My company recently decided to send its leadership team for a team-building activity organised by Outward Bound Singapore (OBS) and asked us to fill in OBS’ course registration form which contained the usual disclaimers but buried in the consent clause was this statement: “I also authorise the Outward Bound Singapore to disclose my personal information to its employees/agencies as it is necessary for official purposes in connection with the People’s Association (including PAssion Card) Programmes.”
Why the heck should I give my personal information to the People’s Association (PA) as a condition of taking part in an OBS programme? A bit of background here: OBS is the licensee of Outward Bound International in Singapore and is operated by the PA. The PA is a government agency that was set up to promote racial harmony and social cohesion. It does this through a network of Community Centres, so-called “grassroots organisations” and even a discount card programme, the PAssion Card referred to earlier.
In my last post, I speculated that the public sector would be excluded from Singapore’s Data Protection (DP) law and unfortunately I was proved correct when the Ministry of Information, Communication and the Arts (MICA) released its Consultation Paper on the proposed DP regime. According to MICA, the public sector will be excluded from the DP regime because “public sector rules accord similar levels of protections for personal data as the proposed DP law.”
Insofar as they apply to the private sector, MICA’s DP proposals do appear to be consistent with international norms such as the OECD Guidelines and APEC Privacy Framework. Among the principles that MICA has accepted is the principle of Consent, i.e., organisations must gain the consent of individuals before processing that person’s data. According to MICA’s Consultation Paper, “an organisation may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is necessary to provide the product or service.”
How can it be necessary for OBS to release my personal data to PA and the PAssion Card programme just to enroll me in a one-day team-building activity? There was no check-off box for me to agree or disagree to disclosure of my data to third parties, just a single omnibus consent clause. The government has never revealed its internal rules for handling personal data but suffice it to say, either OBS is not following the rules or the government’s rules do not in fact provide the same level of protection as the DP Act is intended to provide in the private sector. In any case, I struck off the part about disclosing data to PA and wrote in an additional “NO DISCLOSURE TO PA” for good measure on the form. We shall see whether I start to receive promotional mailings or phone calls from PA anyway despite my admonition to OBS not to disclose my data to PA.
In an interview with the Straits Times, the former head of the PA, Mr Tan Boon Huat, admitted that grassroots leaders may be given access to the profiles of PAssion Card members. In the Singapore context, “grassroots leaders” refers to some 30,000 office-holders in grassroots organisations around Singapore. While grassroots members are officially volunteers, they have close ties to ruling party Members of Parliament and their children receive preferential admission to schools in their district. Mr. Tan says that grassroots leaders have to follow the same confidentiality rules as PA staff but the fact is that grassroots leaders are volunteers – there is no contractual relationship between the PA and grassroots members – hence whatever rules PA may have are not legally binding on the grassroots leaders. Furthermore, because there is no employer-employee relationship between the PA and grassroots volunteers, PA is not legally responsible for the actions of a grassroots leader. According to the PA’s website there are 1,023,258 PAssion Card members today.
Quite apart from this specific case, there is a broader problem with the government’s claim that its internal rules provide sufficient protection for personal data. The basic fact is that internal rules are not the same as legislation. They can be changed at any time and even if the government were to break its own rules, affected individuals would have no legal recourse. Internationally, in a survey of 78 countries in Privacy Laws and Business International Report, all but Malaysia and India either included the public sector in their DP Laws or had separate legislation for the public sector. The United States and Thailand do not have comprehensive privacy laws for their private sectors, but have privacy laws covering their public sectors. Singapore therefore seems to be out of step with international trends in excluding its public sector from DP legislation.
I am not optimistic that the government will change its mind for this first iteration of the DP Act. However, I expect that there will be enhancements to Singapore’s DP regime in the future, and we can continue to urge the government to extend coverage of DP legislation to the public sector in Singapore in the near future.
[Previously published at Zdnetasia’s Tech Podium, http://www.zdnetasia.com/blogs/call-for-spore-data-protection-law-to-include-public-sector-62302750.htm]