fbpx

Do we have enough data protection laws?

I read the recent breach of the personal data of over 400 NS men as a result of a technical error perpetuated by a government appointed vendor with concern. The NS men in question had provided their details when trying to redeem certain service linked rewards but instead of obtaining their rewards, they obtained the bonus of each others' details!

While I understand that IT glitches are sometimes avoidable, I wonder if there is enough regulation in place for the protection of our personal data. In the digital age, the use and perpetuation of information is clearly a great means of power and such data should therefore be adequately protected.

The government certainly realises the importance of the spread of information. The way they have sought to combat the propagation of "fake news" is testament to how much weight the government has placed on data, its spread and consequent usage. Should our personal data not also be protected with the same amount of stringency?

Individuals whose data have been breached may not have the resources to pursue the actions required to protect themselves and as such, laws should be put in place to ensure that individuals are not bullied by negligence or fraudulent corporate practices.

Currently, we have the Personal Data Protection Act (PDPA) but is this adequate? Arguably not as the PDPA has rather far reaching exemptions. For example, the PDPA does not apply to the public sector or any agents of the public sector. This would mean that all government bodies and statutory boards are completely outside the remit of the PDPA. Does this mean that the government can do whatever it likes with our data without our consent or knowledge? Does this mean that the NS men whose data were breached have no redress save for a public apology?

Also, the PDPA does not require the data collector to expressly seek permission. This would mean that as long as I provide data willingly without putting any limitations on the usage of such data, the collector can do whatever he/she/it likes with it! Your average Joe would not have considered the implications of providing his data but I can assure you that if he was told that his data could be passed on willy nilly, he would have said no. Shouldn't the government be obligated to ensure that Singaporeans have these basic rights of consent?

If the government can invest so much time and effort into preventing "fake news", it should do the same for our personal data.

An example of how data can be misrepresented is when our contact details are passed on to sister companies or sold to other companies for marketing purposes. I.e. I provide company A with my details for Product A. Company A then sells on my information to Company B, misrepresenting to Company B that I am interested in Product B. I have never consented to Company A selling on my details and I have never indicated that I am interested in Product B. Company A has misused my data and misrepresented to Company B that I may like Product B in order to make a profit through the unethical sale of data.

Aren't these forms of misrepresentation without our consent a form of fake news too? You are after all lying about my interests to make a profit!