Striking the right balance

by

26 December 2016
Personal data protection

Personal data protection policy is a constant work in progress, and the Singapore Personal Data Protection Commission (PDPC) draws on different tools to deal with the spectrum of issues from “known unknowns” to the “unknown unknowns”.

Shedding light on this and on the philosophy behind Singapore’s personal data protection laws at a fireside chat during the Data Privacy Asia seminar in November, Yeong Zee Kin, Deputy Commissioner of the PDPC, said, “In Singapore, we actually have a very economic focus in promoting and enforcing the data protection law. We see data protection as key to building up the network or system of trust.”

The whole basis of Singapore’s Personal Data Protection Act is to ensure that organisations are able to maintain and benefit from a high level of trust from customers while being able to participate fully in the new economy and to benefit from data, said Yeong.

However, the shifting landscape of a data-driven economy means that personal data protection policy has to constantly evolve.

To deal with the “known unknowns”, PDPC looks ahead to identify the trends that need addressing and, through consultation, receives feedback and gets an idea of what the “burning issues” are. It also plugs into discussions with the rest of government to find out what their areas of focus are, and what they would like to achieve. “We take that feedback and draw up a plan for what are the areas where we think new advisory guidelines should be produced or existing ones amended,” said Yeong. This helps PDPC to deal with the “known knowns”.

At the other end of the spectrum are the “unknown unknowns”, and one mechanism that PDPC uses to deal with these is practical guidance. “Advisory guidelines may work for, say, 80 per cent of cases, but there could be some ambiguity, something we overlooked, a new development that we did not anticipate. So how do we deal with it?”

When companies write in with specific queries that are not covered within the advisory guidelines, PDPC puts the issue through the process of practical guidance. “Sometimes, unfortunately, the answer may be ‘No, you can’t do it’, but oftentimes we work with organisations to find a solution, to shape a service or product and find a way in which it can be delivered.”

PDPC’s message to businesses is this: “Protect the data, but don’t lock it up.”

“Don’t put too many layers of restrictions such that you are not able to participate and benefit from the new technologies that are coming on-stream that enable us to get better insights from data and use it in new ways to offer services,” said Yeong. “We need to strike a balance.”