Data Protection & Privacy in Singapore
Presented By
Goh Seow Hiong
Deputy Director (Infocomm Devt Policy)
Infocomm Development Authority of Singapore
27 March 2001
Confidential
© IDA Singapore 2000
www.ida.gov.sg
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Overview
2
- Privacy & Data Protection
- Not provided under constitution
or general law
BUT
- Public
sector
- Strict laws protecting the
confidentiality of data held by the government & statutory boards
- Private
sector
- Sectoral privacy laws
- Industry codes of practice
- Common
law
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Statutory Framework
3
- Statutory framework covers
both the public and private sectors (sectoral laws)
- Public
sector
- Official Secrets Act
- Statistics Act
- Central Provident Fund Act
- Electronic Transactions Act
- etc.
- Private
sector
- Computer Misuse Act
- Telecommunications Act &
Telecom Competition Code
- Banking Act
- etc.
More
than
150+ laws
with privacy
provisions!
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Public Sector Framework
4
- Official
Secrets Act s 5 &
Statutory Bodies and Government Companies (Protection of Secrecy) Act
s 3
- Information entrusted in
confidence to a person owing to his official position
- must take reasonable care
of the information
- must not retain if required
lawfully to dispose of it
- Statistics
Act
- Information on any individual
obtained under the Act
- must not disclose without
written consent of that person
- may disclose if it can be
done without identifying the individual and Minister determines that
an appropriate time has elapsed
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Public Sector Framework
5
- Central
Provident Fund Act s 59
- Information acquired by employee
in course of duty/employment
- must not, without lawful
authority, communicate or publish to any person
- Electronic
Transactions Act s 48
- Information acquired through
exercise of certain powers under the Act
- must not disclose except
for lawful purposes eg. to prosecute offences under ETA
- Etc.
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Private Sector Framework -
Regulatory
6
- Computer
Misuse Act s 3
- Information or data held
in any computer
- criminal offence to access
without authority
- Telecommunications
Act s 42
- Information transmitted by
telecommunications
- criminal offence to intercept
without lawful authority
- IDA Code
of Practice for Competition in the Provision of Telecom Services s 3.2.6 (mandatory code)
- End User Service Information
e.g. end user’s calling patterns, billing address, credit history
etc.
- licensee has duty to protect
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Private Sector Framework -
Regulatory
7
- Banking
Act s 47
- Particulars of account holder
e.g. bank balance
- cannot divulge without the
written permission of the customer
- Etc.
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Private Sector Framework -
Self-Regulatory
8
- Industry
Codes of Practice
- regulate the professional
conduct of members
- provide mechanisms for complaints
handling and dispute resolution
- Examples
of such Codes
- Direct Marketing Association
of Singapore (DMAS) Code of Practice
- National Association of
Travel Agents of Singapore (NATAS) Code of Practice
- National Internet Advisory
Committee’s “Electronic Commerce Code for the Protection of Personal
Information and Communications of Consumers of Internet Commerce”
(1998)
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
E-Commerce Code
9
- Background
- Published by National Internet
Advisory Committee in Sept 1998
- Voluntary
scheme establishing standards of behaviour for ISPs and Internet content
providers
- How it
works
- Code is administered by
a Compliance Authority (self-regulatory certification body) that grants
the use of a “Privacy Code Compliance Symbol” to companies that
comply with the Code
- CaseTrust became the 1st
Compliance Authority in 1999
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
E-Commerce Code
10
- Objectives
of code
- To encourage use of the
Internet for delivery of public services and e-commerce
- To provide minimum standards
for the use and management of personal information of Internet users
- To protect the confidentiality
of private communications
- To provide a channel for
handling of complaints by consumers of Internet commerce relating to
non-compliance with the Code
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Privacy Principles in Code
11
- Confidentiality
- Must take reasonable steps
to ensure confidentiality of users’ personal particulars
- Must not sell users’ personal
particulars (unless as part of the sale of the business as a going concern)
- Collection
and use
- Should collect and use users’
personal particulars only with users’ consent
- Should give the user an
option as to whether the provider
- can send promotional materials
to the user on behalf of third parties or
- release information to third
parties for the purposes of sending such materials
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Privacy Principles in Code
12
- Accuracy
- Must take reasonable steps
to ensure that users’ personal particulars
- are accurate and kept up-to-date
- can be checked by the user
upon request, and erased or rectified as requested by the user
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Enforcement & Compliance
13
- Compliance
- Provider must establish
operational procedures for compliance with the Code
- Sanctions
- Compliance Authority may
investigate any complaint, and after giving the provider a reasonable
opportunity to be heard
- dismiss the complaint
- give a warning to the provider
- revoke or suspend the provider’s
right to use the “Privacy Code Compliance Symbol”
- publicise the non-compliance
by the provider
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Law of Confidence
14
- Background
- Right derives from common
law and/or equity
- Covers trade secrets, state
secrets and personal secrets
- Close analogy to property
- Elements
of action
- Information has quality
of confidence
- Information is imparted
within a relationship of confidentiality
- Unauthorised use and disclosure
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Recent Developments
15
- Worldwide
devts
- More and more countries
are enacting general data protection/privacy laws e.g. Chile, Australia,
Canada
- Lack of consumer privacy
is becoming a significant obstacle to e-commerce
- US studies: US$2.8 b
in lost online sales in 1999, potential losses of up to US$18 b
by 2002 (compared to projected total sales of US$40 b)
- Domestic
devts
- IDA Consultation Paper on
Building Trust and Confidence in Electronic Commerce
- general view - businesses
are not doing enough to protect privacy
- half think this is impeding
b2c e-commerce adoption
- Sanctions
- Compliance Authority may
investigate any complaint, and after giving the provider a reasonable
opportunity to be heard
- dismiss the complaint
- give a warning to the provider
- revoke or suspend the provider’s
right to use the “Privacy Code Compliance Symbol”
- publicise the non-compliance
by the provider
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Singapore’s Response
16
- Educate
industry on the need to do more to protect consumer privacy
- Set up
National Trust Council
- to look into pertinent issues
like trust marks, fraud management & best practices in e-business
- to implement National Trust
Mark Programme to accelerate adoption of trust marks
- to appoint professional bodies
as Authorised Code Owners (ACOs) to certify businesses with sound e-business
security & privacy practices
- CASE appointed as the first
ACO
- Set up
inter-government agency task force to examine privacy issues comprehensively
- Leverage
on industry-led activities to develop best practices & codes
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
Conclusion
17
- Multi-pillar
approach to data protection & privacy
Sectoral
Laws
Codes
of
Practice
Common
Law
National
Trust Council
Data
Protection Framework
Industry
Education
Data Protection & Privacy in Singapore
27 Mar 01
Copyright © IDA Singapore
2001
THANK YOU
For more information
http://www.ida.gov.sg
http://ec.gov.sg
18