In this age of ubiquitous information, where every
individual has a space in which they can define themselves, policy makers are
struggling to determine how they can make innovation work whilst protecting
every individual’s cyber identity. Clarice Africa reports.
According
to Martin Abrams, President of the Centre for Information Policy Leadership
(CIPL), data protection has always been equated with individual control.
However, times have changed and individuals can no longer protect their own
data with the help of a few archaic pieces of legislation. At present the situation has become
too complex and too abstract for individuals to understand the risks involved.
As such,
individuals need organisations to use information in a responsible and
accountable manner. In order to do that, the public has to drive the demand so
that policymakers place that burden upon organisations.
Doing so would enhance an organisation’s ability to be entrepreneurial with data,
since it allows the organisation to determine how its data protection principles
will fit in with its business processes.
Abrams
explains that good data protection law needs to first and foremost begin with
the setting of concrete objectives that would prevent individuals from being
harmed by the inappropriate use of information, and for organisations to
protect data and use it appropriately.
“Individuals
should have the right to see the data that pertains to them, as such there
should be clear objectives that would establish a space where an individual’s
reputation is maintained and is properly protected,” says Abrams.
In
addition, data protection and privacy laws are of critical importance
especially now that countries are moving towards a knowledge-based economy.
“Governments
need to have the necessary data protection and privacy laws in place as an
infrastructure for the next generation of information economy, specifically on
emerging technologies such as cloud computing,” he says.
PRIVACY PRINCIPLES
The most enduring set of privacy principles is the Organisation for Economic
Co-operation and Development (OECD) guidelines, which were established in the
1980s. They provide the most commonly used privacy framework and are reflected
in many existing and emerging privacy and data laws. In addition, they also
serve as the basis for the creation of leading practice privacy programmes.
Given that
the OECD Privacy Principles are tied closely to EU member nations’ data
protection legislation, the Asia Pacific region came up with a privacy
framework in 2004, based on the OECD privacy principles.
The
Asia-Pacific Economic Cooperation (APEC) Privacy Framework overlaps with other
frameworks; however, it concentrates on actual or potential harm as a result of
disclosing information, rather than individuals’ rights pertaining to their
information.
“Data
protection laws and privacy principles among countries are not very different
as they tend to have the same elements. They establish the fact that data usage
should be transparent to individuals, that individuals should have control where
it is appropriate, and that information should be used consistently with the
transparency that was provided,” says Abrams.
ENFORCEMENT AND ACCOUNTABILITY
“There’s a
lot of discussion in the world on when an organisation needs to demonstrate its
comprehensive data privacy programme. Is it when there’s a failure? Or when a
regulator wants to test the market?”
Abrams points out that enforcement, in the new generation of data protection
laws, is what creates a sense of certainty within the organisation: that if it
does not comply, it will be caught.
“Organisations
will have to define how they will go about implementing their data privacy
programmes whilst having the teeth to make sure they can actually put those
programmes in place,” he says.
“This
tends to come under the rubric of accountability. Because it requires an
organisation to be responsible for meeting those objectives and be answerable
for their programmes.”
Accountability
obligates organisations to take responsibility for the safe and appropriate processing
and storage of data, wherever it occurs. It requires organisations to implement
effective data protection and privacy policies that correspond to accepted
external criteria found in laws, regulations and industry best practices.
“It asks
for organisations to analyse and understand the risks that data use raises for individuals
and to take necessary and appropriate steps to mitigate those risks. It further
requires that organisations make judicious decisions about data use, even when
traditional individual consent or choice may not be available,” Abrams remarks.
KEEPING UP WITH INNOVATION
“There is
a change in the way data can be used to predict future behaviour, it’s evolved
for years, but at some point we made a switch from data being an enabler of
processes to being a definer of processes.”
Part of
this is the fact that there’s now so much more data that is collected from various
digital devices. Today, we generate as much data in two days as we generated in
the first 6,000 years of recorded history. As such, individuals would have difficulty
exercising control over their data.
Given the fast pace of innovation, Abrams asserts that it is important that
data protection and privacy laws are able to keep up with it.
“With that
said, organisations should tailor their data protection and privacy programmes
to their business model, the nature and size of their data holdings, the technologies
and applications they deploy, and the risks that data and the related
applications pose to the rights and freedom of individuals.”
He adds
that it is also important that decision makers understand what is necessary to
be part of this global information-based world, and to think about whether
their respective laws are forward looking and if they are indeed driven by
their objectives.
Founded in
2001, the Centre for Information Policy Leadership develops initiatives that
encourage responsible information governance necessary for the continued growth
of the information economy. Collaborating with industry leaders, consumer organizations
and government representatives, the Centre develops policies that foster
privacy and information security, while balancing economic and societal interests.
For more information, please go to www.informationpolicycentre.com
Singapore a Step Closer to a National Privacy Regime
Singapore is now a step closer to implementing a national privacy
regime with the conclusion of the third round of consultations on a personal data
protection law. This round follows two public consultation exercises held
late last year as part of an ambitious goal to have the law in effect within
the next two years.
The cloud features prominently in this review, both in terms of
the responsibilities of data processors and controllers in protecting and
respecting customer information, and also how Singapore can use this baseline
law to further consolidate its position as the leading data hub in Asia.
At present, Singapore does not have a national data protection
law, relying instead on more than 180 statutes and sectoral regulations in
areas such as banking and healthcare. This has resulted in a degree of policy misalignment
with other data protection regimes in the region. In some cases, this has
affected the uptake of cloud services from customers in the region where their
local data protection laws are more stringent than the regime operating in
Singapore today. This proposed new data protection regime will certainly go a
long way to iron out this misalignment and set the benchmark for cloud policy
for many other countries to follow.
Microsoft has been active in these consultation processes through
written submissions, hosting industry and government roundtables and forums and
1:1 meetings with key policy makers in the Singapore Government. For more
information, please contact John Galligan at jogallig@microsoft.com or
consult our submission at the MICA website: www.mica.gov.sg/DPconsultation/responses/Organisations%20(46)/Microsoft.pdf