“Data is a precious thing and will last longer than the systems themselves.” – Tim Berners-Lee
The main data protection rules of the Personal Data Protection Act (PDPA) set up by the Singapore Government came into effect on 2nd July 2014. This follows the establishment of the Personal Data Protection Commission (PDPC) in January 2013 by the Ministry of Communications and Information (MCI), Singapore Government.
The authorities gave sufficient lead time so that organizations could bring their internal processes and policies into compliance with the new regulation.
Under the new regulations, personal data is defined as any data about an individual, whether true or not, which can uniquely identify the individual. The PDPA elaborates on what it considers personal data and on its capture, use and processing: essentially anything that can be done to or with personal data.
The PDPA has huge ramifications for any business engaged in a B2C model, since such businesses process large amounts of individuals’ personal data for service or new sales opportunities. With the increasing use of analytics by Insurers (and other financial services providers), the need for accurate personal data has never been so high. While the PDPA focusses on what an enterprise can and cannot do with personal data, it also leaves some margin for insurers to use personal data if the customer volunteers it, having expressly understood the purpose of the data use.
With increasing incidents of data theft resulting in financial losses, both individuals and enterprises have a renewed focus on data security. This heightened protectiveness about data is not without reason.
A report by the Washington-based Center for Strategic and International Studies (CSIS) states that financial losses due to cybercrime could amount to over USD 100 Bn* in the United States alone. The result is that individuals hesitate to share their personal data beyond what is absolutely necessary. This creates a massive challenge for Insurance and Financial players who bank on this personal data to design and sell customized products and services.
Under the provisions of the PDPA, individuals have the right to access and correct their personal data. Customers will have access to all personal data that they have provided to the Insurance and Financial services providers, and to their factual identification data. Factual identification data will include a customer’s unique identification information, such as his identity card number, birth certificate number and passport number; address; date of birth; and nationality.
The PDPA also mandates the setup of a Do Not Call Registry (DNCR) to cut down on the number of unwanted telemarketing calls, marketing text messages and faxes. However, the PDPA also provides exceptions in cases where the individual has given explicit permission to be contacted, or where the call, text or fax pertains to product updates, etc. Enforcement is also ensured by providing a mechanism for lodging complaints, redressal and mediation.
The PDPA is tightly integrated with the prevention of money laundering and countering the financing of terrorism. The Monetary Authority of Singapore (MAS) is therefore proposing amendments to existing AML/CFT legislation to clarify FIs’ obligations, while preserving the right of individuals to protect their personal data. The proposed amendments will be added as a new part and applied to the respective MAS AML/CFT Notices issued to Life Insurers [MAS Notice 314] and other financial services providers.