In the wake of the very public scandals involving SingHealth and other public health agencies, there was a palpable sense that things were going to get better. Finally, data protection will have its day in Singapore! Indeed, the PDPC slapped on a headline-making fine of $1 million. However, has there really been sustainable change? I am more skeptical about this.
Witness Exhibit A from the CPF Board. The CPF Board responded in the newspaper to criticism that it may have crossed the line in responding to an online article.
The key point which the CPF Board makes is as follows:
We uphold strictly the Government’s data protection standards which are aligned with, if not more stringent than, the requirements of the Personal Data Protection Act (PDPA). For example, we have implemented measures such as Internet surfing separation which are not required in the PDPA. These measures show how seriously the Government takes data protection.
PDPA doesn’t “require” any specific cyber security measure
Firstly, the PDPA doesn’t require internet separation or any specific cyber security measures. In the PDPC’s guidelines there are several suggestions on cyber security which aim to prevent data breaches.
However, the PDPA’s ‘requirement’ is a negative obligation to prevent any unauthorised disclosure or data breach. This is the Protection Obligation.
As such, if an organisation implements internet separation but still causes a data breach, that’s not an excuse. In SingHealth, fairly elaborate governance structures were put in place. However, they were not effective. They were still penalised.
I don’t recall internet separation being mentioned specifically in the guidelines. For a large organisation like the government, internet separation can be very effective in automatically controlling risks. For small organisations, the cost and trouble of having separate computers to surf the internet make less sense. It would be far more effective to train the user. There isn’t a one-size-fits-all security policy which the law mandates, and the PDPA recognises this.
Data Protection is NOT Cyber Security
If you haven’t noticed it from the last section, I have been taking great pains to highlight that the CPF Board was referring to its cyber security practices.
Since 80% of PDPA enforcement decisions concern the Protection Obligation, many people might feel that data protection is mostly about cyber security. It sure seemed that way when the Cyber Security Agency was at the forefront of the SingHealth coverage. However, to suggest that data protection is cyber security is just wrong.
For one, under the PDPA guidelines, an organisation’s obligations aren’t made up solely of the Protection Obligation.
More relevantly, one of an organisation’s obligations is the Purpose Limitation Obligation. It restricts the use of personal data to purposes that a reasonable person would consider appropriate in the circumstances. Is using personal data to refute false allegations appropriate? Is releasing personal data in public for everyone to know, or for some kind of public interest, appropriate? This is not a guideline or suggestion like internet separation; this is the law, the PDPA.
One of the most interesting PDPC decisions last year can give us some clues. In that decision, a LAN shop published pictures of people who broke the rules at its shop for all to see. The PDPC held that using personal data in this way was “inappropriate”. The LAN shop could have minimised the data or implemented it in a different way to give better effect to its purpose. The PDPC suggested that it was to “name and shame”.
We have very little insight into the CPF Board’s considerations in releasing the member’s data in public. If the CPF Board held itself to the highest standards for data protection, we would find out how they did it. (Psst… DATA PROTECTION IMPACT ASSESSMENT.) Instead, we get a curt statement of “after careful deliberation”.
Public Agencies can do better
Some will say, “Hou Fu, you’re nuts. The CPF Board can’t tell you about their data protection policies in a 500-word ST Forum letter.” I agree with you that the ST Forum is stupid. However, this information is still not publicly available. We are left with the same cookie-cutter Privacy Statement that every government agency publishes on its website. (By the way, the notice does not contain any exceptions for public interest disclosures.)
While the letter is an example of transparency, much more can be done to educate the public on how the CPF Board protects data. This is especially the case when the CPF Board deals with very sensitive and important personal data. Relegating this (and cyber security) to two links in the footer of the website does very little service.
Don’t get me wrong. I don’t believe the CPF Board meant to release the data to retaliate against the CPF member. I also don’t believe the CPF Board or any public agency doesn’t care about data protection just because they may be misinformed or haven’t done things the best way they could. The government is a huge organisation, filled with people who are their biggest liabilities and may not know better individually.
The most heartening part of the letter is that the CPF Board believes that it should represent a standard better than what is legal under the PDPA. Don’t forget that public agencies are not subject to the PDPA. If you press them on whether something is appropriate under the PDPA, the public agency can simply ignore it. Public agencies were supposed to be simply better, and it was not necessary to subject them to the PDPA.
It is obvious that change will come, but it might not be immediate. Hopefully this will only be one example of the evolution of data protection in Singapore. What are you seeing out there?