by MP for Aljunied GRC, Chen Show Mao
Mr Speaker,
The Bill before us has been a long time in coming. Back in 1990, the Law Reform Committee of the Singapore Academy of Law published a working paper entitled “Data protection in Singapore: A case for legislation.” Today we have a bill that proposes a baseline data protection framework to regulate the way organisations in Singapore collect, use, disclose and safeguard our personal data.
This Bill relates to the protection of personal data. It is developed based on principles derived from the OECD Guidelines on the protection of privacy. These principles include among others Accountability and Openness.
The data protection provisions being introduced will serve as a “baseline” law. That is, we legislate for a minimum standard of data protection that would apply across the board. There are then express provisions within the Bill for various exceptions, particularly that any other written laws shall prevail over these data protection laws, should there be any conflicting positions.
This is in part how, as the Government stated, “the general baseline law will apply concurrently with existing sectoral regulations”, such as for banking or telecommunications.
The Bill allows for various other exemptions. For example, an organization may collect, use or disclose personal data without having to comply with the data protection laws if doing so is “necessary in the national interest”. Or if the collection, use or disclosure of personal data is “necessary to respond to an emergency that threatens the life or safety of that individual or another individual”. Or if the personal data is “publicly available”. Or if the use or disclosure of personal data is “necessary for any investigation or proceedings”.
These exemptions would have been helpful in providing some flexibility to organisations, such as government agencies, when dealing with the interests of the public in specific cases. Unfortunately, this Bill will not apply to public agencies. It expressly carves out the application of personal data protection laws to public agencies that collect, use or disclose our personal data: these include government ministries, tribunals and upon notification by the Minister, statutory boards like the PA and the HDB. As an extension, the personal data protection laws will also not apply to private organisations when they act on behalf of a public agency.
Sir, this is an area in which the Bill is lacking. Like private organisations, public agencies that collect, use and disclose personal data of individuals should be required by law to comply with the minimum levels of data protection in this Bill.
A reason given by the Government is that public agencies do not need to be included, as they are already governed by their own set of rules, and that these rules provide similar levels of protection.
Sir, to the extent the government’s data protection rules are contained in our written laws such as the official secrets act, they will continue to apply even if we extend the coverage of this bill to our public agencies. This is because, as mentioned earlier, this bill is set up as a baseline law that is not intended to affect rights and obligations under existing law.
Sir, to the extent the government’s data protection rules are not contained in written laws then I do not know what they are. I do not know what these rules are, because they are not made known to the public. What I know is that if these rules are not laws then they are not subject to parliamentary scrutiny and oversight, and we do not know when (or how) they get created, amended or terminated. The people — who are directly affected by these rules — do not know what they are, much less have the chance to have their views on them heard.
Also, while individuals will be able to complain to the Data Protection Commission — the DPC — relating to suspected violations of these data protection laws, it is not clear if and how under current government data protection rules, individuals have any similar rights for complaint against public agencies relating to the wrongful collection, use or disclosure of personal information.
The government has also said that some of its rules are ‘more stringent in other areas’. That could continue to be the case even if this bill should apply to public agencies. There is nothing in these laws stopping organisations — both public and private — from having internal rules that afford even better protection for personal data should those be deemed necessary or desirable.
The concepts of accuracy, and individual access and correction, are key provisions contained in this Bill. This means that individuals have the right to request access to their personal data that an organisation holds, and also to request that individuals be provided with information about ways in which their personal data has been used, and to provide the names of parties to whom the data has been disclosed. Individuals also have a right to request that organisations correct any errors or omissions in the personal data.
It is just as important, if not more important, that these concepts of accuracy and access rights should also apply to public agencies that collect, use or disclose personal data. Public agencies during the course of their duties use personal data to make decisions, such as whether to grant somebody Workfare Income Supplement Payments, which have a direct impact on the lives of individuals, therefore it is important that individuals should be able to access their personal data on the basis of which the Government is making decisions on them, and to ask for such data to be corrected if they are inaccurate.
One reason we have been given for why the public sector needs to be excluded is that public agencies often have to share information with one another and to deal with national emergencies.
And indeed we do already have laws that allow public entities to share data. Examples include the Income Tax Act, the Medical Registration Regulations and the Immigration Act. As mentioned earlier, these would continue to apply as they are contained in existing written laws.
Also as mentioned earlier, we have broadly worded exemptions contained in the Bill relating to national interest and to emergencies, which may well be helpful to our public agencies looking to share information in a national emergency.
By ensuring that the public sector also falls within the remit of our personal data framework, individuals can be certain that there is at least a minimum baseline that applies to the way the public sector treats their personal data, and they can take comfort from how the processes and rules are clear to them.
I also note that of the jurisdictions in the world that have a personal data protection framework, only very few do not have personal data protection laws that are applicable to public agencies. Therefore, making this data protection framework applicable to public sector organisations will mean that Singapore will be truly in line with international standards, one of the three principles that the Bill is based on.
Sir, the protection of personal data is welcome not only because of its expected economic benefits. The protection of personal data is welcome because it acknowledges an important principle. That our personal data belongs to us as persons — much like our cash, phones and wallets or other forms of property — and this property needs to be safeguarded and protected by law against misuse, including by the Government.
We must remind ourselves that the proper function of our Government and its associated bodies first and foremost is to provide essential services to the people. The Government collects our personal data in order to be able to provide us with various services, such as administering our CPF accounts for our retirement needs, or our Medisave accounts for our medical expenses.
However, this information belongs to us, and our government agencies must handle our personal data with care. Above all, they should be accountable to the people and to Parliament about the way in which they use and safeguard our data while they carry out various services for us.
Mr Lui Tuck Yew, as MICA minister in 2011 said: “what we are doing, first and foremost, is to govern the proper processing of personal information such as the collection, the use, the disclosure and the transfer of this data, and to make sure that this is properly regulated.” Sir, There is no reason why that should not apply to our public agencies.