New guide to clear doubts on sharing customer data

Organisations are concerned that seeking consumers' consent for new uses of their personal data - a requirement under the Personal Data Protection Act - might be too onerous. PHOTO: ST FILE

Protecting consumers' privacy is not at odds with Singapore's push to get more organisations to use or share customers' data to, say, plan retail promotions or transport routes, said Singapore's privacy watchdog.

The Personal Data Protection Commission told The Straits Times it has received several such queries, prompting it to spell out the techniques for treating consumers' data for such purposes in a newly issued guide.

"More of them (organisations) realise the strategic value of the data they collect as a source of competitive advantage," said a spokesman for the commission.

However, organisations are also concerned that seeking consumers' consent for new uses of their personal data - a requirement under the Personal Data Protection Act - might be too onerous.

The commission has clarified in the guide, Anonymisation, issued two weeks ago, that data stripped of personal identifiers - name, age and contact details - can be used or shared with third parties without first seeking consumers' consent. Consumer data that is anonymous is not considered personal data.

Companies may also choose to use anonymisation techniques to continue to retain consumer data without breaking the law.

These techniques include replacing a person's name with a randomly generated string of numbers, removing the first five digits of a person's NRIC number, or putting individuals in broad age groups instead of stating one's age.

The commission has also reminded organisations to use robust techniques so that an individual's identity cannot be inferred by combining separate data sets.

Lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said companies trip up when they fail to ensure that the anonymisation process cannot be easily reversed.

"The commission is also quick to warn that once re-identification occurs, such data ought to be treated as personal data," Mr Leong said.

Some local companies said the guide is useful.

EZ-Link, which issues contactless cards for public transport and retail payments, said: "We will be using anonymous data on card usage to generate solutions that benefit our commuters."

It is working with the National University of Singapore and Alibaba Cloud, a unit of China's Alibaba Group, to analyse commuters' travel data.

This has potential uses, for instance, when a bus breaks down. The location and expected destinations of affected commuters could be shared with taxi and car-sharing operators to put nearby drivers on alert. Another possible use is for planning better retail promotions at train stations.

Singapore's largest telco Singtel said it, too, uses the anonymised data of mobile phone users to identify where crowds normally form to help the telco decide where to install equipment to boost mobile signals.

"When data is used for marketing and research, we obtain consent from customers who can opt out," a Singtel spokesman said.

A version of this article appeared in the print edition of The Straits Times on April 10, 2017, with the headline 'New guide to clear doubts on sharing customer data'.