Mr Tan Kiat How, Commissioner of the Personal Data Protection Commission,
Mr Raymund Liboro, Commissioner of the Philippines Data Protection Commission,
Members of the Data Protection Advisory Committee,
Ladies and Gentlemen
2 I am happy to join you today at the 6th Personal Data Protection Seminar.
3 In the present digital landscape, the collection and use of personal data by organisations are increasingly important and also necessary to provide better products and services for consumers. At the same time, consumers’ expectations of responsible personal data protection are rising.
4 Around the world, regulators are responding to consumers’ rising expectations for data protection with higher data protection standards. Many of you would have experienced the flurry of requests for consent for data collection from organisations arising from the EU General Data Protection Regulation. Closer to home, Asian countries are also raising their data protection standards to remain attractive to businesses and stay competitive in the international market. For instance, two years ago, Japan strengthened its personal data protection laws to address technological changes and to be recognised by other markets as a country with a safe data environment. Just last year, Malaysia took enforcement actions against organisations that breached data protection laws.
5 In Singapore, we have paid careful attention to data protection. We enacted the PDPA (Personal Data Protection Act) in 2012 and have taken action against breaches of the PDPA, including the failure to reasonably protect the personal data. There will also be instances where personal data is lost due to deliberate and sophisticated attacks. The recent SingHealth cyberattack that we experienced is one such example. In these instances, it is important that we take the appropriate response in order to restore public confidence whilst at the same time, understand the nature of challenges in taking the necessary measures to further fortify our IT systems. We have convened a Committee of Inquiry to get to the bottom of the incident and recommend appropriate and additional security measures to further strengthen our IT systems. The PDPC (Personal Data Protection Commission) has also been notified of the incident and will investigate this matter. PDPC will take into account the Committee of Inquiry’s report in its determination and assessment of any appropriate action to be taken. We have started our Smart Nation journey, and we will continue to move forward to seize opportunities afforded by technology even as we strengthen our systems so as to build and sustain trust that we have painstakingly built up over the years. While there will be incidents like this from time to time, we need to ensure that we do not derail from our larger Smart Nation objective, and to create opportunities for individuals and enterprises.
6 Consumer trust commands a premium in the digital economy. Good data protection is how we can secure and maintain that trust. PDPC’s survey showed that two thirds of Singapore’s consumers are more willing to entrust their personal data to organisations with sound data protection practices. In fact, the greater the consumer trust, the more confidence consumers and the general public have in sharing their personal data with organisations, and the more data-innovations organisations can deploy. Thus, many organisations recognise the value of sound data practices because they can derive a competitive advantage. In other words, good data protection policies and practices are a competitive advantage in the business world. It is akin to many other areas such as sustainable business practices, and it is something that businesses must take seriously.
7 I would like to outline what the Government in Singapore, and what organisations can do in this digital climate today.
8 On our part, the Government will support innovative and accountable data practices to help organisations gain consumer trust so as to exploit new local and international markets. First, we will ensure that our data protection regime remains balanced and progressive.
9 The PDPA is a progressive piece of legislation, but we are reviewing it so that our regulatory environment keeps pace with the evolving needs of organisations and individuals in a digital economy, and enables the legitimate use of data and data innovation, while safeguarding individuals’ interests. For example, we intend to:
a. Enhance the current framework in which organisations may collect, use, and disclose personal data;
b. Include an “opt-out” option so that organisations will be able to rely on the provision of notification of purpose to consumers;
c. Introduce a “legitimate interest” basis for such collection, use or disclosure to enable organisations to protect legitimate interests that will have economic, social, security or other benefits for the public, such as to detect fraud;
d. Introduce a mandatory notification of data breaches, so that affected individuals can take steps to protect themselves from the risks of harm arising from data breaches, while affected organisations can receive guidance from PDPC on post-breach remedial actions.
These enhancements will be accompanied by accountability measures to safeguard individuals’ interests.
10 While the review of the PDPA is ongoing, PDPC will continue to provide more regulatory clarity and certainty, such as through issuing advisory guidelines that explain PDPC’s interpretation of the Act in specific domains and scenarios.
11 Second, beyond strengthening our domestic regime, we are facilitating the regional development of personal data protection standards, as this will contribute to the promotion and growth of regional and global trade and the flow of data. Besides the development of an ASEAN Framework on Personal Data Protection adopted by ASEAN Telecommunications Ministers in 2016, we are currently developing an ASEAN Digital Data Governance Framework. When completed in 2019, the Framework will enhance data management and facilitate harmonisation of data regulations among ASEAN Member States. With greater harmonisation, organisations will find it clearer and easier to comply with data protection laws across ASEAN. In a recent meeting that I had with several ASEAN Ministers, there is a clear recognition that this is an opportunity for ASEAN to establish thought and practice leadership in this important and evolving area. We will also participate in international mechanisms that facilitate cross-border data flows, such as the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, so that certified organisations will find it easier to move personal data across borders in participating APEC economies.
12 While the PDPA will remain progressive, we cannot be solely reliant on laws. Organisations must also develop a culture of accountability to build consumer trust. We will support organisations in building consumer trust by launching the Data Protection (DP) Trustmark, a certification programme based on the principles of the PDPA, and administered by IMDA (Info-communications Media Development Authority).
13 First, the DP Trustmark would be a visible badge of recognition for accountable and responsible data protection practices used by organisations, including appropriate data protection policies and practices, adequate measures to identify and address data protection risks, and a sound data breach management plan. Hence, organisations that have obtained the DP Trustmark will have a competitive advantage to gain consumer trust and loyalty. Second, applicants of the DP Trustmark can obtain the APEC CBPR/PRP certifications more seamlessly, where as pointed out, certified organisations can exchange personal data more easily with other certified organisations in participating APEC economies. It becomes a building block towards free, accountable, responsible flow of data and exchange of information across organisations that have sound data protection policies.
14 IMDA will begin pilot DP Trustmark certifications this year to fine-tune the process. I am happy that organisations from diverse sectors recognise the DP Trustmark’s value and are participating in the pilot. These include organisations from financial and ICT services such as DBS and Singtel, health and educational services such as Carpe Diem@ITE, Fullerton Healthcare, Fullerton Systems and Services, and the Tan Tock Seng Hospital Community Fund, as well as lifestyle services such as Chan Brothers Travel and Redmart. This diversity of enterprises and their participation will ensure the rigour of the certification processes before the DP Trustmark is launched officially at the end of this year. I would like to encourage other interested organisations to approach IMDA to collaborate on this important initiative. The broader the participation, especially in the pilot phase, the more robust the system will be when we move into broad based implementation.
15 While the Government will do its part to facilitate innovative and accountable data use, we strongly encourage organisations to put in place measures to do the same. To keep pace with evolving local and international personal data regulations, organisations have to develop data protection capabilities. Capability development begins with the Data Protection Officers, but should include organisations’ business units. Indeed, that is the tension that we are all managing—between business imperatives and operational needs—and yet ensuring that we manage the legitimate concerns around confidentiality and security of data. When both Data Protection Officers and business units have a sound understanding of data protection, they can help organisations develop responsible data protection practices that support innovative business models.
16 One area where organisations can strengthen capability is data sharing, for which PDPC introduced facilitative measures last year. To counter the misconception that data protection laws have a blanket prohibition against data sharing, PDPC launched a data sharing guide to illustrate how organisations may share data legitimately. Additionally, to facilitate data sharing arrangements that have benefits to the public, PDPC introduced a regulatory sandbox. Data sharing arrangements may be exempted from one or more obligations under the PDPA if the arrangements meet certain criteria and safeguards are incorporated. This allows companies that are ready with good accountability practices to try out the alternative means to consent to collect, use or disclose personal data before the PDPA is amended. This way, once the PDPA is amended, they can naturally exit the regulatory sandbox and scale their solutions. For instance, some VWOs may decide to share personal data of their beneficiaries to provide better, more complete services in a way that will improve their beneficiaries' lives and well-being. This is a legitimate objective and one that we should support as long as the data practices are conducted in a responsible and accountable manner. We welcome organisations who are ready to make good use of the sandbox to submit their proposals for data sharing arrangements to PDPC.
17 With evolving developments in data protection, it is good to see the industry and PDPC keep pace and publish updated resources. For example, the “Data Protection Law in Singapore” and the “PDP Digest” are now in their second editions. These are useful materials for organisations that are stepping up their capability development.
18 Besides these text-based resources, I am pleased to see the growth of communities of practice such as the AsiaDPO and the Law Society’s Cybersecurity and Data Protection Committee. These are practitioners who are passionate about the personal data protection practice. I encourage all of you to network, share your experiences and learn the best practices at data protection seminars, such as the one today, to build up your own communities of practice. This is an area of novelty. There is much evolution and it is occurring at a rapid pace. We need everyone to actively engage and exchange ideas on such issues.
19 More importantly, as we go about the seminar today, I would urge everyone to keep in mind that responsible data protection is a whole-of-Singapore endeavour, and we each play a part—whether it is the Government, private sector or the people sector—in ensuring robust practices to preserve trust in and among our institutions and organisations.
20 I wish all of you a fruitful seminar. Thank you.