With the new year came a new chief executive officer at Singapore’s Infocomm Media Development Authority. Tan Kiat How took over as CEO of the IMDA, as well as commissioner of the IMDA-housed Personal Data Protection Commission, on Jan. 1, having previously served as Deputy Secretary (Cyber and Technology) of the Ministry of Communications and Information.
In this Q&A, the new head of the PDPC discusses the commission’s role in educating the commercial sector, the major issues he sees in privacy and data protection, and provides his views on Singapore’s place in the global privacy community.
What do you think are the major threats to data privacy in 2017?
Emerging technologies such as the Internet of Things (IoT) and big data analytics bring with them both significant social and economic benefits and policy and privacy challenges.
These technologies enable service providers to make better use of our personal data to improve and create new services. With the proliferation of sensors in IoT devices, we anticipate more data to be collected, used, stored, and transferred. Big Data technology provides exponential increases in the speed, volume, variety, and velocity of personal data that is collected and analyzed, thereby making it more challenging for organizations to keep track of their data assets. The form factor of IoT devices, for example, the lack of screens or user interfaces, and the proliferation of sensors that are able to collect personal data without any interaction with the data subject, present new hurdles to obtaining consent from data subjects.
When we participated in the Global Privacy Enforcement Network (GPEN) Sweep on IoT earlier this year, we noted that less than half of the IoT devices and applications surveyed adequately inform users of the type of personal data that is being collected or how it is used.
Are there any significant amendments to the current Act in the pipeline?
We are still in the early stages of reviewing the PDPA. Some issues that we are looking into in the upcoming year include a review of the consent regime, the data protection certification framework, and data breach notification.
There have been some significant data breaches in Singapore in recent years. What lessons do you think we should learn from these?
A majority of the data breaches in Singapore were fundamentally due to lack of reasonable IT security measures or human errors. As more businesses go online, organizations collecting, using, or protecting personal data online need to be cognizant of the importance of securing data not just through technical measures, but also through administrative and physical considerations.
Of course, data protection is not limited to electronic platforms. From the dumpster-diving incidents highlighted in the local media last year, it is clear that even the simplest preventive action, such as shredding of paper documents containing personal data, would go a long way in protecting personal data.
An organization’s Data Protection Officer (DPO), which is a mandatory appointment under the PDPA, is an important driver to ensure that the organization’s personal data protection measures are adequate. In addition, employees who have any contact with personal data should also have adequate and specific training on data protection.
What would you say are the PDPC’s top three data security/privacy wins in recent times?
With the launch of our Do Not Call (DNC) Registry in January 2014, we saw a decrease of 70 percent in the number of complaints relating to unsolicited telemarketing, from nearly 8,000 complaints, as we moved from the first year to the second. From our annual surveys, we also found that more organizations that conduct telemarketing (88 percent of respondents in the 2016 survey) have become aware of the DNC provisions, and are making it a point to check the DNC Registry prior to the conduct of their telemarketing activities. These suggest that organizations are taking their PDPA obligations seriously.
Our data protection provisions came into force in July 2014 and we started to issue our Grounds of Decisions on breach cases this year. We note that a majority of the breaches occurred because of the lack of reasonable IT security measures, and have published various guides to help organizations with such concerns. The cases have been widely profiled in the media and this has helped to elevate the awareness of personal data protection in Singapore.
The number of complaints resolved through facilitation is on the rise and has doubled in the past year. This indicates that organizations are cognizant of their customers’ personal data protection concerns and are accounting to their customers through better communications and data protection practices.
What are you hoping will result from your privacy Trustmark?
Apart from enabling compliance with the PDPA, the Data Protection Trustmark is intended to enhance data protection standards and accountability in the management and protection of personal data, provide a competitive advantage for local and international businesses that are certified, and boost consumer confidence in organizations’ usage and sharing of personal data.
What’s your view on the implications of transferring data across borders and how data can be protected without hampering business?
The huge volume of personal data being transferred internationally and the ease and speed with which they can be transmitted amplify the challenges posed to the regulation of personal data transfers. Data protection laws also vary from jurisdiction to jurisdiction. While not every country has a data protection law, those that do may adopt differing models. The practical reality is that a business looking to expand markets and operate in multiple geographical locations needs to be compliant with the various countries’ laws and negotiating these differences is often a long-drawn but necessary process.
We recognize the importance of removing barriers to facilitate legitimate cross border transfer of data, and we actively track discussions on the regional and international fronts on mechanisms that can help to build trust in relation to cross border flows.
What is your view on the maximum fines imposed under GDPR and how effective do you think fines are as a deterrent or an incentive for companies to improve their data protection management?
Having two tiers of financial penalties signals that the EU deems certain GDPR Articles to be more important, or that some breaches cause more harm than others. Fines are effective as a deterrent to the extent that they prompt organizations to pay heed to the financial cost of not complying with the GDPR, and to encourage them to review their data protection policies and possibly invest in technology and resources to develop better data protection management practices. An actual change of organization behavior, however, is likely to depend on how fervently breaches are enforced, or are perceived to be enforced.
We believe that it is equally important that steps are taken to assist organizations, particularly small- and medium-sized enterprises (SMEs), to cope with the implementation of good data protection practices. These may be in the form of financial incentives, training programs or referral guidelines/guides. To this end, PDPC has rolled out a variety of schemes, programs and guidelines/guides that aim to incentivize companies to improve their data protection management.
Is Singapore likely to join the APEC Cross-Border Rules and how will this help facilitate trade with Singapore?
Singapore supports the seamless transfer of data between countries. We are in the process of obtaining clarifications and assessing the feasibility of supporting the APEC Cross-Border Rules under our legislative and regulatory framework. We are keen to make things easier for businesses and recognize that an internationally-recognized and harmonized mechanism such as this could be helpful in facilitating the flow of data across borders.
How will you continue to raise awareness of data protection issues in Singapore?
Apart from advertising and engaging the media, we actively seek to raise awareness of the PDPA among organizations and individuals through education and outreach, such as information collateral, e-newsletters, sectoral briefings, customized talks, and industry/community roadshows. Some of these were conducted in collaboration with trade associations, chambers of commerce, and industry watchdogs, as well as other public agencies. Through our annual surveys, we have found this approach useful — awareness among organizations has shown marked improvement since 2013.
We will also continue to hold the Personal Data Protection Seminar annually as a platform to facilitate networking and sharing of best practices on data protection matters among industry thought leaders, and participate yearly in the Asia Pacific Privacy Authorities (APPA) Privacy Awareness Week, initiated in 2006, to promote specific themes relating to personal data protection.