Privacy laws applied to Government at last

Well, OK, we haven’t really seen the details yet, and we already know that there will be exceptions, and that it will be inherently time-limited because TraceTogether is supposed to go away when Covid comes under control. But the fact that the Government was forced to give in to calls for legal protection of contact tracing data is a big step forward for Singapore.

The Government has already announced that the legislation will be introduced under a Certificate of Urgency meaning that the First, Second and Third Readings of the Bill will be on the same day. This is unavoidable as it is necessary to restore public trust in SafeEntry/TraceTogether as soon as possible but it also means that there will be even less opportunity than usual to examine the Bill before it becomes law. Hopefully, the Government will release drafts of the Bill a reasonable time before it is introduced, rather than its usual practice of only releasing the text of a Bill at its First Reading, which in this case might be the same day that the Bill becomes law. Some things that we should watch out for:

What will be protected ?

The SNDGO press release mentioned “digital contact tracing solutions, which comprise the TraceTogether Programme and the SafeEntry Programme” so both platforms will likely be included. But what about contact tracing information obtained by non-digital means such as interviews ? A 65-year-old woman was recently sentenced to five months’ jail for trying to conceal her meetings with a male friend from MOH contact tracers. Would patients and close contacts be more forthcoming with contact tracers if they could be assured that anything they say to contact tracers would be kept confidential under force of law and would only be used for controlling disease ?

As a side note, while looking at the legislative history of the Infectious Diseases Act, I discovered that healthcare professionals are prohibited, with some exceptions, from disclosing that a person is HIV positive. Most of those exceptions are related to the treatment or prevention of AIDS, but one of the exceptions is disclosure to a police officer under the Criminal Procedure Code. The exception was added in 2008 but no explanation was given in Parliament as to why it was necessary. It would be useful for an MP to ask for clarification from the government whether non-digital information provided to contact tracers can be used for any purpose besides disease control.

How serious is a “serious crime” ?

The Progress Singapore Party (PSP) has issued a statement saying that contact tracing data should only be used for “fighting the pandemic and nothing else”. I am sympathetic to that view and look forward to PSP Non-Constituency Members of Parliament (NCMPs) Leong Mun Wai and Hazel Poa arguing that position in parliament. Pragmatically speaking, though, it would be very hard to legislate such a purist position even though other jurisdictions such as Australia have done so.

TraceTogether is certainly not required to conduct contact tracing. MOH contact tracers were very successful during SARS in 2003, and in the early stages of the Covid pandemic before electronic contact tracing was even introduced. All that digital contact tracing does is to reduce the manpower required and to make the process faster. Similarly, Police were investigating crimes long before SafeEntry/TraceTogether and will still be able to investigate crimes after the Covid pandemic is controlled and the government has promised that SafeEntry/TraceTogether will be stood down. The only reason to justify police access to contact tracing data is to speed up investigations where speed is critical (e.g. to prevent imminent likelihood of serious harm to somebody) or where there is no realistic way of obtaining the information (e.g. from a deceased person and where no other witnesses are known). Looking at the list of crimes that SNDGO has released, most could be justified on the grounds that speed is critical and that access to the data could reduce the risk of serious harm. The exception is drug trafficking. While we can argue over the long-term harm that is caused by drug addiction, it is hard to see any scenario where speed would be so essential that it would be necessary to make use of TraceTogether information to prevent imminent harm to others. I would assume that “drug trafficking” is included in the list more to signal the Government’s “tough on drugs” stance than for actual public safety reasons.

Categories of Serious Offences to be Covered:

1. Offences involving the use or possession of corrosive substances, offensive/dangerous weapons, e.g. possession of firearms, armed robbery with the use of firearms.
2. Terrorism-related offences under the Terrorism (Suppression of Bombings) Act, Terrorism (Suppression of Financing) Act, and Terrorism (Suppression of Misuse of Radioactive Material).
3. Crimes against persons where the victim is seriously hurt or killed, e.g. murder, culpable homicide not amounting to murder, voluntarily causing grievous hurt (where the victim’s injury is of a life-threatening nature).
4. Drug trafficking offences that attract the death penalty.
5. Escape from legal custody where there is reasonable belief that the subject will cause imminent harm to others.
6. Kidnapping.
7. Serious sexual offences, e.g. rape, sexual assault by penetration.

“Clear and pressing need” and “Who decides ?”

This is perhaps the most important part of the proposed law that must be scrutinised if it is not possible to hold to the position of a total ban on the use of contact tracing data for anything other than prevention of infectious disease. The Government says that digital contact tracing data will only be accessed if there is a “clear and pressing need” for it, but what exactly is a “clear and pressing need” and who decides whether a specific request meets that criterion ?

At a minimum, I would expect that any procedure for accessing contact tracing data would require the investigating officer to clearly specify the reasons for the request, the specific individual whose data is being targeted and why there is a “clear and pressing need” for the data, and that the request should be approved by an independent reviewer such as a Judge in a similar manner to how search warrants are issued today.

It will be meaningless if the investigating officer himself gets to decide that there is a “clear and pressing need” for the data. Might as well not bother with the law in the first place. The present requirement in the Criminal Procedure Code of police officers above the rank of sergeant or inspector is a very low bar because even Police full-time National Servicemen (NSFs) are routinely appointed as sergeants or inspectors. If a teenaged Police NSF sergeant is not even old enough to vote, I don’t think he is old enough to decide that there is a “clear and pressing need” to access contact tracing data.

What does the government mean by “Clear and pressing need” ? Does that mean that there is a likelihood of serious harm to an individual if the request for access is not granted ? If there are alternative means of obtaining the information that the police are looking for, there is no “pressing need” and the request should not be granted. I would also expect the police to have to demonstrate a reasonably clear idea of what they are looking for, rather than just going on a fishing expedition.

Data retention period

Both TraceTogether and SafeEntry claim that data is deleted after 25 days. That is relatively clear-cut in the case of TraceTogether data on your own app or token. That would be deleted if you do not test positive within that period. However, you may still leave some digital footprints for much longer than 25 days on other people’s TT or in the SE system.

For example, let’s say you briefly said “Hi” to Bob a week ago. Bob tests positive and MOH extracts his TT data. Under present guidelines, you would not be considered a close contact so MOH will not contact you. But would MOH decrypt your identifier anyway even though you only met Bob for one minute ? And once the identifier is decrypted, how long is the data kept if the subject is never identified as a close contact to be sent for Covid testing ?

Similarly, for SafeEntry, if no one who visits a particular location tests positive, MOH is supposed to delete the SafeEntry records for that location after 25 days. But let’s say Bob visited the supermarket a week before he tested positive and MOH extracts the list of everyone who visited the supermarket around the same time that Bob visited. But how long is “around the same time” ? Does that mean only a few hours or does it mean a few days before and after Bob’s visit ? How long do they keep the data if no-one else tests positive besides Bob ?

It’s not clear if the proposed legislation would also specify the data retention period (25 days) and most importantly, define the conditions under which data would be retained for longer than 25 days.

Ministerial exemptions

This is one of my pet peeves. Many laws in Singapore give the Minister substantial leeway to exempt people or classes of people from the law, or to unilaterally introduce subsidiary legislation that substantially changes requirements in an Act. An example of this was under the Personal Data Protection Act, where the Minister for Communications and Information announced exemptions that weakened key parts of the Do Not Call (DNC) registry just a week before the new law was to come into effect. Likewise, I would not be surprised if provisions that allow the Minister to unilaterally modify the privacy protections on contact tracing data are inserted into the legislation. Given that TraceTogether/SafeEntry are supposed to only be temporary anyway, it does not make sense for the Minister to be given that power. If the Government wishes to tighten any rules on accessing contact tracing data, they can do that with internal SOPs anyway. If they wish to loosen the rules, they should go back to Parliament since any changes to COVID regulations can be passed quickly under Certificates of Urgency.

Singapore’s DNC exemption is not a soft opt-in

The Personal Data Protection Commission (PDPC) has argued that the existing customer exemption was introduced to give consumers the choice of receiving promotional messages and also that other countries such as the UK had similar exemptions. These arguments are red herrings: Even without the exemption, individuals always had the choice of giving consent to receive promotional messages and the UK “soft opt-in” rules for existing customers require that individuals must be given a chance to opt out at the time their data was initially collected.

Had they wanted to, the PDPC could have implemented a “soft opt-in” in Singapore even without an exemption order. Considering that businesses had more than a year to prepare for the implementation of the DNC after the Act was passed, the PDPC could have encouraged businesses to make use of that window to get consent from their customers. Instead, the PDPC created a permanent exemption which inverts the basic premise of Data Protection that individuals have the right to control how their personal information is used. Instead of the default position being that businesses should not use a person’s data without permission, the default has been inverted such that the company has the right to send promotional messages until consent is withdrawn.

Granted, the fact is that most businesses did not prepare in advance and did not get express or implied consent to send marketing messages even to customers with whom they had an on-going relationship.  A hard stop once DNC kicked in may have been quite disruptive to many companies. Had a public consultation been held, I could have lived with a time-limited exemption under which businesses would be given a limited time, say one year, to get consent from their existing customers to send marketing messages. This would not be unduly onerous to businesses – If they claim to have an “ongoing relationship”, they should certainly be contacting that customer at least once a year anyway. Unfortunately, there was no public consultation so now we are stuck with a permanent exemption which subverts one of the basic principles of Data Protection.

Of the DNC, the White Paper and Our Singapore Conversation

Six MPs have submitted questions for Monday’s Parliament sitting regarding the implementation of the Do Not Call registry. Unfortunately, none of the questions directly address the fact that the government changed the regulations at the last minute without any public consultation. To recap, the government announced in 2011 that it would finally be introducing Data Protection legislation, some 22 years after the government first created a committee to study the issue. A Do Not Call (DNC) registry was to be included in the Personal Data Protection Act (PDPA) and three rounds of public consultation were held before the Act was passed by parliament in 2012.  The DNC registry opened for registration on 2 Dec 2013, but one week before the DNC rules were due to come into effect on 2 Jan 2014, the government announced an exemption that would allow businesses to SMS and fax existing customers. Telemarketers cheered but individuals were shocked and dismayed by the sudden weakening of a long-anticipated law that Singaporeans had hoped would protect them from junk calls and messages.

We can argue over whether the exemption is in fact “pragmatic” and “reasonable” or similar to other countries’ rules, but the fact is that the government changed the rules at the last minute, without warning and without any public consultation, in stark contrast to the far more open and transparent manner in which the PDPA and DNC rules were originally drafted. Three rounds of public consultation were held, and unless the commenter requested otherwise, all comments were published on the Ministry of Information, Communications and the Arts (MICA), now Ministry of Communications and Information (MCI), website. It was very much the open, transparent, consultative approach to policy making associated with the Our Singapore Conversation (OSC) and which Singaporeans hoped to see more of.

Yet once the rubber hit the road, the government fell back to its old, familiar method of formulating and implementing public policy. The government decided what was best for us behind closed doors and that was that. In other words, it’s the Population White Paper all over again. Just as the government views us as economic digits in calculating its target population for Singapore, the PDPC refers to us as “consumers” rather than as “individuals”. But of course, to be “consumers”, we have to consume and companies have to have a way to sell to us. The PDPC’s repeated claims that the exemption was made in the interests of consumers are at best paternalistic and at worst an attempt to turn black into white, just as they initially claimed that businesses never raised the issue of existing customers until after the close of public consultations. Ironically, one of the members of the PDPC had suggested that a public message board be created to take in ideas, views and comments as part of the National Conversation. In Arun Mahizhnan’s words, “Such transparency will go a long way to pacify the widespread perception that the government is selective in its hearing and self-serving in its sharing. After decades of careful orchestration of what the public says or hears in public, the completely transparent modus operandi on the part of the government will be refreshing and reassuring.” He goes on to say, “If the government explains its rationale for selecting only certain ideas for further consideration clearly and carefully, the fallout should be manageable.” While not completely open, the Data Protection public consultations held in 2011-2012 were fairly close to this ideal. In contrast, the process by which the existing customer exemption was created in 2013 was policy-reversal by fait accompli. The PDPC only grudgingly acknowledged there was even a policy reversal at all, let alone give a rationale for making the change. We most certainly were not given any chance to present counter-arguments against the exemption.

We have seen in 2013 two contrasting faces of the PAP. There was the PAP of the White Paper – arrogant, paternalistic, top-down – and the PAP of the OSC – open, consultative, touchy-feely. Much as the DNC exemption is, on the scale of things, a storm in a teacup, we can again see both sides of the government. During the initial public consultations for the Data Protection Act, we saw the open, consultative PAP of the OSC but when the DNC exemption was inserted without prior warning, we saw again the old arrogant, paternalistic, top-down and secretive PAP. So which is the real PAP ? Come 2016, which PAP will we be voting for ?

OBS, PA and Personal Data – Or Govt Privacy Fail

My company recently decided to send its leadership team for a team-building activity organised by Outward Bound Singapore (OBS) and asked us to fill in OBS’ course registration form which contained the usual disclaimers but buried in the consent clause was this statement: “I also authorise the Outward Bound Singapore to disclose my personal information to its employees/agencies as it is necessary for official purposes in connection with the People’s Association (including PAssion Card) Programmes.”

Why the heck should I give my personal information to the People’s Association (PA) as a condition of taking part in an OBS programme ? A bit of background here: OBS is the licensee of Outward Bound International in Singapore and is operated by the PA. The PA is a government agency that was set up to promote racial harmony and social cohesion. It does this through a network of Community Centres, so-called “grassroots organisations” and even a discount card programme, the PAssion Card referred to earlier.

In my last post, I speculated that the public sector would be excluded from Singapore’s Data Protection (DP) law and unfortunately I was proved correct when the Ministry of Information, Communication and the Arts (MICA) released its Consultation Paper on the proposed DP regime. According to MICA, the public sector will be excluded from the DP regime because “public sector rules accord similar levels of protections for personal data as the proposed DP law.”

Insofar as they apply to the private sector, MICA’s DP proposals do appear to be consistent with international norms such as the OECD Guidelines and APEC Privacy Framework. Among the principles that MICA has accepted is the principle of Consent, i.e., organisations must gain the consent of individuals before processing that person’s data. According to MICA’s Consultation Paper, “an organisation may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is necessary to provide the product or service.”

How can it be necessary for OBS to release my personal data to PA and the PAssion Card programme just to enroll me in a one-day team-building activity ? There was no check-off box for me to agree or disagree to disclosure of my data to third parties, just a single omnibus consent clause. The government has never revealed its internal rules for handling personal data but suffice to say, either OBS is not following the rules or the government’s rules do not in fact provide the same level of protection as the DP Act is intended to provide in the private sector. In any case, I struck off the part about disclosing data to PA and wrote in an additional “NO DISCLOSURE TO PA” for good measure on the form. We shall see whether I start to receive promotional mailings or phone calls from PA anyway despite my admonition to OBS not to disclose my data to PA.

In an interview with the Straits Times, the former head of the PA, Mr Tan Boon Huat, admitted that grassroots leaders may be given access to the profiles of PAssion Card members. In the Singapore context, “grassroots leaders” refers to some 30,000 office-holders in grassroots organisations around Singapore. While grassroots members are officially volunteers, they have close ties to ruling party Members of Parliament and their children receive preferential admission to schools in their district. Mr. Tan says that grassroots leaders have to follow the same confidentiality rules as PA staff but the fact is that grassroots leaders are volunteers – there is no contractual relationship between the PA and grassroots members – hence whatever rules PA may have are not legally binding on the grassroots leaders. Furthermore, because there is no employer-employee relationship between the PA and grassroots volunteers, PA is not legally responsible for the actions of a grassroots leader. According to the PA’s website there are 1,023,258 PAssion Card members today.

Quite apart from this specific case, there is a broader problem with the government’s claim that its internal rules provide sufficient protection for personal data. The basic fact is that internal rules are not the same as legislation. They can be changed at any time and even if the government were to break its own rules, affected individuals would have no legal recourse. Internationally, in a survey of 78 countries in Privacy Laws and Business International Report, all but Malaysia and India either included the public sector in their DP Laws or had separate legislation for the public sector. The United States and Thailand do not have comprehensive privacy laws for their private sectors, but have privacy laws covering their public sectors. Singapore therefore seems to be out of step with international trends in excluding its public sector from DP legislation.

I am not optimistic that the government will change its mind for this first iteration of the DP Act. However, I expect that there will be enhancements to Singapore’s DP regime in the future, and we can continue to urge the government to extend coverage of DP legislation to the public sector in Singapore in the near future.

[Previously published at Zdnetasia’s Tech Podium, http://www.zdnetasia.com/blogs/call-for-spore-data-protection-law-to-include-public-sector-62302750.htm]

Squirming out – The Standard

The importance of whistleblowers.

Thursday, August 05, 2010
Dennis Chong

Octopus Cards chief executive Prudence Chan Pik-wah stepped down yesterday to quell the uproar over the sale of private data, but the company’s board was accused of allowing her a dignified exit.

She will stay with the company for another six months to help respond to issues raised by the sale of private data.

Despite a promise to turn over data sales revenue exceeding HK$44 million to the Community Chest and a personal “sorry” from its CEO, a legislator worries that Chan could influence the probe that has been launched into the fiasco.

The Octopus board said last night it has accepted Chan’s resignation.

A senior executive from major shareholder Mass Transit Railway Corp, David Tang Chi-fai, will serve as interim chief executive before Chan officially departs in February “to ensure a smooth transition.”

But critics branded the resignation as a show, saying Chan will still have the power to intervene in the company’s review of data protection policies.

Legislator Wong Kwok-hing described Chan’s exit as a “dignified departure,” which gives him the impression the company is trying to sidetrack criticism.

“Chan is to stay for another six months and could affect the handling of the issue,” Wong said. “The company has not said how it will reform. I have strong reservations about the arrangement.”

He said: “More than one person is responsible,” adding he will continue his push in the Legislative Council for greater scrutiny.

Chan issued a statement last night, saying she is sorry. “I have given tremendous thought to the events over the past few weeks. I believe the current issue could have been better handled.”

Last night, media confronted Chan as she was getting into her car. She smiled and thanked the public for their concern but refused to say whether she resigned under pressure. Before getting back into the car, she urged the public to continue using Octopus Cards.

Following a five-hour board meeting, Octopus Holdings chairman Lincoln Leung Kwok-kuen said the company will ensure data sold to merchants is deleted. The company will also re-focus on its electronic payment business to restore goodwill.

Leung admitted the company does not have an exact figure on how much was made from data-selling business, which began in 2002.

He said an auditor will be called in to figure out the amount, which will include the HK$44 million it previously reported to have generated between 2006 and 2010.

Leung stressed Chan’s six-month notice period is stipulated in her contract.

She will be assisting in responding to queries arising from the issue and in reviewing data protection practices.

Asked whether he should step down as chairman, Leung said the company will be in a better position if he stays.

Chan was accused of making contradictory statements on whether Octopus was selling the personal data of cardholders. On July 7, Chan said the firm would not sell customer data to any third party. But a week later, a former insurance agent said CIGNA had bought the data of 2.4 million cardholders for marketing purposes. On July 20 Chan admitted Octopus sold personal data to two merchants.

In a Privacy Commission meeting on July 26, Chan further admitted the company earned HK$44 million over four and a half years by sharing personal data with six merchants.

Your Privacy Online – What They Know – WSJ.com

Notwithstanding the WSJ’s rabid right-wing leanings elsewhere in its editorial pages, this is a good series on the growth of user tracking across the web. The only criticism I have is that it only covers the activities of commercial advertisers.

This article helpfully provides links to pages that large internet companies provide to reveal what they know (or think they know and are willing to admit that they know) about you.

http://online.wsj.com/article/SB10001424052748703999304575399041849931612.html

As always, if this is what the companies most open to public scrutiny do, one wonders about organisations not subject to public scrutiny.

The Standard – China’s Business Newspaper

Octopus in for privacy grilling after data furor

Thomas Yau

Monday, July 26, 2010

Octopus Cards, which earlier admitted sharing customers’ data with two merchants, said it is discussing ways to terminate the contracts signed with them.

That came with company officials set to meet the privacy commissioner today.

Unionist Wong Kwok-hing asked the Legislative Council to demand details from Octopus on how much it got from disclosing the personal data of customers and, if necessary, to use the Powers and Privileges Ordinance to get the information.

Octopus also apologized to the public for providing personal data to merchants for marketing purposes, saying it would no longer do so. It said it was also “actively working” with Cigna and CPP to terminate the contracts.

The Federation of Trade Unions also said an investigation it conducted concluded that the Mass Transit Railway was the “big tiger” behind Octopus with 57.4 percent of its shares and that it did not do enough to prevent the disclosure of customer data.

In a report released yesterday, the union said that while MTR claimed it could not control the card company’s board of directors because it had only 49 percent of the voting rights, some of MTR’s senior staff such as general managers Jeny Yeung Mei-chun and Herbert Hui Leung-wah were on the Octopus Rewards board of directors.

In addition, Octopus chief executive Prudence Chan Pik-wah was listed in MTR’s annual report as “key corporate management.”

“By using MTR’s leading role in the city’s transport system and property development, Octopus Cards has been expanding dramatically. MTR in return, became Octopus Cards’ major supplier in many services,” the report said.

These services include the Octopus Card being used as ID cards in MTR-managed residential blocks’ security systems and checking students’ attendance in schools. “It is impossible that MTR is unaware of Octopus’s development,” it added.

The FTU urged the Office of the Privacy Commissioner for Personal Data to include representatives from MTR in its hearing and for the company to appear before the Legco panel.

“Let’s see if the privacy commissioner can burst the big tiger behind Octopus,” Wong said.

An MTR spokeswoman said Octopus was an independent company and that it should explain the issue.

via The Standard – China’s Business Newspaper.