Just How Much Personal Data are You Sharing with Your Mobile Apps?


Data is a tricky tool. It can be used to verify identity and find like-minded people. From our birth dates to our gender and favourite food preferences, we have all shared data online.

However, after the recent news concerning Cambridge Analytica, United States citizens are quickly realising their personal data could have been analysed, sold and utilised to influence the electoral success of the Trump Campaign in 2016.

And it all started with a simple click on a much-loved social media platform – Facebook.

It was then revealed that Cambridge Analytica had made use of personal data that was harvested by a British academic, Aleksandr Kogan. Kogan created an app that harvested the personal data of its users, as well as that of their friends, if they logged into the app using their Facebook username and password.

This data was later sold to Cambridge Analytica, which is believed to have used it to help the Trump campaign garner popular support.

As the saga in the US continues to unfold, with investigations launched by Facebook and the relevant authorities, it is time to consider how we can protect our personal data and prevent its misuse.

Personal Data Protection Act (PDPA) – Is Mobile App Information Protected Under the Legislation?

According to the Personal Data Protection Act (PDPA), personal data refers to any information that can be used to identify a person. Therefore, specific information we share online and through mobile applications such as our credit card information, names, numbers and email addresses, will come under the purview of personal data.

How is My Personal Data Protected?

The PDPA is implemented and executed by the Personal Data Protection Commission (PDPC), to ensure that an organisation or person working within an organisation complies with data protection obligations. Personal data, including that which is collected through mobile applications, must meet the PDPA data protection obligations:

  1. Consent – Organisations may collect, use or disclose personal data only with the specific user’s consent.
  2. Purpose – Organisations may collect, use or disclose personal data for the purpose that the user has granted consent for. The user should not be required to consent to the collection, use or disclosure of personal data beyond what is reasonable for the organisation to produce a particular good or service.

How Can I Protect My Personal Data?

The PDPC develops a baseline standard of data protection specific to the industry and sector. But users can help to protect their personal data in their own ways, too.

When prompted to provide information, users can check if the information required is optional, or if they can provide alternative information that they are comfortable sharing.

For example, instead of providing their house or mobile phone number, users may prefer to provide their email address if they are given the choice to do so, as this may give a greater degree of anonymity and choice for the user to decide if they wish to engage with the mailer.

Looking out for these alternatives and/or skip functions can go a long way towards ensuring that the data a user considers more sensitive remains confidential and is used reasonably.

Amending Personal Data that You’ve Already Provided

Depending on the circumstances, users may feel the need to change or remove personal data they have previously shared. Contrary to the popular saying ‘once it’s on the internet, it’s never off’, personal data in Singapore, thanks to the provisions of the PDPA, can be taken off or replaced as per the will of the user.

This applies as long as the new data is verified and legitimate as a suitable replacement for the previously provided data. Referring back to the PDPA, personal data shared through mobile applications can be accessed, changed or removed by the user in accordance with an organisation’s data protection obligation under the PDPA, which requires user consent.

Should you wish to remove your personal data shared by an organisation, you can do so with reasonable notice of at least 10 business days. The organisation should inform you of the likely consequence and cease collection, use and/or disclosure of your personal data.

Can a Cambridge Analytica Case Emerge in Singapore?

The PDPA requires all organisations, and persons working on behalf of an organisation, operating within Singapore to comply with the data protection obligations in accordance with Singapore law, irrespective of the country in which their registered headquarters is located.

Cambridge Analytica would have found it difficult to fish and collect information from Singaporeans without coming under heat from the PDPC, who would question the purpose behind data collection and oversee the disclosure of this information.

Since 2015, the PDPC has been urging mobile application developers to comply with the data protection obligations. This has so far ensured that our personal data is protected, with provision for users to seek redressal through the PDPC for any personal data misuse.

Who Does the PDPA Not Apply to?

However, do note that certain organisations, and persons working on behalf of an organisation, may be able to use our personal data because they do not come under the purview of the PDPA.

Persons excluded from data protection obligation under the PDPA include:

  • Individuals or persons acting on a domestic basis;
  • Employees acting in the course of their employment;
  • A public agency or organisation acting on behalf of another public agency or organisation;
  • Business contact information including name, position or title, business telephone number, business address, business mail or fax.

My Information has been Misused. What Next?

Despite the precautions taken, it is possible that personal data is still procured and used without user knowledge. If the user suspects misuse of personal data by an organisation, he/she may approach that particular organisation to discuss the matter.

If the user and organisation are unable to resolve the matter, the PDPC may refer the matter to a qualified mediator, with the agreement of both the user and the organisation. Where the situation cannot be resolved amicably in spite of this assistance, the PDPC has the right to search premises and request documentation without warrant in relation to the user’s personal data.

This may be the case, for example, if the organisation requires the user to pay a fee, or refuses to provide access to or correct the personal data within a reasonable time.

If the complaint is found to have merit, the company will be required to cease collecting, using and disclosing information, and to destroy existing personal data collected in contravention of the PDPA.

While a situation like Cambridge Analytica meddling in political affairs may not be a reality for Singapore, vigilance amongst users and organisations must be maintained when it comes to personal data sharing.

Singapore has a high degree of smartphone and internet penetration. By ensuring we are aware of how much information we choose to share and withhold, and by understanding our right to redressal for misused personal data, we can safeguard our data from being used for any wrongful means.

If you require legal assistance on protecting your personal data, feel free to get in touch with our data protection lawyers.