'

Singapore industry needs stronger codes of conduct as consumer data gains value

As businesses capture more information about customers, consumers need to be more informed about such practices and industry guidelines and codes of conduct must evolve to ensure responsible data use.

With businesses capturing more data about their customers, Singapore needs to reassess its guidelines and codes of conduct for the industry to ensure personal information is used responsibly and securely.

Pointing to the data "gold rush", Rajnesh Singh, Asia-Pacific bureau director for Internet Society (ISOC), said companies increasingly were realising they could make money out of data and collecting as much as possible.

With businesses fumbling, Singapore must take more care in data aspirations

Singapore government has been opening up user data access to ease information exchange and business transactions, but it should observe some caution as major organisations continue to slip up over security.

Read More

He noted that the push for organisations to adopt digital transformation had resulted in these companies also wanting to store every piece of data while embarking on such initiatives. "Digital transformation may be a double-edged sword in that sense," Singh said in an interview with ZDNet.

He added that more businesses such as retailers were tapping technologies such as data mining, artificial intelligence, and data analytics to extract insights and finetune their business, collecting more and more data with the hopes of being able to better predict consumer demand.

However, he said, there had to be a limit to how much these companies were allowed to collect and this should not go beyond facilitating the services they rendered.

He pointed to how, in Singapore for instance, customers frequently were asked to hand over their national identification card number to facilitate various trivial business transactions, such as entering lucky draws or signing up for customer loyalty programmes.

On its part, the Singapore government last November said it was reviewing guidelines in the country's Personal Data Protection Act (PDPA) to limit the use of national identification numbers, specifically, the collection, use, and disclosure of such numbers. Under the proposed revision, some common business practices would have to change such as the collection of NRIC numbers from shoppers to track the number of redemptions for free parking as well as use of these numbers to create retail membership accounts.

Singh said: "Consumers have to stand up and say enough is enough...and ask what businesses do with their data. And the problem is, not every consumer is aware [what's being collected] and even those who know, there is no Option B," he noted, stressing that this needed to change.

"It must evolve from "yes" or "no" as the two absolutes, where if you don't agree to a company's TOC (terms and conditions), you can't use their service," he noted. While he recognised organisations were offering free services in exchange for customer data, he underscored the need also to ensure consumer choice.

He suggested that Singapore companies could offer additional options in which consumers would agree to a certain subset of rules in exchange for limited access to their services or fewer features on their service platforms.

"The industry as a whole needs to mature," he said. "Consumers are becoming more informed [so] industry guidelines and codes of conduct also need to evolve."

He added that banks and credit card companies as well as merchants should allow consumers to opt out of having their spending or purchasing details tracked. Mobile apps also should not insist on gaining permission for access to features that were unnecessary to facilitate their services.

Read this

Data privacy ambiguity may hamper Singapore's smart nation ambition

Smart nation plan means massive amounts of data will be collected and analyzed, prompting questions about data privacy and security. With Singapore's public sector excluded from the country's data protection act, how will data management be properly governed?

Read More

Singh, though, acknowledged that some companies, particularly small and midsize businesses, might not want to or had the resources to handle the associated complexities of managing such environments.

New codes needed for new technologies

Regardless, with new technologies such as drones, home automation, facial recognition, and autonomous vehicles coming up on the horizon, he mooted the need for caution and new regulations.

"The question is, will we be controlling technology or will technology be controlling us?" he posed, noting that a lot of these new technologies seemed to suggest the latter.

Pointing to facial recognition technology, he said: "That's your biometric data and we know systems do get hacked and people lose their phones. As a consumer, I don't know what's going to happen to that data. How sure am I that phone companies aren't storing my biometrics data somewhere? Can someone [hack into that system and] impersonate me some day, for instance, using holographic images?"

He suggested that some of these added measures and guidelines, such as permissions granted to mobile apps and limited access TOCs, could be included in the PDPA.

And with the exclusion of the Singapore government from the country's data protection act, he said there also should be similar guidelines on how the public sector managed citizen data.

He noted that while the government might need data access and exchange across agencies to facilitate citizen services, it, too, should collect only the minimum required to process such services. "What is the level of data needed? Does the tax department really need to know your health record?"

"[Data access is] something we need to fix as an industry...giving consumers the option to opt out of things," Singh said, adding that this need was further compounded by the increasing deployment of Internet of Things (IoT).

In its 2018 action plan, ISOC had included the need to secure IoT as a key priority, especially as 20.4 billion of such devices were expected to be implemented by 2020.

Elaborating on this, Singh added that manufacturers such as Samsung had announced plans to include an IoT chip in all of their new products by 2020, effectively embedding intelligence and network connectivity in these devices.

With such devices connected to corporate and home networks, new attack vectors would be created. Hackers could breach unsecured IoT devices and launch attacks similar to DDoS (distributed denial of service) and bring down business, or even national, networks, he said.

To address such concerns, ISOC is championing its Online Trust Alliance as a framework and checklist for IoT manufacturers, offering a set of standardised security and privacy protocols for the production of their devices, he added.