COVID-19 has overrun the world these days. Since it ruined my Chinese New Year at the end of January, it has gripped nations from East to West in a slow moving death dance. It’s threatening lives, cancelled sports events and cratered the stock markets. It hasn’t stopped, and it won’t for at least several months.
The situation in the South East Asia is also quite intense. Manila faces “enhanced” community quarantine. Singapore encouraged all to practice social distancing. Across the causeway, Malaysia is under lock down. That lockdown caused a bit of a panic here in Singapore.
Amidst this unprecedented situation, is there a role for Data Protection or Privacy? Being an infectious disease, everyone would like to know where the infected have been. Do we have to give up our personal data?
As an IAPP Op-Ed goes, there is a risk that in trying to fight this disease, we “mistakenly transform our world into a dystopia“. On the other hand, trying to claim that perhaps we are going too far in this climate can draw a terrible reaction.
Data Protection Authorities (DPA) need to walk this fine line. So how is everyone around here doing?
On March 10, the National Privacy Commission released a statement after the President announced a Public Health Emergency. On March 19, the NPC released a bulletin titled “Data protection in times of Emergency“.
What I liked: Its balance between key points and detail. On the one hand it highlights that data protection is not preventing the government from doing its job, but also reminds all that sensitive information should be handled carefully. I liked this pithy statement:
The direction is lawful and straightforward. COLLECT WHAT IS NECESSARY. DISCLOSE ONLY TO THE PROPER AUTHORITY.
The DPA also goes into some detail on explaining the interaction between laws and the situation at hand, which I think is very useful for DPOs to relate to their management.
Around 13 February, the Personal Data Protection Commission released an Advisory. The Advisory was linked on its front page. At this point, Singapore was gearing up in its first response to COVID-19.
What I liked: The PDPC created a cutesy card to tell people that an organisation was collecting information.
What I didn’t like: As the card says, it appears that the PDPC’s stand is permissive. A paragraph in the advisory is dedicated to reasonable security measures, but there is very little other guidance. What kind of measures are permissible? Are all bets off once there is a public health emergency? The PDPC’s advisory offers very little support to a DPO who wishes to implement a well-designed policy.
I was surprised because compared to other materials which the PDPC has produced, this seemed very lackluster.
It seems that COVID-19 has managed to shut down this outfit. The only notice on its website (in Malay) was to say that some of its operations would be closed. Bummer. If anyone knows anything, please let me know…
Hopefully this quick survey of response from DPA illustrates the challenges faced in data protection in this region. Unfortunately for other countries here, there isn’t really a DPA. What else are you seeing out there?