On 21 April 2016, the Personal Data Protection Commission (PDPC) issued a press release outlining its enforcement action against 11 organisations for breaches to the Personal Data Protection Act (PDPA).
The highlight penalty was a $50,000 fine and other directions meted out against karaoke chain K Box Entertainment Group Pte Ltd for not putting in place sufficient security measures to protect the personal data of 317,000 members (a list of the members’ details were uploaded onto some website), for inadequate data protection policies and the absence of a Data Protection Officer (DPO). Its IT vendor in charge of managing its content management system, Finantech Holdings Pte Ltd, was also fined.
PDPA breaches can result in financial penalties, valuable work hours spent on investigation proceedings, loss of trust from one’s clients, and reputational harm.
Since the PDPA came into full effect in July 2014, the PDPC has received 667 complaints. 92% of these complaints were resolved through investigation and facilitation between the respective organisations and individuals.
In this article, I consider some key themes in the enforcement action cases highlighted in the 21 April 2016 press release.
IT / Cyber-security Measures
In several cases, the organisations were found in breach because they did not have sufficiently robust IT and cyber-security infrastructure or measures put in place to prevent hackers or leaks of their customers’ / users’ personal data from being stolen and posted online. In some failures included:
- a failure to update security patches;
- using weak admin passwords;
- a failure to implement security measures to protect databases online.
I have already mentioned K Box and Finantech above. Another case was the Institution of Engineers, Singapore (IES) where 4000 members’ contact numbers, member IDs and passwords were posted online. Similarly, Fei Fah Medical Manufacturing Pte Ltd had 900 customers’ usernames, passwords, contact numbers and email addresses leaked on a website.
Metro Pte Ltd was found to be in breach of the PDPA when it failed to detect well-known and common cyber-security vulnerabilities which remained unpatched until an internal IT security audit. As a result, the personal data of 445 customers was leaked onto a website.
Employee / Vendor Mistakenly disclosed personal data
In several cases, the organisations were found to have breached the PDPA for their employees or IT vendors mistakenly or negligently sending to customers the personal data of other customers or doing seemingly minor things which disclosed personal data.
In the case of Universal Travel Corporation Pte Ltd, one of its staff shared a document containing 37 customers’ personal data when 4 of its customers requested for information relating to their flight for travel insurance application purposes.
Challenger Technologies Ltd was found to have breached the PDPA when its IT vendor wrongly sent out an email update on its behalf to over 165,000 members regarding the status of their membership points. Its IT vendor Xirlynx Innovations was also found to have breached the PDPA.
Also, an employee of the Singapore Computer Society mistakenly sent out an email to registrants of an event and attached a document containing personal data of the 214 registrants, including their personal data.
YesTuition Agency was found to have breached PDPA when it named its tutors’ photograph files by their NRIC numbers which were uploaded onto their website.
Commercial Practices undertaken Without Users’ Consent
In the case of Xiaomi Singapore Pte Ltd, they were found to have breached the PDPA by uploading its users’ personal data to its servers overseas without the knowledge of their users.
Common Thread: Lack of PDPA Policy
A common thread in the above cases is that there was no comprehensive PDPA policy designed or implemented. There was therefore a lack of staff training and awareness of what they should watch out for when dealing with customers’ or users’ personal data. Further, there was no Data Protection Officer (DPO) appointed in some cases. IT and cyber-security measures must be put in place especially where an organisation is technology-dependent or harnessing. Further, in some situations, it may be prudent to have proper procedures and mechanisms put in place to ensure that law-violating mistakes do not occur.
The PDPA applies to any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore. It is therefore important for businesses, societies / associations, organisations, etc. to consider crafting a PDPA policy and procedure, and provide staff training to ensure compliance of the same.