There are many unique aspects of Singapore’s data protection regime, but few attract more attention than the fact that the Personal Data Protection Act excludes the government. Since the Government is so pervasive in our lives, this gives rise to some confusion amongst Singaporeans as to what the PDPA actually covers.

On the one hand, since the massive data leaks happening at government agencies and public health agencies, the Government was under much pressure to take action. The government was also questioned as to why it was excluded from the PDPA. The official answer is that the government is subject to comparable if not higher standards of data protection.

However, there is another thread in this story. To defend itself in the public, government agencies appear to have no qualms releasing personal information to the public. Do government agencies know the power of the data they possess over a person? Do they know how it should be used?

First steps in accountability for the Government#

This is not fresh news, but the Government’s Smart Nation has announced that it implemented the first tranche of Public Sector Data Security Review Recommendations. The two main initiatives launched were a microsite to explain the government’s data protection standards and a place to complain about data protection breaches by public agencies.

Briefly, these are great initiatives. They didn’t exist before so it is great that they do now. I do suspect that there will still be many more questions regarding government practices directed at the PDPC. Most Singaporeans, rightly or wrongly, still associate the PDPC with data protection.

A closer look at the government’s explanation of their data protection standards is also insightful. I was surprised to see how closely the explanation tracked the Personal Data Protection Act. Right down to the definitions. Right down to the exclusions. It confirms the government’s position that the standards are broadly applicable to both the public and private sectors.

As the first step, I believe they are promising. Let’s not forget that progress is never a given. I worried that the Government was focusing too much on data security. Thankfully, the data protection standards are fairly comprehensive in Singapore’s context.

While legal structures and personal data protection policies are important, the difficulty is in application. Let’s hope for less cookie-cutter Privacy Statements (no update on that one) and limp explanations of the processes public agencies undertake to process personal data.

In a national crisis, will Data Protection be pushed aside?#

Setting up an information microsite and a hotline would be great news for the Government’s Smart Nation. However I suspect that they are very focused on COVID-19 right now. In particular, their TraceTogether contact tracing app, which made world headlines. They open-sourced the app! Wrote a white paper!

Unfortunately the enthusiasm for the app did not translate into adoption. Reportedly only 10-20% of the population had downloaded it. (Full disclosure: I didn’t) This is bad news because a contact tracing app needs to be downloaded by a critical mass of people to be effective.

This has led some people to suggest that we have to give up privacy to have less lockdown.

It is puzzling why Singapore has not taken advantage of the Government’s exclusion from the Personal Data Protection Act (PDPA) to exercise the needed decisiveness in this virus outbreak.

Irene Tham, “No other way but to make use of TraceTogether mandatory”, Straits Times (1 May 2020)

The most saddening and maddening aspect of this case is that the people who did TraceTogether thought about data protection seriously. Based on the information provided, I do think they have made the best decisions available. The fact that Google and Apple and other countries are basing their apps on TraceTogether confirms that we are heading down the right path.

I am glad that the government did not take the easy way out of claiming some exclusion. They did not need it in the first place. In the particular case of TraceTogether, a public agency has done data protection, and it should be the model for the public sector.

If we are going to sacrifice privacy in the name of TraceTogether, it would be a sad day for the folks who are trying hard to convey the message that the Government is not above the law for data protection.

Conclusion#

Data Protection can’t be done in a crisis. If the business is losing money, the temptations to wrongfully exploit personal data for profit can easily overcome “data protection”. Similarly, even the best plans can be let down by implementation. However, data protection, like other compliance programs, are critical for us to make ethical decision in extraordinary times. Progress is never a given, so hang in there!

Oh… and here’s hoping that the lockdown ends quickly and safely.