OBS, PA and Personal Data – Or Govt Privacy Fail

My company recently decided to send its leadership team for a team-building activity organised by Outward Bound Singapore (OBS) and asked us to fill in OBS’ course registration form which contained the usual disclaimers but buried in the consent clause was this statement: “I also authorise the Outward Bound Singapore to disclose my personal information to its employees/agencies as it is necessary for official purposes in connection with the People’s Association (including PAssion Card) Programmes.”

Why the heck should I give my personal information to the People’s Association (PA) as a condition of taking part in an OBS programme? A bit of background here: OBS is the licensee of Outward Bound International in Singapore and is operated by the PA. The PA is a government agency that was set up to promote racial harmony and social cohesion. It does this through a network of Community Centres, so-called “grassroots organisations” and even a discount card programme, the PAssion Card referred to earlier.

In my last post, I speculated that the public sector would be excluded from Singapore’s Data Protection (DP) law and unfortunately I was proved correct when the Ministry of Information, Communication and the Arts (MICA) released its Consultation Paper on the proposed DP regime. According to MICA, the public sector will be excluded from the DP regime because “public sector rules accord similar levels of protections for personal data as the proposed DP law.”

Insofar as they apply to the private sector, MICA’s DP proposals do appear to be consistent with international norms such as the OECD Guidelines and APEC Privacy Framework. Among the principles that MICA has accepted is the principle of Consent, i.e., organisations must gain the consent of individuals before processing that person’s data. According to MICA’s Consultation Paper, “an organisation may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is necessary to provide the product or service.”

How can it be necessary for OBS to release my personal data to PA and the PAssion Card programme just to enroll me in a one-day team-building activity? There was no check-off box for me to agree or disagree to disclosure of my data to third parties, just a single omnibus consent clause. The government has never revealed its internal rules for handling personal data but suffice to say, either OBS is not following the rules or the government’s rules do not in fact provide the same level of protection as the DP Act is intended to provide in the private sector. In any case, I struck off the part about disclosing data to PA and wrote in an additional “NO DISCLOSURE TO PA” for good measure on the form. We shall see whether I start to receive promotional mailings or phone calls from PA anyway despite my admonition to OBS not to disclose my data to PA.

In an interview with the Straits Times, the former head of the PA, Mr Tan Boon Huat, admitted that grassroots leaders may be given access to the profiles of PAssion Card members. In the Singapore context, “grassroots leaders” refers to some 30,000 office-holders in grassroots organisations around Singapore. While grassroots members are officially volunteers, they have close ties to ruling party Members of Parliament and their children receive preferential admission to schools in their district. Mr. Tan says that grassroots leaders have to follow the same confidentiality rules as PA staff but the fact is that grassroots leaders are volunteers – there is no contractual relationship between the PA and grassroots members – hence whatever rules PA may have are not legally binding on the grassroots leaders. Furthermore, because there is no employer-employee relationship between the PA and grassroots volunteers, PA is not legally responsible for the actions of a grassroots leader. According to the PA’s website there are 1,023,258 PAssion Card members today.

Quite apart from this specific case, there is a broader problem with the government’s claim that its internal rules provide sufficient protection for personal data. The basic fact is that internal rules are not the same as legislation. They can be changed at any time and even if the government were to break its own rules, affected individuals would have no legal recourse. Internationally, in a survey of 78 countries in Privacy Laws and Business International Report, all but Malaysia and India either included the public sector in their DP Laws or had separate legislation for the public sector. The United States and Thailand do not have comprehensive privacy laws for their private sectors, but have privacy laws covering their public sectors. Singapore therefore seems to be out of step with international trends in excluding its public sector from DP legislation.

I am not optimistic that the government will change its mind for this first iteration of the DP Act. However, I expect that there will be enhancements to Singapore’s DP regime in the future, and we can continue to urge the government to extend coverage of DP legislation to the public sector in Singapore in the near future.

[Previously published at Zdnetasia’s Tech Podium, http://www.zdnetasia.com/blogs/call-for-spore-data-protection-law-to-include-public-sector-62302750.htm]

Squirming out – The Standard

The importance of whistleblowers.

Thursday, August 05, 2010
Dennis Chong

Octopus Cards chief executive Prudence Chan Pik-wah stepped down yesterday to quell the uproar over the sale of private data, but the company’s board was accused of allowing her a dignified exit.

She will stay with the company for another six months to help respond to issues raised by the sale of private data.

Despite a promise to turn over data sales revenue exceeding HK$44 million to the Community Chest and a personal “sorry” from its CEO, a legislator worries that Chan could influence the probe that has been launched into the fiasco.

The Octopus board said last night it has accepted Chan’s resignation.

A senior executive from major shareholder Mass Transit Railway Corp, David Tang Chi-fai, will serve as interim chief executive before Chan officially departs in February “to ensure a smooth transition.”

But critics branded the resignation as a show, saying Chan will still have the power to intervene in the company’s review of data protection policies.

Legislator Wong Kwok-hing described Chan’s exit as a “dignified departure,” which gives him the impression the company is trying to sidetrack criticism.

“Chan is to stay for another six months and could affect the handling of the issue,” Wong said. “The company has not said how it will reform. I have strong reservations about the arrangement.”

He said: “More than one person is responsible,” adding he will continue his push in the Legislative Council for greater scrutiny.

Chan issued a statement last night, saying she is sorry. “I have given tremendous thought to the events over the past few weeks. I believe the current issue could have been better handled.”

Last night, media confronted Chan as she was getting into her car. She smiled and thanked the public for their concern but refused to say whether she resigned under pressure. Before getting back into the car, she urged the public to continue using Octopus Cards.

Following a five-hour board meeting, Octopus Holdings chairman Lincoln Leung Kwok-kuen said the company will ensure data sold to merchants is deleted. The company will also re-focus on its electronic payment business to restore goodwill.

Leung admitted the company does not have an exact figure on how much was made from data-selling business, which began in 2002.

He said an auditor will be called in to figure out the amount, which will include the HK$44 million it previously reported to have generated between 2006 and 2010.

Leung stressed Chan’s six-month notice period is stipulated in her contract.

She will be assisting in responding to queries arising from the issue and in reviewing data protection practices.

Asked whether he should step down as chairman, Leung said the company will be in a better position if he stays.

Chan was accused of making contradictory statements on whether Octopus was selling the personal data of cardholders. On July 7, Chan said the firm would not sell customer data to any third party. But a week later, a former insurance agent said CIGNA had bought the data of 2.4 million cardholders for marketing purposes. On July 20 Chan admitted Octopus sold personal data to two merchants.

In a Privacy Commission meeting on July 26, Chan further admitted the company earned HK$44 million over four and a half years by sharing personal data with six merchants.

Your Privacy Online – What They Know – WSJ.com

Notwithstanding the WSJ’s rabid right-wing leanings elsewhere in its editorial pages, this is a good series on the growth of user tracking across the web. The only criticism I have is that it only covers the activities of commercial advertisers.

This article helpfully provides links to pages that large internet companies provide to reveal what they know (or think they know and are willing to admit that they know) about you.


As always, if this is what the companies most open to public scrutiny do, one wonders about organisations not subject to public scrutiny.

The Standard – China’s Business Newspaper

Octopus in for privacy grilling after data furor

Thomas Yau

Monday, July 26, 2010

Octopus Cards, which earlier admitted sharing customers’ data with two merchants, said it is discussing ways to terminate the contracts signed with them.

That came with company officials set to meet the privacy commissioner today.

Unionist Wong Kwok-hing asked the Legislative Council to demand details from Octopus on how much it got from disclosing the personal data of customers and, if necessary, to use the Powers and Privileges Ordinance to get the information.

Octopus also apologized to the public for providing personal data to merchants for marketing purposes, saying it would no longer do so. It said it was also “actively working” with Cigna and CPP to terminate the contracts.

The Federation of Trade Unions also said an investigation it conducted concluded that the Mass Transit Railway was the “big tiger” behind Octopus with 57.4 percent of its shares and that it did not do enough to prevent the disclosure of customer data.

In a report released yesterday, the union said that while MTR claimed it could not control the card company’s board of directors because it had only 49 percent of the voting rights, some of MTR’s senior staff such as general managers Jeny Yeung Mei-chun and Herbert Hui Leung-wah were on the Octopus Rewards board of directors.

In addition, Octopus chief executive Prudence Chan Pik-wah was listed in MTR’s annual report as “key corporate management.”

“By using MTR’s leading role in the city’s transport system and property development, Octopus Cards has been expanding dramatically. MTR in return, became Octopus Cards’ major supplier in many services,” the report said.

These services include the Octopus Card being used as ID cards in MTR-managed residential blocks’ security systems and checking students’ attendance in schools. “It is impossible that MTR is unaware of Octopus’s development,” it added.

The FTU urged the Office of the Privacy Commissioner for Personal Data to include representatives from MTR in its hearing and for the company to appear before the Legco panel.

“Let’s see if the privacy commissioner can burst the big tiger behind Octopus,” Wong said.

An MTR spokeswoman said Octopus was an independent company and that it should explain the issue.

via The Standard – China’s Business Newspaper.

Singapore Law Watch

Title: Police sought Google user info
Source: Straits Times
Author: Chua Hian Hou

SINGAPORE police and other law enforcement agencies have, over several occasions last year, asked Internet search giant Google to surrender information on its users.

Although Google refused to say what information was requested, The Straits Times understands that it could include what a user was looking for, when and where he used a Google service like Blogger, and even the contents of his Gmail account.

So far, police have asked for information on 62 Internet users, over a six-month period between July and December 2009.

Google disclosed this on a new website, http://www.google.com/governmentrequests, on Wednesday.

On the official Google blog, the company’s chief legal officer David Drummond said it ‘regularly receives requests from law enforcement agencies to hand over private user data… The vast majority of these requests are valid, and the information needed is for legitimate criminal investigations’.

Police spokesman Tham Yee Lin would say only that information obtained during police investigations is confidential.

Google spokesman Dickson Seow declined to elaborate on the specifics of Singapore’s requests. He said the company has always tried to protect its users’ privacy and therefore does not automatically comply with every such request. He added that whether it complies, and the extent to which it does, depends on the specifics of the case.

But lawyer Bryan Tan, who specialises in technology-related issues, said that companies like Google have to comply so long as the requesting party has the right to such information.

For instance, in pursuing an online scam, the police can ask Google for details of the alleged scammer’s Google profile, so that they can get clues to the perpetrator’s identity. Such requests are unlikely to meet much resistance, said Mr Tan.

A total of 40 countries had requested information about its users, said Google.

Law enforcement officials from Brazil, where Google’s Orkut social networking site is very popular, topped the list with 3,663 requests, ahead of the United States (3,580), the United Kingdom (1,166) and India (1,061).

But there was a noticeable absence in its list: China. By way of explanation, Google said ‘Chinese officials consider censorship demands as state secrets, so we cannot disclose that information at this time’.

Besides requests for user data, the world’s most popular search engine – which also owns the YouTube video-streaming service, the Blogger weblog host, Google Maps and Street View virtual maps – received a number of requests to remove content on its sites over the same period.

‘Many of these requests are entirely legitimate, such as requests for the removal of child pornography,’ said Mr Drummond.

Some requests, though, may be over civil complaints, said Mr Seow.

Examples include a band asking Google to remove a YouTube video which made use of its songs without permission, or an allegedly defamatory blog posting. There were fewer than 10 such requests; it complied with just half, Google said.