Privacy Act sows confusion

The past few weeks have brought about another slew of confusion related to the Personal Data Protection Act (PDPA), which kicked in on July 2. Some bank statements were free of marketing inserts after the banks decided that the Act prevented them from sending anything, for example, while others were filled with fliers. A small non-profit organisation grappled with the question of whether a sign at the entrance to an auditorium was sufficient to comply with the Act and allow it to use photos from an event it held there. The human resource department at an SME increased the workload of its already-overburdened staff to ensure compliance with the Act.

These activities are only a few of many that illustrate the complexity and confusion that still surround the PDPA. Indeed, more than a month after the Act came into effect, organisations large and small continue to struggle to interpret the Act and figure out how to comply with it. Some even seem unaware as to what the Act requires them to do.

The PDPA is clearly well-intentioned. Before it came into effect, consumers were increasingly inundated with unsolicited marketing calls using their personal data, and concerns about companies abusing data to target consumers were growing. Cases of consumers being scammed or harassed when their data was used inappropriately were also on the rise.

The Act was designed to address these and a myriad other worries. As Mr Yaacob Ibrahim, Minister for what was then the Ministry of Information, Communications and the Arts, explained during the second reading of the Act in 2012, consumers need a data protection regime to address growing concerns over the use of their personal data and to maintain trust in organisations which manage their data. The Act also strengthened Singapore’s position as a trusted business hub, he said, by putting it on par with other countries that have enacted data protection laws.

To ensure its effectiveness, any person guilty of an offence under the PDPA can be fined up to S$1 million or sentenced to three years in prison.

However well-intentioned it may be, the Act has created immense challenges and costs. As consulting firm PWC stated after the Act was passed, the challenges range from taking an inventory of all requirements and establishing a data protection structure to revisiting the way an organisation manages its entire set of clients’ and employees’ personal data.

Another difficulty is simply in understanding the Act. As an example of how complex the law is, NTUC’s Data Protection Officer Training Programme takes four full days to explain how the Act works and lay just a practical foundation. Guidelines issued by the Personal Data Protection Commission (PDPC) last year, one of many documents explaining the Act, run to more than 100 pages.

And obtaining information can be difficult. As Singapore Dental Association president Kuan Chee Keong wrote earlier this year, perhaps reflecting concerns in other sectors as well, “the PDPA commission, overwhelmed with the brouhaha over the DNC Registry, has no time to address concerns in other sectors. The healthcare sector will just have to wait for our turn.” It was only last week, more than two months after the Act came into effect, that the PDPC issued further guidelines only for the healthcare, social, education and photography sectors.

Perhaps understandably, then, an Industry Readiness Survey, conducted by the PDPC earlier this year, showed that half of organisations did not have adequate data protection measures in place and were not clear about what needed to be done.

While more organisations may have figured out parts of the Act since then, a significant number are still not in compliance with the law.

MAKING THE ACT LESS CONFUSING

While the Act came into effect only on July 2, it has been clear that organisations find it challenging to figure out and implement the Act.

Given this, at least three steps seem imperative. The first is to publicise the Act so that more organisations know about it.

While policymakers may assume that everyone knows about the Act, talks held with SMEs and non-profit organisations as well as ordinary citizens indicate that many do not know about the PDPA or think that it does not apply to them. An effective publicity campaign is also essential.

Next, organisations, such as the chambers of commerce or the PDPC, could develop better programmes to help companies understand the Act.

Data protection officers need tools to explain how to implement the Act correctly, such as easy-to-understand guidelines, YouTube videos that go beyond only an introduction, quick answers to questions and other materials which explain things better than four-day workshops or hundreds of pages of guidelines.

Finally, a set of templates would make implementation easier. While each organisation is different and templates need to be tailored to their needs, easily obtainable samples of procedures, job descriptions and other materials would dramatically reduce the burden of compliance for many organisations.

Since even banks and other companies with enormous budgets have varying understanding of how to interpret the Act, it seems apparent that far greater efforts are needed to ensure organisations adhere to the letter and the spirit of the Act.

While the PDPA can bring about tremendous benefits in the long run, more support to make its implementation easier may be the only way to avoid burdening well-intentioned organisations across the island and ensure the legislation achieves its goal.

ABOUT THE AUTHOR:

Richard Hartung is a financial services consultant who has lived in Singapore since 1992.