News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

Developing a trusted data ecosystem to support Singapore's Digital Economy

The PDPC has embarked on a new series of initiatives as part of its efforts to develop a trusted data ecosystem in Singapore.

These include the launch of a public consultation for the review of the PDPA, a new guide to help organisations adopt best practices when sharing data, plans to introduce a DP Trustmark, and more.

Please download the media document here:
 
  • Media Release

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Jul 2017, 12:00pm AEST

Address by Mr Tan Kiat How, Commissioner of PDPC, at the PDP Seminar 2017 on Thursday, 27 July 2017, at the Sands Expo and Convention Centre, Marina Bay Sands

Dr Yaacob Ibrahim, Minister for Communications and Information, 
Speakers,
Distinguished Guests,
Ladies and Gentlemen,
 
1. The Digital Economy provides exciting opportunities for businesses and workers.  We have seen the rise of platforms in domains such as e-commerce, social media and e-payments, and the growth of vibrant digital ecosystems around these platforms. In these ecosystems, data is the currency of exchange and the basis on which enterprises innovate business models, products and services. Trust is a key lubricant that enables the entire system to function.

2. A robust data protection regime is important to engender trust in our ecosystem and enable our companies to seize growth opportunities. That is why since the last seminar, we have been ramping up data protection capabilities among organisations.

Current Data Protection Landscape
3. We are making steady progress. From our recent industry survey, the number of organisations with some data protection policies and practices in place has increased to 96%. This is up from 70% the year before.  

4. Of these, half had appointed a Data Protection Officer, or DPO. While this is a marked improvement over the previous year’s 40%, we cannot stress enough that appointing a DPO is mandatory. More importantly, it is a decision that should not be taken lightly. As the champion within the organisation, the DPO plays an important role. He takes the lead on putting in place internal policies, designing processes and inculcating the right data protection culture. On our part, the PDPC will continue to develop programmes and schemes to support and elevate the DPO in his role. 
 
5. It has been three years since the data protection provisions have come into force. We have investigated over 300 enforcement cases since then, with a majority of the cases receiving an advisory notice. For the more serious cases, we issued over 30 full-length decisions where many of the organisations in breach had to pay financial penalties and carry out other directions to strengthen their data protection policies and practices.

6. Our firm enforcement actions aim to drive home the message that personal data protection is important. As we strive towards a Digital Economy, data protection cannot be just about compliance; it must be about accountability. Accountability is an organisation’s promise to customers that their personal data will be handled carefully. It is about being able to demonstrate to customers that the organisation has put in place measures that pre-emptively identify and address risks to the personal data of their customers. 

7. In a recent survey that we conducted among some 1,500 consumers, 93% of respondents trusted that, with the PDPA in place, their personal data would be protected from misuse by organisations; four out of five respondents had noticed an improvement in organisations’ data protection practices; and 73% of the respondents were willing to provide their personal data to these organisations for products, services and other perks. It’s a significant change from last year, where only about half of them indicated a willingness to do so. This suggests greater trust in the organisations here.

8. This trust is an asset that all of us, as stakeholders in our local ecosystem, have a collective responsibility to preserve and protect. 

Building a Culture of Trust in the Data Protection Ecosystem
9. Let me elaborate how PDPC will help companies make this transition from compliance to accountability.
 
10. Later this year, PDPC will be producing two guides – the first on how to implement a Data Protection Management Programme, or DPMP; and the second on how to conduct Data Protection Impact Assessments, also known as DPIAs. These are accountability and data protection by design tools, which adopt sensible, risk-based approaches towards data protection.
 
11. A DPMP sets out the organisation’s management policies, application of processes and practices, and roles and responsibilities of staff in the handling of personal data. Developing a DPMP within an organisation takes careful planning and consideration of all aspects of data collection and use, and the DPMP guide will help organisations put in place a practical and robust personal data protection programme regime.
 
12. To help DPOs make strategic decisions on where and what to focus their efforts on, PDPC will be introducing a PDPA Assessment Tool for Organisations. It is an interactive online tool that helps the DPO to review the organisation’s data protection policies and processes, identify gaps, provide actionable suggestions and recommend relevant resources – such as the PDPC’s advisory guidelines – to improve data protection measures. This tool will be free and made available on PDPC’s website.  
 
13. The second guide is on the conduct of DPIAs. It will be a useful resource for the DPO as he sets about reviewing systems or processes to identify where personal data may be at risk. This guide can also be used when designing new systems or processes. DPIAs should ideally be conducted once before the design of the system or process is finalised, and again to ensure that the solutions to address the risks are properly implemented before the system or process goes ‘live’. The integration of DPIAs within an organisation’s business processes is a crucial step towards adopting a Data Protection by Design approach.

Supporting our SMEs
14. We foresee that some companies may need a bit more guidance. This will be especially true for SMEs who may not have an experienced DPO on staff. To support them, we will be implementing a few measures.  

15. First, the Data Protection Starter Kit. This is expected to be introduced later this year. It will be a step-by-step guide that highlights nuggets of useful information and resources, such as sample clauses, forms and templates in an easy-to-understand manner. This will be available first as an online and hardcopy resource, and will be followed by a mobile app.
 
16. Second, PDPC will be appointing a panel of Data Protection Advisors to provide targeted help for SMEs. The advisors can guide SMEs on the implementation of data protection processes and systems that are tailored to the organisation’s operational needs. This advisory service will allow SMEs to have a better understanding of their obligations under the PDPA, identify data protection gaps within the organisation and point them to relevant resources. Advisors will also be able to identify available grants that SMEs may tap on, types of courses their employees can attend, and connect them to external data protection service providers.
 
17. I have spoken about the tools and guides that we will be introducing this year as the first stage of our journey from compliance to accountability. In the next stage, we plan to develop the DP Trustmark. We aim to do so by end 2018. The DP Trustmark is a clear recognition that an organisation has put in place accountability practices that go beyond a checklist approach to compliance. Over the coming year, we will be seeking views on key features of the Trustmark, for instance the certification criteria. We plan to start the industry consultation by end of the year. 

Learning from One Another 
18. The PDPC has been actively issuing enforcement decisions for about 15 months now. There are always lessons we can draw from each situation. 

19. Let me give you an example. We received a complaint against the Singapore Institute of Management (SIM) concerning the alleged disclosure of the complainant’s NRIC image to a third party over the institute’s online portal. While processing applications, a staff erroneously uploaded the complainant’s scanned NRIC image to another applicant’s online records. This human error resulted in the disclosure of the complainant’s personal data to the third party. Upon notification of the incident, SIM immediately removed the image from the portal. The staff who committed the error was also counselled.

20. The key issue is whether the organisation has made reasonable security arrangements to protect their applicants’ personal data. After investigation, we determined that the sample documentary checks that SIM had instituted were adequate in providing reasonable assurance of the correct tagging of applicants’ scanned documents. Hence, we were satisfied that SIM had adequately discharged its Protection Obligation and decided that there was no breach. 

21. This case is one of the many that we have compiled in a Personal Data Protection Digest. With a Digital Economy, the discourse on data protection laws and practices will only grow deeper. The Personal Data Protection Digest deals with practical issues faced by data protection practitioners in the course of their work, and covers a variety of topics. I hope that it will provide helpful guidance to DPOs, as well as lawyers and in-house legal counsels who advise on data protection. Our aim is for this effort to contribute to the growing knowledge and experience in this area.

22. At this time, I would like to acknowledge the contributions of the Data Protection Advisory Committee. Their sound advice and industry insight have informed the Commission's decisions. This volume is very much their product as well.
 
Conclusion
23. We believe that data protection and data innovation goals are not mutually exclusive. In fact, a robust data protection regime is an important foundation for which data innovation can thrive. All of us have a shared responsibility to build up the trust quotient needed to enable the smooth functioning of this ecosystem, which enables businesses to seize opportunities and reap the rewards of data innovation.

26. I hope many of you will benefit from today’s event. 

27. On that note, I would like to thank Minister Yaacob for gracing our event once again, and wish everyone an engaging and fruitful day. 

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Jul 2017, 12:00pm AEST

Updated privacy policy

The OAIC has updated its privacy policy. The update includes the following changes:

Office of the Australian Information Commissioner
Source: News - OAIC
27 Jul 2017, 1:59am AEST

FTC Returns Money to Victims of Business Opportunity Scheme

The Federal Trade Commission is mailing 2,711 checks totaling more than $372,000 to people who paid American Business Builders and related entities for a home-based business opportunity. The defendants claimed that people would earn substantial income offering payment processing services, credit card terminals, and merchant cash advances to small businesses.

Under a settlement with the FTC, the defendants – which include American Business Builders, ENF, Network Market Solutions, UMS Group, United Merchant Services, Universal Marketing and Training, and Unlimited Training Services – are banned from selling business and work-at-home opportunities and related services.

The average check amount is $137.42. Recipients should deposit or cash checks within 60 days. The FTC never requires consumers to pay money or provide account information to cash a refund check. If they have questions about the case, they should contact the FTC’s refund administrator, Rust Consulting Inc., at 800-373-9651.

To learn more about the FTC’s refund program, visit www.ftc.gov/refunds.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
26 Jul 2017, 10:00pm AEST

FTC to Hold First Roundtable on Economic Liberty

WHAT: The U.S. Federal Trade Commission will host a Roundtable, Streamlining Licensing Across State Lines: Initiatives to Enhance Occupational License Portability. The event will explore options for enhancing the portability of occupational licenses.
WHEN: Thursday, July 27, 2:00 p.m.–4:00 p.m. EDT
WHERE: Constitution Center
400 7th St., SW
Washington, DC 20024
WHO: FTC Acting Chairman Maureen K. Ohlhausen, as well as stakeholders, including experts on the law of interstate compacts; representatives of organizations that have developed or administer compacts or model laws for specific professions; government officials who have facilitated the adoption of state legislation aimed at improving the portability of licenses for military spouses, and others.
WEBCAST: The conference will be webcast.

Federal Trade Commission, United States
Source: Press Release Feed
26 Jul 2017, 10:00pm AEST

FTC Announces Winner of its Internet of Things Home Device Security Contest

Tool would help address security vulnerabilities caused by out-of-date software in IoT devices

The Federal Trade Commission announced that a mobile app developed by a New Hampshire software developer was awarded the top prize in the agency’s competition seeking tools to help consumers protect the security of their Internet of Things (IoT) devices.

The FTC launched the contest in January to challenge innovators to develop a tool that would help address security vulnerabilities of IoT devices.

With the assistance of an expert panel of five judges, the FTC awarded Steve Castle the $25,000 top prize for his proposal for a mobile app, “IoT Watchdog.” As a software developer, Castle said he was motivated to enter the contest to distill his network security knowledge and experience into a tool that can help users easily determine if their devices are out of date or if their networks are insecure. The mobile app he proposed seeks to help users manage the IoT devices in their home. It would enable users with limited technical expertise to scan their home Wi-Fi and Bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device’s software and fix other vulnerabilities.

“Congratulations to Mr. Castle and thanks to all participants in our contest. Their innovative ideas will help consumers secure their devices and aid the growth of the IoT overall,” said Acting FTC Chairman Maureen K. Ohlhausen. “The full promise of the Internet of Things could be lost if consumers do not trust their devices. By improving security for consumers, the ideas generated by our contest will help the IoT flourish.”

The FTC also awarded an honorable mention to a team that proposed an alternative method of securing home networks from vulnerable IoT devices. The team, led by long-time Silicon Valley-based engineers BJ Black and Michael Birmingham, was awarded $3,000 for its proposal to develop a tool called Persistent Internal Network Containment (PINC) that uses virtual networks to isolate each device on a home network so that consumers can easily monitor and manage their IoT devices.

The Internet of Things, an array of billions of everyday objects sending and receiving data over the Internet, is expanding rapidly with the adoption of applications such as health and fitness monitors, home security devices, connected cars and household appliances. It offers many benefits for consumers, but also raises privacy and security concerns. The proposals developed as part of the FTC contest are just one part of the agency’s ongoing and comprehensive efforts to help improve IoT device security.

Federal Trade Commission, United States
Source: Press Release Feed
26 Jul 2017, 10:00pm AEST

Williams v ACC: Getting the information right

A recent Human Rights Review Tribunal decision has highlighted the importance of agencies complying with privacy principle 8 (the accuracy principle) and ensuring they take reasonable steps to ensure the information is accurate and up-to-date before they use it.

Principle 8 is relevant if a decision affecting an individual has been made on the basis of incomplete, outdated or inaccurate personal information. Information privacy principle 8 says that:

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

In the case of Williams v ACC, ACC had relied on a medical report based on an eight-month-old assessment without checking if Mr Williams had further injury or deterioration when deciding to cancel his weekly earnings-related compensation payments. 

After Mr Williams made a privacy complaint to ACC about the failure to comply with principle 8, ACC promptly reinstated the payments and made an apology for their non-deliberate breach of principle 8. Mr Williams has now been awarded $7,500 damages by the Tribunal for the emotional harm he had suffered as a result of this interference with his privacy.

ACC’s due process error

Due to injury, Mr Williams was receiving weekly earnings-related compensation payments. On 24 December 2014, ACC advised the payments would cease from 21 January 2015. In reaching this decision, ACC relied on a supplementary medical report provided by an occupational medicine specialist that included a proviso:

Unless there has been a further injury or a significant deterioration since I saw [Mr Williams] this would continue to be my opinion i.e. in my opinion he is capable of working in his pre-injury work role as truck driver.

But ACC did not check with Mr Williams if he had suffered any further injury or deterioration before deciding to cancel the payments. 

Mr Williams initially took the step of requesting review of the ACC decision but then opted to bring judicial review proceedings in the High Court, to try to have the decision overturned as soon as possible. He then became aware of information privacy principle 8.

Mr Williams wrote to ACC on 13 April 2015, drawing attention to the proviso in the supplementary medical report, and pointing out that had ACC sought up-to-date, accurate, complete and relevant medical information relating to his injury, he would have provided relevant additional and new information.

This complaint to ACC about breach of principle 8 resulted in a prompt same-day acknowledgement, and just over a week later, on 22 April 2015, ACC advised that the decision to cease his payments had been overturned in light of the acknowledgement that due process had not been followed when it made the 24 December 2014 decision. Mr Williams was advised his weekly compensation payments would be reinstated and backdated to January 2015. By 24 April 2015, ACC had acknowledged the breach of privacy principle 8 and provided a written apology.

But the apology was not adequate to fully resolve the matter for Mr Williams who sought monetary compensation for the error. Mr Williams complained to us but as we were unable to settle the matter to his satisfaction, he filed proceedings in the Human Rights Review Tribunal seeking $10,000.

Tribunal’s decision on causation and damages

As ACC accepted that there had been an interference with Mr Williams’ privacy, the Tribunal’s decision was about Mr Williams' claim for $10,000 damages. The Tribunal accepted the credibility of the witnesses and observed that Mr Williams impressed as a reserved, quiet and private individual and, while he had a limited ability to speak freely about himself, the Tribunal did not doubt that he had experienced the emotional harm of which he spoke.

While ACC’s apology to Mr Williams was both genuine and immediate, the Tribunal noted that an appropriate and timely apology can be relevant and may lessen the harm suffered by an individual. But the apology could not erase the humiliation, loss of dignity or injury to feelings caused by the interference with privacy, nor is it a “get out of jail free” card.

Accepting that the apology was not sufficient to adequately compensate for the consequences of the interference with his privacy, the Tribunal was satisfied the nature and degree of emotional harm experienced by Mr Williams required an award of damages:

The circumstances of the case are consistent with and reinforce the claim by Mr Williams he experienced humiliation, loss of dignity and injury to feelings. The announcement by ACC that his compensation payments would terminate was received on Christmas Eve. Over the holiday period he was left to contemplate a precarious future and the severe consequences which would inevitably flow from the termination of the payments on 21 January 2015. He could hardly have been anything other than worried, nervous and fearful about his financial insecurity, his inability to meet basic living costs and his uncertain and unknown future. It is not surprising his relationship with his partner came under strain. In the New Year, as a person who had been in continuous employment for 45 years and who took pride in supporting himself and his family, he found himself at Work and Income applying for social welfare assistance. He similarly had to face his bank with an admission that he was no longer able to meet his financial commitments. His mortgage had to be rearranged and his credit card debt addressed. His anger, frustration, humiliation and feeling of powerlessness is understandable.

 

On the facts found, there is a clear causal connection between the termination of his compensation payments and his feelings of humiliation, loss of dignity and injury to feelings.

While accepting that Mr Williams’ claim for $10,000 was not extravagant, the Tribunal rejected the claim that ACC’s error had been deliberate. In the circumstances, including recognition of the speed with which the interference was recognised, acknowledged and remedied by ACC, Mr Williams was awarded $7,500.

The case was contrasted with the award of $15,000 in an earlier case - Taylor v Orcon - where principle 8 was breached, resulting in more serious humiliation, loss of dignity and injury to feelings.

Here are some other examples involving a breach of principle 8:

Office of the Privacy Commissioner, New Zealand
Source: Blog
25 Jul 2017, 1:35pm AEST

Keynote Speech by Mr Yeong Zee Kin, Deputy Commissioner of PDPC, at the IAPP Asia Privacy Forum on Monday, 24 July 2017, at the Sands Expo and Convention Centre, Marina Bay Sands

Ms Rona Morgan, IAPP Managing Director of Asia,
Our Philippine counterpart, Commissioner Raymund Liboro from the National Privacy Commission,
Fellow personal data protection and privacy colleagues,

The Evolving Role of Data Protection Officers
1. It is my privilege to be able to again address my colleagues and comrades-in-arms in personal data protection. It is almost a year to the day that I last stood before you and shared PDPC’s view of how a robust personal data protection regime is not inimical, but can contribute positively to, the innovative use of data. Since then, we have done our best to strike the right chord, by ensuring that we provide advisory guidelines and practical guidance to clarify ambiguities, so that businesses can make commercial decisions effectively. In this vein, we have issued updates to our anonymisation guidelines to clarify that we take a risk management approach to this topic; and we published a redacted version of a practical guidance on how the research exception ought to work, so that we can make better use of the data we have on hand to make better decisions and improve the services we provide to our customers.

2. The conscientious follower of our website will know that we have also been active in enforcement, taking firmly in hand any organisation that breaches the PDPA. I am told that our frequency of enforcement makes the PDPC one of the most active data protection authorities in the world. Is this level of enforcement warranted? We believe so. Data is such a valuable commodity that if it is not handled with care, it may negatively impact businesses such as through the disruption of business operations, the loss of reputation, loss of customer trust, loss of business opportunities and the diversion of time and resources to deal with costly data breaches. We keep a close eye on the type of breaches that come up before us. A majority of the data breaches in Singapore have been due to the lack of data protection policies and poor IT security measures. Lately, we have observed another emerging trend – the lack of training.

3. The casual reader of our website resources may go away with the impression that it is all bad news and data breaches. But not all is doom and gloom. Conversely, there are other cases where we have found that an organisation had acted responsibly, such that even though there was a data breach, the company was let off. One such case involved the real estate agency, CBRE. Documents containing personal data of its customers were retrieved from the garbage area of an office building. Our investigations found that CBRE had implemented reasonable data protection policies and practices. They also conducted regular training for their employees and set out specific guidance on disposing of confidential information. Furthermore, they adopted policies in relation to information security and communicated them through the Code of Conduct and Employment Handbook. As such, PDPC decided that the agency had conducted its affairs reasonably and appropriately. CBRE was not found to be in breach of the PDPA.

4. This case bespeaks the crucial role of the Data Protection Officer. A DPO who carries his role well is an asset to his organisation. He ensures compliance with the PDPA, but he can do so much more. We plan to share positive examples where a DPO was able to demonstrate that his organisation had in place the right set of data protection policies, had adopted the right culture and practices, and was able to show that his organisation was accountable to its customers for the care of their personal data. An organisation that is accountable may well avoid a finding that it has breached the PDPA even though there had been a data breach.

5. There are exciting plans that we will be unveiling at PDPC’s annual Personal Data Protection Seminar later this week encircling the topic of accountability. I look forward to seeing my fellow DPOs at the seminar. I hope too, that guests to our country will linger for a little while and be able to hear first-hand the announcements that we have lined up. Today, for this audience, I share the amuse-bouche, to whet your appetite, and speak a little about the evolving role of the DPO in accountability and how PDPC plans to help us all make that change.

6. Our emphasis on the crucial role played by DPOs within an organisation echoes global developments. The EU General Data Protection Regulation (GDPR), for example, acknowledges the value of “privacy on the ground” by mandating the appointment of a DPO for all public authorities as well as private organisations that handle personal data on a large scale. With the EU GDPR placing greater emphasis on the role, the importance of the DPO is set to grow. Over here in our little red dot, we had already foreseen how crucial the DPO is to an organisation and have mandated that every organisation appoints a DPO since PDPA was enacted back in 2012.  

DPOs’ Role in Accountability
7. An organisation that wishes to be effectively accountable to its customers for the personal data that it holds has to begin the transformation from within. The direction and impetus must come from the top: the board of directors and the CEO. With strong management support, the DPO can be empowered to bring about the changes that are necessary. Ideally, he should be part of the management team because he has a mammoth challenge. The least of his tasks is the introduction of policies that are customised for his organisation. After that, he must communicate these policies and ensure that business processes across the organisation are reviewed and updated, to ensure that the right practices are adopted. He must put in place a training programme, so that all of his colleagues who have to deal with personal data in the course of their work are aware of the new policies and practices. Beyond this, his greater challenge is to help them internalise the need to adopt a culture of respect for their customer’s personal data.

8. These are not one-off tasks that the DPO checks off. The DPO has to be engaged in all the right conversations within the organisation, so that he is able to bring with him the best data protection advice, and contribute to creating the solutions that his organisation needs in order to improve its quality of service. The DPO cannot be a road block. He has to be a pathfinder. He has to equip himself with the right knowledge and tools to be able to contribute positively and help his colleagues achieve his organisation’s goals. At the same time, he is the referee and the linesman. He has to ensure that there are no breaches of the PDPA.

9. We place the DPO at the centre of our plans because we see the DPO as the catalyst. Our plan is simple. First, a DPO needs to be equipped with data protection know-how. Training is essential. Next, a DPO needs access to guidance, tools and help so that he is able to carry out his role effectively. Finally, a DPO cannot function alone but must plug into a larger network of like-minded persons. We need to place DPOs in communities of practices where he may seek out others who face similar challenges to share experiences and solutions.

Strengthening DPOs’ Capabilities
10. With regards to training, PDPC understands the need to equip DPOs with deep knowledge and skills. The DPO is a career path and we hope to professionalise it by lifting the level of training and discourse. We have been rolling out initiatives to do just that:

a. Sector and Industry Briefings. PDPC works with at least 67 trade associations, chambers of commerce and professional bodies to reach out to organisations. We conduct numerous sector specific briefings to help DPOs understand how the PDPA applies to their industry and share lessons that we pick up through our enforcement actions. We have so far reached out to more than 29,800 individuals from more than 10,000 companies.

b. Online Learning. PDPC also has a popular e-learning programme. It has served over 20,000 website visitors and has been a useful resource for organisations that want their employees to acquire a basic understanding of the PDPA. The e-learning Corporate Account feature was launched in August 2015. Since then, more than 13,000 employees from 100 organisations have benefitted from the complimentary online training.

c. PDPC’s Two-day Fundamentals of the PDPA Course. To equip new DPOs with basic knowledge and skills in complying with the PDPA, PDPC had developed a two-day course on the Fundamentals of the PDPA. Since its inception in June 2014, about 5,000 attendees have benefitted from the course with the number of attendees growing every year. In the last 12 months, from July 2016 to June 2017, there were almost 1,000 attendees. That is a 30.2 per cent increase from the same period in the previous year.

d. Partnership with IAPP on an Advanced Course. PDPC aims to further enhance the capabilities and professionalise the role of the DPO in organisations. To do so, PDPC and IAPP are working together to equip DPOs beyond basic principles of the PDPA to provide practical data governance and data protection skills.

Helping and Guiding DPOs
11. Next, I turn to share some of our plans to provide help and guidance to DPOs. PDPC recognises that DPOs may be at varying levels of implementing personal data protection measures in their organisations. Many, in particular Small and Medium Enterprises (SMEs), may struggle to find resources. On this front, we have exciting announcements to make at our PDP Seminar. I think that we are entertaining last minute registrations, for those of us who have not already signed up.

12. The new initiatives that we will be announcing complement existing resources we have rolled out in the past year:

a. Advisory Guidelines, Practical Guidance and Guides. The PDPC develops advisory guidelines, practical guidance and guides to help organisations understand how to operationalise personal data protection measures. I have mentioned the updates to the anonymisation guidelines and the practical guidance on the research exception earlier. In 2016, PDPC rolled out several guides on topics that include the securing of personal data in electronic medium, building websites for SMEs, disposal of personal data in physical medium and the handling of access request.

b. Financial Assistance. To help organisations with funding support when implementing their data protection initiatives, PDPC collaborated with SPRING Singapore in August 2016 to help SMEs tap on SPRING’s Capability Development Grant (CDG). The grant can be used to defray up to 70 per cent of qualifying upgrading project costs. This includes consultancy and training services, assessments and audits, and can also be utilised to defray the costs of adopting software solutions.

c. Virtual Assistant “Ask Jamie”. In March 2016, PDPC launched an automated 24/7 virtual assistant. Utilising natural language processing to decipher questions and provide suitable responses, Jamie adds a human touch to interactions with users who visit the PDPC website for quick answers.

Forging DPO Networks
13. Finally, the third limb of our strategy. Placing DPOs within communities of practices. Besides strengthening a DPO’s capabilities and equipping them with the right skills and tools, forging DPO support networks is important. DPOs need peer-to-peer assistance, and the opportunity to exchange ideas, support one another, discuss challenges and opportunities, and encourage thought leadership within the DPO community. This helps to gather and nurture a pool of quality DPO professionals:

a. Forming of Communities of Practices for DPOs. To help encourage this, PDPC is supporting the formation of Communities of Practices for DPOs. This year, PDPC has been reaching out to trade associations and chambers of commerce, encouraging them to create networking opportunities for DPOs in various sectors. The PDPA applies to the entire private sector and we need a multiplicity of communities. Each sector faces a different set of data protection challenges and has to craft a customised solution for itself. We are only just starting to roll out this new initiative. PDPC plans to co-organise sector-specific DPO engagement and networking sessions. Through these sessions, we hope to encourage DPOs to step up as champions to further the cause. We also encourage ground-up initiatives such as the formation of informal networks of DPOs. We hope DPOs who are active thought leaders will form associations or societies to help become drivers of personal data protection for their sectors. There is room for different communities and if you do form up, please get in touch with us. PDPC would like to connect and work with you.

b. Encouraging Champions of Personal Data Protection (Case Studies). PDPC has been engaging various companies every year, to share good data protection practices and to be advocates of personal data protection. Their sharing helps other organisations who are starting their own personal data protection measures. In 2016, a collection of stories on good data protection practices was published in a special booklet. PDPC also put together a four-part info-education TV series based on eight of these stories. Called “Your Personal Data, Our Responsibility”, the series, which was broadcast in English and Mandarin on free-to-air channels, reached 2.3 million viewers.

Conclusion
14. These are exciting times for the Data Protection Officer in Singapore and in Asia. And this is the start of a busy week. I have shared my views on how the role of a DPO is evolving. In such changeful times, training and discourse amongst DPOs are absolutely crucial. This is the reason why we have changed the format of our annual PDP Seminar. It will now expand into a full day event with three concurrent workshops in the afternoon. The workshops are intended to focus on practical issues and we hope they will be a little more hands-on and interactive. But the overwhelming response we have received thus far might make that a bit challenging for the workshop facilitators.

15. This week, we are also co-hosting a workshop with Japan’s Ministry of Internal Affairs and Communication. The workshop provides a forum for our ASEAN counterparts to share data protection experience and exchange notes. So even as we encourage DPOs to form communities of practices, the PDPC is also leading by example! As the personal data protection authority for Singapore, we look forward to working with DPOs and help level up and professionalise our cadre of DPOs, as well as forge networks of DPO professionals that will perhaps one day grow beyond our shores.

16. I thank you for your attention and patience, and wish everyone a fruitful forum over the next two days.
 

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
24 Jul 2017, 4:00pm AEST

Are you our next Team Manager (Policy and Technology)?

If you are looking for a new team leadership opportunity and you’re a shoo-in when it comes to interest in privacy issues, check us out! We’re looking for a Team Manager (Policy and Technology) to lead our policy team of five.

Privacy is hot

Privacy is a hot topic and you’ll be right at the forefront of it. The policy and technology team works with public and private sector agencies across a wide range of privacy issues. It deals with gritty and far-reaching issues to ensure the public can have confidence in the way government and businesses use their personal information.

Some examples we’re proud of include the Privacy Commissioner’s inquiry into the government’s proposal (now to be redesigned) to collect individual client-level data from non-governmental social sector agencies; the Customs and Excise Bill that would have given Customs the ability to require people to give up their device passwords at the border; the creation of a Privacy Tick trust mark; and the sharing of personal information across agencies in support of the government’s social investment initiatives.

And then, there’s the team’s involvement in studying the privacy impacts of the latest advances in information technology. Biometrics feels so yesterday! Today, it’s also about big data, artificial intelligence, robotics, Blockchain, the Internet of Things, the re-identification of data - to name a few hot privacy-related topics.

Make a difference

If you’re looking for a challenge, if you want to make an actual difference to people’s lives, if you want to work somewhere where your contribution can make a material difference, take a look at our role. It’s fully hands on. You’ll need the policy and intellectual smarts to provide the best possible advice; you’ll coach, mentor and lead an outstanding team; and you’ll build and develop networks and key stakeholder relationships with government agencies and businesses.

You’ll be working with a Privacy Commissioner who’s always keen to find new ways to do things better, to make the best use of technology, and make our office work smarter while making privacy easy for organisations. That’s the vision. We value innovation, excellence, independence, integrity and respect. Does any of this sound like you? Check us out or tell someone you know who might be the perfect fit.

Applications close on 7 August 2017. Please send enquiries to our external recruiter, Kirsty Brown. You can contact Kirsty on 04 499 9471 or kirsty.brown@h2r.co.nz.

Office of the Privacy Commissioner, New Zealand
Source: Blog
24 Jul 2017, 2:07pm AEST

Ethical data use & future privacy challenges — Data + Privacy Asia Pacific Conference wrap up

Ethical data management and the implications of new technologies to privacy headlined the subjects discussed by international experts at Data + Privacy Asia Pacific this July.

Office of the Australian Information Commissioner
Source: News - OAIC
24 Jul 2017, 3:20am AEST

Why has my information been withheld?

The Privacy Act gives you the right to request access to information about you (see principle 6). That right to access your personal information is essential if you want to maintain some understanding and control over who knows what about you. Your right of access is strong, and does not require you to provide reasons for wanting information.

The Act includes reasons that an agency may rely on to refuse all or part of your request. You are also entitled to know that information is being withheld from you and why it is being withheld.

It can be confronting to have portions of documents ‘blacked out’ or withheld, and it is easy to fall into the trap of assuming that something highly sensitive or important is being hidden.

Fortunately, that’s where we can help. One of the roles of our Office is to review information that has been withheld. We can provide an independent assessment of whether the withholding grounds have been correctly applied.

Quick guide to the withholding grounds

Below is a quick guide to the most common withholding grounds and the sort of information which is typically withheld.

Unwarranted disclosure of affairs of another

This section (29(1)(a)) allows an agency to withhold information that is about someone else. This is commonly used to withhold:

  • information about someone else that happens to be stored with your information;
  • portions of ‘mixed’ information where another individual is identified;
  • the identities of people who may have complained or raised concerns about you.

Often it is possible to provide a summary of the information in a way that doesn’t identify other individuals. This is something you can ask for.

Maintenance of the law

This section (27(1)(c)) allows an agency to withhold information if disclosing that information would be likely to prejudice the maintenance of the law. It is commonly used to withhold:

  • information held by Police that could affect an investigation or reveal investigative techniques, if disclosed;
  • the names of informants.

This withholding ground will usually only apply when there is an active or ongoing investigation or legal process. Once the investigation is complete, the risk to the maintenance of the law will generally no longer exist. You may be entitled to information withheld under this section if you ask again, after the investigation is over.

Information does not exist – or cannot be found

This section (29(2)(b)) allows an agency to refuse a request for information when the information does not exist or cannot be found. This is commonly used to withhold:

  • information that was never recorded or never existed;
  • information that has been destroyed (as a matter of process or by mistake); or
  • information that has been misfiled and cannot be located.

Relying on this withholding ground can indicate issues with record keeping and storage. There is no obligation under the Act to record information but once information is held, it needs to be kept secure.

Evaluative material

This section (29(1)(b)) allows an agency to withhold information that is ‘evaluative material’ which was given to the agency under a promise of confidentiality.

This is commonly used to withhold references provided to prospective employers.

If information is withheld from you under this section, you might consider making a request for information directly to the person or agency who supplied the information.

Where another law applies

Section 7 of the Privacy Act says information may be withheld when another law restricts access to personal information. For example, section 11 of the Immigration Act 2009 restricts the application of principle 6 of the Privacy Act in relation to certain classes of information held by Immigration New Zealand.

Further points to note

  • The starting presumption is that you are entitled to access personal information an agency holds about you.
  • Your request does not need to be made in writing, but it is often helpful to have evidence of your request in the event of a complaint.
  • The agency you have requested information from should explain that information has been withheld and why. This includes reference to a withholding ground, as well as an explanation of why it applies.
  • There may be alternative ways to answer your concerns. A summary note or discussion with the agency may resolve the issues that prompted your request.
  • The Privacy Act allows you to request access to your personal information – it does not require an agency to generate new information in order to answer your questions.

Image credit: Wikimedia commons.

Office of the Privacy Commissioner, New Zealand
Source: Blog
19 Jul 2017, 12:21pm AEST

Acting Commissioner’s statement on the improper disposal of financial documents in Metchosin

Acting Information and Privacy Commissioner Drew McArthur issued a statement about the improper disposal of financial documents in the District of Metchosin.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
7 Jul 2017, 6:00am AEST

Find out how the GDPR will impact your business this July

On 12 July at the Data + Privacy Asia Pacific conference, attendees will have the unique opportunity to hear various international privacy regulators unpack the European Union’s General Data Protection Regulation (GDPR) requirements.

Office of the Australian Information Commissioner
Source: News - OAIC
28 Jun 2017, 11:45pm AEST

Trust and Transparency the focus of Privacy Awareness Week

The Office of the Information and Privacy Commissioner for BC, along with members of the Asia Pacific Privacy Authorities (APPA), will observe Privacy Awareness Week from May 15-21. This year’s theme, “Trust and Transparency,” will be highlighted in OIPC promotional materials, events, and activities throughout the week.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
13 May 2017, 6:00am AEST

Commissioner to audit ICBC information sharing agreements

Acting Information and Privacy Commissioner Drew McArthur has determined that the office will audit information sharing agreements of the Insurance Corporation of British Columbia (ICBC).

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
24 Feb 2017, 7:00am AEDT

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST