S'pore data protection law should include govt

The upcoming Personal Data Protection Act will be more transparent and robust if public sector agencies are included, but overlapping existing internal guidelines could cause confusion.
Written by Ryan Huang, Contributor

Singapore could benefit from expanding its upcoming Personal Data Protection Act (PDPA) beyond the private sector to cover public agencies as well, as this would make the legislation more transparent, robust and comprehensive.

The city-state's Personal Data Protection Act will be in force from January 2013, after the passing of its bill last month. It encompasses a national Do-Not-Call registry, and a new enforcement agency will regulate the management of personal data by businesses and impose financial penalties should rules be flouted.

The government is excluded from the Act though, noted Warren Chik, assistant professor at Singapore Management University's School of Law. The public sector is already bound by its own set of data protection rules such as the Official Secrets Act, he noted.

Concern over public sector data sharing
The strengthening of data protection rules is a milestone for Singapore following privacy concerns over the use of public data, including between government agencies.

In 2002, a Singaporean man complained that following his return after several years abroad, government matchmaking agency Social Development Unit (SDU)--now known as the Social Development Network--was able to get his particulars without consent, according to a report by news site Techgoondu.

In 2002, a Singaporean man complained that following his return after several years abroad, government matchmaking agency Social Development Unit (SDU)--now known as the Social Development Network--was able to get his particulars without consent.

He later found out SDU had gotten his details from the Ministry of Defence (Mindef), which had been kept updated due to his National Service obligations.

Strict rules for government officials
An Infocomm Development Authority of Singapore (IDA) spokesperson told ZDNet Asia that data policies have since been tightened and Mindef no longer shared such personal details.

"The public sector data protection rules are designed to enable agencies to carry out its regulatory and statutory functions in an effective and accountable manner that is in the interest of the public and necessary for the wider good," said the spokesperson.

She added current guidelines, for instance, allow the sharing of personal data across agencies in "public interest" and are "necessary for the government to carry out its duties without impediment". Such duties might include supporting welfare initiatives such as the country's Workfare Income Supplement and Goods and Services Tax (GST) Vouchers, she elaborated.

On the internal policies governing public sector's use of data, IDA said these rules were based broadly on the same principles as the Personal Data Protection Act and accord similar levels of protection to citizens. These are also reviewed on an annual basis, the spokesperson added.
Officers violating these rules would be disciplined according to Public Service Disciplinary Regulations, she said.

"Any unauthorized access, use or disclosure of confidential information would be investigated under the relevant Acts such as the Official Secrets Act and the Statutory Bodies and Government Companies (Protection of Secrecy) Act," the spokesperson explained.

Uniform policy more transparent, robust
Elle Todd, a partner at law firm Olswang, noted the main reason for not including government agencies under the Personal Data Protection Act was due to the fact there was an existing regime and to replace it could cause confusion.

In fact, in some instances such as the use of sensitive personal data, rules for government officials were even stricter than the PDPA, Todd said.

Still, she added it might make sense to have one general, overriding data protection act that applied to everyone as this might make it more transparent and easier for consumers to understand. Europe and the Philippines are examples of an integrated approach, she pointed out.

Agreeing, Chik felt the PDPA should include the public sector for a more "robust and comprehensive" data protection regime. He pointed out this was already the case for other countries with more matured data protection laws.

Bryan Tan, director at Keystone Law, noted there were other countries that have made government agencies exempt from any data protection laws, such as neighboring Malaysia. But he noted Singapore might be swayed to expand its data protection laws in the future.   

"It could well be that Singapore may come under pressure to follow those which do not have such exemptions like the European Union and Hong Kong," Tan said.

Editorial standards