|
|
[Home] [Help] [Databases] [WorldLII] [Feedback] |
|
Singapore Law Reform Commission |
Prepared by The National Internet Advisory Committee Legal Subcommittee
EXECUTIVE SUMMARY
REPORT
1. Preface
2. Members of the NIAC Legal Subcommittee
3. Background of Report
4. Present Data Protection Framework in Singapore
5. The Need for a Harmonised, Comprehensive, Data Protection Regime in
Singapore
6. Possible Models - Enforcement and Compliance Options for a Data Protection
Regime
7. Projected Compliance Costs
8. The NIAC Model Code
9. Summary of Recommendations
10. Conclusion
ANNEXES
Annex 1: Members of the NIAC Legal Subcommittee
Annex 2: Singapore Legislation Touching on Confidentiality of Personal Data
Annex 3: Enforcement and Compliance Options for a Personal Data Protection
Regime for the Private Sector in Singapore
Annex 4: Guidelines and Comments on the Model Code by the Legal Subcommittee
Annex 5: Comparative Table of Definitions of Personal Data/Information in
Various Data Protection Instruments
APPENDIX
Appendix A: EU Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (95/46/EC)
Prepared by The National Internet Advisory Committee Legal Subcommittee
International trends
1.1 Most of the world's data protection laws are based around sets of (variously named) information privacy principles which formally derive largely from two sources: the OECD Guidelines (1980)[1] and the Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data [2].
1.2 The latest progeny of this legislative line is the European Union's Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (95/46/EC) ("EU Directive"). The EU Directive has influenced legislation in Québec, New Zealand, Taiwan, Hong Kong and elsewhere. The EU Directive is, in most respects, a consolidation of the data protection instruments of the 1980s (and thinking of the 1970s).
Significance of EU Directive to Singapore
2.1 Although Singapore is not an EU nation, the EU Directive may possibly have an impact on us in two ways:
• Article 25 of the EU Directive prohibits EU nations from transferring personal data to third countries which do not guarantee adequate protection of such data.
• It is arguable that the EU Directive also requires, in this third country, a restriction against onward transfers of data to fourth countries which do not guarantee adequate data protection.
2.2 Thus, there is not only the possibility that the flow of personal data from EU countries to Singapore may be impeded, but that countries which want to ensure the free flow of personal data from EU countries would enact data protection laws and include in them restrictions prohibiting the transfer of data to countries without adequate data protection schemes (the
“flow-on effect”). This has already happened in some of our neighbouring countries[3].
2.3 The EU is Singapore's third largest export market after Malaysia and the US. This, and the "flow-on effect", means that the lack of an adequate data protection regime in Singapore may impede international trade and place Singapore businesses at a disadvantage in the global economy.
Governing cyberspace
3.1 International trends are not the only reason for the development of data protection schemes in Singapore. With the advent of the information age comes the potential for mischief on an unprecedented level, both in terms of nature and scale. Data protection regimes impose discipline over a new breed of technology practitioners, who are yet to be regulated by any code of ethical behaviour, but who wield tremendous power over consumers by virtue of their potential to control personal data. Such discipline bolsters the confidence of consumers in the integrity of the e- commerce (and m-commerce) market, thus encouraging the increased automation of transactions between businesses and their customers, as Singapore strives to become an info-communications hub in a fully networked world.[4]
Current position
4.1 While Singapore has both a strong common law tradition as well as appropriately structured statutory provisions to regulate the use of personal data, there is fragmentation of the laws, both with regard to their subject matter and to their administration. There is no general and comprehensive data protection law. Varying degrees of protection are accorded by a great number of statutory provisions providing for the confidentiality of information in the possession of government agencies. Certain sectors are also governed by the common law and self-regulatory codes. This is similar to the position taken by the US which has thus far avoided enacting general data protection laws.
Scope of report
5.1 The main thrust of this Report is to set out the Subcommittee's views on what constitutes “fair information principles”. These principles find expression as the 11 DPPs in the Model Code.
5.2 However, as the adequacy of a data protection regime depends not only on the fair information principles it is founded on, but also on implementation issues (such as enforcement and compliance mechanisms), this Report also sets out very briefly some of the Subcommittee's views on what may constitute an appropriate data protection model for the Singapore private sector.
Summary of recommendations
6.1 The main recommendations of the Subcommittee are:
6.1.1 Effective protection of personal data is desirable in the
Singapore private sector.
6.1.2 The data protection regime for the private sector should be founded on internationally recognised standards of data protection.
6.1.3 As an interim measure, voluntary data protection guidelines for the private sector (such as the Model Code) should be given official recognition and adherence invited on a voluntary basis. The exercise will have an educative and harmonising function and should facilitate the introduction of legislation, should Parliament decide in the future to legislate.
6.1.4 In the longer term, it remains to be seen whether a reliance on voluntary controls in the private sector would be completely effective or whether an appropriate degree of legislative intervention may be required. The full effect of a self-regulatory regime is yet to be felt by industry, consumers, and by society as a whole, and much would depend on their response to the regime and how it works out in practice.
6.1.5 The data protection regime should be concerned with
"personal data" in the sense of any representation of data, true or not, factual or judgmental, relating to a living individual whose identity is either apparent from the data, or can be reasonably ascertained. All data that are capable of being read intelligibly should be covered. The regime should not merely cover "sensitive" or "intimate" data. However, the level of protection will depend on the sensitivity of the data.
6.1.6 At this stage, the data protection regime should apply only to the processing of data wholly or partly by automated means. For practical reasons, the regime should not at this stage apply to processing of data otherwise than by automatic means, even if such data form part of a filing system or are intended to form part of a filing system. It would be difficult for manual filing systems to comply
with some of the principles (e.g. access and accuracy). But if manual data are subsequently converted to electronic form, the data processor will, from that point onwards, be required to comply with the Model Code.
6.1.7 The data protection principles should immediately apply to data in existence upon adoption of the Model Code. However, the following principles will only apply after a transition period of one year:
(i) Principle 6 (Accuracy) – i.e. there would be no breach of this principle during the transition period;
(ii) Principle 9 (Access) – i.e. the data user would not be required to provide a full copy of all data held at the time of the request, but would be entitled to first clean up the data by updating and removing irrelevant or dubious data. The data user would then be obliged to provide the data subject with a copy of all the remaining data.
6.1.8 The data protection regime should apply to any personal data processed or controlled in Singapore, regardless of whether the data controller is within Singapore.
6.1.9 The data protection regime should apply in favour of all data subjects, whether or not they are resident in Singapore. In particular, access and correction rights should not be restricted to Singapore residents.
6.1.10 The data protection regime should prevent organisations from transferring any data which would involve a loss of control over the data, to any recipient within or outside Singapore unless certain conditions are met.
6.1.11 Certain types of data, and certain types of data processing, may be exempted from the application from some or all of the data protection rules.
Prepared by The National Internet Advisory Committee Legal Subcommittee
1. PREFACE
1.1 This is a report by the Legal Subcommittee of the National Internet
Advisory Committee ("NIAC") on the Private Sector Model Data Protection Code
("Model Code").
1.2 The Model Code aims to strike a balance, in this information age, between the legitimate information needs of businesses, industries and institutions, on the one hand, and individuals’ interests in the protection of their personal data, on the other.
1.3 The Model Code is modelled after the Canadian Standards Association’s
Model Code for the Protection of Personal Information (CAN/CSA-Q830-96)
("CSA Code"). The CSA Code has been approved as a National Standard of Canada by the Standards Council of Canada and is based on the Organisation for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, Paris, 1981)
("OECD Guidelines").[5]
1.4 The Model Code establishes 11 basic Data Protection Principles ("DPPs") for private sector organisations that collect or use personal data. These 11 DPPs establish what is hoped will eventually serve as a national benchmark, across industries and across sectors, for the fair handling of personal data. Retailers
(including e-tailers), direct marketers, financial institutions, telecommunications companies, product manufacturers, service providers, universities and hospitals are just some of the potential users of personal data with whom the Model Code has been drafted in mind.
1.5 The Model Code may be adopted wholesale. Alternatively, it may serve as a template upon which more industry-specific data protection rules may be based. In this regard, the Model Code has been designed to provide flexibility, allowing rules to be varied or stated in a different manner according to legitimate needs of each sector and in the context of its own environment.
1.6 The Model Code thus serves two purposes:
• It establishes minimum acceptable standards for data protection.
• It promotes the harmonisation of data protection rules among the various sectors, rendering the future establishment of any data protection regime an easier task.
2. MEMBERS OF THE NIAC LEGAL SUBCOMMITTEE[6]
2.1 The Model Code is the result of a collaborative effort by members serving in their personal capacities but who are drawn from key groups concerned with online data protection in Singapore. The 17-member Subcommittee that developed the Model Code includes representatives from:
• the government, including AGC, IDA, SBA and the Police
• the academia
• Small and Medium Enterprises (SMEs)
• private sector lawyers
• the media
• the health service industry
• the info-communications industry
• specialists in information technology
3. BACKGROUND OF REPORT
3.1 In 1999, the NIAC Legal Subcommittee proposed an E-Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce. This Code has since been adopted by CaseTrust and
incorporated into its Code of Practice as part of an accreditation scheme promoting good business practices among store-based and web-based retailers.
3.2 However, the drafting of the E-Commerce Code did not take into account the more recent EU Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (95/46/EC)
("EU Directive")7. The Chairman of the Legal Subcommittee, Mr Charles Lim, suggested to the NIAC that a more comprehensive code be drawn up taking into consideration the EU development. The NIAC thus assigned to the Legal Subcommittee the task of expanding the relevant portion of the E-Commerce Code into a Data Protection Code for Industry Self-Regulation in Singapore.
3.3 The first initiative taken by the Chairman of the Legal Subcommittee was to co-opt several new members, hailing from various backgrounds dealing with or concerned with data protection, to provide more views and feedback on the issue of data protection.
3.4 The Subcommittee met on four occasions (24 Feb 2001, 21 Apr 2001, 11
May 2001 and 26 May 2001) to discuss the draft Code. Numerous informal discussions were also conducted via email.
3.5 The development of data protection regimes globally has not gone unnoticed by the Singapore government. While work on the NIAC Model Code was ongoing, it was announced in Parliament[8] that the Ministry of Communications and Information Technology (MCIT) would spearhead an inter- agency task force to study general privacy issues, taking into account international developments. It was stated in Parliament that the inter-agency study would
"focus on the impact of e-commerce and Internet on data protection and privacy and will cover, among other things, financial information collected from e- commerce websites".
3.6 While the work undertaken by the NIAC and the inter-agency task force may overlap to a certain degree, the efforts of both committees could effectively complement each other. [9]
4. PRESENT DATA PROTECTION FRAMEWORK IN SINGAPORE
4.1 While Singapore has both a strong common law tradition[10] as well as appropriately structured statutory provisions[11] to regulate the use of personal data, there is fragmentation of the laws, both with regard to their subject matter and to their administration. There is no general and comprehensive data protection law. This is similar to the position taken by the US which has thus far avoided enacting general data protection laws.
4.2 Data protection provisions in Singapore also tend to take the "traditional" approach of regulating only the more common forms of "processing" (such as collection and disclosure). It may not have fully taken into consideration modern jurisprudence in the area of data protection which deals also with such issues as rights to access and correction, accuracy, and data security.
4.3 Thus, while Singapore laws protect personal data in certain sectors and even complements such protection with a host of other IT laws on a broad spectrum of issues, there is no uniform approach. Instead, varying degrees of data protection are accorded by a great number of statutory provisions providing for confidentiality of information in the possession of the government or particular sectors. A drawback with this sectoral approach is that it requires new legislation to be introduced with each development of new technology.
4.4 Aside from the legal framework, other, more pro-active, sectors have adopted varying degrees of security and confidentiality measures on a voluntary basis, in some cases reinforced by advisory codes of practice for their sector[12]. However, again, such initiatives may not provide a uniform, comprehensive, data protection regime[13].
5. THE NEED FOR A HARMONISED, COMPREHENSIVE, DATA PROTECTION
REGIME IN SINGAPORE
Governing cyberspace
5.1 Singapore in the 1990s, like most other industrialised countries, is characterised by a high level of technological development, and the increased automation of transactions between businesses and their customers. With the advent of the information age, however, comes the potential for mischief on an unprecedented level, both in terms of nature and scale.
5.2 Data protection regimes impose discipline over a new breed of technology practitioners, who are yet to be regulated by any code of ethical behaviour, but who have the potential to wield tremendous power over consumers by virtue of their control over personal data. Such discipline bolsters the confidence of consumers in the integrity of the e-commerce[14] market, thus encouraging the increased automation of transactions between businesses and their customers, as Singapore strives to reap the full benefits of the information age for the benefit of her citizens.
Growth of e-commerce
5.3 The potential danger posed by data protection issues on the growth of e- commerce was reiterated in the revised Explanatory Statement to the Privacy Amendment (Private Sector) Bill 2000 (Commonwealth of Australia)[15]:
“Surveys conducted in Australia and in other countries such as the United States have indicated that consumer confidence in electronic commerce depends largely on the level of protection afforded to their personal information. Consumers want some limitations
imposed on the private sector in respect of personal information that may be collected. Also, consumers want stronger controls regarding how their personal information may be used after it is collected and to whom it may be disclosed outside the organisation. The Government acknowledges that if this issue is not adequately addressed, it has the potential to hamper the growth of electronic commerce.”
5.4 Similarly, in Victoria, Australia, public concerns about potential information privacy invasions have been a significant factor in prompting data protection initiatives[16].
5.5 A national survey in the US showed that 81% of the American public feel that consumers have "lost all control" over the way businesses collect and use their personal information.[17] A US Government report noted that “if consumers feel
that their personal information will be used or used in ways that differ from their original understanding, the commercial viability of the NII [National Information Infrastructure] could be jeopardised as consumers hesitate to use advanced communication networks”.
5.6 Members of the Legal Subcommittee felt that these statements accurately reflect some of the concerns faced by the Singapore public with respect to e- commerce.
Vulnerability of e-consumers
5.7 Modern technologies present ample opportunity for "scare-mongers" to generate high levels of paranoia, and hence undermine investments. Examples of applications that are especially exposed are electronic services delivery, Internet commerce, intelligent transportation systems, and anything that involves smart- cards or biometrics. Consumers need to be sure that personal data acquired from companies trading on the Internet are not misused, and that they will not be subjected to unsolicited or undesired advertising and marketing.
Impact of EU Directive on Singapore
5.8 Another aspect of the problem involves the continued transborder flow of personal data in support of global business activities. Private and public organisations wishing to participate in global trade need to continue to receive and communicate personal data on employees and consumers.
5.9 However, in 1998, the EU enacted legislation (the EU Directive) prohibiting the transfer of personal data by EU countries to a country that does not have an adequate data protection regime. The EU Directive does not purport to have extra-territorial jurisdiction, nonetheless it impacts Singapore in two ways:
• Article 25 of the EU Directive prohibits EU nations from transferring personal data to third countries that do not guarantee adequate protection of such data.
• It is arguable that the EU Directive also requires, in this third country, a restriction against onward transfers of data to fourth countries that do not guarantee adequate data protection.
5.10 Thus, there is not only the possibility that the flow of personal data from EU countries to Singapore may be impeded, but that countries wishing to ensure the free flow of personal data from EU countries would enact data protection laws and include in them restrictions prohibiting the transfer of data to countries without adequate data protection schemes (the “flow-on effect”). This has already happened in some of our neighbouring countries[18].
5.11 The EU is Singapore's third largest export market after Malaysia and the US.[19] This, and the "flow-on effect" if our other trading partners are required by the EU to block data transfers to Singapore, means that the lack of an adequate data protection regime applying to the private sector in Singapore may be an impediment to international trade. This may place Singapore businesses at a disadvantage in the global economy.
5.12 At this time, the Europeans are gradually clarifying how this provision
(Article 25) is going to be enforced. But, while a comprehensive legislative scheme applying to both the public and private sectors (eg. HK, NZ, Canada) is clearly the easiest way to satisfy the EU Directive, Article 25 of the Directive is itself quite clear that a range of other options are available, including voluntary data protection codes applied by industries, or binding contractual clauses between the parties concerned in the data transfer.[20] Such measures may be considered
adequate provided they are effectively applied and offer sufficient safeguards concerning data subjects’ rights, including rights of redress.[21] In July 2000, the European Commission approved the US' sectoral and self-regulatory approach to data protection known as the "Safe Harbour" arrangements[22].
5.13 It would appear that central to European concerns is the need to “deliver a good level of compliance with the rules...A good system is generally characterised by a high degree of awareness among data controllers of their obligations, and among data subjects of their rights and the means of exercising them.”
5.14 At the very least, businesses that rely on the free transfer of personal data about European clients, consumers and competitors will have to assure the EU that their industry and professional codes, if such exist, are complied with. It appears that a statement of good intentions will not suffice. An international standard could simplify the process of determining adequacy within a highly complex and networked data processing environment.
Need for a harmonised regime
5.15 A proliferation of data protection regimes and practices is confusing to consumers. A wide variation of practices may even mislead some consumers. For example, some organisations' "privacy policies" posted on their websites are bland statements of good intention. Others are heavily influenced by the input of the corporate legal department, while yet others are simply difficult to find!
5.16 A diversity of data protection regimes also makes monitoring and auditing by the relevant authorities difficult.
5.17 Finally, just as inconsistencies between the laws of the various nations threaten commerce[23], so too do inconsistent regimes applied to different sectors within the same country. On the other hand, harmonised regimes translate into lower operational costs for global businesses, which only have to comply with a single set of requirements.
5.18 This is not to say that sectoral data protection regimes cannot play a part. Within the framework of a comprehensive data protection regime, sectoral legislation or codes may effectively complement a general regime by providing more detailed protection for certain categories of information, such as telecommunications, police files or consumer credit records.
Conclusion
5.19 Good data protection is good business. Certainly this is so in the long run. The Legal Subcommittee suggests that rewards will be reaped if private sector organisations are proactive in this area, co-operate in fostering a culture of protecting personal data in a harmonious fashion, and work together to ensure a vital, open domestic and international marketplace.
5.20 The Legal Subcommittee thus recommends that a uniform comprehensive data protection regime be introduced as part of a package of rules to facilitate trade and the growth of e-commerce generally.
6. POSSIBLE MODELS – ENFORCEMENT AND COMPLIANCE OPTIONS FOR A
DATA PROTECTION REGIME
6.1 Codes are meaningless unless they are accompanied by a clear strategy to make them effective and ensure compliance[24]. Such issues go beyond the ambit of fair information principles (the "content" of a data protection regime) and are therefore technically outside the scope of the Subcommittee’s study. Nonetheless, for the sake of completeness, the views of the Subcommittee on this issue are set out[25].
6.2 Five possible enforcement and compliance options were considered[26]:
• Comprehensive data protection laws
• Sectoral data protection laws
• Comprehensive codes of practice[27]
• Sectoral codes of practice[28]
• Co-regulatory schemes
6.3 Depending on their application, these options can be complementary or contradictory. In several countries surveyed, a few of these options were used simultaneously in providing effective data protection. The relative advantages and disadvantages of each of these regulatory options are briefly set out in Annex 3.
Comprehensive regime
6.4 The Legal Subcommittee recognises that the overseas trend is clearly towards some form of omnibus or comprehensive data protection regime and suggests that the data protection regime for Singapore should similarly be comprehensive – geographically, jurisdictionally (subject to principles of international law), and sectorally – given that the information highway knows no boundaries. This also makes it easier to amend the law as circumstances change.
Self or co-regulation vs. prescriptive legislation
6.5 While many countries in Europe still adopt the traditional regulatory approach of prescriptive legislation (i.e. "command-and-control"), there is an emerging recognition that the adoption of legislation is not a panacea to all the ills in society. The trend now is to regulate less but regulate better. This is often attempted by utilising self or co-regulatory models[29].
6.6 The distinguishing feature of the co-regulatory model (over the self- regulatory model) is that the former acknowledges the important role of the government. The level of government involvement in a co-regulatory model spans a wide spectrum, from little control ("light touch") to more interventionist approaches.[30]
Self-regulation
6.7 While a voluntary or self-regulatory regime (i.e. one that lacks mandatory statutory controls) has the attractive features of saving costs[31] and avoiding red tape, Canadian, Australian and United Kingdom law reform inquiries that have examined the matter have unanimously concluded that this approach provides inadequate protection to information privacy.[32] It has even been said that "in reality self regulation may equal no regulation and just provide a convenient tool to hold out and proclaim that something is being done about data protection".[33]
6.8 The dangers of relying on a self-regulatory regime are set out in Moira Paterson's[34] article on the Australian experience, “Privacy Protection in Australia: The Need for an Effective Private Sector Regime”[35]:
“A self-regulatory scheme will be effective only to the extent that businesses choose to become part of it. While there are a large number of businesses which are likely to do so, either because they are already committed to responsible privacy practices or because they hope to gain some commercial advantage from doing so, a large number of businesses were opposed to the implementation of legislation either on the basis of cost or because they felt that they should have an unfettered right to use personal data. It seems unduly optimistic to expect that all of them will participate in any scheme which provides more than mere window-dressing. Furthermore, those who might otherwise have been prepared to participate in an effective scheme may be deterred from doing so by the fact that they will be placed at a cost disadvantage in comparison to their less responsible competitors. ... A purely voluntary scheme, without an effective oversight mechanism, is unlikely to generate the level of public confidence which is required to facilitate the growth of an embryonic electronic commerce industry and or to create and encourage the free flow of personal information into Australia.”
Co-regulation
6.9 The Legal Subcommittee thinks that the logic of co-regulatory models is compelling for three reasons:
• This approach encourages continuous and innovative self- improvement by giving business greater flexibility, within a clear framework of societal expectations and requirements, rather than stopping at compliance with a set performance or standard. This puts to good use the entrepreneurial dynamism and informational advantages of the business sector and promotes active involvement of the business community in the policy-making process;
• This approach reduces dependency on limited government resources by making use of industry’s knowledge and resources, thus reducing the expense of the government having to collect the information, develop this into regulations, and then monitor the effects, often without an appropriate level of industrial and process experience.
• The government is in the best position to promote international co- operation and harmonisation of self-regulatory schemes, and is more likely to be effective than any single sector in securing the collective action of sectoral organisations.
7. PROJECTED COMPLIANCE COSTS
7.1 On the important issue of compliance costs for the different models, Moira
Paterson states[36]:
“The cost to an individual business of any privacy regime depends on what the regime requires in terms of registration and other book- keeping, the extent to which it requires substantial changes to that business’s existing practices, such enforcement costs as are required to be funded by that business and the extent to which that business is required, or chooses, to comply with the regime. There is therefore no logical reason why a statutory scheme should be any more costly than a voluntary one, assuming that they both offer
adequate levels of privacy protection.”
7.2 Several members of the Legal Subcommittee (from the private sector) expressed the view that the compliance costs arising from comprehensive legislation would not be a significant issue from a private sector e-commerce organisation’s point of view. The reason was that the global nature of e-commerce businesses already requires most organisations which are involved in e-commerce activities to comply with one or more statutory data protection regimes in various industrialised countries. These members felt that if the Singapore statutory regime follows the common overseas model, the additional compliance costs would be minimal.
7.3 This view is consistent with Moira Paterson’s statement in her same article that:
“Evidence from jurisdictions which have recently enacted private sector privacy laws suggest, however, that costs has not been a substantial problem. For example, the Australian Privacy Commissioner notes that private sector peak organisations representing banks, insurance companies and human resource specialists have all reported “minimal costs”.[37] In fact there is evidence from Quebec which suggests that implementing data protection measures may more than pay for itself in terms of cost reduction or increased productivity that have resulted from improved information handling practices.[38]”
7.4 On the other hand, Hahn, in a recent study[39], estimated that it may cost US companies up to US$36 billion to develop and implement the necessary information technology infrastructure to comply with online privacy legislation — sufficient to have a significant effect on business activity.
7.5 However, the Legal Subcommittee felt that Hahn’s conclusions may not be reliable for the following reasons: Firstly, the study was based on draft information privacy legislation, not industry codes. Secondly, the study was funded and commissioned by the US Association for Competitive Technology. Thirdly and most significantly, members thought that some of the assumptions adopted by Hahn may not be correct. Hahn states his methodology at page 17:
“To obtain quantitative estimates of the cost, I requested that ACT collect estimates on the initial costs of modifying systems to allow a website to track the types of information discussed above. Then I estimated how many websites the proposed laws would affect. Finally, I multiplied the software cost by the number of affected sites to obtain an estimate of the industry-level cost to compliance.”
7.6 Hahn had thus estimated compliance costs by multiplying the assumed costs of software modification for one website by the number of websites likely to be affected by the draft US information privacy legislation. As such, the number of websites already equipped with online information privacy measures had not been discounted from the calculation. The difficulty of his task was even conceded by Hahn[40]:
“Quantifying the unit costs and the number of affected websites is a difficult task. First, since very few websites have needed software to track PII and its uses, little is known about much it would cost. Second, there are several estimates of the number of World Wide Web domains, but little data on how many of those are unique, U.S.- based, commercially viable sites, that collect and share PII, and would continue to do so if the proposed bills become law.”
7.7 In view of the apparent conflict of views and the lack of reliable data on the business costs of data protection compliance in Singapore, the Legal Subcommittee recommends that a comprehensive study on this important issue be conducted in the future.
Conclusion
7.8 In response to any argument that a data protection regime might be too costly to businesses, three points may be made:
• The loss of one’s reputation as a responsible corporate citizen because of an information privacy scandal can be even more costly. Scandals, such as those involving the Lotus Marketplace product, the “P-Trak” database from Lexis-Nexis, the Pentium III chip, and more recently the
“Doubleclick” software will continue to raise the profile of information privacy and temporarily force those data users whose practices have
been criticised to restore their reputations.
• Implementing data protection policy need not be a complicated process. Data protection could be a component of “total quality management” and indeed there are some interesting parallels between the fair information principles and the requirements of quality assurance.
• In some (but not all) cases, data protection principles are common-sense and may already be implemented as part of the responsible organisation’s obligations to its customers. Thus, although organisations may not have thought about the data protection principles systematically, many may already be complying with a good number of the data protection principles without knowing it.
8. THE NIAC MODEL CODE
8.1 We should explain from the outset that the Model Code is intended to provide a broad and flexible framework based on the principles of the OECD Guidelines. The principles have thus been framed in general terms so that they may be applied by a wide range of organisations to the personal data they hold. The principles are designed to be flexible enough to take into account sectoral differences, variations in individual cases, and even the development of new technologies
8.2 However, it is not a case of "one size fits all", as we also recognise that data uses differ between sectors. While the principles in the Model Code are sacrosanct, organisations may "tailor" the wording of the Model Code to suit their own needs by developing codes of practice that explain how the principles will be implemented.[41] Thus, the Model Code also serves as a template upon which businesses or industries may base more refined, industry-specific, data protection codes.
Data Protection Instruments
8.3 The Subcommittee considered three sets of fair information principles, namely those contained in:
• The OECD Guidelines (1980);
• The EU Directive (1995); and
• The CSA Model Code (1996).
OECD Guidelines
8.4 Most of the world's data protection laws are based around sets of (variously named) information privacy principles which formally derive largely from two sources: the OECD Guidelines (1980) and the Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data[42].[43]
8.5 The OECD Guidelines are still in force. They have been a useful template and they have elicited certain commitments from major companies in the United States and Canada to adhere to information privacy principles. They continue to carry considerable force within the debates over the future of global e-commerce. However, the OECD Guidelines have been surpassed to some extent by the EU Directive, passed in 1995 to harmonise European data protection laws.
EU Directive
8.6 However, these early international data protection instruments were merely proposals that individual nations could take or leave at their choosing.[44] The need for a binding frame that would force all member states to adopt data protection laws was thus one of the major factors leading to the development of the EU Directive in 1995.
8.7 Four little words in this Directive mean that organisations outside Europe will have to take far more seriously their data protection commitments.[45] At this time, the Europeans are gradually clarifying how this provision is going to be enforced. Notwithstanding, the Legal Subcommittee took guidance from the EU Directive in formulating the Model Code. This is evident from the minutes of proceedings as well as the rest of this Report.
CSA Code
8.8 The CSA Code is based on the OECD Guidelines. Canada was the first country in the world to establish a voluntary, national standard for the protection of personal information. The CSA Code is the result of a collaborative effort by representatives from all key groups concerned with privacy in Canada. The 45- member committee that developed the Code included representatives from such diverse sectors as the financial services, telecommunications, cable television and direct marketing industries; federal and provincial governments; consumer advocates; organised labour; and experts in security and information technology.
8.9 At first glance, the CSA Code might just seem a Canadian version of the OECD Guidelines -- a rearrangement and translation of the key principles into the Canadian context. Its real significance, however, is that it represents a consensus brokered among the major stakeholders.
8.10 A comparison of the CSA Code with those of other jurisdictions also reveals that the CSA Code is fairly representative of the typical data protection principles articulated by major jurisdictions[46]. The CSA Code has also recently become the framework for federal data protection legislation in Canada applicable to the private sector[47].
8.11 We think therefore that the CSA Code is an appropriate starting point for the consideration and development of a private sector code for Singapore. The 10 information privacy principles making up the CSA Code have been rigorously scrutinised by the Legal Subcommittee for their concordance with the Singapore business and regulatory environment and have been modified accordingly.
Data Protection Principles
8.12 The Model Code is organised around 11 data protection principles, roughly differentiated according to the various stages of data processing. With the exception of Principle 11 (which is optional), organisations must adopt all the data protection principles in their entirety – no “cherry-picking” in other words.
8.13 Comments and Guidelines on each of the 11 Data Protection Principles are detailed in the Table at Annex 4. However, the Legal Subcommittee hastens to highlight the caution of the OECD that:
“The distinction between different activities and stages involved in the processing of data which are assumed in the principles, are somewhat artificial and it is essential that the principles are treated together and studied as a whole.”
Definition of Personal Data
8.14 The Model Code regulates the processing of all “personal data”. This is defined as:
“data, whether true or not, in an electronic form, which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller."
8.15 This definition is adapted from UK. In arriving at this definition, no less than nine different definitions of personal data / personal information were considered (see comparative table at Annex 5). The CSA Code's definition closely followed the early, OECD formulation drawn up in 1980. The EU Directive, in 1995, built on the OECD's definition by further defining "identifiable person". However, neither Canada (i.e. in the CSA Code, Privacy Act and PIPEDA) nor New Zealand has adopted this new development. In these jurisdictions, the meaning of "identifiable person" is left open. On the other hand, in UK, the criteria for linking identity to the data is clearly spelt out. Hong Kong and Australian legislation take after the UK (with minor variations).
"Whether true or not": Incorrect Data
8.16 Data may be false and judgements may be erroneous. Incorrect data can arise through inadvertent computer error, technical failure or intentional misuse. Such data should nonetheless fall within the data protection regime for the reason that incorrect data might influence decisions to the detriment of data subjects.[48]
.
8.17 Data protection extends beyond the protection of privacy[49] and does not recognise the same distinctions as the common law, which restricts a remedy for defamation to false statements injurious to reputation.[50]
"In an electronic form"
8.18 The focus of a data protection regime is on recorded data.[51] This contrasts with the common law duty of confidence, which focuses on any information disclosed in circumstances imposing the obligation, whether orally or recorded.[52]
Data protection regimes regulate the disclosure of recorded data, although the disclosure itself may be in any form, including orally.
8.19 Non-automated records range from the systematic to the shambolic. The extent to which they are kept in an organised manner is generally related to the degree of risk posed of disclosure to third parties. Data relating to a data subject buried in an amorphous file and effectively irretrievable as a result would be less likely to be used or transmitted by the record-keeper. This focus on data that occasion specific risks to the data subject is reflected in the OECD Guidelines[53].
8.20 The EU Directive applies to personal data processed by automatic means
(e.g. a computer database of customers) and to personal data that are part of or intended to be part of a non-automated "filing system" in which they are accessible according to specific criteria (e.g. traditional paper files, such as a card file with details of clients sorted in alphabetical order of the names): Article 3(1).
8.21 The Legal Subcommittee felt, however, that the Model Code should not at this stage apply to manual data, even if such data form part of a filing system, as the Subcommittee was unable to assess the impact of the operation of the Model Code to manual records. The Subcommittee felt that it would be difficult for manual filing systems to comply with some of the principles (in particular, access
and accuracy). At a later stage, though, the scope of the Model Code could be extended to include manually-recorded personal data.[54]
8.22 A concern may be raised that this approach presents an incentive to businesses to abstain from automating their information systems in order to circumvent the principles in the Model Code. However, the Legal Subcommittee thinks that this does not pose any real threat in view of the benefits and rewards of being on the information highway.
"Which relate to a living individual"
8.23 This aspect of the definition could potentially be construed very widely. It will be a question of fact in each particular case whether or not data relate to a particular individual. One element to be taken into account is whether a data controller can form a connection between the data and the individual.
8.24 Data do not have to relate solely to one individual. The same set of data may relate to two or more people and still be personal data about each of them. For example, joint tenants of a property or holders of a joint bank account, or individuals who use the same telephone or email address.
8.25 Data may relate to an individual in a business capacity and not just to their private life. For example, the earnings of a sole proprietorship may amount to personal data of the individual sole proprietor. Similarly, data about an individual in a partnership may amount to personal data if it relates to a specific partner.
8.26 Thus, although the Code refers to individuals and not other legal entities such as associations or corporations,[55] there may be situations where data about an association or corporation or other legal entity can fairly be said to "relate to" a specific individual hence personal data. Data solely about the legal entity will however not be personal data.
"Who can be identified from...."
8.27 The individual must be capable of being identified. This might occur from the data itself[56], from data already in the possession of the data controller, or from data that is likely to come into the possession of, the data controller. Regarding
the latter, it will be for the data controller to satisfy himself whether it is likely that such data will come into his possession to render data personal data. This will depend largely on the nature of the processing undertaken by the data controller.
Example:
CCTV footage may produce an image which is not of a distinguishable individual, but if the actual identity of that individual may become apparent from other information likely to come into the possession of the data controller (eg. if the image can be matched to a photograph, a physical description, or a physical person), then this is personal data.
8.28 A controversial issue relates to the profiling of a particular web user built up over a period of time (perhaps through the use of tracking technology or cookies) with no intention of linking it to a name and address or even an email address. There may not be any ability to locate that user in the physical world. One view (which the Legal Subcommittee does not necessarily agree with) is that in the context of the online world, data which uniquely locates an individual in that world, by distinguishing him from others, "identifies" him and is personal data.[57]
8.29 Finally, it should be noted that an individual may be "identified" without his name and address necessarily being known or revealed.
Non-sensitive Data
8.30 The Legal Subcommittee considered whether a data protection regime should only regulate data relating to an individual which it would be reasonable to expect him to regard as intimate or sensitive and therefore to want to withhold or at least to restrict their collection, use or circulation. It has been noted that:
"...if a loss of 'privacy' occurs whenever any information about an individual becomes known (the secrecy component) the concept loses its intuitive meaning."[58]
8.31 This raises fundamental questions regarding the objectives of a data protection regime. Unfortunately, although the general inspiration for the development of data protection laws is apparent, the goals are rarely spelt out in satisfactory detail.[59] But as data protection regimes give effect to the data protection principles, their aims can be discerned from an examination of these principles. The combined effect of the principles can be described as ensuring that the right data are disclosed to the right person for the right purpose. The principles are not an end in themselves but are, it is suggested, about ensuring that decisions made on the basis of information affecting data subjects are fairly made, in a procedural sense.[60]
8.32 A feature of modern society is the propensity to accumulate data. The accumulation of seemingly trivial or non-sensitive data can result in the compilation of revealing profiles. Individual purchases may tell little about a person, but a comprehensive record over a period of time will describe the consumer's lifestyle.
8.33 For this reason we recommend that the data protection regime should be concerned with "personal data" in the sense of any representation of data relating to an identifiable individual and should not be restricted only to sensitive or intimate data.[61]
The Distinction between Information and Data
8.34 While "information" and "data" are used interchangeably in most literature, it appears that "data" has a wider meaning than "information". Professor Raymond Wacks states:[62]
“‘Data’ become ‘information’ only when they are communicated, received and understood. ‘Data’ are therefore potential
‘information’. Thus when the data assume the form of the printed word, they are immediately transformed into information by the reader. Where, however, data consists in acts or signs which require any meaning, they remain in this state of pre-information until they are actually understood by another."[63]
8.35 A similar view was enunciated by Roger Clark:[64]
"The information systems discipline uses 'data' as a quite general term for any measurement of any real-world phenomenon.
'Information' is data which is pertinent to a particular decision, and hence data becomes information only in particular contexts. Such a distinction goes to the very heart of the important concept of
'relevance'. Most data protection regulation should therefore be concerned with 'data', although it may be appropriate to phrase some requirements in terms of 'information', in particular those matters relating to use and disclosure;
8.36 The Legal Subcommittee accepts the reasoning of these distinguished authors and recommends the regulation of "personal data" instead of "personal information". This is the approach taken in the UK and Hong Kong legislation.[65]
Factual and Judgmental Data
8.37 Information about a person may be strictly factual and objective, such as a date of birth. Often, however, it may include an evaluative aspect, e.g. an opinion or judgement. To say that a person drinks a bottle of brandy daily is an assertion of fact, but one inviting the judgement that the person is an alcoholic.
8.38 The distinction is often a matter of form and difficult to draw. However,
“judgmental” data will often be more influential than the factual basis they purport to convey. Accordingly, we recommend that personal data encompassing both
factual and judgmental data be regulated. This is the approach generally adopted in existing data protection laws.[66]
Data Subjects
8.39 The Model Code refers to the person to whom data are linked as the “data subject”. We recommend that the data subject must be a living individual, as it would be too complex to extend regulation to the estates of deceased persons. This is the approach taken under the UK Data Protection Act 1998[67].
8.40 The Legal Subcommittee also considered whether data protection should apply not only to natural persons, but also to groups or classes of natural persons such as associations, and to legal persons such as companies and trusts.
8.41 The OECD had considered this issue and decided in favour of natural persons only, on the basis that " ... individual integrity and privacy are in many respects particular and should not be treated in the same way as the integrity of a group of persons, or corporate security and confidentiality".
8.42 The Legal Subcommittee accepts the reasoning of the OECD and recommends that the Code should apply only to data about “individuals”. This excludes corporations or associations who, though they are “legal persons”, are not individuals.
Territorial scope
8.43 In respect of a data user, the Model Code applies to any personal data processed in Singapore, regardless of whether the data controller is within Singapore.
8.44 Equally, data processing outside Singapore that is controlled from within
Singapore is also subject to the provisions of the Code[68].
8.45 Certain foreign data protection regimes surveyed restrict the scope of protection depending on the status of the data subject, e.g.:
• use of the term "citizen" (rather than "person") – this disqualifies all non- citizens, a not insignificant proportion of the population of many countries especially Singapore[69];
• restriction to people "resident" in the country – this disqualifies not only tourists, but also people (even citizens) whose residence is too short-term or sporadic;
• restriction to persons "in the country" – this disqualifies not only aliens but also citizens during their absence from the country.
8.46 The Legal Subcommittee recommends that the Code should apply in an unqualified manner in favour of all data subjects dealing with the data user. This is also consistent with the Article 25 of the EU Directive, which seeks to protect the personal data of EU subjects.
Onward Transfers of Personal Data
8.47 Based on the above, if data are transferred out of the organisation, but control is retained within the organisation (e.g. transfer to a data bureau solely for processing and return to the organisation for use), the data should remain subject to the general application of the Code.
8.48 Onward transfers of data either for public purposes or for purposes which involve the consent of the data subject should not be subject to additional controls, even when the transfer of data is accompanied by a loss of control over the data.
8.49 Outside of these categories, however, onward transfers should be regulated, otherwise the integrity of the data may be compromised. Principle 11 prevents the organisation from transferring data to any recipient outside Singapore, unless an adequate level of protection is assured. The principle is based on the restrictions on international transfers of personal data set out in Article 25 of the EU Directive.
8.50 The exchange of data is primarily an electronic processing phenomenon but non-automated exchanges such as posted mail or tape recordings also occur. The Model Code regulates only electronic data; however, insofar as electronic data are concerned, the mode of transfer is irrelevant.[70]
Importation of Personal Data
8.51 Upon importation of personal data into Singapore, the data protection principles apply. The data subject is entitled to challenge the data whether or not he resides in Singapore. Access and correction rights are not restricted to Singapore residents.
Existing Records/Transition Period
8.52 The Legal Subcommittee recognised that the adoption of the Model Code involves a major exercise by organisations in putting their data in order. It also requires the co-operation of data subjects in updating their data. Thus, the Subcommittee felt that it would be unfair to subject the organisation immediately to the full force of the Model Code.
8.53 On the other hand, the Subcommittee rejected the alternative position: that the Model Code should apply only to personal data generated after the Model Code is adopted by the organisation. This option was rejected on practical grounds and on principle. On practical grounds, it would be operationally difficult, if not impossible, to distinguish between personal data held before and after a particular date. On principle, the Subcommittee felt that it was unfair to permanently deny access and correction rights to existing personal data or to sanction the continued use or retention of personal data not collected or maintained in accordance with the principles.
8.54 A good compromise between the two alternatives is for the Model Code to be implemented in phases, and for the provision of transitional provisions.
8.55 We accordingly recommend that upon adoption of the Model Code, the Code apply to all personal data already in existence. However, the following principles shall only apply after a transition period of one year:
(i) Principle 6 (Accuracy) – i.e. there would be no breach of this principle during the transition period;
(ii) Principle 9 (Access) – i.e. the data user would not be required to provide a full copy of all data held at the time of the request, but would be entitled to first clean up the data by updating and removing irrelevant or dubious data. The data user would then be obliged to provide the data subject with a copy of all the remaining data.
Exemptions
8.56 Having surveyed the data protection regimes in various jurisdictions, we observe that certain types of data processing are exempted from the application from some or all of the data protection rules. Depending on the jurisdiction, they may include any or all of the following:
1. General Exemptions:
(a) Processing by any individual in respect of personal information for
personal or domestic use only;
(b) Processing by any organisation in respect of personal information for
journalistic, artistic or literary purposes only;
(c) Processing of employment data;
(d) Any processing operations which are necessary to safeguard:
(i) national security;
(ii) defence;
(iii) public security;
(iv) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
(v) an important economic or financial interest of Singapore;
(vi) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (iii), (iv) and (v);
(vii) the protection of the data subject or of the rights and freedoms of others; and
(e) Processing of personal data for scientific research or for the sole purpose of creating statistics.
2. Specific Exemptions:
2.1 Collection by organisation without knowledge or consent of individual
(a) Collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) Collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information where such collection pertains to an investigation of a breach of an agreement or the law;
(c) Collection is solely for journalistic, artistic or literary purposes;
(d) Information is publicly available.
2.2 Use by organisation without knowledge or consent of individual & Use by
organisation of information for purposes other than those for which it was
collected
(a) Used in the investigation of an illegal act that has been, is being or is about to be committed;
(b) Used in an emergency that threatens the life, health or security of an individual;
(c) Used for statistical, or scholarly study or research that cannot be achieved without use of the information, if:
- information is used in a manner that ensures its confidentiality;
- it is impractical to obtain consent; and
- organisation informs the Commissioner of the use ;
(d) Information is publicly available;
(e) Information was collected under paragraphs 2(a) or 2(b).
2.3 Disclosure by organisation without knowledge or consent of individual
(a) Made to solicitor who is representing the organisation;
(b) For collecting a debt owed by the individual;
(c) To comply with a subpoena or warrant with jurisdiction to compel the production of information;
(d) To a government institution that has made a lawful request for information and has indicated that:
- information relates to national security, the defence of the nation or the conduct of international affairs;
- disclosure is for the purpose of enforcing any law of the nation or a foreign jurisdiction;
- disclosure is for the purpose of administering any law of the nation;
(e) Made on the initiative of the organisation to an investigative body or a government institution:
- information relates to a breach of agreement or an illegal act that has been, is being or is about to be committed;
- information relates to national security, the defence of the nation or the conduct of international affairs;
(f) Made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information about is alive, the organisation informs that individual in writing without delay of the disclosure;
(g) For statistical or scholarly study or research that cannot be achieved without disclosing the information, and:
- it is impracticable to obtain consent; and
- the organisation informs the Commissioner of the disclosure before it is disclosed;
(h) To an institution whose purpose is the conservation of records of historic or archival importance and disclosure is for such purpose;
(i) Made after the earlier of:
- 100 years after the record was created; and
- 20 years after the death of the individual whom the information is about;
(j) Information is publicly available;
(k) Made by an investigative body for purposes related to the investigation of a
breach of an agreement or contravention of the law;
(l) Required by law.
2.4 When organisation not required to/prohibited from giving access to personal
information
(a) When access is prohibited:
(i) If doing so would likely reveal personal information about a third party unless:
- the information about the third party is severable
- third party consents to the access
- individual’s life, health or security is threatened
(ii) Investigative body/government institution objects to the organisation’s complying with an individual’s request to be informed of disclosures made under paragraph 4(c), (d) and (e) and compliance could reasonably be expected to be injurious to:
- national security, the defence of the nation or the conduct of international affairs
- the enforcement of any law of the nation or law of a foreign jurisdiction
(b) When access may be refused:
(i) Information is protected by solicitor-client privilege;
(ii) To do so would reveal confidential commercial information;
(iii) To do so would threaten the life or security of another individual;
(iv) The information was collected under paragraph 2(b)
8.57 The CSA Code does not spell out any exemptions (whether general or specific) but leaves this open for the particular industry or organisation to decide. However, in the Singapore context, the Legal Subcommittee felt that the approach taken in legislation (which is to exhaustively set out all the permitted exemptions, general and specific) is preferred. We have accordingly incorporated an exhaustive list of such exemptions into the Model Code.
9. SUMMARY OF RECOMMENDATIONS
9.1 The main recommendations of the Legal Subcommittee are:
6.1.8 Effective protection of personal data is desirable in the Singapore private sector.
6.1.9 The data protection regime for the private sector should be founded on internationally recognised standards of data protection.
6.1.10 As an interim measure, voluntary data protection guidelines for the private sector (such as the Model Code) should be given official recognition and adherence invited on a voluntary basis. The exercise will have an educative and harmonising function and should facilitate the introduction of legislation, should Parliament decide in the future to legislate.
6.1.11 In the longer term, it remains to be seen whether a reliance on voluntary controls in the private sector would be completely effective or whether an appropriate degree of legislative intervention may be required. This would depend on the response of industry and consumers to the self-regulatory regime.
6.1.12 The data protection regime should be concerned with "personal data" in the sense of any representation of data, true or not, factual or judgmental, relating to a living individual whose identity is either apparent from the data, or can be reasonably ascertained.
All data that are capable of being read intelligibly should be covered. The regime should not merely cover "sensitive" or
"intimate" data. However, the level of protection will depend on the sensitivity of the data.
6.1.13 At this stage, the data protection regime should apply only to the processing of data wholly or partly by automated means. For practical reasons, the regime should not at this stage apply to processing of data otherwise than by automatic means, even if such data form part of a filing system or are intended to form part of a filing system. It would be difficult for manual filing systems to comply with some of the principles (e.g. access and accuracy). But if manual data are subsequently converted to electronic form, the data processor will, from that point onwards, be required to comply with the Model Code.
6.1.14 The data protection principles should immediately apply to data in existence upon adoption of the Model Code. However, the following principles will only apply after a transition period of
one year:
(iii) Principle 6 (Accuracy) – i.e. there would be no breach of this principle during the transition period;
(iv) Principle 9 (Access) – i.e. the data user would not be required to provide a full copy of all data held at the time of the request, but would be entitled to first clean up the data by updating and removing irrelevant or dubious data. The data user would then be obliged to provide the data subject with a copy of all the remaining data.
6.1.12 The data protection regime should apply to any personal data processed or controlled in Singapore, regardless of whether the data controller is within Singapore.
6.1.13 The data protection regime should apply in favour of all data subjects, whether or not they are resident in Singapore. In particular, access and correction rights should not be restricted to Singapore residents.
6.1.14 The data protection regime should prevent organisations from transferring any data which would involve a loss of control over the data, to any recipient within or outside Singapore unless certain conditions are met.
6.1.15 Certain types of data, and certain types of data processing, may be exempted from the application from some or all of the data protection rules.
10. CONCLUSION
10.1 This report proposes the adoption of a comprehensive data protection regime for the private sector. The adoption of the standards in the Model Code is
a significant step forward, whether this is done as part of a voluntary scheme, or in conjunction with legislation.
10.2 The first step, if action is to be taken on the issue of data protection, is to agree on the principles that a data protection regime should promote. This is the substance of the NIAC Model Code. The second step would be to decide on the best approach to ensure compliance with those principles, i.e. whether self- regulation; co-regulation, "light-touch" legislation, or "heavy" prescriptive legislation.
10.3 Insofar as the issue of costs is concerned, it is certainly true that implementation of the data protection principles requires changes to be made. There is the cost of revamping current systems[71]. There is also the cost of devoting human resources to co-ordinating and drawing up procedures for compliance with the Model Code. For organisations already involved in global e- commerce, costs of compliance would be kept to a minimum since the Model Code follows the common overseas model.
10.4 In any event, whatever the price tag involved, this must be viewed against the benefits. Successful implementation of the data protection principles sends a positive message to customers and employees. This is good for customer and employee relations. Implementation of the data protection principles is also an opportunity to get to grips with data collection, holding and processing systems that may no longer be fully under control. Improvements in these areas should bring operational efficiency and planning gains.
10.5 At a higher level, comfort should be taken from the fact that the implementation of an adequate data protection regime means that Singapore
comes up to the international standard that other places with such laws wish to see. As a result, there should be no reason for interference by those other places in the free flow of personal data to Singapore on which trade, particularly in the service industries, crucially depends.
ANNEX 1
Chairman:
Mr Charles Lim Aeng Cheng Head, Law Reform and Revision Division
Attorney-General's Chambers
1 Coleman Street, #10-00, Singapore 179803
Secretary:
Mr Vincent Kor
Senior Legal Manager Policy & Planning Division Singapore Broadcasting Authority
140 Hill Street
MITA Building, #04 - 01
Singapore 179369
Mr Edison Foo General Counsel, Asia Pacific
Ariba Singapore Pte Ltd
UOB Plaza 1, 34th Floor
80 Raffles Place
Singapore 048624
Dr Ang Peng Hwa
Vice-Dean
School of Communication and Information
Nanyang Technological
University Nanyang Avenue Singapore 639798
Mr Lawrence Tan Manager Development Policy
Infocomm Development
Authority of Singapore
8 Temasek Boulevard
#14-00 Suntec Tower 3
Singapore 038988
Assoc Prof Yeo Tiong Min
Associate Professor
13 Law Link
Faculty of Law National University of Singapore
Singapore 117590
Mr Gilbert Leong
IP & E-commerce Counsel, GE Medical Systems, Asia
298 Tiong Bahru Road, #15-
01/06
Central Plaza, Singapore
168730
Mr Lim Chin Tiak
Asst Director, Operations Criminal Investigation Department
Singapore Police Force
Ministry of Home Affairs
90 Eu Tong Sen Street
Singapore 059811
Mr Daniel Seng Kiat Boon Research Director Singapore Academy of Law
3 St Andrew’s Road
#03-00 City Hall
Singapore 178958
Mr Tan Ken Hwee State Counsel Attorney-General’s Chambers
International Affairs Division
1 Coleman Street, #10-00, Singapore 179803
Mr Jim Lim Kheng Huat
M/s Shook Lin & Bok
1 Robinson Road
#18-00 AIA Tower
Singapore 048542
Mr Lionel Tan I-Kwok
Partner
M/s Rajah & Tann
4 Battery Road #26-01
Bank of China Building
Singapore 049908
Ms Wendy Yap Peng Hoon
State Counsel Attorney-General’s Chambers
Law Reform and Revision
Division
1 Coleman Street, #05-04, Singapore 179803
Ms Aileen Koh
Legal Counsel / Manager Accenture, Legal & Commercial Group
152 Beach Road
#19-00 Gateway East
Singapore 189721
Mr Lim Seng Siew
Chief Executive Officer The Portal WWLegal.com Pte Ltd
9B Circular Road
Singapore 049365
Ms Lau Joon-Nie
Deputy Chief Editor, E-News MediaCorp News Pte Ltd Caldecott Broadcast Centre Andrew Road
Singapore 299939
Mr Christopher Tang
Partner
M/s Allen & Gledhill
36 Robinson Road
#18-01 City House
Singapore 068877
ANNEX 2
1. ACCOUNTANTS ACT
2. ADMINISTRATION OF MUSLIM LAW ACT
3. ADVANCE MEDICAL DIRECTIVE ACT
4. AIR NAVIGATION ACT
5. ARCHITECTS ACT
6. AUDIT ACT
7. BANKING ACT
8. BANKRUPTCY ACT
9. BETTING ACT
10. CENSUS ACT
11. CENTRAL PROVIDENT FUND ACT
12. CHARITIES ACT
13. CHILD CARE CENTRES ACT
14. CHIT FUNDS ACT
15. CINEMATOGRAPH FILM HIRE DUTY ACT
16. CIVIL AVIATION AUTHORITY OF SINGAPORE ACT
17. CIVIL DEFENCE ACT
18. COMMERCIAL AND INDUSTRIAL SECURITY CORPORATION ACT
19. COMMODITY FUTURES ACT
20. COMMON GAMING HOUSES ACT
21. COMMUNITY MEDIATION CENTRES ACT
22. COMPANIES ACT
23. COMPUTER MISUSE ACT
24. CONSTITUTION OF THE REPUBLIC OF SINGAPORE
25. CONSTRUCTION INDUSTRY DEVELOPMENT BOARD ACT
26. CONSUMER PROTECTION (TRADE DESCRIPTIONS AND SAFETY REQUIREMENTS) ACT
27. CONTROL OF ESSENTIAL SUPPLIES ACT
28. CONTROL OF MANUFACTURE ACT
29. CONTROLLED PREMISES (SPECIAL PROVISIONS) ACT
30. CO-OPERATIVE SOCIETIES ACT
31. COPYRIGHT ACT
32. COUNTERVAILING AND ANTI-DUMPING DUTIES ACT
33. CRIMINAL LAW (TEMPORARY PROVISIONS) ACT
34. CRIMINAL PROCEDURE CODE
35. CURRENCY ACT
36. CUSTOMS ACT
37. DRUG TRAFFICKING (CONFISCATION OF BENEFITS) ACT
38. ECONOMIC EXPANSION INCENTIVES (RELIEF FROM INCOME TAX) ACT
39. EDUCATION ACT
40. ELECTRONIC TRANSACTIONS ACT
41. EMERGENCY (ESSENTIAL POWERS) ACT
42. EMPLOYMENT ACT
43. ENLISTMENT ACT
44. ENTERTAINMENTS DUTY ACT
45. ENVIRONMENTAL PUBLIC HEALTH ACT
46. ESTATE DUTY ACT
47. EVIDENCE ACT
48. EXCHANGE CONTROL ACT
49. FACTORIES ACT
50. FINANCE COMPANIES ACT
51. FINANCIAL PROCEDURE ACT
52. FIRE SAFETY ACT
53. FUTURES TRADING ACT
54. GENEVA CONVENTIONS ACT
55. GOODS AND SERVICES TAX ACT
56. GOVERNMENT PROCEEDINGS ACT
57. HINDU ENDOWMENTS ACT
58. HOMES FOR THE AGED ACT
59. HOUSE TO HOUSE AND STREET COLLECTIONS ACT
60. HOUSING AND DEVELOPMENT ACT
61. HOUSING DEVELOPERS (CONTROL AND LICENSING) ACT
62. HUMAN ORGAN TRANSPLANT ACT
63. IMMIGRATION ACT
64. INCOME TAX ACT
65. INDUSTRIAL RELATIONS ACT
66. INFECTIOUS DISEASES ACT
67. INLAND REVENUE AUTHORITY OF SINGAPORE ACT
68. INSTITUTE OF TECHNICAL EDUCATION ACT
69. INSURANCE ACT
70. INTERNAL SECURITY ACT
71. INTERNATIONAL ARBITRATION ACT
72. INTOXICATING SUBSTANCES ACT
73. KIDNAPPING ACT
74. LAND ACQUISITION ACT
75. LAND SURVEYORS ACT
76. LAND TITLES (STRATA) ACT
77. LAND TITLES ACT
78. LAND TRANSPORT AUTHORITY OF SINGAPORE ACT
79. LEGAL PROFESSION ACT
80. MAINTENANCE OF RELIGIOUS HARMONY ACT
81. MARINE INSURANCE ACT
82. MARITIME AND PORT AUTHORITY OF SINGAPORE ACT
83. MEDICAL REGISTRATION ACT
84. MEDICINES (ADVERTISEMENT AND SALE) ACT
85. MEDICINES ACT
86. MERCHANT SHIPPING ACT
87. MISUSE OF DRUGS ACT
88. MONETARY AUTHORITY OF SINGAPORE ACT
89. MONEYLENDERS ACT
90. MOTOR VEHICLES (THIRD PARTY RISKS AND COMPENSATION) ACT
91. MUTUAL BENEFIT ORGANISATIONS ACT
92. NATIONAL ARTS COUNCIL ACT
93. NATIONAL COMPUTER BOARD ACT
94. NATIONAL COUNCIL OF SOCIAL SERVICE ACT
95. NATIONAL HERITAGE BOARD ACT
96. NATIONAL LIBRARY BOARD ACT
97. NATIONAL PARKS ACT
98. NATIONAL SCIENCE AND TECHNOLOGY BOARD ACT
99. NATIONAL SERVICEMEN (EMPLOYMENT) ACT
100. NEWSPAPER AND PRINTING PRESSES ACT
101. NGEE ANN POLYTECHNIC ACT
102. NURSES AND MIDWIVES ACT
103. OFFICIAL SECRETS ACT
104. PARLIAMENT (PRIVILEGES, IMMUNITIES AND POWERS) ACT
105. PARLIAMENTARY ELECTIONS ACT
106. PATENTS ACT
107. PAYROLL TAX ACT
108. PENAL CODE
109. PEOPLE’S ASSOCIATION ACT
110. POLICE FORCE ACT
111. PORT OF SINGAPORE AUTHORITY ACT
112. POST OFFICE SAVINGS BANK OF SINGAPORE ACT
113. PRESIDENTIAL ELECTIONS ACT
114. PREVENTION OF CORRUPTION ACT
115. PRISONS ACT
116. PRIVATE HOSPITALS AND MEDICAL CLINICS ACT
117. PRIVATE INVESTIGATION AND SECURITY AGENCIES ACT
118. PROFESSIONAL ENGINEERS ACT
119. PROPERTY TAX ACT
120. PUBLIC SERVICE COMMISSION ACT
121. PUBLIC TRUSTEE ACT
122. PUBLIC UTILITIES ACT
123. RADIATION PROTECTION ACT
124. REGISTRATION OF DEEDS ACT
125. REGULATION OF IMPORTS AND EXPORTS ACT
126. ROAD TRAFFIC ACT
127. SALE OF DRUGS ACT
128. SALE OF FOOD ACT
129. SALE OF GOODS (UNITED NATIONS CONVENTION) ACT
130. SCIENCE CENTRE ACT
131. SECURITIES INDUSTRY ACT
132. SENTOSA DEVELOPMENT CORPORATION ACT
133. SINGAPORE ARMED FORCES ACT
134. SINGAPORE BROADCASTING AUTHORITY ACT
135. SINGAPORE CORPORATION OF REHABILITATIVE ENTERPRISES ACT
136. SINGAPORE POLYTECHNIC ACT
137. SINGAPORE PRODUCTIVITY AND STANDARDS BOARD ACT
138. SINGAPORE SPORTS COUNCIL ACT
139. SINGAPORE TOTALISATOR BOARD ACT
140. SKILLS DEVELOPMENT LEVY ACT
141. STATE IMMUNITY ACT
142. STATES OF MALAYA CUSTOMS DUTIES COLLECTION ACT
143. STATISTICS ACT
144. STATUTORY BODIES AND GOVERNMENT COMPANIES
(PROTECTION OF SECRECY) ACT
145. STREET WORKS ACT
146. SUPREME COURT OF JUDICATURE ACT
147. TELECOMMUNICATIONS ACT
148. TERMINATION OF PREGNANCY ACT
149. TIN AND TIN-ORE (DISCLOSURE OF SMELTERS’ STOCKS) ACT
150. TITLES ACT
151. TOWN COUNCILS ACT
152. TRADE DEVELOPMENT BOARD ACT
153. TRADE MARKS ACT
154. TRADE UNIONS ACT
155. TRAVEL AGENTS ACT
156. URBAN REDEVELOPMENT AUTHORITY ACT
157. VIGILANTE CORPS ACT
158. VOCATIONAL AND INDUSTRIAL TRAINING BOARD ACT
159. VOLUNTARY STERILIZATION ACT
160. WATER POLLUTION CONTROL AND DRAINAGE ACT
161. WEIGHTS AND MEASURES ACT
ANNEX 3
Option Pros Cons
Comprehensive legislation
(directive-based; covers all industries, private and public sectors)
Variant:
Separate comprehensive laws for private sector and public sector respectively
Sectoral legislation
(directive-based; addresses only “high risk” industry sectors or where need to protect consumer confidence is particularly high)
(1) Guaranteed satisfaction of EU Directive and other countries’ data protection laws possible, thus avoiding restrictions on data transfers.
(2) Consistent with current global trends, thus allowing a “seamless” transfer of data internationally. Consistency with international statutory regimes also minimises compliance costs for organisations.
(3) Allows seamless transfer of data between different sectors within Singapore.
(1) Minimal regulation by government (compared to comprehensive legislation) as only “high-risk” sectors are legislated.
(2) Provides scope for flexibility, allowing rules to be varied or stated in a different manner according to legitimate needs of each sector. Remedies can be provided in the context of own environment.
(3) Clarity and specific content can be added to rules. Complex exceptions designed for other sectors can be omitted.
(1) Over-regulation may be onerous on businesses, and is inconsistent with Singapore’s policy of minimising regulatory constraints and
compliance costs.
(2) Cost of setting up a national supervisory authority and recurring operational costs
As in (1) and (2) above +
(3) This approach does not reflect the growing convergence of many industries in each others' markets. Ignores reality that sectoral boundaries are becoming increasing- ly blurred and do not provide any impediment to the flow of data.
(4) Piecemeal approach gives rise to ‘boundary’ issues where data is transferred
to an unregulated sector or sector which is regulated by a different set of rules. Could give rise to an uneven playing field.
(5) Complicated from data subjects’ perspective, as similar types of data receive different treatment depending to sector in which they are located.
(6) Unregulated sectors are still at risk of EU data restrictions
Option Pros Cons
Comprehensive Code of
Practice
(voluntary scheme; pure self- regulation)
Variants:
Standards-based/other audited schemes, eg. eTRUST
Sectoral Codes of Practice
(voluntary scheme; pure self- regulation)
(1) Allows seamless transfer of data between different sectors within Singapore
(2) One view is that a voluntary scheme avoids onerous costs in complying with a legislative regime (but see Moira Paterson’s article, referred to in text of Report).
As in (2) and (3) under
Sectoral Legislation +
(3) Easier to organise
(1) Danger of imposition of restrictions on data transfers to Singapore by foreign countries because of lack of adequate compliance mechanisms.
(2) Effective only to the extent that businesses
choose to become a part of it. Does not adequately deal with less responsible businesses looking for short-term gains. This deters other businesses from opting into the scheme for fear of being placed at a cost disadvantage.
(3) Does not have sufficient external, independent oversight and redress mechanisms to generate public confidence.
(4) Very difficult to organise, requires one sector to take the initiative and
“galvanise” other sectors.
As in (1), (2) and (3) above +
piecemeal approach and
“boundary” issues above +
(6) Care needs to be taken to ensure that the consultation process is not unduly dominated by the large players and that any code that results is not unduly oppressive for smaller businesses.
Option Pros Cons
Co-Regulatory Schemes
(self-regulation within a legislative framework)
When compared with pure,
directive-based legislative schemes:
(1) Encourages continuous and innovative self-improvement by giving business greater flexibility, within a clear framework of societal expectations and requirements, rather than stopping at compliance with a set performance or standard. Puts to good use the entrepreneurial dynamism and informational advantages of the business sector and promotes active involvement of the business community in the policy- making process.
(2) Reduces dependency on limited government resources by making use of industry’s knowledge and resources, thus reducing the expense of governments’ having to collect the information, develop this into regulations, and then monitor the effects, often without an appropriate level of industrial and process experience.
Compared with a pure self- regulatory schemes:
(1) Government intervention is more likely to be effective in securing the collective action of sectoral organisations.
(2) Governments is in a good position to promote international cooperation and harmonisation of self- regulatory schemes
(3) can help forge global links between national schemes.
(1) Question remains whether
"co-regulatory" instruments may be successfully introduced in countries that lack the tradition of the strong enforcement of data
protection law. It has been said that partnership approaches are likely to be more effective when policies have matured beyond a level of ‘basic regulation’.
Example Comments
New Zealand Privacy Act 1993 – Privacy Commissioner may approve Codes which then replace legislative principles.
Data Protection Act 1984 (Ireland)
– as in NZ but codes must be approved by both the Data Protection Commissioner and Parliament.
Netherlands Data Protection Act
1877 – codes have a lesser legal status. Registration of code has no legal force in the sense that breach of them is treated as breach of the Act, but it may have an evidentiary effect in assisting to establish liability under the Act.
Hong Kong Personal Data
(Privacy) Ordinance 1995 – provides that a failure to observe any provision of an approved code does not of itself give rise to any legal liability but may have some evidentiary effect in establishing liability under the Act (similar to Netherlands model)
NZ – appears to have been
“very successful in terms of maximising advantages while avoiding potential pitfalls”. Adoption of industry codes to date the exception rather than the rule. “No evidence of any widespread dissatisfaction by businesses or undue complication of legal framework.”
Ireland – Advantage of ensuring continuing political oversight. But reduces the flexibility of the process.
Netherlands – emphasises the primacy of the data protection principles by ensuring that they cannot be diluted by the registration of codes. But open
to criticism that it creates more uncertainty for businesses.
Hong Kong – HK Law Reform
Commission took the view that the data protection principles were flexible enough to take account of
“sectoral differences, the variation of individual cases and the development of new technologies”. It recommended against imposing legal liability on the ground that it would divert resources away from encouraging compliance with the principles.
Example Comments
UK Data Protection Act 1984
– legislation makes provision for codes which do not have any legal status. UK Data Protection Registrar has a duty to encourage trade associations and data users to prepare and disseminate codes of practice for guidance in complying
with the data protection principles.
Australian Privacy Amendment (Private Sector) Act 2000 – The National Privacy Principles set the base line standards for privacy protection. However, the Privacy Commissioner may approve legally binding codes, to be adopted and enforced by organisations or industries, in place of the NPPs (similar to NZ model).
UK – approach provides for little incentive to industries to develop codes. The lack of provision for oversight of codes may result in a situation where codes may be positively misleading and therefore counter-productive.
Australia – a notable feature of the scheme is the seamless interface between the public and private sectors. But it is open to criticism by the private sector that the principles are both complex in their wording and specifically designed for the public sector. In addition the principles have been criticised as being outdated
and inadequate to deal with the problems posed by modern technological developments.
National Internet Advisory Committee ("NIAC")
Model Code
Scope
This Model Code describes the minimum requirements for the
Guidelines and Comments by the Legal
Subcommittee of the NIAC
[Paragraphs 1 - 1.3 are adapted from the Canadian Standards
ANNEX 4
protection of personal information in the form of electronic data
("personal data"). Any applicable legislation must be considered in implementing these requirements.
1.2
Provided the minimum requirements are met, organisations may tailor this Model Code to meet their specific circumstances. For example, policies and practices may vary, depending upon whether the personal data relate to members, employees, customers, or other individuals.
1.3
The objective of this Model Code is to assist organisations in developing and implementing policies and practices to be used when managing personal data.
Association's Model Code for the Protection of Personal Information
1996 ('CSA Code').]
Comments:
§ Background to the CSA Code
The CSA Code was drafted based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ('OECD Guidelines'). Canada was the first country in the world to establish a voluntary, national standard for the protection of personal information. The CSA Code was the result of a collaborative effort by representatives from all key groups concerned with privacy in Canada. The 45-member committee that developed the CSA Code included representatives from such
diverse sectors as the financial services, telecommunications, cable television and direct marketing industries, federal and provincial governments, consumer advocates, organised labour, and experts
in security and information technology.
The CSA Code is fairly representative of the typical data protection principles articulated by major jurisdictions and has recently become the framework for federal data protection legislation in Canada applicable to the private sector (Personal Information Protection and Electronic Documents Act 2000)
('PIPEDA').
§ General Guidelines on Model Code:
The Model Code is intended to provide a broad and flexible framework based on the principles of the OECD Guidelines. The principles have been framed in general terms so that they may be applied across sectors by a wide range of organisations.
National Internet Advisory Committee ("NIAC")
Model Code
Guidelines and Comments by the Legal
Subcommittee of the NIAC
However, it is also recognised that data users and uses may vary
ANNEX 4
1.4
Where appropriate, the following data processing activities may be exempted:
(a) Processing required by any law or by the order of a court;
(b) Processing by any individual purely for that individual's personal, family, or household affairs (including recreational purposes);
(c) Processing of personal data purely for journalistic, artistic or
literary purposes;
(d) Processing of employment data;
(e) Any processing operations which are necessary to safeguard:
(viii) National security;
(ix) Defence;
(x) Public security;
(xi) The prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
(xii) An important economic or financial interest of
Singapore;
(xiii) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (iii), (iv) and
(v);
(xiv) the protection of the data subject or of the rights and freedoms of others; and
(e) Processing of personal data for research or for the purpose of creating statistics, provided the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.
significantly between sectors. If this is the case, the Model Code may, as an alternative, be used as a template upon which businesses or industries may base more industry-specific data protection rules.
[Paragraphs 1.4 - 1.6 are not found in the CSA Code and have been inserted by the Legal Subcommittee.]
Comments:
§ Having surveyed the regimes in various jurisdictions, we observe that certain types of data processing are generally exempted. The exemptions adopted here are generally based on those in Canadian legislation in respect of the private sector (Personal Information
Protection and Electronic Documents Act 2000), and the EU
Directive (Articles 3 and 13).
§ Employment data were excluded from the Model Code because of its burden on employers, affecting competitiveness. However, the Subcommittee noted that EU has criticised Australia for exempting employment data. The EU commented that such information is often very sensitive and should be protected. The Canadian PIPEDA exempts general employment information (name, title, business address and telephone number) from the definition of
"personal information".
Despite the Code's exemption of employment data, organisations may opt to restrict this exemption only to such processing activities necessary for the purposes of carrying out their obligations under the employment relationship.
National Internet Advisory Committee ("NIAC")
Model Code
1.5
The Model Code applies to the processing of personal data wholly or partly by automatic means.
Guidelines and Comments by the Legal
Subcommittee of the NIAC
Organisations are of course free to additionally subject their manual filing systems to the operation of the code, on a voluntary basis.
Manual data subsequently converted into electronic form will be subject to the Model Code from that point onwards and the data processor will be required to comply with the Model Code.
ANNEX 4
Comments:
§ The CSA Code does not specify whether only data processed by automated means are covered under the Code, or if non-automated data are also included.
§ The EU Directive (Article 3(1)) applies to personal data processed
by automated means (e.g. a computer database of customers) and to personal data that are part of or intended to be part of a non- automated "filing system" in which they are accessible according to specific criteria (e.g. traditional paper files, such as a card file with details of clients sorted in alphabetic order of the names).
§ The Subcommittee felt that the Model Code should not at this stage apply to manual data, even if such data form part of a filing system or are intended to form part of a filing system, as the Subcommittee was unable to assess the impact of the operation of the Model Code to manual records. The Subcommittee felt that it would be difficult for manual filing systems to comply with some of the principles (e.g. access and accuracy).
National Internet Advisory Committee ("NIAC")
Model Code
1.6
The Model Code applies to any personal data which are processed or controlled by the organisation, regardless of whether the data are transferred out of Singapore.
The Model Code applies in favour of all data subjects, whether
Guidelines and Comments by the Legal
Subcommittee of the NIAC
Comments:
§ The CSA Code is silent on this.
Data may be transferred by an organisation out of Singapore. If control is retained within the organisation (e.g. transfer to a data
ANNEX 4
resident in Singapore or not, whose data are or have been processed by the organisation.
bureau solely for processing and return to the organisation for use), the data remain subject to the operation of the Model Code.
Comments:
§ This is the position in UK. There is also the practical consideration that if data are not processed or controlled within Singapore, effective enforcement by any local oversight agency is precluded.
§ On the issue of whether non-residents should be given the benefit of the protection under the Model Code, the consensus was that it was easier for businesses to comply with a broader "universal" scope as compared with distinguishing between people in Singapore and elsewhere. Another reason is so that the Model Code is consistent with the EU Directive in protecting the personal data of EU citizens and not merely Singapore citizens and Permanent Residents. (E.g. in Australia under the Privacy Act
1988, an Australian company may import data from European citizens and subsequently export them to a country with no privacy laws without the Australian regime applying. Such a measure would make it possible to circumvent the EU Directive if Australia was recognised as providing adequate protection. The Australian approach has thus been criticised by the EU.)
National Internet Advisory Committee ("NIAC")
Model Code
2. Definitions
The following definitions apply in this Model Code:
Collection — the act of gathering, acquiring, or obtaining personal data from any source, including third parties, by any means.
Guidelines and Comments by the Legal
Subcommittee of the NIAC
[Adapted from the CSA Code]
ANNEX 4
Consent — voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
[Adapted from the CSA Code]
Comments:
§ The Subcommittee is of the view that the best practice is for organisations to allow consumers to give consent through opt-in rather than opt-out procedures. (See also the comments at paragraph 4.3 on "Consent".)
Disclosure — making personal data available to others outside the organisation.
[Adapted from the CSA Code]
Organisation — a term used in the Model Code that includes associations, businesses, charitable organisations, clubs, institutions, professional practices, and unions.
[Adapted from the CSA Code]
Comments:
§ The Subcommittee is of the view that related organisations should be considered as separate organisations. Otherwise, disclosure within a large group of organisations will frustrate the objectives of the Model Code (e.g. a credit company disclosing personal information to an insurance company within the same group of companies). However, consent to disclose to related organisations may be implied (e.g. a request to purchase a car may imply the data subject's consent to the disclosure of his personal particulars to the car supplier for the purposes of the transaction).
National Internet Advisory Committee ("NIAC")
Model Code
Guidelines and Comments by the Legal
Subcommittee of the NIAC
ANNEX 4
Personal data — data, whether true or not, in an electronic form, which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
[Adapted from UK Data Protection Act 1998]
Individuals are identifiable not only by their names but also by their pictures, their telephone numbers, or by some special identification number (e.g. NRIC and Passport numbers), etc.
"Personal data" means data which are in a form which can be understood by the recipient (e.g. encrypted data without the key would not be "information" because they cannot be understood). But they would become "information" (and hence "personal data") if they are capable of being decrypted.
Comments:
§ For the avoidance of doubt, the Subcommittee thinks that the Model Code should regulate personal information in the form of electronic data (i.e. "personal data" rather than "personal information").
§ See also the comments under paragraph 1.5.
At a later stage, the Model Code may be extended to include manually-recorded personal data. In the meantime, organisations are free to subject their manually-recorded personal data to the operation of the Model Code.
56
National Internet Advisory Committee ("NIAC")
Model Code
Guidelines and Comments by the Legal
Subcommittee of the NIAC
ANNEX 4
Comments:
§ Another difficult area may arise in the context of b2b transactions. For example, if a business discloses, through one of its employees, its preference for products/supplies, is that personal information about the employee which should therefore be protected? The Subcommittee felt that only personal information purporting to relate to that employee personally would be considered "personal data". Data purporting to relate to a business would not normally be "identifiable" to that employee. The Subcommittee felt that such issues could be determined on the particular facts of each case.
Processing — any operation or set of operations which is performed upon personal data (whether or not by automatic means), such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Comments:
§ The CSA did not define "processing". However, the Subcommittee felt a definition is necessary as the term is an integral concept in the Model Code. The definition is adopted from the EU Directive (Article 2).
Use — refers to the treatment and handling of personal data within an organisation.
[Adapted from the CSA Code]
National Internet Advisory Committee ("NIAC")
Model Code
3. General Requirements
3.1
Guidelines and Comments by the Legal
Subcommittee of the NIAC
[Adapted from the CSA Code]
Comments:
ANNEX 4
The 11 principles that make up this Model Code are interrelated. Organisations adopting this Model Code shall adhere to the first 10 principles as a whole. Organisations which transfer personal data to third parties overseas should also adhere to Principle 11. Organisations may tailor this Model Code to meet their particular circumstances by
(a) defining how they subscribe to the 11 principles;
(b) developing an organisation-specific code; and
(c) modifying the commentary to provide organisation-specific examples.
3.2
Each of the principles is followed by a commentary on the principle. The commentaries are intended to help individuals and organisations understand the significance and the implications of the principles. Where there is also a note following a principle (see principles 3 and
9), it forms an integral part of the principle.
3.3
Although the following clauses use prescriptive language (ie, the words "shall" or "must"), this Model Code is voluntary. Should an organisation choose to adopt the principles and general practices contained in this Model Code, the clauses containing prescriptive language become requirements. The use of the word "should" indicates a recommendation.
§ Principle 11 is not in the CSA Code. However, the Subcommittee felt that the inclusion of Principle 11 is necessary for consistency with the EU Directive.
National Internet Advisory Committee