Viral posts on elderly cleaner — let’s review meaning of consent and how personal data is shared online

Last week, the story of an 82-year-old cleaner known as “Ah Umm” or “Madam L” took the internet by storm after social media user Koh Meng Shuen recounted her work and family circumstances based on a conversation with her. He argued that individuals such as Mdm L need to be better supported by the state.

These posts were then widely shared online as critiques of inequality and social support policies. However, Mr Koh later removed the posts, as he had learned of inaccuracies in his earlier descriptions. He also apologised to Mdm L for the unsolicited and unwanted attention generated, as some concerned individuals had tried to seek her out.

On July 29, the Ministry of Social and Family Development (MSF) responded with a statement further detailing Mdm L’s circumstances, while advising the public to refrain from sharing the circumstances of vulnerable people on social media and to link them up with social services directly instead.

As researchers examining perceptions and governance of data in Asia, we note that this incident has brought up pertinent questions of the meaning of data and how it can be used ethically.

In Singapore, discussions of data protection often focus on unauthorised data leaks and cybersecurity flaws, such as the 2018 SingHealth cyber-attack. But we also need to pay attention to how data can be ethically handled by both the public and “authorised” parties, even in the absence of malicious intentions.

In the local context, authorisation is usually understood in terms of consent and notification, which are core tenets of the Personal Data Protection Act. It is not enough to understand authorisation as a one-off agreement, and meaningful consent is key.

In other words, an individual should be continuously informed of how their personal data may be used and disclosed by those they share it with.

Even if consent has been given, authorities as well as members of the public should also exercise much caution so as not to compromise the safety, privacy and dignity of individuals.

In the original case of how Mdm L’s information was shared online, we see how the ethics of data sharing are blurred in the context of personal social media.

After all, we are used to using social media to share the experiences of our everyday lives. In the moment, it may not seem like a big deal to share an enlightening interaction with a stranger.

However, the details shared in the original posts could still be considered the personal data of Mdm L, especially since members of the public were able to determine her identity from the information posted.

Consent was not obtained as she was unaware that photos were being taken and the conversation would be shared publicly. While Mr Koh probably had good intentions in publicising her story, it is difficult to control the consequences of spreading such sensitive personal information online.

For its part, MSF is right to caution that sharing the personal details of individuals and families on social media “may lead to further distress” for people who are already in vulnerable positions.

There is an irony in its decision to disclose more personal data about Mdm L online, in response to Mr Koh’s viral posts.

The ministry’s statement contained further information such as the circumstances of her son’s death, her living arrangements and her wages, ostensibly to counter netizens’ suggestion that not enough support exists for people in Mdm L’s position.

It is unclear whether Mdm L’s family consented to such information being disclosed by MSF. However, the potential consequences of such public disclosure lead us to consider data ethics beyond the principle of individual consent.

This incident is the latest in a trend of public agencies disclosing personal information in order to defend their policies and processes, and it is worth considering whether this continues to be appropriate as a standard response to critiques.

For example, in April, details of assistance that a family had received were disclosed online by MSF in response to a news article about how low-income families were coping during the pandemic.

Last year, the Central Provident Fund (CPF) Board disclosed some of the medical history of an individual who had complained about not being able to access her CPF savings.

In these cases, the Smart Nation Digital Government Office had clarified in December 2019 in a statement that the “release of personal details [is] necessary to provide the public with correct and relevant facts”, and such disclosure is to “preserve the public trust reposed in them and to ensure that citizens are not misled”.

But organisations privy to the personal data of their clients need to also consider the power dynamics among the stakeholders involved.

When considering digital vulnerability, data ethics and social welfare are not separate issues. Privacy expert Professor Michele Gilman notes: “Poor people experience privacy differently because the stakes for them are often much more dire.”

Those in positions of financial vulnerability often do not have the option to keep their data “private”. This is because information has to be shared with social service agencies or community members in order to obtain the support they need. 

Meanwhile, public agencies and social service organisations, unlike an individual citizen, have a duty of care and accountability to citizens and users of their services. 

While it is important that they defend their policies and correct falsehoods, public agencies in particular are unlike companies that will suffer losses if their customers choose to stop patronising them. 

Individuals seeking social support stand to lose much more from the disclosure of their information than institutions do from public criticism.  

If the issue of contention is the adequacy of Singapore’s economic structures and social policies, then critiques and healthy debate are undoubtedly necessary.

But it is possible and appropriate for these discussions to take place without the disclosure of vulnerable individuals’ information in ways that the individuals themselves have little control over.

For example, public agencies can clarify the policies they have available to people in similar situations and explain how to seek assistance.

They can also clarify that the information being circulated is not entirely true, without disclosing the specific details of an individual’s circumstances and personal information. 

The point here is not to minimise data sharing altogether, but to protect the agency and dignity of those who disclose their data in the process.

After all, many choose to share their data publicly in contexts like mutual aid and crowdfunding, where they have control of how the data is disclosed and trust that it will be used for their benefit.

Trust in the adequacy of public policies is important, but this should also include trust that personal data will be handled in a safe and dignified way.

To this end, frameworks such as the Public Sector (Governance) Act to ensure greater transparency and accountability around public agencies’ handling of personal data are crucial. 

The ongoing review of public sector data protection rules is an important step that could consider such ethical questions, in addition to the reinforcement of cybersecurity measures. 

While regulations are continuously revised to keep up with new ways in which people use technology, ethical discretion is just as important as regulatory safeguards.

ABOUT THE AUTHORS:

Wong Kwang Lin and Dr Natalie Pang are respectively research assistant and senior lecturer at the Department of Communications and New Media, National University of Singapore.