EXCLUSIVE – Strengthening the data protection ecosystem in Singapore through the work of PDPC
OpenGov speaks to Mr. Yeong Zee Kin, Deputy Commissioner, Personal Data Protection Commission (PDPC), Singapore
The Personal Data Protection Commission (PDPC) was established on January 2 2013 to administer and enforce the Personal Data Protection Act 2012 (PDPA). This year’s Privacy Awareness Week is happening from April 29 to May 5 and the full list of events can be found on www.pdpc.gov.sg/privacy-awareness-week-2017. The focus of the Privacy Awareness Week this year will be the importance of sharing personal data with care in today's data-driven world where Big Data and the Internet of Things take centre stage, through the theme "Share With Care".
OpenGov had the privilege to speak to Mr. Yeong Zee Kin (above photo), Deputy Commissioner of PDPC to learn more about his work at the organisation, the current data protection landscape in Singapore, developing the role of Data Protection Officers and more.
Could you tell us more about your role as the Deputy Commissioner of PDPC?
The PDPC is a new and small department but the scope of the Commission’s functions is growing exponentially, especially in the last 12 months when we started to issue data protection breach decisions.
As Deputy Commissioner, part of my duties would be to ensure the timeliness of our investigations and the quality of our decisions, as well as to promote the development of data protection jurisprudence. Apart from this, I also ensure that our policies are formulated to deal with new and increasingly complex issues as technology and business models evolve, sectoral or broad-based issues identified from our cases, and that they support national initiatives such as the Digital Economy and Smart Nation, while keeping pace with international developments. These policy updates may surface as advisory guidelines, practical guidance or Act amendments.
During my tenure, it is also my goal to strengthen the data protection ecosystem in Singapore to enhance our nation’s reputation as a hub for data innovation. In order to achieve this, it is imperative that we develop the role of Data Protection Officers (DPOs) as a highly-respected profession, build in-house competency for organisations and provide peer support for the DPOs. We recognise that DPOs are important drivers in ensuring that their organisations’ personal data protection measures are adequate and compliant with the PDPA.
What are some of the initiatives and projects that are happening at PDPC now?
The PDPC will be actively reviewing the Act to keep it relevant, taking in the needs of the industry today and their anticipated needs in the near term. Some issues that we are looking into include a review of the consent-based regime, data breach notification and the introduction of a data protection certification framework.
We also want to enhance the data protection ecosystem, and will put in place additional resources to help businesses use personal data responsibly. For example, we are developing Data Protection starter kits to help SMEs kick-start data protection practices within their companies, intensifying our engagements with SMEs through Trade Associations/Chambers of Commerce/Professional Bodies and sector-specific fora, and providing more affirmative guidance through new and revised Advisory Guidelines to give certainty on what is permissible under the PDPA.
To professionalise the role of DPOs, we are developing a training and competency development framework culminating in certificates that will accord DPOs with professional recognition and equip them with the skills and knowledge to better carry out their responsibilities.
What is the current protection landscape in Singapore in the context of public and private sectors? Can you share steps being taken to ensure compliance with the Personal Data Protection Act (PDPA)?
The public sector’s framework is based closely on the same data protection principles that the PDPA is founded on, according similar levels of protection for personal data as the PDPA. There are, however, some differences in limited circumstances which are necessary to enable the public sector to carry out its regulatory and statutory functions in an effective and accountable manner.
Our priority at present is to ensure that organisations are aware of their obligations under the PDPA and encourage their compliance with the PDPA through industry outreach and strategic communications. Such efforts started as early as in 2012, after public consultations on the proposed data protection regime and Do Not Call (DNC) Registry. We have been engaging organisations on a regular basis, largely through Trade Associations and Chambers of Commerce, and complement our outreach activities with advertisements in multiple platforms. More recently, we commissioned an info-educational series on television where various SMEs shared their organisations’ data protection policies and practices.
To better help organisations protect personal data in their care, we work with sector regulators to push out new and updated advisory guidelines, many of which are in response to issues that we discover during investigations.
Since the PDPA is a baseline legislation, how does the PDPC work with relevant sector regulators in exercising its functions?
The PDPA does not override the other sectoral laws. When there are cases related to personal data protection in those sectors, we will consult the sector regulator and work closely with them to ensure that either the sector regulator or PDPC will review the case and if the case warrants investigations, then either the sector regulator or PDPC will investigate it.
What kind of measures can be taken for protecting personal data, without stifling data availability and innovation or compromising the potential benefits from big data?
Generally, well-crafted and effective consent clauses are the pre-eminent mode of ensuring that customers’ data is respected and trust in the companies is built up. Organisations should not look at consent-taking as one-off, but make the best use of their various touch points with customers as an effective way to obtain and refresh consent for new data uses. Organisations are encouraged to keep an open policy and proactively communicate with customers, utilising the most appropriate channels available to build and maintain good communication and rapport with customers, thereby instilling customer confidence.
We recently revised our advisory guidelines on anonymisation clarifying how organisations may use and share anonymised data, thereby enabling consumers to reap the social benefits from wider use of data, all while ensuring personal data is still protected. Our plan is to progressively clarify other exceptions in the PDPA that organisations can rely on for big data and analytics.