INFORMATION MANAGEMENT

Citation: (2012) 24 SAcLJ 143
Date: 01 December 2012
Published date: 01 December 2012

Towards Consumer Data Protection Legislation in Singapore

Information privacy is commonly protected in three ways. The first is a mandatory legislative framework which allows organisations to collect and hold data, subject to certain legal obligations, while protecting the rights of individuals to information privacy (data protection). The second is a co-regulatory scheme administered by the Government and industry. The third comprises industry-based, self-regulatory codes which are voluntary business initiatives, not laws. Singapore is proposing general base-line data protection legislation applicable only to the private sector which will operate alongside existing sector-specific statutes that govern certain public and commercial sectors. The long awaited Consumer Data Protection Bill is expected in 2012, after five years of an inter-ministry review. This is long overdue in view of global commerce and networks and the prevalence of data protection laws in many countries, among which are Singapore's major trading partners. This article will review the limited data protection that Singapore offers prior to the proposed legislation, trace the reasons in support of specific laws and suggest how the proposed framework could benefit from the experience of well-respected international and national initiatives in the area of information privacy.

I. Introduction

1 The personal information that is collected by marketing and human resource departments of commercial organisations and data collecting companies about their customers, employees and other parties is a valuable asset and an important business tool. Personal information1 may be needed for a variety of purposes: for completing a transaction or payment, providing service support, marketing products, detecting and preventing security threats, participating in contests and surveys or applying for a job. These practices pose very real legal compliance issues for organisations handling personal information, particularly in countries with data protection laws which govern the collection, use and disclosure,2 security and transfer to third parties3 and third countries of personal information. These practices also raise issues related to the ethical and correct exploitation of personal information. Trust and confidence in privacy and security in an online environment, as much as the credibility of the merchant and trustworthiness of the transaction, are matters of real concern to customers.

II. Protection of information privacy

2 With such critical issues in mind, it is surprising that Singapore, a financial centre and nation aspiring to be an e-commerce hub, has not been in the forefront of enacting specific data protection laws. Data protection may be viewed as part of the right to privacy, giving the individual the right to know, and to exercise control over, how personal information is collected, used and disclosed. Privacy, however, is not a constitutionally protected right in Singapore. Instead, limited protection is given to personal information under a bewildering variety of sector-specific statutes4 (numbering over 160), through self or co-regulatory industry codes of practice,5 contractual obligations or the common law.6

3 Sector-specific statutes are of limited scope and application with regard to data protection. They contain secrecy and disclosure provisions which typically penalise the unauthorised release of personal information. Industry-specific codes7 may be directly relevant but lack legal force and sanction. A good example is the Model Data Protection Code for the Private Sector (“Model Code”) developed by the National Internet Advisory Committee (“NIAC”) Legal Subcommittee in December 2002. The Model Code,8 based on internationally recognised standards, is a voluntary co-regulatory scheme co-ordinated by the National Trust Council (“NTC”) representing industry and the Government (Ministry of Trade and Industry). The Model Code has been incorporated into the accreditation criteria for “TrustSg”,9 a nation-wide e-merchant trustmark intended to create a more secure online business environment. This is an initiative by the NTC and supported by the Infocomm Development Authority of Singapore (“IDA”).10 Currently, the trustmark programme is compulsory for all government ministries and agencies. Businesses accredited to display the “TrustSg” seal on their websites and physical storefronts signify that they comply with a code of conduct representing fair business, marketing and advertising practices drawn from the Model Code and that they respect customer privacy by adhering to privacy principles and proper management of customers' personal data. Those principles include informing customers of the policies and procedures for managing personal data, the purposes of the data collection, their use and the need for consent before disclosing to third parties.

4 Feedback from businesses indicates that the “TrustSg” accreditation has enhanced credibility, increased customer confidence and boosted online sales and market share.

5 The NTC also seeks to facilitate cross-border recognition of trustmarks and to internationalise “TrustSg” through the Asia-Pacific Trustmark Alliance. Members of the Asia-Pacific Alliance include operators in Korea, Japan, Philippines, Singapore, Taiwan, Thailand, the US and Vietnam.

III. The Model Data Protection Code for the Private Sector

6 The Model Code was based on the Canadian Standards Association's Model Code for the Protection of Personal Information, which was derived from the Organisation for Economic Co-operation and Development's (“OECD”) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)11 (“OECD Guidelines”) and the EU Data Protection Directive12 (“EU Directive”). The Model Code is expected to facilitate electronic commerce in Singapore and the future enactment of specific data protection laws. In fact, Singapore's proposed consumer data protection framework is derived from the Model Code as well as the data protection laws of certain key jurisdictions which will be highlighted below. As such, the data protection principles underlying the Model Code, its objectives and content will be relevant to the proposed legal framework. The objectives of the Model Code are to: (a) strike a balance between the legitimate information needs of businesses and an individual's interest in data protection; (b) harmonise data protection principles in the private sector and (c) establish minimum standards for the protection of personal data.

A. Data protection principles

7 The underlying principle of information privacy is that all personal data must be obtained, used and processed “fairly and lawfully”. The original version of the Model Code contains 11 data protection principles which have been framed in broad, flexible terms to facilitate application across sectors. These principles form the basis of the proposed legislation. They deal with the access, collection, processing, use and transfer of personal data.

Principle 1 – Accountability

An organisation is responsible for personal data in its possession or custody and must appoint an individual who will be accountable for the organisation's compliance with the principles.

Principle 2 – Specifying purposes

An organisation must specify and document the purposes for which personal data is collected and reveal such information to the individual at or before the time the data is collected or if not, within a reasonable time thereafter.

Principle 3 – Consent

The knowledge and consent of the individual are required for the collection or use of personal data, or its disclosure to a third party. This is subject to a long list of exemptions.

Principle 4 – Collection limitation

Subject to various exemptions, the collection of personal data is limited to the specified purposes. Data must be collected by “fair and lawful” means.

Principle 5 – Limiting use, disclosure and retention

Subject to various exemptions, personal data is not to be used or disclosed to a third party for purposes other than those for which it was collected, unless the individual consents to such use or disclosure. An organisation must implement guidelines and procedures to retain and destroy personal data and the individual must have access to the personal data which is to be used in making a decision concerning him. Personal data must not be kept longer than is necessary to fulfil the specified purposes and must be destroyed, erased or made anonymous if no longer required.

Principle 6 – Accuracy

Personal data must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. Updates are only to be obtained where necessary to fulfil the purposes for which the data is collected.

Principle 7 – Security safeguards

Personal data must be protected by appropriate security safeguards against accidental or unlawful loss, unauthorised access, disclosure, copying, use or modification. Security measures must be commensurate with the risks and consequences of disclosure so that more sensitive data must be safeguarded by a higher level of protection. An organisation must exercise care in preventing unauthorised access to the data (eg, allowing access only on a need-to-know basis, stressing the importance of maintaining confidentiality) and when disposing of personal data.

Principle 8 – Openness

An organisation must make readily available its policies and procedures for handling personal data, the name and address of the data controller, the means of gaining access to personal data and what personal data is made available to other organisations (including subsidiaries).

Principle 9 – Individual access and correction

Subject to exceptions, an individual must, upon his request, be informed of the existence, use and disclosure of his personal data and must be given access to that data. Access may be refused, for example...
