I received something in the mail in April that caused me some irritation. It was a colourful card wishing me a “joyous new year” – in April. It turns out that various Indian and Indian-derived new years are celebrated in April. Inside, the card contained information about some celebratory programme.
Why would this card irritate me? In just the preceding few months, Christmas, New Year and Chinese New Year had passed without me getting any card. Somehow my telco found out my ethnicity and sent me a card that it figured was tailored to my interests (It wasn’t. I have no idea who those people in the pictures are).
How they figured it out is not a difficult question. Telcos in Singapore (and in many other countries) collect copies of one’s identity card perhaps mandated by law, and also to identify the customer during customer interactions. Singapore’s identity cards (ICs) clearly state the person’s race. My guess is that someone at the telco thought it a good idea to collect the personal information about ethnicity for some tailored marketing. It couldn’t hurt, right? After all it already holds on to the information. Not so.
Singapore enacted a personal data protection act (PDPA) a few years ago. One key idea of the law is that personally identifiable information (such as the information in one’s IC) should only be collected with consent for a stated purpose (such as identifying a person when he calls up the telco claiming to be a customer). Getting promotional material from the company about non-telephone services was not something that I had signed up for.
I exchanged a few emails with the telco’s data protection office. I was advised thus:
“We are using the individual’s ethnicity/race to ensure that we do not send offers/events that are not relevant or potentially offensive to the customer.”
I found this to be objectionable even on some non-privacy grounds but what I found really problematic was how they ended that email.
“If you could share the reason of why you would not consent to giving this information, it will be helpful for us to see how we can best address your concerns.”
The telco took for granted that I was giving up this information and I would be OK with them using it for the purposes they chose. Without asking me.
In the very last email, the DPO assured me that the telco would not provide my data to third parties for commercial purposes without seeking my explicit permission. I had no such worries. My concern was that they would abuse it internally for commercial purposes without asking my explicit permission, as they already had.
Companies can try to wiggle out of their responsibilities by finding loopholes with the law. My ethnicity is not really the personally identifying information (PII) that is the focus of the PDPA. The problem lies in the fact that it is collected from the IC, that treasure trove of PII and we have no visibility as to what else the company is doing with our information.
The PDPA was a step in the right direction for Singapore. Many companies have scrambled to follow the letter of the law in terms of visible implementation. They have put up notices on their websites stating who customers can contact if they wish to enquire about the privacy of their data. They have appointed data privacy officers with clear responsibilities. These are mandated by the law and an auditor can verify it.
What is difficult is to bring about a change in attitude toward customer data as something that belongs to the customer and not to the profit-seeking company. Appearing to obey the law may not be too difficult. Understanding and accepting the intent of the law will take some time and motivation.
This essay was originally posted at my LinkedIn page: https://www.linkedin.com/pulse/my-telco-knows-ethnicity-should-vijay-luiz