Can You Keep a Secret?

30 August 2010 Posted by: alessa

By Clara Leow

A casual search about “laws on the unauthorized use of personal data” on Google churns out a staggering figure of 35,500 results. Click after click, link after link, it soon became all too obvious that my search was futile. I discovered just about every privacy policy of companies possible and what surprised me most was the lack of information about how the law can protect an individual from the unwanted use of his personal information. Perhaps this is in itself reflective of the status quo – that there is little that one can do when his personal data has been taken or used without his permission.

The issue of the lack of data protection has been increasingly in the spotlight due to the proliferation of e-commerce and online transactions in the past ten years. The idea of introducing data protection legislation to ensure that personal data submitted electronically will not be sold or used for inappropriate purposes without the knowledge and permission of the data subjects was first raised in Parliament in 1997. An inter-Ministry Committee was subsequently set up in 2007 to review and develop data protection laws and this has largely remained as a work in progress.

Presently, the legislation which protects the confidentiality of data is limited to certain industrial sectors. In the public sector, the Official Secrets Act, the Statistics Act and the Central Provident Fund Act are prominent examples of legislation with provisions which protect the confidentiality of information held by government agencies. Within the private sector, on the other hand, the banking secrecy provision of the Banking Act stipulates that customer information will not be disclosed by a bank or its officers to any other persons, while the Computer Misuse Act deals with the unauthorized access of data stored in computers.

In addition, there are various industrial codes of practice which are governed by industry regulatory bodies to complement the current legislative framework. In the medical sector, there are various codes which require medical professionals to protect sensitive data such as the financial and health information of patients. In the telecommunications sector, the Telecom Competition Code disallows licensees from providing a third party with customers’ personal information which was obtained during the use of their service without permission.

In 2002, the National Internet Advisory Committee (NIAC) developed the Model Data Protection Code (MDPC) for the private sector and the Industry Content Code (ICC). The MDPC provides corporations with a set of guidelines on how to collect, use and protect personal data based on “fair information principles”. The Minister of Information, Communications and the Arts, Dr. Lee Boon Yang, revealed that the MDPC is increasingly being adopted by more corporations and even by the Public Service. The ICC, which is voluntary in nature, articulates a list of good industry practices which are consistent with the legislation and codes of practice which regulate Internet content in Singapore. Corporations can choose to adopt the Code in full or incorporate it into existing user contracts.

But the real question which remains is, how sufficient and effective are the current measures in place? The current provisions of laws governing various sectors deal primarily with the issue of confidentiality and are still inadequate in tackling other aspects of data protection such as accuracy and purpose of use. Furthermore, these laws are restricted in application to the context of a particular industry and there remains no unified, consolidated legislation of general application to the unauthorized use of personal information. The drafting of these voluntary Codes has always been a balancing act between safeguarding the individual's interest in privacy, economic interests and the national interest.

Bearing this in mind, the main limitation of the Codes is the very fact that they remain voluntary – private companies can opt to follow the guidelines or choose not to. This means that unscrupulous and unethical companies would, in the first place, have no incentive to subscribe to the principles of the Codes. The voluntary nature of these Codes suggests that there is essentially no means for industries to regulate unethical and unscrupulous businesses which exploit the personal information of their customers.

In addition, there must be an effective enforcement mechanism to ensure that these companies would not abuse the information that they hold. Although much has already been done considering the fact that the issue of data protection only cropped up in the last 14 years, in light of the inadequacies shown, we can only hope that in the near future, more will be done in the area of data protection laws.
