Four months after Singapore’s first privacy protection laws came into effect, the chief counsel to the nation's Personal Data Protection Commission concedes there is “still a fair amount of work to do” to get the business community up to date with the demands of the new regime.
Speaking in Sydney to the ANZ branch of the International Association of Privacy Professionals (iappANZ), David Alfred said a recent survey of ‘privacy readiness’ amongst Singapore businesses showed that 65 percent of organisations were prepared for the new laws, key elements of which came into effect on 2 July 2014.
“Even those who say they comply, I think the reality of that depends very much on what level that organisation is able to implement data protection and not just compliance,” he said.
“So I guess that is where our next phase of outreach efforts in the coming years will focus. We need to get buy-in from more senior levels of management, so that they are aware of the importance of protecting personal data, both as an asset to them and as a responsibility to their customers.”
Singapore, one of the most popular offshore data hosting locations for Australian enterprises, passed its Personal Data Protection Act in January 2013, but staggered the deployment of modules of the Act - including the major data protection rules - to give organisations time to adjust.
“We are a bit late to this party,” Alfred said. “We have looked at what other countries have done and our law is somewhat similar to Canada. But we have also looked at aspects of Australia, the UK and New Zealand as well, particularly when it comes to our cross border rules.”
The Act filled a void in Singapore’s legal system, and aims to “strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses” by establishing the country’s first privacy regulation environment.
The regime stands aside for native data laws when it comes to offshore information only stored - and not used or disclosed - within its borders. This means that in the case of data collected in Australia, the new Act only applies if this information is disclosed to a party other than the data hosting vendor inside Singapore.
However, Alfred said part of the Personal Data Protection Commission’s mission at this early stage was to cement a “culture of respect for personal data” within the island nation, and to educate businesses so they can effectively balance the use of data as an asset alongside the protection of customer rights.
“We try to educate individuals about what they should be doing to protect themselves before it becomes a problem. So we have these two roles: outreach and education as well as enforcement.”
He described the 18 months since the first modules of the law took effect as “an interesting journey”, which has involved the implementation of new rules overseeing customer consent as well as requirements for privacy policies that outline intended uses of the information and the estimated duration of the storage.
The Act also requires all applicable businesses to appoint a senior employee responsible for data protection.
Alfred said it was already clear that those who appointed senior managers as their chief data authorities also demonstrated a greater commitment to protecting their customers’ information - beyond simple ‘tick the box’ compliance.
“Ideally, we would want someone with sufficient authority up the management chain to be accountable. At the same time we recognise that this is something that may not happen very fast,” he said.