Good start to securing personal data

Singapore's new Personal Data Protection Act was more than a decade in the making. So when it was finally passed in Parliament in October two years ago, the public got excited.

They were especially happy with the national Do-Not-Call (DNC) Registry, which lets them block telemarketing calls, SMSes and faxes. They could finally say goodbye to pesky telemarketers.

The Registry went into force on Jan 2 this year and has 595,000 local numbers - there are about eight million local mobile numbers here.

The Personal Data Protection Commission, which manages the Registry, is investigating 3,000 valid complaints.

While the new law has been welcomed by consumers, does it give them enough protection in areas of the greatest need?

For sure, it does tackle one key annoyance: unwanted marketing phone calls, which have interrupted meetings, disturbed sleep at ungodly hours and even taxed consumers' wallets - one gets charged for incoming calls while roaming overseas.

With the new rules, telemarketers who call phone numbers listed in the Registry risk a fine of up to $10,000 for each offence.

But the protection does not fully extend to phone or fax messages.

Some consumers are unhappy over a last-minute exemption that allows firms to send text and fax messages to existing customers without checking with the Do-Not-Call Registry. This applies as long as customers are given an option to unsubscribe from the messages via the same channel.

Consumers criticised the Commission for caving in to business pressures - a charge it denied. They also took issue with the exemption being introduced without public consultation.

Despite some loud complaints, others say it may be useful to be kept informed via SMS of promotions and deals from companies.

A credit card user, for instance, may want to be informed by his bank about promotional tie-ups with retailers. Similarly, a mobile, pay-TV or broadband subscriber may want his telco to inform him of discounts or freebies for renewing his subscription.

Said 36-year-old engineer John Wong: "I would like to know if there is a discount in a bookstore. The channel of passing useful information like this can be killed by the DNC Registry but the exemption allows for some flexibility."

In any case, phone messages are deemed less intrusive and less painful on the pocket, as messages received while roaming overseas are free.

The Registry rules are only one part of the new Act though; other provisions that deal with the way organisations may collect, use and disclose personal data kick in only from July 2.

Here, it is worth noting that the new Act does not have long arms to protect the general privacy of individuals.

For instance, owners of buildings such as malls do not need the individual's consent to record security camera footage - even though the images are considered personal data. Shopkeepers who take smartphone pictures of customers for promotional reasons also do not need consent.

The Commission feels that camera phones are now widely available and their use can be "reasonably expected". So, a notice by shopkeepers or building owners informing customers that photographs might be taken would suffice.

Also, government agencies are exempted from the new law. Minister for Communications and Information Yaacob Ibrahim had said government agencies are subject to their own set of rules on protecting personal data and these are sometimes more stringent than the new law - but these rules have not been made public.

What the Act does cover is the indiscriminate collection of data.

For instance, a 7-Eleven counter employee verifying the age of customers buying cigarettes or alcohol may record in the computer system only customers' birth dates - but not other information such as identity card number or name.

In another example, a lucky draw organiser may not be allowed to ask participants to disclose their household income if the information is not necessary.

The Act also protects consumers from inappropriate use and disclosure of their information.

For instance, if the lucky draw organiser wants to disclose the personal data of contest participants to third parties or use it for marketing - differing from the original intent - it must get participants' consent.

Failure to do so could mean a breach of the Act. The fine for violating general data protection provisions goes up to $1 million.

One loophole, though, is that Singapore has no jurisdiction over overseas companies with no local set-ups. It will need to work with other countries in this aspect.

Overall, while the law will always play catch-up to theft and misuse, Singapore's new Personal Data Protection Act is a good start in trying to protect people's personal data.

And judging by how the Commission has gone after at least three organisations for violating the new rules, it looks like it is taking the protection of personal data very seriously indeed.

This article was published on April 21 in The Straits Times.
