It is necessary for Singapore to have two separate legislative frameworks for the public and private sectors when it comes to governing private data security, Senior Minister of State for Communications and Information Janil Puthucheary said in Parliament on Monday (2 November).
“We believe that we need these two approaches, because the government is not a private company, nor should it behave as such, and you cannot expect a private company to behave like government,” the MP for Pasir Ris-Punggol GRC noted.
Dr Janil said in this response to a question raised by Aljunied GRC Member of Parliament (MP) Gerald Giam, who asked if the myriad of legislation in Singapore can be consolidated under the Personal Data Protection Act (PDPA) to ensure that government agencies safeguard personal data the same way that it is expected of private sector companies.
During Monday’s debate on the Personal Data Protection (Amendment) Bill, Mr Giam asked: Why is there no universal set of data protection laws for both the government and private sectors?
“Why should public data controllers be treated differently from private data controllers? I believe there is merit in having a universal standard of personal data protection that applies to both private as well as public data controllers. If there is a need to maintain discretion because of national security reasons, these exemptions can be explicitly written into the PDPA,” the Workers’ Party (WP) MP noted.
“The PDPA specifically exempts the government from having to comply with it. The government has explained that this because it has its own set of data privacy standards, which are set out in the Public Sector (Governance) Act (PSGA), the Official Secrets Act (OSA), the Banking Act, the Income Tax Act (ITA), the Statistics Act and the Instruction Manual 8 (IM8), among others,” he added.
As someone who had worked with the government, both as a civil servant and a government contractor, the Aljunied GRC MP stated that there are a number of problems when it comes to having the government to comply with a different set of data protection rules from the private sector.
The first concern that Mr Giam highlighted is that the data protection provisions in all the different Acts varies in their standard of protection.
“Having public data controllers governed by a hodgepodge of separate legislation is likely to lead to differing standards and gaps in coverage,” he argued.
Besides that, the alternative party member also noted that the lack of a single set of rules governing privacy leaves individuals data owners unclear as to what level of personal data protection they are entitled to.
“The Government’s exemption from the PDPA could lead to concerns among citizens about how their sensitive data is being used by the government,” Mr Giam added.
The regulations for government also mainly only include internal checks on the government ministries and agencies, but disciplinary consequences for individual officer, he said.
“A citizen who has incurred damages as a result of a data breach by a government agency has little recourse to pursue civil remedies against that agency. The PDPA, on the other hand, grants such recourse against offending organisations. This could be seen as a lower threshold of accountability on the part of the government.”
Dr Janil responds
Dr Janil clarified some of Mr Giam’s concerns, first addressing the idea that the “standard for the government should be as high, if not higher than the private sector”.
“Mr Giam also suggests perhaps that we should treat government and treat businesses the same way. That the same tool or same behaviour will either be used or expected in the private ground and the public sector.
“We expect government to behave as one service – servicing residents, servicing our citizens, serving our country as one entity. We expect the private sector to behave as individual entities and there needs to be an appropriate separation, gap and data sharing between private entities,” the PAP MP explained.
Dr Janil also pointed out that there is “internal coherence” despite the many different Acts and rules that exist in the country.
“Internally within the government, the data security (and) data privacy space is looked after by the Government Data Office, (which is) a single point of contact. Externally, for the member of the public that are concern about their data security, they also have one point of contact –- the Government Data Security Centre,” he explained.
Dr Janil also clarified that the PDPA is not the equivalent to the PSGA and all the other different Acts that Mr Giam mentioned. But rather, the equivalence is between the PDPA and PSGA only, and the other laws come on top of the PSGA, “governing and controlling behaviour within specific domains,” he noted.
The Senior Minister also reiterated his point that separating public and private sector data protection regimes in Singapore “remains necessary for (the Government) to keep achieving the outcomes that we want to achieve in terms of good policy, responsiveness to citizens, operating as one government”.
Mr Giam concurred with Dr Janil’s “no wrong door” policy and data sharing between agencies. However, he still emphasised that this provision can be made in the PDPA.
To this, Dr Janil asked what outcome will Singapore achieve by merely putting everything under one legislation.
“I doubt very much there is any confusion among the civil servant about the standards expected of them simply because we have two legislative frameworks,” Dr Janil said.
“Categorically, the two are aligned to the same expectations, standards and we will refined them as needed to make sure that is the case. However, we believe that we need these two approaches because government is not a private company, nor should it behave as such, and you cannot expect a private company to behave like government.
“Mr Giam goes on about the burdens that he felt as a civil servant. If the private SMEs had to comply with all the regulations that he had to struggle with as a civil servant, they would not be able to do business in quite the same way. And perhaps innovation, the ease of customer relations, the ease of coming up with new products would be impeded,” Dr Janil concluded.