Dear privacy pros,
I trust everyone is keeping well and safe amid all the recent upheavals. I know I am not alone in wishing that, for once, there would be some major news that bodes well for humanity.
It's been comparatively quiet on the privacy front, so I thought I might take some time to reflect on how far we have come and how far we still have to go.
At least in Singapore, where I am based, privacy awareness has certainly come a long way since the Personal Data Protection Act was first enacted in 2012. I think it is safe to say that by now, even the proverbial man (or woman) on the street would have a fairly good idea about the privacy rights they are entitled to and the recourse that is available if such rights are blatantly infringed.
Likewise, organizations that process personal data, even smaller "mom-and-pop" setups or SMEs, are generally aware of the need to avoid collecting more data than required and adequately protect such data during collection, use, transit or storage.
However, I do not think that our work is, or will ever be, done. Even if we put aside the new threat vectors, nefarious practices and bad actors that are constantly emerging from the woodwork, there is always room to improve how well-intentioned companies that wish to comply with their privacy obligations actually put compliance into practice.
For example, I nearly fell off my chair recently when mortgage brokers I am working with about a loan in Australia provided a long list of supporting documents required to assess my application. Besides the customary credit bureau report, income tax returns and various declarations as to income and expenses, the lender required full, non-redacted copies of not only my bank statements and credit card statements but also copies of bank statements for various companies that I run.
I had extensive discussions with the mortgage brokers to understand the rationale for such extensive disclosures better, as I felt duty-bound to do as a privacy advocate. The lender purportedly required the personal bank and credit card statements to establish that I have sound spending habits and that there were no major expenses that have not been disclosed. Similarly, the corporate bank statements were necessary to show that the companies were financially sound and had real sources of income.
I fully appreciate the business imperative and need for the lender to establish a prospective borrower's creditworthiness properly. However, I do not understand why the bank would need to know what I spend my money on, as long as the credit bureau report proves I have always paid my credit card dues on time. Similarly, financial statements should be sufficient to establish the financial standing of the companies, without the need to expose commercially sensitive information like how much franchise fees or rent we pay or personal information associated with payments made by the company's customers.
At the end of the day, much of this may resolve into a question of interpretation, so consumers, no matter how well-informed, will inevitably be placed between a rock and a hard place if companies comply with the letter but not the spirit of the law.
Nevertheless, I know that the industry will continue to mature and move forward as more and more privacy professionals like you work hard to educate and advocate for ever-improving privacy compliance within your organizations.