Data Protection Privacy in Singapore Presented By

Data Protection & Privacy in Singapore Presented By Goh Seow Hiong Deputy Director (Infocomm Devt Policy) Infocomm Development Authority of Singapore www. ida. gov. sg 27 March 2001 Confidential © IDA Singapore 2000

Overview Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Privacy & Data Protection • Not provided under constitution or general law BUT • Public sector • Strict laws protecting the confidentiality of data held by the government & statutory boards • Private sector • Sectoral privacy laws • Industry codes of practice • Common law • Law of confidence 2

Statutory Framework Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Statutory framework covers both the public and private sectors (sectoral laws) • Public sector • Official Secrets Act • Statistics Act • Central Provident Fund Act • Electronic Transactions Act • etc. More than 150+ laws with privacy provisions! • Private sector • Computer Misuse Act • Telecommunications Act & Telecom Competition Code • Banking Act • etc. 3

Public Sector Framework Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Official Secrets Act s 5 & Statutory Bodies and Government Companies (Protection of Secrecy) Act s 3 • Information entrusted in confidence to a person owing to his official position • must take reasonable care of the information • must not retain if required lawfully to dispose of it • Statistics Act • Information on any individual obtained under the Act • must not disclose without written consent of that person • may disclose if it can be done without identifying the individual and Minister determines that an appropriate time has elapsed 4

Public Sector Framework Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Central Provident Fund Act s 59 • Information acquired by employee in course of duty/employment • must not, without lawful authority, communicate or publish to any person • Electronic Transactions Act s 48 • Information acquired through exercise of certain powers under the Act • must not disclose except for lawful purposes eg. to prosecute offences under ETA • Etc. 5

Private Sector Framework Regulatory Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Computer Misuse Act s 3 • Information or data held in any computer • criminal offence to access without authority • Telecommunications Act s 42 • Information transmitted by telecommunications • criminal offence to intercept without lawful authority • IDA Code of Practice for Competition in the Provision of Telecom Services s 3. 2. 6 (mandatory code) • End User Service Information e. g. end user’s calling patterns, billing address, credit history etc. • licensee has duty to protect 6

Private Sector Framework Regulatory Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Banking Act s 47 • Particulars of account holder e. g. bank balance • cannot divulge without the written permission of the customer • Etc. 7

Private Sector Framework Self-Regulatory Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Industry Codes of Practice • regulate the professional conduct of members • provide mechanisms for complaints handling and dispute resolution • Examples of such Codes • Direct Marketing Association of Singapore (DMAS) Code of Practice • National Association of Travel Agents of Singapore (NATAS) Code of Practice • National Internet Advisory Committee’s “Electronic Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce” (1998) 8

E-Commerce Code Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Background • Published by National Internet Advisory Committee in Sept 1998 • Voluntary scheme establishing standards of behaviour for ISPs and Internet content providers • How it works • Code is administered by a Compliance Authority (selfregulatory certification body) that grants the use of a “Privacy Code Compliance Symbol” to companies that comply with the Code • Case. Trust became the 1 st Compliance Authority in 1999 9

E-Commerce Code Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Objectives of code • To encourage use of the Internet for delivery of public services and e-commerce • To provide minimum standards for the use and management of personal information of Internet users • To protect the confidentiality of private communications • To provide a channel for handling of complaints by consumers of Internet commerce relating to noncompliance with the Code 10

Privacy Principles in Code Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Confidentiality • Must take reasonable steps to ensure confidentiality of users’ personal particulars • Must not sell users’ personal particulars (unless as part of the sale of the business as a going concern) • Collection and use • Should collect and users’ personal particulars only with users’ consent • Should give the user an option as to whether the provider • can send promotional materials to the user on behalf of third parties or • release information to third parties for the purposes of sending such materials 11

Privacy Principles in Code Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Accuracy • Must take reasonable steps to ensure that users’ personal particulars • are accurate and kept up-to-date • can be checked by the user upon request, and erased or rectified as requested by the user 12

Enforcement & Compliance Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Compliance • Provider must establish operational procedures for compliance with the Code • Sanctions • Compliance Authority may investigate any complaint, and after giving the provider a reasonable opportunity to be heard • dismiss the complaint • give a warning to the provider • revoke or suspend the provider’s right to use the “Privacy Code Compliance Symbol” • publicise the non-compliance by the provider 13

Law of Confidence Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Background • Right derives from common law and/or equity • Covers trade secrets, state secrets and personal secrets • Close analogy to property • Elements of action • Information has quality of confidence • Information is imparted within a relationship of confidentiality • Unauthorised use and disclosure 14

Recent Developments Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Worldwide devts • More and more countries are enacting general data protection/privacy laws e. g. Chile, Australia, Canada • Lack of consumer privacy is becoming a significant obstacle to e-commerce • US studies: US$2. 8 b in lost online sales in 1999, potential losses of up to US$18 b by 2002 (compared to projected total sales of US$40 b) • Domestic devts • IDA Consultation Paper on Building Trust and Confidence in Electronic Commerce • general view - businesses are not doing enough to protect privacy • half think this is impeding b 2 c e-commerce adoption 15

Singapore’s Response Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Educate industry on the need to do more to protect consumer privacy • Set up National Trust Council • to look into pertinent issues like trust marks, fraud management & best practices in e-business • to implement National Trust Mark Programme to accelerate adoption of trust marks • to appoint professional bodies as Authorised Code Owners (ACOs) to certify businesses with sound e-business security & privacy practices • CASE appointed as the first ACO • Set up inter-government agency task force to examine privacy issues comprehensively • Leverage on industry-led activities to develop best practices & codes 16

Conclusion Data Protection & Privacy in Singapore 27 Mar 01 Copyright © IDA Singapore 2001 • Multi-pillar approach to data protection & privacy Data Protection Framework Common Law Codes of Practice Industry Education Sectoral Laws National Trust Council 17