building a trusted network for cross-border data flows.
From the Perspective of Organisations
10. The PDPC’s suite of accountability tools is intended to help organisations put in place the right level of internal governance and security measures to protect personal data in their possession or under their control, so that data can be used responsibly and respectfully. Our Guide to Developing a DPMP sets out a comprehensive approach to designing, implementing, and administering a DPMP. A DPMP covers management leadership’s role in designing policies, monitoring data protection risks at the enterprise level and implementing processes for the handling of personal data; as well as defining the roles and responsibilities of the people within the organisation. A DPMP helps organisations build high-trust relationships with customers and business partners through its ability to demonstrate accountable practices.
11. These policies have to be translated into practices that members of staff are able to carry out. A DPMP maps out internal practices, including process and systems monitoring tailored to an organisation’s risk profile. Over the years, we have introduced various tools to assist organisations, for example, the Data Protection Starter Kit, the PDPA Assessment Tool for Organisations (PATO), the Data Protection Notice Generator, the Data Protection Impact Assessment Guide, in addition to the DPMP Guide that I just spoke about. We also released a Personal Data Asset Inventory Tool and DPOInBOX privacy management software earlier last year.
12. In May last year, we launched a Guide on Data Protection by Design (DPbD) in partnership with the Hong Kong PCPD. The principle of data protection by design is to embed data protection considerations into the design and development of IT systems. The DPbD Guide provides practical guidance on design considerations at each stage of the software development life cycle to meet data protection obligations, so that personal data is secured and protected against unauthorised use or disclosure.
From the Perspective of Administering an Effective Data Protection System
13. Abstracting from the organisation to a system-level perspective, we have also launched the DPTM certification in January last year to recognise organisations that have robust data management and governance standards. It is an enterprise-wide certification looking at an organisation’s standard of data protection policies, processes, and accountability practices, and is valid for three years. The DPTM promotes high standards that go beyond domestic data protection laws and which are aligned with international standards such as the OECD Privacy Principles and APEC Privacy Framework. It enforces consistency as it entails regular independent third-party review.
14. The DPTM is a visible badge of recognition that organisations are accountable and responsible in their data protection policies and practices. It enhances the competitive advantage of certified organisations who can differentiate themselves in the marketplace by their data management practices. Clients and business partners can be assured that not only are adequate data safeguards in place, there is also vigilant monitoring of systems, and drawer plans to contain and manage data breaches, should they occur.
15. We have also embedded accountability into our enforcement philosophy. Our Active Enforcement Framework recognises and motivates organisations to develop and implement accountable practices in two ways.
16. First, accountable organisations with an effective internal monitoring and notification system will have early detection of data incidents. If a data breach is confirmed, they will be ready to implement their breach management plan. What they appreciate most is not the threat of protracted investigations hanging over their heads, but to be given the opportunity to implement their breach management plan. Such organisations may come to the PDPC with an undertaking. The undertaking will be accepted if it achieves a similar or better enforcement outcome than a protracted investigation. If they are able to implement their breach management plan as scheduled, and it is implemented effectively, there will be no need to commence protracted investigations.
17. Second, clear-cut data breaches can and should be brought to a conclusion swiftly. We did not have this option before, but organisations now have the option of requesting an expedited breach decision. They have to admit to a breach of the PDPA, and they have to assist the PDPC in reaching a swift decision. This allows accountable organisations to conduct themselves with dignity and act responsibly. They do not have to be wary that statements made to customers and business partners may compromise pending investigations by the PDPC. They can adopt a consistent stance in all communications and actions. This exemplifies accountability to customers, business partners and the regulator. This also has the benefit of allowing such companies to quickly put the episode behind them and for the PDPC to channel investigation resources to other priorities.
From the Global Perspective
18. Accountability will also set us up for safe and secure cross-border data flows between trusted entities and economies. Our data protection law requires organisations to be satisfied that the receiving organisation is able to protect personal data when it is transferred overseas. This can be achieved through a variety of ways, from contracts to binding corporate rules that can be implemented within the private sector. Our efforts have been focused at system-level constructs like mutual recognition and certifications that support cross-border data flows. We have been a participant of the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) since 2018. This is a system premised on accountability. It creates a trusted network of accountable organisations in participating APEC economies and allows personal data to flow within this network more seamlessly. Singapore is also exploring mutual recognition of data protection regimes or developing compatible tools to facilitate data flows with our key economic partners through trade agreements. These tools include recognition of the APEC CBPR System as a valid transfer mechanism.
19. Interoperability is an important objective of Singapore’s efforts to ensure that cross-border data flows between economies with effective data protection systems and accountable organisations that have implemented good data protection practices. Closer to home, we are active in building a similar accountability-based framework in ASEAN that is designed to interoperate with the APEC CBPR System. Singapore led the development of the ASEAN Framework on Personal Data Protection in 2016 and the Framework on Digital Data Governance in 2018. The ASEAN Framework on Personal Data Protection establishes a set of principles to guide member states in the implementation of personal data protection measures. The Framework draws from the OECD Guidelines and the APEC Privacy Framework as part of ASEAN’s efforts to align to international standards. We rode on the momentum to develop the Framework on Digital Data Governance in 2018 to provide business certainty on digital adoption and innovation, as well as build good data protection standards regionally.
20. One initiative that ASEAN is in the midst of developing is the ASEAN Cross Border Data Flows Mechanism to facilitate trusted data flows in the region and globally. The voluntary Mechanism proposes a dual-track approach comprising ASEAN Certification and Model Contractual Clauses, to demonstrate compliance in protecting data transferred. The Mechanism takes into account an ASEAN Member State’s level of readiness. For instance, a Member State with adequate capabilities and enforcement systems in place is encouraged to adopt the ASEAN Certification immediately. The ASEAN Certification is designed to ensure interoperability with other international frameworks such as APEC CBPR.
21. As the Chinese proverb goes, 独木不成林 – we know that major accomplishments cannot be achieved through a single individual’s effort. A small country like Singapore relies on strategic partners in the international arena to develop mechanisms that enable cross-border data to flow between economies in a manner that is safe and secure, thereby building up trust between stakeholders. Acknowledging the wide spectrum of maturity in data protection regimes across Asia, and the diversity of cultures, histories and legal traditions, we believe that accountability can be the interstitial tissue that connects our data protection regimes.
22. Accountable organisations exercise responsibility over personal data in their care, and are answerable to the people who have entrusted their personal data to them. Effective administration of accountability in domestic data protection systems builds trust and can be the lubricant for cross-border data flows. In Asia Pacific, we already have an accountability-based system in the APEC CBPR. In the past couple of years, it has gained momentum and it makes sense for us to adapt it to work for Asia. We will need like-minded collaborators to commence technical discussions for its adaptation so that it is optimal for the Asian context.
23. On this note, I thank you all for your attention.