Susan Long (2002)

Guess who’s reading your personal data today?

Susan Long, Straits Times, 18 May 2002

A controversy over the lack of privacy protection has broken out in The Straits Times Forum pages. Many readers complain that their personal data are being transmitted from one agency to another without their consent. Has the line between legitimate dissemination of private information and invasion of privacy been crossed? Our senior correspondent finds out why privacy safeguards are falling behind here.

TWELVE years ago, a five-man committee, headed by Associate Professor Chin Tet Yung, was formed to study data protection in Singapore.

Commissioned by the Government, the panel produced a 27-page working paper that recommended privacy laws for both the private and public sector that would give Singaporeans the right to check on their personal data kept by government agencies, credit-card companies and banks.

But despite the presence of high-powered members from the Attorney-General’s Chambers and the National Computer Board, the proposal never made it through the legislative process.

What stood in the way of legislating privacy here was an ambivalent social climate then, says Prof Chin, who was then chairman of the Singapore Academy of Law’s technology and law sub-committee.

‘To put it really bluntly, there was zero awareness of the rights of data subjects then. Only lawyers were not in favour of data sharing.

‘The man in the street thought it was a very practical idea to give his change of address to just one government agency and have it circulated to all other departments,’ says Prof Chin, who is now chairman of the Government Parliamentary Committee for Law and Home Affairs and MP for Sembawang GRC.

Another school of thought among technology watchers is that at that time, the Government was pushing computerisation and legislation would have made companies more unwilling to adopt expensive data-collecting computers over manual systems.

A decade ago, the concept of privacy as a human right was probably seen as too individualistic and even more anathema to the Government than it is today.

The result is that the road to privacy protection has become a long and winding one dogged by false starts and stops and dissolved committees with no end in sight.

True to its ‘private’ nature, the process has been shrouded in hush-hush speculation and seen as only applicable to the private – but not the public – sector here.

A dozen years after Prof Chin’s committee made its recommendations, no law has been passed and data protection is still officially ‘under review’.

In March, Straits Times reader Dennis Tan rekindled the issue when he wrote to the Forum page complaining that his national service exit-permit details were made available to the match-making agency, Social Development Unit (SDU).

Suddenly, as if a hornets’ nest had been disturbed, a string of about 20 indignant letters appeared in this newspaper. The writers demanded to know why the universities here were blithely sharing matriculation details of their students – without their permission – with the SDU.

What is the Government’s position on privacy? What are its safeguards for citizens? These queries were met by feeble and familiar-sounding replies from the National University of Singapore, Nanyang Technological University and the Ministry of Defence.

They said that that only names, NRIC numbers and addresses were given to SDU for the ‘sole purpose of membership’. All the official letters ended with the line: ‘We are currently reviewing our working arrangements with SDU’.

CROSSING THE LINE

BUT for now, the question is: Has the thin red line between legitimate dissemination of private information and invasion of privacy been crossed?

Definitely, says all the technology and society watchers interviewed by Insight.

Double standards prevail here, charges Dr Ngiam Shih Tung, who has spent years researching privacy issues and contributed to the 1990 working paper on data protection.

‘If you were to call NUS or NTU and ask for a student’s phone number, they will tell you that they cannot release the information for privacy reasons. Yet they released the information to SDU, which is no different from giving student details to credit-card companies and other mass marketeers,’ says the engineer in an aviation service company.

Prof Chin maintains that in principle, information supplied for one purpose should not be used for another, without the person’s consent.

But as no such data-protection legislation exists here, the universities and Mindef did not breach any law. As global privacy watchdog, http://www.privacyinternational.org, notes, Singaporeans do not seem to have ‘any explicit right to privacy’.

Some technology watchers contend that the real reason why privacy legislation never took off here is that the Government, a big data collector and user itself, was resisting tying its own hands.

Citing incidences of privacy violations, they recall how the Ministry of Home Affairs scanned 200,000 SingNet subscribers’ computers without informing them in 1999.

PRIVATE VERSUS PUBLIC

GOING by the complaints in the Forum pages these days, most revolve around privacy violations by the Government or government-linked entities.

According to a recent ST Interactive survey, 80 per cent of readers felt that the personal information collected in databases was being disseminated too freely. They complained about the numerous instances in which personal data, ranging from one’s religion to O-level results, were collected with scant justification.

Of late, some telecommunication companies seem to be following suit in this information-gathering frenzy. For example, when buying a prepaid card to set up roaming on your mobile phone, you have to furnish your NRIC number, address and existing phone numbers, among other details.

SingTel claimed it did not really need the data for demand analysis but did so because it was a stipulation of the regulator, the Infocomm Development Authority of Singapore (IDA).

When contacted, all IDA would say was: ‘The telecommunication operator has the right to take precautionary measures, as part of its customer-relationship management practices, to minimise and manage any risk of fraud among users of its services.’ Other questions drew a frustrating blank.

Relating an encounter with another regulator, Mr Harish Pillay, founder of Maringo Tree Technologies, a start-up that focuses on cryptography, security and embedded systems, remembers how, five years after setting up website Sintercom together with Dr Tan Chong Kee, they were asked by the Singapore Broadcasting Authority to register the site just before the General Election last year.

The registration form demanded his NRIC number and home address and details of his employer and salary.

‘What those bits of information got to do with registration is beyond me. It merely serves to instil fear,’ he said. In the end, they shut down Sintercom in protest.

But the latest episode sparking an outcry in the Forum pages is TransitLink’s insistence on recording the NRIC numbers of people buying ‘subsidised’ ez-link cards.

TransitLink says the NRIC numbers are required to track the $2 card ‘subsidies’ handed out to Singaporeans. But letter writers questioned TransitLink’s ‘business sense’ in paying someone to write the software to collect the NRIC numbers and stretching out each sale to record the numbers, which resulted in long queues.

Dr Ngiam calls this ‘a classic example of a government-linked agency failing to consider the actual costs and benefits before collecting personal information’.

The consequence is not just privacy intrusion but needless paperwork and red tape. It also cascades down to an overall lack of respect for what should be protected personal data, which is guarded jealously in most advanced countries.

The identity card system, for example, does not exist in Britain because of heightened awareness of privacy. In the United States, the social security number is strictly confidential and disclosed only for tax and employment purposes.

In stark contrast, the NRIC is flagrantly demanded here as ‘collateral’ by security guards in government and private offices and even condominiums. Names and NRIC numbers of winners of lucky draws are also regularly flashed in the newspapers for all and sundry to see.

The official stance on privacy was best expressed by Health and Second Finance Minister Lim Hng Kiang during the Budget Debate on Wednesday.

He said that although the Government recognises that data confidentiality is crucial, it does not want its agencies to develop into silos that collect and refuse to share their own data, which would affect service levels here.

Others say that it is transparency, not privacy, which matters more in this treacherous post-Sept 11 climate, in which freer access to personal information is needed to combat the rise in terrorism, computer crimes and so on.

CASE FOR LEGISLATION

STILL, technology watchers point out that it would not hurt to have an independent Privacy Ombudsman, as in countries like Finland. His first task could be to do a comprehensive reassessment of the data requirements of government agencies.

Right now, Singapore’s privacy safeguards are woefully inadequate, compared to most advanced countries which have updated their privacy-protection laws to cope with the phenomenal growth of the Internet and increased risks of hacking.

There is no omnibus privacy law or governing authority in Singapore, beyond a small unit which looks at privacy matters at the Ministry of Finance, headed by Mr Panneer Selvan. When contacted, a ministry spokesman said he was ‘too busy’ to shed more light on the nature of its business.

What exists are bits and pieces of private-sector self-regulatory measures such as a Telecommunication Competition Code, which prevents telcos from using customer data indiscriminately, and the Banking Act, which prohibits disclosure of financial information without the customer’s permission.

In 1998, the National Internet Advisory Board released an industry-based self-regulatory e-commerce code for the Protection of Personal Information and Communications of Consumers of Internet Commerce.

Earlier this year, the industry-led National Trust Council launched a public-consultation exercise on its model Data Protection Code for the private sector. It is trying to come up with a privacy code for Singapore businesses and approaches privacy solely as a means of promoting e-commerce.

As Dr Ngiam remarks wryly, this is ‘a typically Singaporean approach – viewing everything through an economic rather than a humanistic lens’.

‘It is ironic that IDA is trying to introduce a privacy code for the private sector but remains silent about privacy in the public sector. The reality is that in Singapore, abuses of privacy by private organisations are nuisances at most, but abuses of privacy by the Government can have far more severe consequences,’ he says.

The poser he and others set: How can the Government put in place privacy protection laws for the private sector unless it leads the way, as it did in implementing IT in Singapore, and adopts a privacy code itself first?

After all, privacy laws in Europe, Australia, Canada and Hongkong cover both the private sector and the government. Even business-minded America, which is reluctant to adopt privacy laws for the private sector, has a Privacy Act and Paperwork Reduction Act which guard against government agencies misusing personal information.

Detractors sum up the Government’s attitude towards privacy with this analogy: ‘My right and your privilege’.

It pays lip service to privacy but being aware of the importance of data protection is scarely enough.

Credible privacy policies must be put in place soon – and preferably not only when Singapore’s hand is forced on the verge of signing a free-trade agreement with a data-protection stickler like the European Union.

Privacy safeguards

Hongkong: The Privacy Commissioner’s Office ensures compliance with its Personal Data (Privacy) Ordinance, which covers both the private and public sector.

The law gives Hongkongers the right to be informed of the use of their personal data and to expect that the information is accurate, up-to-date, secure and kept for no longer than necessary.

No one has a right to compel a person to provide his ID card number unless authorised by law.

Britain: The Information Commissioner, who reports directly to Parliament, is empowered to promote respect for the private lives of individuals, accountability of public authorities and good information-handling.

The Data Protection Act and Freedom of Information Act govern both the private and public sector. Because of public antagonism towards the concept of data sharing, there is no national identity card system.

Canada: The Privacy Commissioner of Canada is authorised to investigate complaints. The Privacy Act and the Personal Information Protection and Electronic Documents Act give individuals the right to access and correct personal information held about them by the government and other organisations. Social insurance numbers are generally kept private except when required for a specific or legitimate purpose.

United States: The Office of Information and Regulatory Affairs is charged with meeting annual paperwork-reduction goals and reviewing the information management of each federal agency. For the public sector, the Privacy Act and Paperwork Reduction Act safeguard against the misuse of records and require that the government collect information with a minimum burden on the public and at a minimum cost to itself.

The private sector has its own sector-specific legislation. Social security numbers are confidential and not disclosed except for tax or employment purposes.

Data Protection in Singapore https://stngiam.wordpress.com http://www.ngiam.net (Dormant)

%d bloggers like this: