S'pore firms should welcome data protection law

SINGAPORE--The country's upcoming data protection legislation will ultimately protect the marketing environment for companies here to run an "honest business", according to an industry observer. Lawyers add that the regulation has less to do with eradicating the use of data, than it is to provide clear parameters to ensure compliance and legitimate handling of data.

"We see a clear role for regulation as a key pillar in an effective data protection and privacy framework, [and it will] work in tandem with two other pillars: education and technology," said Lisa Watson, chairman of Direct Marketing Association of Singapore (DMAS). The association has 50 corporate members comprising both consumers and businesses, all of which have "some affiliation and relationship to direct marketing services", she said.

Last month, Singapore's Minister for Information, Communication and the Arts (MICA) Lui Tuck Yew announced the government will provide a "baseline standard for data protection" in early 2012 and propose new data protection laws to "protect individuals' personal data against unauthorized use and disclosure for profit".

In a phone interview with ZDNet Asia, Watson noted that any regulation should be a combination of government legislation and industry self-regulation, working together to protect consumers and create a level playing field for local businesses. These legislations should also keep pace with technological advances as they come into the marketplace, she added.

"Most companies do care about data protection and want to do "honest business", she said. "But, it never occurred to them that how they do it may not be right or that they should question where the data came from, how it was collected and whether there was consent," she explained.

Nonetheless, Watson admitted: "There may be exceptions and a few bad ones [which] give the whole business a bad name."

Hence, data protection laws will provide clear principles and rules to protect the marketing environment, and help "the good guys" do the right thing and protect their relationship with their customers, she noted. "Businesses should welcome the fact that this is taken seriously by the government", she added.

Impact on business community
Asked about the extent the new legislation might impact businesses operating in Singapore, Watson said it would be difficult to know for sure until the draft proposal is released.

"Not everyone will be happy in the short term because there will be short-term costs and inconvenience," she said, but reiterated that there will be "huge long-term benefits".

DMAS members are already expected to comply with the Model Data Protection Code so they will not unlikely be significantly affected, she revealed. "We can't, of course, speak for non-members," she added.

Lawyers ZDNet Asia spoke to were divided about potential impact of the data protection legislation on local businesses.

In a phone interview, Rajesh Sreenivasan, head of technology, media and telecoms practice at Rajah & Tann Singapore, said companies here would not be severely affected as it would be "just another compliance activity".

Bryan Tan, director of Keystone Law and ZDNet Asia blogger, noted that "most companies would be affected" since they collect and use some form of data, including employee data.

In particular, companies such as marketing agencies which rely on personal data to support their business operations would be the "worst hit", he said in a phone interview.

Law likely to cover personal data use
Tan, who specializes in tech law, said the collection, retention and use of personal data will likely be covered by the upcoming laws, with "use" being the most critical component of the three. Personal data includes data that can identify an individual such as identity card (IC) and mobile phone numbers, financial records and income statements, he explained.

Sreenivasan concurred: "Based on what [Lui] said, we're looking at personal data protection laws intended to set parameters on how personal information should be treated, in a certain way, when you come into possession of the data."

Apart from the collection, maintenance and use of data, the legislation could also mandate the kind of consent needed to use the data, and how to deal with disputes with regard to improper data collection, he said.

Sreenivasan said the act is not intended to bar businesses, but to ensure due respect is given to personal data that are obtained legitimately.

He added: "[But, with] only the ministerial statement, [any discussion] is just conjecture at this stage and it would be premature to lay down expectations on what will be legal or not."

He recommended that in light of the upcoming regulations, businesses should undertake some exercise such as conducting an audit on the type of personal information they posses and ensure it is used in a proper way.

In an e-mail statement, a spokesperson from DBS Bank told ZDNet Asia: "DBS takes client confidentiality and security very seriously, and the bank welcomes greater protection for consumer personal data".

The local bank already has stringent processes and systems in place to protect its customers' data, she said, adding that it will review details of the legislation to determine if any new measures have to be put in place.