Governments shouldn't be exempt from data protection laws

After years of existence without general data protection or privacy laws, Singapore is finally slated to introduce proposed legislation in this realm early next year.

It's a regime I look forward to and one that's a long time coming. In a January 2008 blog post, I discussed my concerns about whether governments put sufficient care in ensuring that the data they collect about citizens--locally and globally--is sufficiently secured.

The U.K. government, for example, lost the personal details of 25 million individuals in 2007. I wonder if citizens can hold their governments accountable when incidents like these occur, or whether I can do likewise should the U.S. government leave unprotected the details of my fingerprint--which is required of any foreigner who visits the country.

Data protection or privacy legislation can ensure safeguards are in place to protect people's data, and remind businesses to be vigilant about how they use customer data.

But, as today's guest blogger highlights, the Singapore government may eventually be exempted from adhering to the country's proposed data protection legislation.

An engineering manager for an aerospace maintenance, repair and overhaul (MRO) company, Ngiam Shih Tung is a Singaporean who has been closely following data privacy issues in the country. Shih Tung points out that a parliamentary discussion last month revealed that the enforcement of the nation's Spam Control Act, passed in 2007, does not involve government ministries and statutory bodies.

In his blog post, he highlights that while there are instances--for national security and law enforcement purposes, for example--in which governments should understandably be exempted from data protection legislation, they should still be held to the same standards as private organizations.

He raises a concern that, like the Spam Control Act, the government may exempt itself from enforcement when data protection legislation is enacted.

I absolutely agree, especially when a 2007 report revealed that governments around the world were increasingly invading the privacy of their citizens with surveillance, identification systems and the archival of private data. Governments must be measured against the same standards and legislation as the private sector, and must face the same penalties if security breaches occur due to a lack of technological safeguards.

And like Shih Tung, I too hope the Singapore government will also realize that.

Last month, after years of resisting calls for data protection legislation, Singapore's Minister for Information, Communications and the Arts (MICA), Lui Tuck Yew, announced the government would be enacting legislation to provide a baseline standard for data protection in Singapore. While this is a welcome change of heart by the government, the government itself may actually be exempt from the proposed legislation and much remains to be seen on how the law will work.

Thirty-one years ago, the developed nations' club, the Organisation for Economic Co-operation and Development (OECD), adopted a set of data protection principles. As far back as 1989, the Law Reform Committee of the Singapore Academy of Law recommended that Singapore adopt a data protection regime covering both the public and private sectors. However, that call fell on deaf ears and it was left to Hong Kong to be the first Asian country outside of Japan to adopt data protection legislation in 1996. It even appointed a Privacy Commissioner with powers to enforce Hong Kong's Personal Data (Privacy) Ordinance.

Still, better late than never, and one of the advantages of starting later is that we can benefit from the experiences of other jurisdictions.

One area of concern, though, is that even though MICA has promised to consult stakeholders, its definition of stakeholders comprises only "public, private and people sectors". Where are individuals in this discussion?

It is very ironic that MICA is proposing privacy laws and, yet, individuals are not considered to be stakeholders. Possibly, MICA considers organizations that will be regulated by the proposed legislation as stakeholders but does not consider the people whom the legislation is supposed to protect to be stakeholders.

In civil service speak, the "people sector" doesn't refer to real people but rather to Voluntary Welfare Organisations (VWOs) and similar bodies. These organizations are included presumably because the government wants to integrate public and private databases of welfare recipients.

A question was raised during a parliament session last month regarding the data protection model. In his reply, even though the public sector was identified as a stakeholder, Lui implied that the proposed law will only apply to businesses that collect data. That is a very glaring omission. The OECD principles recognize exemptions for national security and law enforcement purposes but apart from that, government databases are held to the same standard as private ones.

If anything, I would argue that government databases should be held to higher standards of transparency and security. The reason is that while telemarketers may be a nuisance, they can't cause you real harm, but incorrect data held in public databases could cause real harm. In many cases, we also do not have the choice of not giving our information to government agencies.

So much remains to be seen as to the details of the proposed data protection legislation, and while the government must be applauded for accepting the idea of data protection legislation, the signs are that this will only be a tentative first step in Singapore's progress toward implementing a comprehensive privacy protection regime.