There were 5 PDPC enforcement actions published from Feb 2017 to Jun 2017. Details are as follows:
1. 21 Mar 2017: Executive Coach International Pte. Ltd. (“ECI”) – WARNING ISSUED TO ECI
On 20 April 2015, the Complainant, who was a former employee of ECI, complained to PDPC that ECI had disclosed her past personal history in a WhatsApp group chat comprising the Complainant and ECI’s other staff and volunteer trainees (“WhatsApp Group”) without her consent and without notifying her of the purposes for the disclosure.
ECI is an organisation which provides life and executive coaching services to individual and corporate clients. On 7 April 2015, Mr L disclosed highly sensitive information about the Complainant’s personal history, namely a past drug problem and infidelity in a romantic relationship (“Personal Data”), to more than 50 participants in a closed WhatsApp Group comprising staff and volunteers.
The Complainant claimed that the Personal Data had been disclosed to Mr L in the context of Mr L being her employer, teacher and coach. ECI argued that Mr L had disclosed the Personal Data in his personal capacity and not as an employee of ECI, that the Personal Data was known only to Mr L and not to ECI, and that ECI had not authorised Mr L to disclose it.
The PDPC noted that disclosure of Personal Data was made in the context of an ongoing dispute arising from the unamicable departure of the Complainant from ECI’s employment. Therefore, the PDPC took the view that ECI’s ignorance was immaterial as Mr L was acting in the course of his employment as a director of ECI, when he disclosed the Complainant’s Personal Data in the WhatsApp Group chat, and was not acting in his individual capacity.
The PDPC found ECI in breach of Sections 13 and 20 of the PDPA (the Consent and Notification Obligations) and issued a Warning to ECI. The PDPC noted that a calibrated approach was warranted because the disclosure, although made in the course of an ongoing dispute, was internal and not to the public at large.
- Do not disclose any current or ex-employee’s personal data, sensitive or otherwise, even if there is an ongoing dispute regarding that person’s employment; and
- Even if your company did not authorise the disclosure of personal data, your company will still have breached the PDPA if the employee who made the disclosure is found to have done so in the course of his or her employment.
- Even though the Personal Data disclosed was found by the PDPC to be highly sensitive, the PDPC took a calibrated approach as the disclosure was to a closed chat group and not the general public.
2. 6 Apr 2017: Tech Mahindra (Singapore) Pte Ltd (“TMS”), Singapore Telecommunications Limited (“Singtel”) – TMS FINED $10,000
This is a case where an error made by TMS in updating a database resulted in the personal particulars of a single customer (“Affected Customer”) replacing personal particulars in the profiles of 2.78 million Singtel users.
On 26 Feb 2016, the Affected Customer informed Singtel of difficulties logging in to his ONEPASS account, and Singtel escalated the issue to TMS, its appointed IT vendor. TMS determined that an update was needed to the Affected Customer’s profile in the ONEPASS database and executed a database script to update the profile.
On 29 Feb 2016, Singtel received several reports from ONEPASS users that their MySingtel Application profiles had been modified to reflect the Affected Customer’s account number, billing address and services while several other customers also reported that the NRIC field in their ONEPASS profiles on the MyBill and MyAccount portals had been modified to reflect the Affected Customer’s NRIC number.
A total of 2.78 million ONEPASS users’ accounts were affected, of which 2,518 users had viewed the Affected Customer’s NRIC number. Subsequently, Singtel disabled access to the MySingtel Application and disabled access to the ONEPASS profile webpages on the MyBill and MyAccount portals. Singtel also notified the Affected Customer of the incident. Singtel’s investigations disclosed that the incident was caused by a coding issue in the database script that was executed by TMS.
After investigations, the PDPC found that Singtel had made reasonable security arrangements in compliance with the Protection Obligation under Section 24 of the PDPA. However, the PDPC found TMS in breach of Section 24 of the PDPA because TMS had not complied with its own internal security arrangements, SOPs and policies governing the modification or processing of personal data in the ONEPASS database.
The PDPC directed TMS to pay a financial penalty of $10,000 within 30 days of the date of the direction, citing the sensitive nature of the Personal Data disclosed, the large number of ONEPASS users whose Personal Data was modified without authorisation, and the fact that this data breach could have been avoided had TMS followed Singtel’s and its own SOPs.
- An organisation’s external and internal security arrangements, SOPs and policies should always be adhered to, both by the organisation and by any data intermediary acting on its behalf.
- When contracting with a data intermediary, ensure the contract requires the data intermediary to comply with the PDPA and to train its employees on all applicable data protection laws and security measures. This matters because the organisation has the same obligations in respect of personal data processed on its behalf by a data intermediary as if it had processed that data itself, while the data intermediary is directly subject to the Protection Obligation.
- One of the key benefits of having such a contract is that it would make clear the parties’ respective roles, obligations and responsibilities to protect the personal data.
- Notification, cooperation, and prompt remedial and preventive action were treated as mitigating factors. Non-compliance with SOPs or instructions was treated as an aggravating factor.
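The TMS incident is a single-record change that rewrote 2.78 million profiles. The page says only that a “coding issue” in the script caused it; the script itself is not public. The example below is added here and is not TMS or Singtel code. It shows the control a data intermediary’s SOP for ad hoc data fixes should impose regardless of the root cause: run the change in a transaction, compare the affected-row count with the number of rows the change was meant to touch, and commit only on a match. The schema, the sample rows and the defective statement (a dropped WHERE clause, chosen as a representative of the class of error, not as the actual defect) are all constructed for illustration.

```python
"""Guarded single-row update: commit only if the expected number of rows changed.

Added example; not TMS/Singtel code.  Schema, data and the defective
statement are constructed for illustration.
"""
import sqlite3


class RowCountMismatch(RuntimeError):
    """Raised when a statement changes a different number of rows than intended."""


def make_db(n_customers: int = 5) -> sqlite3.Connection:
    """Constructed in-memory profile table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile ("
        "account_no TEXT PRIMARY KEY, nric TEXT, billing_addr TEXT)"
    )
    conn.executemany(
        "INSERT INTO profile VALUES (?, ?, ?)",
        [(f"ACC{i:04d}", f"S{i:07d}Z", f"{i} Example Road")
         for i in range(n_customers)],
    )
    conn.commit()
    return conn


def guarded_execute(conn, sql, params=(), expected_rows=1):
    """Run one data-changing statement and commit only if it touched exactly
    expected_rows rows; otherwise roll back and raise.

    Python's sqlite3 opens a transaction implicitly before DML, so the
    rollback undoes the statement.  With other drivers, begin the
    transaction explicitly before executing.
    """
    try:
        cur = conn.execute(sql, params)
        if cur.rowcount != expected_rows:
            raise RowCountMismatch(
                f"expected {expected_rows} row(s), statement changed {cur.rowcount}"
            )
        conn.commit()
        return cur.rowcount
    except Exception:
        conn.rollback()
        raise


def rows_with_addr(conn, addr):
    """Count profiles carrying a given billing address (used to verify the guard)."""
    return conn.execute(
        "SELECT COUNT(*) FROM profile WHERE billing_addr = ?", (addr,)
    ).fetchone()[0]


def demo():
    conn = make_db()
    target, new_addr = "ACC0002", "99 Corrected Street"

    # Constructed defect: the WHERE clause is missing, so this statement would
    # stamp one customer's address onto every profile.  The guard sees 5 rows
    # instead of 1, rolls back and raises; nothing is persisted.
    bad_sql = "UPDATE profile SET billing_addr = ?"
    try:
        guarded_execute(conn, bad_sql, (new_addr,))
        blocked = False
    except RowCountMismatch:
        blocked = True
    after_bad = rows_with_addr(conn, new_addr)

    # Correctly scoped statement: exactly one row changes, so it commits.
    good_sql = "UPDATE profile SET billing_addr = ? WHERE account_no = ?"
    updated = guarded_execute(conn, good_sql, (new_addr, target))
    after_good = rows_with_addr(conn, new_addr)
    return {"blocked": blocked, "after_bad": after_bad,
            "after_good": after_good, "rows_updated": updated}


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to any one-off fix script: state the intended row count up front, and treat a mismatch as a failed change rather than a warning. A pre-flight `SELECT COUNT(*)` with the same predicate, and a second person reviewing the statement before it is run against production, are the procedural controls the PDPC’s reference to SOPs points at.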
3. 26 Apr 2017: National University of Singapore (“NUS”) – DIRECTIONS ISSUED TO NUS
A student at NUS had complained to the PDPC that a URL link that was being circulated for NUS’s 2016 freshman orientation camp (“FOC”) had disclosed (without authorisation) the personal data of student volunteers from the College of Alice and Peter Tan (“CAPT”). CAPT is a residential college of NUS.
The PDPC found that by following a URL link, one could access an online Excel spreadsheet containing personal data such as the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers, and email addresses of approximately 143 student volunteers.
NUS had designated several student leaders to take the responsibility for organising the FOC. As part of the process of organising the FOC, these student leaders would recruit other student volunteers to participate as counsellors and assist in the running of the FOC.
The student leaders created an online form using Google Forms for the student volunteers to fill in their personal particulars. The particulars that were entered into the Google Forms were stored in a Google Sheets spreadsheet (the “Spreadsheet”), which was meant to be shared amongst the student leaders only. For the purpose of sharing access to the Spreadsheet, a URL link to the Spreadsheet was generated through Google Sheets by selecting the “Share with specific people” function.
At some point in May 2016, the Spreadsheet came to be circulated beyond the originally intended group after an unknown party changed the setting to “Share using a link”. As a result, any user who possessed the URL could access the Spreadsheet, and all the personal data of the student volunteers contained within. Consequently, the personal data set was now exposed to those who had access to the URL link, which may have extended to persons beyond NUS.
Although NUS had in place general policies and guidelines for the protection of personal data, when it came to the security arrangements on the ground, it did not have any formalised data protection training in place to train and equip its students with the mind-set, knowledge, skills and tools to protect personal data.
While NUS had made an e-training programme available on its intranet (“IVLE”), it did not make the e-training compulsory for the FOC student leaders. In any case, NUS confirmed that none of the student leaders had undergone the e-training before the FOC commenced in 2016, even though they were handling the personal data of other students. In effect, the FOC student leaders received no data protection training in 2016.
The PDPC therefore found that NUS had failed to provide adequate training to the student leaders before they handled personal data, which increased the risk of a data breach. Even if a student leader had some knowledge of the PDPA, NUS had no way of ensuring that this translated into the actual practice of protecting personal data.
The PDPC found NUS in breach of Section 24 of the PDPA and issued NUS directions to:
a. Within 120 days from the date of the PDPC’s directions:
(i) design training (including online training and dissemination of training materials) that would address personal data protection in the context of the collection and processing of personal data for student events and of the resulting interaction;
(ii) make arrangements for such training to be mandatory for any student leader. For the avoidance of doubt, a student leader is defined as any undergraduate or postgraduate student of NUS who has been appointed to, or is part of, any committee tasked to organise any event or activity officially approved or sanctioned by NUS;
(iii) make other arrangements as would be reasonably required;
b. by no later than 14 days after the above action has been carried out, NUS shall, in addition, submit to the Commission a written update providing details on the arrangements for the training for student leaders managing personal data for student events officially approved or sanctioned by NUS.
- This is PDPC’s first data protection enforcement case involving a local university, and was also the first case where the PDPC referred to overseas decisions /guidelines.
- Organisations should implement formalised data protection training. The PDPC treats it as an administrative or organisational security measure and takes it into account when assessing whether personal data has been adequately protected.
- Formal training would also be considered as part of the openness obligation.
- The PDPC considered 143 affected individuals to be a ‘significant number’, and also took into account the risk of potential harm to those individuals.
- The PDPC displayed flexibility in adjusting to NUS’s requests for a longer time in complying with the directions which were issued.
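The NUS breach turned on a single sharing setting: a spreadsheet shared with specific people became reachable by anyone holding the link. The PDPC’s remedy is training, but an organisation that lets students or staff collect personal data in Google Sheets also needs a way to notice when that setting changes. The following audit is an added example, not NUS or Google code. It classifies each permission on a file by how widely it exposes the file and lists the link- or domain-shared ones first. The permission records follow the field names of the Google Drive v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), but the sample files are constructed, and the API call that would fetch real records is assumed and not shown, so the script runs offline.

```python
"""Flag Drive files whose permissions expose them beyond named people.

Added example; not NUS or Google code.  Permission dicts follow the field
names of the Drive v3 permissions resource; the sample data is constructed
and the API fetch is assumed (not shown).
"""

LINK_TYPES = {"anyone"}    # "Anyone with the link", or public on the web
DOMAIN_TYPES = {"domain"}  # everyone in a Workspace domain


def classify(perm):
    """Map one permission record to an exposure class.

    Returns "public" (anyone, discoverable by search), "link" (anyone who
    holds the URL), "domain" (all accounts in a domain) or "explicit"
    (a named user or group, which is the state the NUS sheet started in).
    """
    t = perm.get("type")
    if t in LINK_TYPES:
        return "public" if perm.get("allowFileDiscovery") else "link"
    if t in DOMAIN_TYPES:
        return "domain"
    return "explicit"


def audit(files):
    """Return one finding per non-explicit permission, most exposed first."""
    order = {"public": 0, "link": 1, "domain": 2}
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            kind = classify(p)
            if kind == "explicit":
                continue
            findings.append({
                "file": f["name"],
                "exposure": kind,
                "role": p.get("role"),
                "scope": p.get("domain", "anyone"),
            })
    findings.sort(key=lambda x: order[x["exposure"]])
    return findings


# Constructed sample: the first file mirrors the incident (named editors plus
# a later "anyone with the link" reader); the second is domain-wide; the
# third is shared only with its owner and should not appear in the findings.
SAMPLE_FILES = [
    {"name": "FOC volunteers (responses)", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "leader1@example.edu"},
        {"type": "user", "role": "writer", "emailAddress": "leader2@example.edu"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"name": "Rostering notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "leader1@example.edu"},
        {"type": "domain", "role": "reader", "domain": "example.edu",
         "allowFileDiscovery": True},
    ]},
    {"name": "Budget", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "leader1@example.edu"},
    ]},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding['exposure']:<7} {finding['role']:<7} "
              f"{finding['scope']:<12} {finding['file']}")
```

Run against real permission listings, the same classifier gives the data protection officer a periodic report of which event spreadsheets have drifted from “specific people” to “anyone with the link”, which is the check the NUS student leaders had no tooling or training to perform.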
4. 31 May 2017: Tiger Airways Singapore Pte Ltd (“Tigerair”), SATS Ltd (“SATS”) and Asia-Pacific Star Private Limited (“APS”) – DIRECTIONS ISSUED TO APS
On 27 Jul 2016, the PDPC received a complaint that the passenger name list for Tiger Airways Singapore Pte Ltd (“Tigerair”) flight TR2466 (“Flight Manifest”) had been improperly disposed of in a rubbish bin in the gate hold room at Changi Airport. The complainant alleged that anyone in the vicinity could have retrieved the Flight Manifest.
SATS was engaged by Tigerair to provide ground handling services. In accordance with the terms of the ground handling services contract between SATS and Tigerair (“Ground Handling Services Contract”), SATS was responsible for the provision of the services by its subsidiaries as if it had been provided by SATS itself.
APS is a wholly-owned subsidiary of SATS. SATS sub-contracted the provision of ground handling services for Tigerair to APS pursuant to a Services Agreement dated 11 June 2014 (“Services Agreement”). Under the Services Agreement, APS was responsible for managing the boarding process, reconciling passenger numbers and verifying travel documents at the boarding gate.
Among other things, APS was required to print a copy of the Flight Manifest at the boarding gate for the cabin crew to take on board the flight and submit to the immigration authority at the arrival destination.
On 26 Jul 2016, an APS employee who was on gate duty for flight TR2466 ran out of paper while printing a copy of the Flight Manifest. The APS employee disposed of the partially-printed Flight Manifest in the rubbish bin in the gate hold room for flight TR2466 and reprinted the Flight Manifest in full (“Data Breach Incident”). The gate hold room where the partially-printed Flight Manifest was discarded was only accessible to passengers and airport staff.
No one could verify the exact number of passengers whose personal data was disclosed in the partially-printed Flight Manifest. The partially-printed Flight Manifest contained passenger personal data such as the passenger’s name, booking reference number (also known as PNR), fare class, sequence number of check-in, date of booking, seat number, destination and flight number. Other personal data such as the passenger’s full name, passport number, home address, phone number, email address and last four digits of the credit card used to pay for the plane ticket could have been retrieved by entering the passenger’s name and the PNR into Tigerair’s “Manage My Booking” portal.
Following its investigations, the PDPC determined that Tigerair and SATS had complied with their Protection Obligation under Section 24 of the PDPA.
However, the PDPC determined that APS had not complied with its Protection Obligation under Section 24 of the PDPA and directed APS to:
- conduct a review of its procedures for proper disposal of personal data in its possession and/or control;
- introduce data protection policies that are contextualised and pertinent to the services provided by APS and functions performed by its staff; and
- include a programme for initial and refresher training on its implementation by the APS staff in the course of its operations.
- General guidelines do not necessarily translate into the practices actually needed on the ground to protect personal data. Organisations must ensure that their policies and training are contextualised to their operational settings.
- Ongoing training on the organisation’s data protection obligations and the organisation’s data protection policies and procedures is key to fostering and maintaining a high organisational awareness of data protection concerns and to ensure that the data protection obligations under the PDPA are consistently understood and acted upon by employees.
- In assessing the reasonableness of security arrangements, the PDPC referred to the nature of the personal data leaked, the form of such data (electronic or hardcopy) and the potential impact; all of such factors could be found in the PDPC’s Advisory Guidelines on Key Concepts in the PDPA.
- Both Tigerair and SATS were found to have met their Protection obligation of the PDPA as they had express contractual provisions requiring their respective subcontractors to develop measures to protect personal data.
5. 31 May 2017: Furnituremart.sg (“FMSG”) – DIRECTIONS ISSUED TO FMSG
On 7 Nov 2016, the PDPC received a complaint that FMSG had issued an invoice to its customer (the Complainant) which had a separate invoice (“second invoice”) containing another customer’s personal data printed on the reverse side. The other customer’s personal data was thereby disclosed to the Complainant, comprising the following information:
- Customer’s surname;
- Home address;
- Delivery address;
- Telephone number; and
- E-mail address.
During PDPC’s investigation, it was found that FMSG’s procedure was to make three copies of every invoice for the following purposes: The first for FMSG’s filing, the second for the customer, and the third for the customer to sign and return to FMSG on delivery of the goods.
According to FMSG, all signed copies of invoices are supposed to be returned to its office, and subsequently destroyed by its staff on a daily basis. However, the returned invoice, in this case, was put in a printer feed tray, and re-used as printing paper for the complainant’s invoice.
To support its defense, FMSG provided the PDPC with a document entitled, “Policies and internal guideline [sic] for the protection of personal data of customers as at November 2016”. FMSG claimed that some of the policies set out in the document had already been implemented prior to Nov 2016.
FMSG admitted, however, that none of its staff had undergone any training on FMSG’s obligations under the Personal Data Protection Act 2012 (“PDPA”), and that no training had been conducted to explain FMSG’s own internal policies and guidelines to staff. FMSG claimed only that management had briefed staff on the internal policies and guidelines at an unspecified meeting.
The PDPC found that FMSG did not make reasonable security arrangements for the protection of personal data:
- FMSG’s data protection policy was formalised during the month that the data breach occurred and could have been formalised after the unauthorised disclosure took place;
- There was no evidence to show that steps had actually been taken to implement such policy prior to the breach; and
- Further, FMSG admitted that its staff had no training whatsoever regarding their data protection obligations.
The PDPC found that FMSG had breached its Protection Obligation under section 24 of the PDPA. The PDPC issued the following directions to FMSG:
- To review its policy for the protection of personal data in relation to its order fulfilment process;
- To develop procedures to ensure effective implementation of its data protection policy; and
- To conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data.
- An organisation has obligations with respect to personal data that it has collected and which it holds or controls. One such obligation is to put in place policies and measures to protect the personal data and to prevent unauthorised use, disclosure or alteration. Policies pertinent and adapted to the organisation’s business and processes ought to be crafted and disseminated to staff. Training on those policies, and their subsequent implementation, should be formally documented.
- It is also important for the management of a company to “buy-in” to adopting good data protection practices for the company. It is from this starting point – the management level – that the company’s policies and practices be formulated with data protection in mind. From there, such good data protection policies and practices can permeate down to and be adopted at the staff level of the company.
- Management has to actively supervise employees and take responsibility for creating a culture of security awareness.
- The PDPC took into account as mitigating factors that (i) the unauthorised disclosure was to a single person; (ii) the data disclosed was not sensitive; and (iii) there was no evidence that the disclosure resulted in actual loss or harm.