Data Protection & Privacy in Singapore 2017/4/14 Data Protection & Privacy in Singapore Presented By Goh Seow Hiong Deputy Director (Infocomm Devt Policy) Infocomm Development Authority of Singapore 27 March 2001 www.ida.gov.sg Confidential © IDA Singapore 2000

Overview Privacy & Data Protection BUT Public sector Private sector 2017/4/14 Overview Privacy & Data Protection Not provided under constitution or general law BUT Public sector Strict laws protecting the confidentiality of data held by the government & statutory boards Private sector Sectoral privacy laws Industry codes of practice Common law Law of confidence 2

More than 150+ laws with privacy provisions! 2017/4/14 Statutory Framework Statutory framework covers both the public and private sectors (sectoral laws) Public sector Official Secrets Act Statistics Act Central Provident Fund Act Electronic Transactions Act etc. Private sector Computer Misuse Act Telecommunications Act & Telecom Competition Code Banking Act More than 150+ laws with privacy provisions! 3

Public Sector Framework 2017/4/14 Public Sector Framework Official Secrets Act s 5 & Statutory Bodies and Government Companies (Protection of Secrecy) Act s 3 Information entrusted in confidence to a person owing to his official position must take reasonable care of the information must not retain if required lawfully to dispose of it Statistics Act Information on any individual obtained under the Act must not disclose without written consent of that person may disclose if it can be done without identifying the individual and Minister determines that an appropriate time has elapsed 4

Public Sector Framework 2017/4/14 Public Sector Framework Central Provident Fund Act s 59 Information acquired by employee in course of duty/employment must not, without lawful authority, communicate or publish to any person Electronic Transactions Act s 48 Information acquired through exercise of certain powers under the Act must not disclose except for lawful purposes eg. to prosecute offences under ETA Etc. 5

Private Sector Framework - Regulatory 2017/4/14 Private Sector Framework - Regulatory Computer Misuse Act s 3 Information or data held in any computer criminal offence to access without authority Telecommunications Act s 42 Information transmitted by telecommunications criminal offence to intercept without lawful authority IDA Code of Practice for Competition in the Provision of Telecom Services s 3.2.6 (mandatory code) End User Service Information e.g. end user’s calling patterns, billing address, credit history etc. licensee has duty to protect 6

Private Sector Framework - Regulatory 2017/4/14 Private Sector Framework - Regulatory Banking Act s 47 Particulars of account holder e.g. bank balance cannot divulge without the written permission of the customer Etc. 7

Private Sector Framework - Self-Regulatory 2017/4/14 Private Sector Framework - Self-Regulatory Industry Codes of Practice regulate the professional conduct of members provide mechanisms for complaints handling and dispute resolution Examples of such Codes Direct Marketing Association of Singapore (DMAS) Code of Practice National Association of Travel Agents of Singapore (NATAS) Code of Practice National Internet Advisory Committee’s “Electronic Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce” (1998) 8

E-Commerce Code Background How it works 2017/4/14 E-Commerce Code Background Published by National Internet Advisory Committee in Sept 1998 Voluntary scheme establishing standards of behaviour for ISPs and Internet content providers How it works Code is administered by a Compliance Authority (self-regulatory certification body) that grants the use of a “Privacy Code Compliance Symbol” to companies that comply with the Code CaseTrust became the 1st Compliance Authority in 1999 9

E-Commerce Code Objectives of code 2017/4/14 E-Commerce Code Objectives of code To encourage use of the Internet for delivery of public services and e-commerce To provide minimum standards for the use and management of personal information of Internet users To protect the confidentiality of private communications To provide a channel for handling of complaints by consumers of Internet commerce relating to non-compliance with the Code 10

Privacy Principles in Code 2017/4/14 Privacy Principles in Code Confidentiality Must take reasonable steps to ensure confidentiality of users’ personal particulars Must not sell users’ personal particulars (unless as part of the sale of the business as a going concern) Collection and use Should collect and use users’ personal particulars only with users’ consent Should give the user an option as to whether the provider can send promotional materials to the user on behalf of third parties or release information to third parties for the purposes of sending such materials 11

Privacy Principles in Code 2017/4/14 Privacy Principles in Code Accuracy Must take reasonable steps to ensure that users’ personal particulars are accurate and kept up-to-date can be checked by the user upon request, and erased or rectified as requested by the user 12

Enforcement & Compliance 2017/4/14 Enforcement & Compliance Compliance Provider must establish operational procedures for compliance with the Code Sanctions Compliance Authority may investigate any complaint, and after giving the provider a reasonable opportunity to be heard dismiss the complaint give a warning to the provider revoke or suspend the provider’s right to use the “Privacy Code Compliance Symbol” publicise the non-compliance by the provider 13

Law of Confidence Background Elements of action 2017/4/14 Law of Confidence Background Right derives from common law and/or equity Covers trade secrets, state secrets and personal secrets Close analogy to property Elements of action Information has quality of confidence Information is imparted within a relationship of confidentiality Unauthorised use and disclosure 14

Recent Developments Worldwide devts Domestic devts Sanctions 2017/4/14 Recent Developments Worldwide devts More and more countries are enacting general data protection/privacy laws e.g. Chile, Australia, Canada Lack of consumer privacy is becoming a significant obstacle to e-commerce US studies: US$2.8 b in lost online sales in 1999, potential losses of up to US$18 b by 2002 (compared to projected total sales of US$40 b) Domestic devts IDA Consultation Paper on Building Trust and Confidence in Electronic Commerce general view - businesses are not doing enough to protect privacy half think this is impeding b2c e-commerce adoption Sanctions Compliance Authority may investigate any complaint, and after giving the provider a reasonable opportunity to be heard dismiss the complaint give a warning to the provider revoke or suspend the provider’s right to use the “Privacy Code Compliance Symbol” publicise the non-compliance by the provider 15

2017/4/14 Singapore’s Response Educate industry on the need to do more to protect consumer privacy Set up National Trust Council to look into pertinent issues like trust marks, fraud management & best practices in e-business to implement National Trust Mark Programme to accelerate adoption of trust marks to appoint professional bodies as Authorised Code Owners (ACOs) to certify businesses with sound e-business security & privacy practices CASE appointed as the first ACO Set up inter-government agency task force to examine privacy issues comprehensively Leverage on industry-led activities to develop best practices & codes 16

Data Protection Framework National Trust Council 2017/4/14 Conclusion Multi-pillar approach to data protection & privacy Data Protection Framework Sectoral Laws Industry Education Codes of Practice Common Law National Trust Council 17

THANK YOU For more information http://www.ida.gov.sg http://ec.gov.sg 2017/4/14 THANK YOU For more information http://www.ida.gov.sg http://ec.gov.sg 18