From compliance to accountability: A robust and progressive data protection framework
Mr Tan Kiat How, Commissioner of the Personal Data Protection Commission,
Mr Leong Keng Thai, Executive Chairman of the Data Protection Advisory Committee,
2 Since we started this annual seminar, the attendance has grown every year. It goes to show that people recognise the value and importance of data protection. This is especially important given our plan to grow the digital economy and become a Smart Nation.
3 Earlier this year, Singapore released the Committee on the Future Economy’s report. Building strong digital capabilities was a key recommendation, and one strategy to achieve this is to use data as an engine of growth.
4 Indeed data has helped to improve our lives. Today, we can save time by finding the fastest routes from A to B. Companies like Grab, Ninjavan and CapitaLand make use of data to serve customers better and offer new services. NTUC is also using machine learning to recommend products to its members.
5 Technology will make it easier to collect and analyse the vast array of data in the future. But the most important determinant of whether we can realise the potential of data is not technology, but trust – trust that companies collect data sensibly, use them responsibly, and protect them well. Without trust, data sharing will decrease, and data-driven innovation will slow.
Pivoting from Compliance to Accountability
6 Singapore must therefore aspire towards a high standard of data protection that strengthens trust with the public, gives confidence to customers whose data is collected and used, while providing an environment for companies to thrive in the digital economy.
7 The PDPA provides the framework for data protection and sharing in Singapore. But the PDPA was crafted in an era where the majority of data was provided by users who fill in their personal particulars via physical and online forms. Today, data can be generated and mined through online activities and transactions. Mobile apps can make use of our location information to match us to the nearest car ride sharing apps or food delivery options. IoT devices stream data from health sensors and home cameras so you can keep track of your loved ones through various apps.
8 In these examples, consent clauses have been used to inform customers and seek their consent on how their personal data will be used. However, most people click through privacy notices or consent clauses without reading them.
9 A few years ago, British retailer GameStation played an April Fools’ joke on its customers by requiring customers to surrender their souls as a condition of sale – unless they chose to opt-out of this condition. Close to 9 in 10 customers did not choose to opt-out, presumably because they never even read the clause! While this was meant to be a joke, it highlights that the consequences of businesses treating personal data lightly can be very grave.
10 In Singapore, the PDPC has had to intervene in cases where companies were too lax with personal data. For instance, one company had obtained broad consent from its customers to disclose bank account details in the course of processing an insurance claim. However, the company subsequently shared personal bank details with a healthcare institution that did not require any payment information. The PDPC intervened to limit disclosures to what was required, even though the consent clause was broad enough to permit the sharing.
11 It is not possible for the PDPC to catch every single breach. Instead, companies must play their part. Organisations must change their mindsets, to not view data protection as a mere compliance exercise, but rather as a responsibility bestowed upon them by their customers, and fully integrated into the organisational culture of stewardship and accountability. This mindset shift is essential to build trust with their customers.
12 The PDPC has charted a three-stage process to help companies along this journey from compliance to accountability. In the first stage, the PDPC will be introducing later this year an online assessment tool and producing guides to help companies put in place a Data Protection Management Programme and to help businesses conduct Data Protection Impact Assessments.
Data Protection Trustmark Certification Scheme
13 In the second stage of our journey to accountability, we will launch a Data Protection Trustmark certification scheme by the end of 2018. In a survey conducted last year, PDPC found that 4 in 5 consumers would be more confident transacting with an organisation that has an accreditation for meeting personal data protection standards. The DP Trustmark will be a visible indicator that a business adopts sound practices and keeps its processes updated regularly. In assessing applications for the Trustmark, we will recognise businesses that have made the transition from mere compliance to accountability.
14 In the third stage of our journey to accountability, we plan to allow for a more progressive approach to collecting and using personal data, while also providing greater transparency when data breaches occur.
15 It has been five years since the enactment of the PDPA. It is therefore timely to review the PDPA to take on board the lessons that we have learnt, and to ensure that it is updated to reflect our ambitions to becoming a trusted global hub for innovative uses of data.
16 We will therefore be launching a series of public consultations on proposed amendments to the PDPA. In this first consultation, we will seek comments on proposed enhancements to our framework for collection, use and disclosure of personal data, and a mandatory data breach notification framework.
17 In particular, in the event of data loss or breaches, it is important that individuals’ interests are protected. This is why the PDPC is proposing the introduction of mandatory data breach notification to replace the voluntary one in place today. Notification will enable affected individuals to better protect themselves by taking some action, and allow affected organisations to receive guidance from the PDPC on how to manage the breach. We will build in thresholds to ensure this requirement does not become an unnecessary burden.
18 The PDPC is also prepared to work with companies who adopt accountability practices to create regulatory sandboxes to allow us to understand how our proposed changes to the PDPA might work in practice so that we can fine-tune the details before we amend the PDPA. This will enable companies who are ready to continue to be innovative and competitive.
Supporting data sharing for innovation
19 Even as we urge businesses to be accountable for the data they collect and use, we also want to urge them to use the data meaningfully to drive growth and innovation. Data, once collected, can generate value not only for the organisation collecting the data, but also for others far removed from the initial point of contact.
20 Today, companies already have to share data with others in the ecosystem in order to provide services: an e-commerce shop needs to share customer data with the logistics company that delivers that package to your door step. When we purchase car insurance, our good driving record with one insurance company can be ported over to another insurance company when we switch insurers. The no claim bonus allows good drivers to enjoy a preferential insurance premium.
21 All of this benefits us as consumers, but these examples merely scratch the surface of what is possible with greater sharing of data. Companies that collaborate can achieve so much more for their customers. Unfortunately, some businesses would cite the PDPA as a reason for not sharing personal data. This is a myth. The PDPA does not prohibit the sharing of personal data. In fact, we want to encourage the responsible sharing of personal data in order to generate value for our economy. This is why the PDPC is publishing a Guide to Data Sharing to provide clarity for companies about how they can share data today.
Facilitating Cross-border Flows of Data
22 In the digital economy, data flows do not happen solely within the confines of Singapore’s borders but take place internationally. In 2014, cross-border data flows accounted for almost US$3 trillion of global GDP.[1] The direct value added to Singapore’s GDP of data connectivity in trade is estimated at around 40%.[2] These numbers will only increase in the future. As they do, the international community will demand higher cross-border data protection standards so that customers and businesses overseas can exchange data with Singapore with the assurance that we will use the data responsibly.
23 I am therefore pleased to announce that Singapore has – this week – submitted our Notice of Intent to participate in the APEC Cross-Border Privacy Rules System and the APEC Privacy Recognition for Processors System – or the APEC CBPR and PRP – and will align our DP Trustmark standards with these. The APEC CBPR system harmonises data standards across participating economies, allowing businesses to share data responsibly across borders more seamlessly. Businesses can enjoy more clarity, save on the cost of ensuring compliance with multiple standards across different economies, and retain consumer confidence in the responsible handling of their data. Companies that obtain our DP Trustmark standards will concurrently be certified under the APEC CBPR.
24 Data is at the centre of the digital economy. By supporting data sharing for innovation, strengthening business accountability, and facilitating cross-border data flows, we hope to build a trusted, robust AND progressive data protection ecosystem in Singapore that allows us to harness the economic opportunities offered by the digital economy.
25 On this note, I wish you a fruitful seminar, with valuable insights and exciting exchanges. Thank you.
[1] Statistics from McKinsey Global Institute (2016), Digital Globalization: The New Era of Global Flows
[2] Statistics from the APEC Policy Support Unit (2012)