Tuesday, 22 April 2014

Good start to securing personal data

By Irene Tham, The Straits Times, 21 Apr 2014

SINGAPORE'S new Personal Data Protection Act was more than a decade in the making. So when it was finally passed in Parliament in October two years ago, the public got excited.

They were especially happy with the national Do-Not-Call (DNC) Registry, which lets them block telemarketing calls, SMSes and faxes. They could finally say goodbye to pesky telemarketers.

The Registry went into force on Jan 2 this year and has 595,000 local numbers - there are about eight million local mobile numbers here.



The Personal Data Protection Commission, which manages the Registry, is investigating 3,000 complaints that are valid.

While the new law has been welcomed by consumers, does it give them enough protection in areas of the greatest need?

For sure, it does tackle one key annoyance: unwanted marketing phone calls, which have interrupted meetings, disturbed sleep at ungodly hours and even taxed consumers' wallets - one gets charged for incoming calls while roaming overseas.

With the new rules, telemarketers who call phone numbers listed in the Registry risk a fine of up to $10,000 for each offence.

But the protection does not fully extend to phone or fax messages though.

Some consumers are unhappy over a last-minute exemption that allows firms to send text and fax messages to existing customers without checking with the Do-Not-Call Registry. This is as long as customers are given an option to unsubscribe to the messages via the same channel.

Consumers criticised the Commission for caving in to business pressures - a charge it denied. They also took issue with the exemption being introduced without public consultation.

Despite some loud complaints, others say it may be useful to be kept informed via SMS of promotions and deals from companies.

A credit card user, for instance, may want to be informed by his bank about promotional tie-ups with retailers. Similarly, a mobile, pay-TV or broadband subscriber may want his telco to inform him of discounts or freebies for renewing his subscription.

Said 36-year-old engineer John Wong: "I would like to know if there is a discount in a bookstore. The channel of passing useful information like this can be killed by the DNC Registry but the exemption allows for some flexibility."

In any case, phone messages are deemed less intrusive and less painful on the pocket, as messages received while roaming overseas are free.

The Registry rules are only one part of the new Act though; other provisions that deal with the way organisations may collect, use and disclose personal data kick in only from July 2.

Here, it may be worthy to note that the new Act does not have long arms to protect the general privacy of individuals.

For instance, owners of buildings such as malls do not need the individual's consent to record security camera footage - even though the images are considered personal data. Shopkeepers who take smartphone pictures of customers for promotional reasons also do not need consent.

The Commission feels that camera phones are now widely available and their use can be "reasonably expected". So, a notice by shopkeepers or building owners informing customers that photographs might be taken would suffice.

Also, government agencies are exempted from the new law. Minister for Communications and Information Yaacob Ibrahim had said government agencies are subject to their own set of rules on protecting personal data and these are sometimes more stringent than the new law - but these rules have not been made public.

What the Act does cover is the indiscriminate collection of data.

For instance, a 7-Eleven counter employee verifying the age of customers buying cigarettes or alcohol may record in the computer system only customers' birth dates - but not other information such as identity card number or name.

In another example, a lucky draw organiser may not be allowed to ask participants to disclose their household income if the information is not necessary.

The Act also protects consumers from inappropriate use and disclosure of their information.

For instance, if the lucky draw organiser wants to disclose the personal data of contest participants to third parties or use it for marketing - differing from the original intent - it must get participants' consent.

Failure to do so could mean a breach of the Act. The fine for violating general data protection provisions goes up to $1 million.

One loophole, though, is that Singapore has no jurisdiction over overseas companies with no local set-ups. It will need to work with other countries in this aspect.

Overall, while the law will always play catch-up to theft and misuse, Singapore's new Personal Data Protection Act is a good start in trying to protect people's personal data.

And judging by how the Commission has gone after at least three organisations for violating the new rules, it looks like it is taking the protection of personal data very seriously indeed.





Firms can text, fax ads to consenting customers
By Irene Tham, The Straits Times, 21 Apr 2014

IN SINGAPORE, vendors are given one crack at texting or faxing customers - including those listed on the Do-Not-Call (DNC) Registry - with relevant promotional materials.

If the customer says no - by unsubscribing via the same channel the message is received - vendors have to stop the marketing.

This major concession was introduced a few days before the DNC Registry kicked off on Jan 2.

Some had criticised the exemption, saying it was back-pedalling on the Registry. But the Personal Data Protection Commission, which administers the Registry, defended its move, saying the exemption has a narrow scope and does not apply to voice calls.

Actually, Singapore's DNC Registry is not the only system in the world with exemptions. It is in line with practices in countries like Britain, the United States and Australia. In Britain, SMS marketing is treated the same way as e-mail marketing.

While the blanket rule states that consent from consumers is required before organisations can market to them, there is a "soft opt-in" exception to the rule.

This exception lets organisations send marketing materials as long as the information is related to what customers had bought.

But recipients must be given a simple means of refusing the use of their contact details for such marketing purposes. And it should be free except for the cost of transmission.

The US National DNC Registry, which covers only voice calls, also contains an exemption for businesses that have an existing relationship with customers.


No comments:

Post a Comment