News

The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.

Privacy Commissioner investigating political party compliance with PIPA

Acting Information and Privacy Commissioner Drew McArthur is investigating whether political parties in BC properly collect, use and disclose the personal information of British Columbians.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
22 Sep 2017, 6:00am AEST

Keynote address to Freedom of Information and Privacy Association 2017 Info Summit

Good morning and thank you Vince and the FIPA board for inviting me to speak today. You know, last year I joked that I was “here for a good time… not a long time…” But as it turns out, that’s not quite true!

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
22 Sep 2017, 6:00am AEST

Mobile App Settles FTC Allegations That it Failed to Deliver Promised Cash Rewards for Meeting Exercise and Diet Goals

Operators of Pact app to pay more than $940,000 in settlement

The operators of a mobile app that promised cash incentives to get consumers to commit to fitness and nutrition goals have agreed to settle Federal Trade Commission allegations that they falsely promised that consumers who met weekly goals would be paid financial rewards, and unfairly billed many consumers without their consent.

Consumers who used the Pact app made “pacts” to exercise a certain number of times per week or meet dietary goals, and agreed to be automatically charged an amount, ranging from $5 to $50 per missed activity, if they did not complete their pacts. Consumers who met their weekly goals were supposed to receive a share of the money collected from those consumers who did not. Consumers’ weekly goals and monetary incentives carried over to the next week unless consumers changed or canceled them.

In its complaint, the FTC alleges that the defendants charged tens of thousands of consumers the monetary penalty even when the consumers met their goals or after they cancelled the service. For example, one military consumer complained that the defendants charged her for missed pacts when she could not get the app to recognize the gym at the Air Force base where she was stationed. Another consumer said she deleted her account but continued to be billed more than $500 in recurring charges. The FTC further alleges that the defendants failed to adequately disclose to consumers how to cancel the service and stop recurring charges.

“Consumers who used this app expected the defendants to pay them rewards when they achieved their health-related goals, and to charge them only when they did not,” said Tom Pahl, Acting Director of the Bureau of Consumer Protection. “Unfortunately, even when consumers held up their end of the deal, Pact failed to make good on its promises.”

The FTC alleges that the actions of Pact, Inc., and its principals Yifan Zhang and Geoffrey Oberhofer, violate the FTC Act’s prohibition against unfair and deceptive practices and the Restore Online Shoppers’ Confidence Act (ROSCA). ROSCA prohibits using a negative option feature to charge consumers for goods or services unless the material terms of the transaction, including the method to stop recurring charges, are clearly and conspicuously disclosed before obtaining consumers’ billing information.

As part of the settlement, the defendants are prohibited from misrepresenting the circumstances under which they will charge or make payments to consumers, and from charging consumers without their express, informed consent.  The defendants also agreed not to market or sell products that include a negative-option billing feature without clearly and conspicuously disclosing the terms to consumers. In addition, consumers will receive more than $940,000 in earned cash rewards and refunds for improper charges as part of a $1.5 million judgment, the rest of which is suspended. Pact has already begun the process of returning money to consumers, and, under the terms of the settlement, must notify consumers and complete payments of more than $940,000 within 30 days of entry of the order.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 2-0. The FTC filed the complaint and stipulated final order in the U.S. District Court for the Western District of Washington. The order is subject to final approval by the Court.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
21 Sep 2017, 10:00pm AEST

Commissioner finds government routinely in contravention of FIPPA

A special report issued today by Acting Information and Privacy Commissioner Drew McArthur found the BC government routinely operates in contravention of timeliness requirements in the Freedom of Information and Protection of Privacy Act (FIPPA). The commissioner’s review, conducted in spring and summer 2017, examined government responses to access requests from April 1, 2015 to March 31, 2017.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
21 Sep 2017, 6:00am AEST

Amazing Rentals data breach impacting QLD and NT customers

Customers of Amazing Rentals in Darwin, Caboolture and Toowoomba are being encouraged to take proactive steps to protect their identity following a data breach involving financial information.

Office of the Australian Information Commissioner
Source: News - OAIC
21 Sep 2017, 5:48am AEST

FTC Helps Consumers Understand Affiliate Marketing in Online Advertising

A “free” trial offer may be tempting, but it could be a scam out to get your money.

The Federal Trade Commission wants consumers to be aware of affiliate marketing in online advertising. Affiliate marketing is a good way to promote a product or service, but only if the ad is truthful. Some marketers may use misleading information to get people to click on their ads.

An FTC blog post, What’s affiliate marketing? Should I care? describes how affiliate marketing works and how to avoid scams, which is summarized in an infographic, How Affiliate Marketing Works.

Federal Trade Commission, United States
Source: Press Release Feed
20 Sep 2017, 10:00pm AEST

Court Finds Defendants Lied to Consumers When Selling Legal Services for Mortgage Relief

Falsely claimed ‘mass joinder’ lawsuits would void mortgage or get consumers $75,000 cash

A federal court has found that Jeremy Foti and Charles Marshall, acting through Brookstone Law and Advantis Law, “made numerous false and/or misleading material statements to consumers” when selling legal services for purported mortgage relief.

The court found that Foti and Marshall controlled or participated in the scheme, knew they were deceiving consumers, and illegally took more than $18 million from them. The FTC has asked the court to impose monetary judgments on them and ban them from any debt relief activities in the future.

The court found that the defendants falsely told homeowners they could get “at least $75,000” or their homes “free and clear” through so-called mass joinder lawsuits against their mortgagors. These suits combined hundreds of consumers in the same matter; however, unlike class-action lawsuits, in the event of trial each plaintiff in a mass joinder suit would have to prove his or her case separately. The defendants had never prevailed in such a suit.

As a result of the court’s decision, litigation against all of the defendants in this matter has now been resolved. Earlier this year, Vito Torchia and R. Geoffrey Broderick stipulated to orders banning them from debt relief work in the future, including a judgment of almost $2 million against Broderick. Damian Kutzner and Jonathan Tarkowski also stipulated to orders, with Kutzner agreeing to a judgment of more than $18 million.

The Commission votes approving the stipulated final orders against Kutzner, Tarkowski, Torchia and Broderick were unanimous. The U.S. District Court for the Central District of California entered orders against Kutzner on January 9, 2017, Tarkowski on January 9, 2017, Torchia on February 15, 2016, Broderick on April 14, 2017, Brookstone and Advantis on August 28, 2017, and Foti and Marshall on September 5, 2017.

NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

Federal Trade Commission, United States
Source: Press Release Feed
20 Sep 2017, 10:00pm AEST

Right to Know Day

This Thursday 28 September the OAIC is encouraging all Australians to explore their Right to Know.

Office of the Australian Information Commissioner
Source: News - OAIC
15 Sep 2017, 7:11am AEST

Advice for small organisations when there’s a complaint

If yours is a small business or organisation, there’s every chance you may be fairly inexperienced in what to do if you receive a request for personal information. But we hope you are at least aware that the Privacy Act gives people the right to make a request for information that is about them.

Under the Act, your business or organisation is legally obligated to respond to that request within 20 working days and to provide the information requested, although the law does allow reasons for withholding the information.

Giving access to information can take several forms. It can mean giving a copy of a document; giving a reasonable opportunity to look at a document or listen to or view a recording; giving a summary of the information; providing a transcript; or giving the information orally – depending on the requester’s preference.

Pointers for responding to a complaint

But here’s the thing. Failure to respond to or comply with a request for personal information can result in a complaint from the requester to the Privacy Commissioner. We hope this never happens to you but in case it does, here are some pointers on how best to respond.

  1. The first thing to do is talk to us and to tell us what you know about the complaint and the information that’s requested. Our aim is to try and resolve the matter to the satisfaction of both parties – the complainant and the respondent (your business or organisation). Be nice to us because we’re only doing our jobs. We are not advocates for the complainant.
  2. The second thing to observe is timeliness. Respond as quickly as you can to our requests for information. No one wins in a protracted complaints dispute. If a complaint drags on, it can become stressful, tiring and expensive for your organisation or business and the complainant. There are also many benefits in resolving a complaint to prevent it becoming a case for the Human Rights Review Tribunal to decide. This can be an even longer and more costly process and, in the end, the Tribunal could well decide in favour of the complainant and against your organisation.
  3. The third point is to remember that our goal is to resolve, not to punish. We’re here to mediate and we do this in a number of ways in our efforts to reach an agreement. One of the techniques we use is to call conferences between both parties, but we’d rather keep things less formal and resolve them quickly, without a situation escalating out of hand.

Tell us in confidence

In order for us to review your decision to withhold information from a complainant, we will almost always need to see the information. This worries some organisations sometimes because they fear that we will give the information to the complainant to see. But we are not allowed to disclose the information that is being reviewed and we do not disclose the information. So when you send us the information, what we are doing is reviewing it to see if we agree with your reasons for not handing it over to the complainant.

However, when you give us information to review, it will help us if you can tell us clearly what information is being withheld and the reasons why your organisation wants to withhold the information.

Looking ahead

We have many resources to help organisations and businesses like yours comply with the Privacy Act. Our website has tools such as AskUs, Priv-o-matic and free online privacy training modules and they are designed to be used to help make privacy easy.

Perhaps a starting point is to familiarise yourself with a quick tour of the Privacy Act's information privacy principles. It may also be a good idea to display it in the administrative area of your organisation to help you and your colleagues or employees understand the obligations and responsibilities that come with holding personal information. This way, when you have an encounter with a privacy issue, you’ll know where to start.

Image credit: Solitary sandpiper via John J Audubon's Birds of America.

Office of the Privacy Commissioner, New Zealand
Source: Blog
13 Sep 2017, 7:20am AEST

A sincere apology is hard to beat

It is said that a sincere apology should include the three Rs – regret, responsibility and remedy. Why apologise and how to do it properly is a subject we’ve discussed before. But we continue to see apologies that fail to convince a complainant. So it’s something we thought we’d revisit in this post because the quality of an apology is an important part of our efforts to resolve privacy complaints.

As a recent case has shown, the sincerity of an apology can affect an agency’s bank balance by lessening the damages awarded. The Human Rights Review Tribunal noted in its decision in Raymond Keith Williams v ACC:

An appropriate and timely apology can be taken into account under s 85(1)(4) of the Privacy Act when considering whether the defendant’s conduct has ameliorated the harm suffered as a result of the breach of privacy.

The Tribunal noted that in AB v Chief Executive, Ministry of Social Development:

… an appropriate apology given at the right time is a matter that can be taken into account under s.85(4) of the Act in considering whether and to what extent the defendant’s conduct has ameliorated the harm suffered as a result of an interference with privacy. In this case, however, we think the apology came far too late to have been of any value in that respect.

 

In that case, the defendant took one year to acknowledge the breach and another year to apologise for it. The Tribunal considered the apology had no mitigating effect, describing it as having been provided at the “eleventh hour”, after proceedings had been commenced and was considered to be motivated by litigation concerns.

Referring back to Mr Williams v ACC, the Tribunal said:

The circumstances of the present case are the polar opposite in terms of speed, motivation and sincerity.

 

The apology cannot “erase” the humiliation, loss of dignity or injury to feelings caused by the interference with privacy. Nor is it a “get out of jail free” card. The question in each case is whether and to what degree the emotional harm experienced by the particular plaintiff has been ameliorated. While this is a fact specific inquiry, it can be said that ordinarily an apology must be timely, effective and sincere before weight can be given to it. It is not inevitable an apology, even if sincerely and promptly offered, will ameliorate the emotional harm experienced by the plaintiff. Much will depend on who the particular plaintiff is and the particular circumstances of the case.

The Tribunal awarded Mr Williams $7,500 in damages but it is clear in its reasoning that if ACC had not apologised in such a sincere and timely way, that sum would have been greater.

In another case, a recruitment agency expressed its sincere apologies and stated that the mistake it made was unacceptable, given that confidentiality is vitally important to the nature of its business. The agency also assured our office and the complainant that it had implemented processes to ensure that the mistake would not occur again. The complainant was satisfied and we closed the complaint.

In another example, an apology successfully resolved a dispute after the complainant asked for the apology to come, not from the agency itself, but directly from the person in the agency who breached her privacy.

Making a sincere apology sounds straightforward but as we see time and time again, many apologies fail to express the three Rs - regret, responsibility and remedy. But getting an apology right could make it easier on everyone – the agency, the complainant and our office – and divert a complaint away from an expensive, time consuming process which ends with an unwelcome sting for your agency.

Image credit: Head of Odysseus via Wikipedia.

Office of the Privacy Commissioner, New Zealand
Source: Blog
12 Sep 2017, 7:32am AEST

Information governance for the information age: OAIC Corporate Plan released

We have released our Corporate Plan for 2017–18, which outlines our priorities and key success factors.

Office of the Australian Information Commissioner
Source: News - OAIC
31 Aug 2017, 4:50am AEST

Benchmarking against international privacy peers

It can be useful to compare an organisation’s processes or performance against those of competitors in the same industry class. It is especially useful to compare with the ‘best in class’ and set targets to meet or exceed the industry norms. This is sometimes called ‘best practice benchmarking’ and is an important tool to support continuous improvement.

That can be difficult for an organisation such as our office where it is, by design, a ‘one of a kind’ in its specialist jurisdiction. While particular functional areas of the organisation may be compared with organisations with similar functions (such as other complaints handling bodies), there is always the suspicion that one is comparing apples with kiwifruit.

However, there are now equivalents of New Zealand’s Privacy Commissioner in many jurisdictions: recent research has counted over 120 privacy laws around the world*. Is it possible to benchmark against the processes and performance of those bodies?

The bad news is that due to a paucity of internationally comparable statistics and a lack of published standards, it is difficult at the moment to do much best practice benchmarking between privacy and data protection authorities.

But the good news is that efforts are being taken to develop internationally comparable statistics and standards for privacy authorities. Our office is actively supporting several efforts.

One earlier effort: Case reporting standards

One of the major activities undertaken by our office is to handle privacy complaints. While complaints can be taken to a statutory tribunal, the vast majority of cases do not need to progress to an adversarial hearing in a formal court setting, and are instead resolved through processes managed within our office.

One effect of this is that there are no formal court judgments for the vast majority of cases and therefore limited case law to assist lawyers, organisations and the public to interpret the Privacy Act. To address this issue, the Privacy Commissioner has released illustrative ‘case notes’ on a selection of real cases each year. This innovative approach was based upon pioneering efforts of the New Zealand Office of the Ombudsmen.

The New Zealand experience with case notes was so successful that we recommended the approach to other data protection authorities in the region. But having taken advice from an international expert in legal information systems, we pursued two best practice innovations. These involved developing an international citation system and effective approaches for cross-border dissemination.

Ultimately, these two approaches were published as case reporting citation and dissemination standards adopted by the Asia Pacific Privacy Authorities (APPA) Forum in 2005**. The adoption of these best practice standards enabled our office to adopt and report upon an auditable quality indicator which was that:

Case notes are published in accordance with APPA Forum standards.

Our office continues to adhere to these best practice approaches.***

Developing public awareness benchmarks

Filling the gaps of internationally comparable statistics and creating benchmarks and standards is a long term task but a start has been made.

At its meeting in Seoul in June 2014, the APPA Forum adopted at New Zealand’s suggestion a further Statement of Common Administrative Practice. This standard concerned Recommended Common Core Questions for Community Attitude Surveys. The standard is designed to enable meaningful cross jurisdictional comparisons of public attitudes and enable the development of regional benchmarks that could be useful in planning and performance monitoring.

The APPA standard started with the modest objective of encouraging privacy authorities across the Asia Pacific to include two standard measures of public awareness in their opinion polling. These are questions asking:

  • Are you aware of the [name of privacy law]?
  • Have you heard of the [name of privacy enforcement authority]?

Three years on, APPA was in a position to adopt its first benchmark figures for average levels of awareness of privacy laws and authorities. These benchmarks are calculated from surveys conducted in several jurisdictions (including New Zealand) since 2014.

The new benchmarks will be published on the APPA website, and will be updated periodically.

Regional Benchmarks for Awareness of Privacy Law and Privacy Authorities

 

| Question | Average | Range |
| Are you aware of the [name of privacy law]? | 67% | 43-91% |
| Have you heard of the [name of privacy enforcement authority]? | 60% | 47-77% |

The APPA Regional Benchmarks for Community Awareness of Privacy Law and Privacy Authorities have been compiled from the results of surveys undertaken by APPA member authorities using similar questions that generate comparable results.

APPA has chosen to establish these benchmarks as it believes that measurement of these matters may be useful for APPA members in planning and in measuring performance. Informed citizens and consumers who are aware of the existence of privacy law or the authority responsible for enforcement are in a position to exercise their privacy rights.

It is common for public bodies, including privacy authorities, to set targets for their performance. These can be maintained as internal targets or they can be set as external performance indicators and reported publicly or as an accountability measure to oversight bodies. Targets are usually set to be realistically achievable but also to ‘stretch’ the public body and encourage it to aim to do better. Public bodies may also find it useful to measure their performance against their peers. Targets that are set by reference to international standards may have particular credibility in the eyes of stakeholders.

The APPA benchmarks may be useful to APPA members in several ways, including:

  • in setting an internal target for the first time, the APPA ‘range’ benchmark may help APPA authorities to devise a target that appears to be realistic to achieve;
  • APPA authorities can use the benchmark to stretch themselves in internal targets e.g. in relation to public communications work an ambitious target might be set to achieve awareness levels ‘at least 10 percent higher than the APPA benchmark’; or
  • in setting an external performance indicator an authority could rate themselves against levels achieved across the region e.g. ‘To maintain awareness levels equalling or exceeding the regional average measured in the APPA benchmark’.

ICDPPC Census

In its current role as Secretariat of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), our office in conjunction with the OECD Secretariat recently undertook the largest ever survey of data protection authorities in the world – the ICDPPC Census. Some 87 privacy authorities completed the survey, which involved more than 4000 individual answers to questions.

The results of the Census will be publicly released at the 39th ICDPPC in Hong Kong in September. A presentation on the Census will be one feature of a planned APPA-ICDPPC-OECD Roundtable to be held alongside the main conference that will be exploring an ‘international privacy metrics agenda’. The roundtable will also report on substantial efforts by the OECD to develop internationally comparable measures in areas of privacy.

Our office, in its role as ICDPPC Secretariat, has been encouraging third party use of the Census results and a particular hope is that regional groups of privacy authorities will find it useful to compare their regional profiles against the global benchmarks.

Future developments

For anyone interested in statistics regarding privacy authorities, these are interesting times. We will see the release of the ICDPPC Census results and the Hong Kong roundtable. Relevant OECD statistics are also expected this year. There is also active work in ICDPPC and APPA working groups that should bear fruit in 2018.


* See Greenleaf, Graham, Global Tables of Data Privacy Laws and Bills (5th Ed 2017) (January 31, 2017). (2017) 145 Privacy Laws & Business International Report, 14-26. Available at SSRN.

** See APPA Forum Statements of Common Administrative Practice on Case Note Citation (November 2005) and Case Note Dissemination (November 2006), available on the APPA website.

*** At New Zealand’s initiative, the approach recommended in those regional standards has also been endorsed at international level in the Resolution on Case Reporting adopted in 2009 by the ICDPPC.

Image credit: Dunaliella cells via Census of Marine Life E&O

 

Office of the Privacy Commissioner, New Zealand
Source: Blog
18 Aug 2017, 9:05am AEST

Developing a trusted data ecosystem to support Singapore's Digital Economy

The PDPC has embarked on a new series of initiatives as part of its efforts to develop a trusted data ecosystem in Singapore.

These include the launch of a public consultation for the review of the PDPA, a new guide to help organisations adopt best practices when sharing data, plans to introduce a DP Trustmark, and more.

Please download the media document here:
 
  • Media Release

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Jul 2017, 12:00pm AEST

Address by Mr Tan Kiat How, Commissioner of PDPC, at the PDP Seminar 2017 on Thursday, 27 July 2017, at the Sands Expo and Convention Centre, Marina Bay Sands

Dr Yaacob Ibrahim, Minister for Communications and Information, 
Speakers,
Distinguished Guests,
Ladies and Gentlemen,
 
1. The Digital Economy provides exciting opportunities for businesses and workers.  We have seen the rise of platforms in domains such as e-commerce, social media and e-payments, and the growth of vibrant digital ecosystems around these platforms. In these ecosystems, data is the currency of exchange and the basis on which enterprises innovate business models, products and services. Trust is a key lubricant that enables the entire system to function.

2. A robust data protection regime is important to engender trust in our ecosystem and enable our companies to seize growth opportunities. That is why since the last seminar, we have been ramping up data protection capabilities among organisations.

Current Data Protection Landscape
3. We are making steady progress. From our recent industry survey, the number of organisations with some data protection policies and practices in place has increased to 96%. This is up from 70% the year before.  

4. Of these, half had appointed a Data Protection Officer, or DPO. While this is a marked improvement over the previous year’s 40%, we cannot stress enough that appointing a DPO is mandatory. More importantly, it is a decision that should not be taken lightly. As the champion within the organisation, the DPO plays an important role. He takes the lead on putting in place internal policies, designing processes and inculcating the right data protection culture. On our part, the PDPC will continue to develop programmes and schemes to support and elevate the DPO in his role. 
 
5. It has been three years since the data protection provisions have come into force. We have investigated over 300 enforcement cases since then, with a majority of the cases receiving an advisory notice. For the more serious cases, we issued over 30 full-length decisions where many of the organisations in breach had to pay financial penalties and carry out other directions to strengthen their data protection policies and practices.

6. Our firm enforcement actions aim to drive home the message that personal data protection is important. As we strive towards a Digital Economy, data protection cannot be just about compliance; it must be about accountability. Accountability is an organisation’s promise to customers that their personal data will be handled carefully. It is about being able to demonstrate to customers that the organisation has put in place measures that pre-emptively identify and address risks to the personal data of their customers. 

7. In a recent survey that we conducted among some 1,500 consumers, 93% of respondents trusted that, with the PDPA in place, their personal data would be protected from misuse by organisations; four out of five respondents had noticed an improvement in organisations’ data protection practices; and 73% of the respondents were willing to provide their personal data to these organisations for products, services and other perks. It’s a significant change from last year, where only about half of them indicated a willingness to do so. This suggests greater trust in the organisations here.

8. This trust is an asset that all of us, as stakeholders in our local ecosystem, have a collective responsibility to preserve and protect. 

Building a Culture of Trust in the Data Protection Ecosystem
9. Let me elaborate how PDPC will help companies make this transition from compliance to accountability.
 
10. Later this year, PDPC will be producing two guides – the first on how to implement a Data Protection Management Programme, or DPMP; and the second on how to conduct Data Protection Impact Assessments, also known as DPIAs. These are accountability and data protection by design tools, which adopt sensible, risk-based approaches towards data protection.
 
11. A DPMP sets out the organisation’s management policies, application of processes and practices, and roles and responsibilities of staff in the handling of personal data. Developing a DPMP within an organisation takes careful planning and consideration of all aspects of data collection and use, and the DPMP guide will help organisations put in place a practical and robust personal data protection programme regime.
 
12. To help DPOs make strategic decisions on where and what to focus their efforts on, PDPC will be introducing a PDPA Assessment Tool for Organisations. It is an interactive online tool that helps the DPO to review the organisation’s data protection policies and processes, identify gaps, provide actionable suggestions and recommend relevant resources – such as the PDPC’s advisory guidelines – to improve data protection measures. This tool will be free and made available on PDPC’s website.  
 
13. The second guide is on the conduct of DPIAs. It will be a useful resource for the DPO as he sets about reviewing systems or processes to identify where personal data may be at risk. This guide can also be used when designing new systems or processes. DPIAs should ideally be conducted once before the design of the system or process is finalised, and again to ensure that the solutions to address the risks are properly implemented before the system or process goes ‘live’. The integration of DPIAs within an organisation’s business processes is a crucial step towards adopting a Data Protection by Design approach.

Supporting our SMEs
14. We foresee that some companies may need a bit more guidance. This will be especially true for SMEs who may not have an experienced DPO on staff. To support them, we will be implementing a few measures.  

15. First, the Data Protection Starter Kit. This is expected to be introduced later this year. It will be a step-by-step guide that highlights nuggets of useful information and resources, such as sample clauses, forms and templates in an easy-to-understand manner. This will be available first as an online and hardcopy resource, and will be followed by a mobile app.
 
16. Second, PDPC will be appointing a panel of Data Protection Advisors to provide targeted help for SMEs. The advisors can guide SMEs on the implementation of data protection processes and systems that are tailored to the organisation’s operational needs. This advisory service will allow SMEs to have a better understanding of their obligations under the PDPA, identify data protection gaps within the organisation and point them to relevant resources. Advisors will also be able to identify available grants that SMEs may tap on, types of courses their employees can attend, and connect them to external data protection service providers.
 
17. I have spoken about the tools and guides that we will be introducing this year as the first stage of our journey from compliance to accountability. In the next stage, we plan to develop the DP Trustmark. We aim to do so by end 2018. The DP Trustmark is a clear recognition that an organisation has put in place accountability practices that go beyond a checklist approach to compliance. Over the coming year, we will be seeking views on key features of the Trustmark, for instance the certification criteria. We plan to start the industry consultation by end of the year. 

Learning from One Another 
18. The PDPC has been actively issuing enforcement decisions for about 15 months now. There are always lessons we can draw from each situation. 

19. Let me give you an example. We received a complaint against the Singapore Institute of Management (SIM) concerning the alleged disclosure of the complainant’s NRIC image to a third party over the institute’s online portal. While processing applications, a staff erroneously uploaded the complainant’s scanned NRIC image to another applicant’s online records. This human error resulted in the disclosure of the complainant’s personal data to the third party. Upon notification of the incident, SIM immediately removed the image from the portal. The staff who committed the error was also counselled.

20. The key issue is whether the organisation has made reasonable security arrangements to protect their applicants’ personal data. After investigation, we determined that the sample documentary checks that SIM had instituted were adequate in providing reasonable assurance of the correct tagging of applicants’ scanned documents. Hence, we were satisfied that SIM had adequately discharged its Protection Obligation and decided that there was no breach. 

21. This case is one of the many that we have compiled in a Personal Data Protection Digest. With a Digital Economy, the discourse on data protection laws and practices will only grow deeper. The Personal Data Protection Digest deals with practical issues faced by data protection practitioners in the course of their work, and covers a variety of topics. I hope that it will provide helpful guidance to DPOs, as well as lawyers and in-house legal counsels who advise on data protection. Our aim is for this effort to contribute to the growing knowledge and experience in this area.

22. At this time, I would like to acknowledge the contributions of the Data Protection Advisory Committee. Their sound advice and industry insight have informed the Commission's decisions. This volume is very much their product as well.
 
Conclusion
23. We believe that data protection and data innovation goals are not mutually exclusive. In fact, a robust data protection regime is an important foundation on which data innovation can thrive. All of us have a shared responsibility to build up the trust quotient needed to enable the smooth functioning of this ecosystem, which enables businesses to seize opportunities and reap the rewards of data innovation.

26. I hope many of you will benefit from today’s event. 

27. On that note, I would like to thank Minister Yaacob for gracing our event once again, and wish everyone an engaging and fruitful day. 

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Jul 2017, 12:00pm AEST

Speech by Dr Yaacob Ibrahim, Minister for Communications and Information, at the Personal Data Protection Seminar 2017, at Sands Expo and Convention Centre on 27 July 2017 at 9.35am

Personal Data Protection Commission, Singapore
Source: Personal Data Protection Commission Singapore - Press Room
27 Jul 2017, 11:45am AEST

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST