Please find a summary of 4 PDPC enforcement actions for the period Jun 2016 to Aug 2016 below:


1. 22 Jun 2016: AIA Singapore Pte Ltd (“AIA”) – WARNING

On 22 June 2016, the PDPC announced that AIA had been investigated in relation to the unauthorised disclosure of a Complainant’s personal data, in particular his bank account details, to Chiropractic First CFG (TP) Pte Ltd (“CFG”) in respect of the Complainant’s claim under an insurance policy. This unauthorised disclosure took place in or around May 2015.

A warning was issued because the unauthorised disclosure was made only to a single 3rd party company, CFG; there was no evidence of actual loss or damage suffered by the Complainant from the disclosure; and AIA had undertaken an immediate review of its processes in relation to the disclosure of personal data to parties following this incident.

The salient point to note is that even if consent was obtained to disclose personal data to 3rd parties, the purpose of the disclosure of personal data has to be what “a reasonable person would consider appropriate in the circumstances” under Section 18 of the PDPA.  In this case, disclosing the Complainant’s bank account details to CFG in order to obtain medical records or medical reports was not considered reasonable.


2. 21 Jul 2016: Central Depository Pte Ltd (“CDP”) and Toh-Shi Printing Singapore Pte Ltd (“TSP”) – TSP FINED $5,000

On 21 July 2016, the PDPC announced that CDP had reported to the PDPC a personal data breach by TSP, its external vendor in charge of printing CDP account statements, involving the personal data of around 195 of its customers.

Although the printing services provided by TSP were governed by a Data Management Services Agreement, and TSP was supposed to put in place measures to protect the confidentiality of the CDP account holders’ personal information, the PDPC found that the breach was due to human error on TSP’s part and could have been avoided by having adequate operational processes in place. CDP was also investigated and found not to be in breach of the PDPA.

TSP was eventually fined $5,000 for the data breach and for not taking reasonable preventative steps before the personal data breach occurred. The fine was levied as a considerable number of individuals were affected and sensitive financial personal data was involved.


3. 25 Jul 2016: Spear Security Force Pte. Ltd. (“Spear”) – WARNING

On 25 July 2016, the PDPC released its decision on whether there was a breach of the PDPA in relation to the lapses by Spear’s employees in safeguarding the visitor log book of Prive Executive Condominium (the “Condominium”), which contained personal data of the visitors.

On 24 December 2015, the PDPC received a complaint from a resident of the Condominium claiming that Spear was in breach of the PDPA, as he had observed that the security guards under Spear’s supervision had left the log book open and unattended on a table near the guard post at the Condominium’s entrance. Spear was appointed by the MCST of the Condominium to provide security services.

During the PDPC’s investigation, Spear mentioned that it was aware from the feedback that the visitor log book had been left unattended by its security guards on multiple occasions, and that it had already taken remedial actions.

Given that there was no evidence suggesting that the visitors’ personal data had actually been exposed to unauthorised third parties due to the lapses by Spear, and that Spear had demonstrated that it had taken reasonably adequate steps to remedy the lapses, the PDPC decided to issue a Warning against Spear for the breach of its obligations under Section 24 of the PDPA.


4. 12 Aug 2016: Chua Boon Yong Justin, Property Agent – FINED $500

On 12 August 2016, the PDPC announced that it had investigated a property agent and fined him $500 with regard to an unauthorised disclosure of personal data.

On 15 Nov 2014, a Complainant lodged a complaint with the PDPC regarding the unauthorised disclosure of his and his wife’s personal data by his landlord’s property agent, following a dispute with a fellow tenant (“Tenant B”) residing at the same property. The property agent had disclosed the personal data to Tenant B as the property agent assumed that Tenant B was prepared to lodge a police report over the matter.

The property agent took the view that he was acting in a “personal or domestic capacity” in the matter, since his actions were unrelated to real estate matters, and that his “intervention” in the matter was justified in the circumstances.

However, the PDPC ruled that the property agent was obliged to comply with the provisions in the PDPA as the personal data was collected in the course of his work. Hence it was for his ‘business’ purposes, and not for his personal or domestic purposes.

In addition, the PDPC also noted that the property agent had not obtained the consent of the Complainant and his wife for the disclosure of their personal data to Tenant B and as such, had breached Section 13 of the PDPA.

The important point to note is that personal data collected in the course of an individual’s work is subject to the obligations under the PDPA. Hence, measures have to be taken to ensure that such personal data in the individual’s possession or control is sufficiently protected, and that the PDPA is observed when dealing with the personal data.

