Whose Data Is It Anyway? Why Ownership Matters More Than Consent

2024-01-15

Here’s a confession from inside Singapore’s IT security trenches: the more energy an agency burns chasing perfect consent forms and terms-of-use templates, the less likely it’s actually protecting citizens’ data as intended. The compliance machinery hums quietly in the background, churning out digital consent and audit logs, yet the practical question still lingers—who truly controls the data once it lands in your system?

This false sense of security built on consent has become a trap, especially in government environments where privacy risks aren’t always as visible as you’d like. Consent forms get signed, policies updated, and databases filled. But the handoff between a citizen’s trust and an agency’s stewardship is relegated to paperwork when what’s really needed is operational clarity: who owns the data, who can use it, and who is ultimately accountable when things go sideways. In reality, breaches and abuse rarely hinge on missing consent. They trace back to fuzzy ownership, unclear custodianship, and external vendors or staff who treat personally identifiable information (PII) like a shareable resource until proven otherwise.

Navigating Singapore’s regulatory frameworks—PDPA, sectoral laws, the constant buzz about digital trust—means leaders have to draw a hard line. Forget the comfort of universal consent; agency CISOs must push for ruthless clarity about data ownership. If you’re responsible for security, you shouldn’t just know where sensitive data lives—you should know who, at every step, is on the hook for keeping it safe. This doesn’t mean ratcheting up red tape or stalling innovation with another round of consultations. It means embedding real accountability into architectures, making sure every database, pipeline, and integration has a visible owner, and that the chain of responsibility doesn’t break the moment a system is handed off or “cloudified.”

The best practice for Singapore’s public sector is simple: treat data like an asset that demands stewardship, not just paperwork. The difference between a compliance-driven and a protection-driven agency lies in the answer to one question—if something goes wrong, can you point to a clear owner who cares? If the answer is “not sure,” then no amount of consent will save you from regulatory headaches or loss of public trust. As digital government grows, so does the complexity of keeping that stewardship honest. That means CISOs have to build structures where ownership is the default, not an afterthought—and where every system, not just the newest apps, is subject to real governance, not just ticking boxes.