There were 2 PDPC enforcement actions published for Jan 2017. Details are as follows:


1.  JP Pepperdine Group Pte. Ltd. (“JPP”) – JPP FINED $10,000

On 25 Oct Jan 2015, the PDPC received a complaint that anyone could access the personal data of members who had joined JPP’s membership programme, either by entering a randomly chosen membership number on a web page designed by the third-party vendor Ascentis, or by leaving the search bar on JPP’s website empty and clicking search. This web page was only meant for internal use in a one-off promotion in 2013.

At the time of the investigation, JPP, which operates restaurants such as Jack’s Place and Eatzi Gourmet, had approximately 30,000 members. Personal data that was publicly accessible through the web page included members’ names, gender, marital status, nationality, race, NRIC/Passport number, date of birth, mobile phone number, home phone number, email addresses, residential addresses, and other membership account details.

The PDPC also found that Ascentis was not a data intermediary for JPP as there was no evidence that Ascentis processed any personal data on behalf of JPP.  Ascentis’s role was limited to designing the web page for JPP according to their instructions.

The PDPC found JPP in breach of Section 24 of the Personal Data Protection Act (PDPA), and imposed the S$10,000 financial penalty.  PDPC mentioned that the data breach could have been prevented or the impact reduced if JPP had ensured that:

  1. The web page was inaccessible to the public from the start;
  2. It had reviewed the information in its own membership brochures, at which point it would have realised that members of the public were being mistakenly redirected to the incorrect web page (intended for internal use) instead of JPP’s membership portal; or
  3. It had removed the web page once the 2013 event had ended.
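To make the failure concrete, here is an added illustration (not JPP’s or Ascentis’s code) modelling a member-lookup handler: the unauthenticated version answers any guessed membership number and dumps every record on an empty query, while the hardened version requires a login and only ever returns the record bound to that session. Member records, numbers and the release check are constructed for this example.

```python
# Added illustration, not code from the original page or from JPP/Ascentis.
# Models the two lookup weaknesses described in the decision and a hardened
# alternative. All names, numbers and records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample membership records (fictional people).
MEMBERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Tan", "nric": "S1234567A", "mobile": "91234567"},
    "1002": {"name": "B. Lim", "nric": "S7654321B", "mobile": "98765432"},
}

@dataclass
class Request:
    query: str                          # value typed into the search bar
    session_member: Optional[str] = None  # member id of the logged-in user

def lookup_internal_page(req: Request) -> List[Dict[str, str]]:
    """Pattern the decision describes: no authentication at all, any
    membership number returns that member, and an empty query returns everyone."""
    if req.query == "":
        return list(MEMBERS.values())
    rec = MEMBERS.get(req.query)
    return [rec] if rec else []

def lookup_member_portal(req: Request) -> List[Dict[str, str]]:
    """Hardened: caller must be authenticated and may retrieve only the
    record tied to their own session; empty queries never enumerate."""
    if req.session_member is None:
        raise PermissionError("authentication required")
    if req.query == "" or req.query != req.session_member:
        return []  # cross-member lookup refused, empty query returns nothing
    rec = MEMBERS.get(req.session_member)
    return [rec] if rec else []

def release_check() -> bool:
    """Pre-release test: the anonymous empty-search and guessed-number probes
    that exposed the records must yield nothing against the hardened handler."""
    for probe in (Request(query=""), Request(query="1002")):
        try:
            if lookup_member_portal(probe):
                return False
        except PermissionError:
            continue  # rejection before lookup is the expected outcome
    return True
```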

Takeaways

  1. Make sure that web pages, especially those which collect personal data, have adequate security controls designed or built into them. Furthermore, these web pages should be rigorously tested to ensure that personal data cannot be easily accessed by members of the public.
  2. Do not repurpose web pages designed for internal one-off purposes, especially web pages without proper security and access controls, for the collection, processing and storage of personal data for other uses.
  3. The onus of ensuring that personal data is protected always falls on the data owner. Security requirements should be agreed upon and included in the website designers’ initial scope of work, not added as an afterthought.

2.  Propnex Realty Pte Ltd (“PropNex”) – PROPNEX FINED $10,000

On 28 Dec 2015, the PDPC received a complaint from the Complainant in relation to the online publication of PropNex’s internal Do Not Call list containing the personal data of 1765 individuals (“PropNex DNC List”), including the Complainant and her sisters.

The personal data contained in the PropNex DNC List, such as names, mobile and home phone numbers, full or partial residential addresses and email addresses, was accessible online via a PDF of the list dated 29 Jul 2015.

The PDPC was notified after the Complainant and her sisters had been receiving marketing calls and messages from various telemarketers on their mobile phones despite no consent being given. After speaking to one of the telemarketers, the Complainant found out that her contact details were available online through the above-mentioned PDF.

The PDPC’s report disclosed that the PropNex DNC List was disseminated internally as a PDF file in the company’s Virtual Office System (“VOS”), which was only available to its agents and staff through authenticated login. However, there was no password security for the Propnex DNC List itself and the authentication for the VOS only worked for web pages and not documents such as PDF files.

Further, the VOS was intended to be used for the sharing and dissemination of forms and templates and not sensitive documents.  However, this was neither formally recorded nor communicated to PropNex’s employees.  As such, over time, this design limitation remained a vulnerability but was overlooked.
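The VOS gap described above, as an added illustration that is not PropNex’s code: a minimal request dispatcher in which the login check is wired only into the page handler, so a document URL requested directly is served without it, beside a version that enforces the check for every path, plus an audit that requests each stored path anonymously and reports any that comes back with 200. Paths, session tokens and file contents are constructed.

```python
# Added illustration, not code from the original page or from PropNex's VOS.
# Shows why authenticating "web pages" but not documents leaves files exposed,
# and the fix of enforcing one check at the dispatcher. Data is constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed content store: pages and one document that must stay internal.
FILES: Dict[str, str] = {
    "/vos/index.html": "<html>forms and templates</html>",
    "/vos/forms/lease.docx": "lease template",
    "/vos/docs/dnc_list.pdf": "INTERNAL: names, phones, addresses",
}
VALID_SESSIONS = {"agent-session-1"}  # constructed session token

Response = Tuple[int, str]
Handler = Callable[[str, Optional[str]], Response]

def is_authenticated(session: Optional[str]) -> bool:
    return session in VALID_SESSIONS

def serve_page_only_auth(path: str, session: Optional[str]) -> Response:
    """Pattern the decision describes: the login check lives in the page
    handler, while documents are served straight from the file store."""
    if path.endswith(".html") and not is_authenticated(session):
        return 302, "redirect to login"
    body = FILES.get(path)
    return (200, body) if body is not None else (404, "")

def serve_all_paths_auth(path: str, session: Optional[str]) -> Response:
    """Hardened: a single check at the dispatcher covers every path under
    /vos/, so a typed or forwarded document URL is not enough to fetch it."""
    if path.startswith("/vos/") and not is_authenticated(session):
        return 302, "redirect to login"
    body = FILES.get(path)
    return (200, body) if body is not None else (404, "")

def unauthenticated_leaks(handler: Handler) -> List[str]:
    """Audit: request every stored path with no session and list any that is
    returned with 200. A non-empty list means the auth boundary has gaps."""
    return [p for p in FILES if handler(p, None)[0] == 200]
```

Running the audit against a system's real route table, rather than this constructed store, is the check that would have surfaced the VOS design limitation before it was overlooked.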

The PDPC imposed a S$10,000 financial penalty on PropNex after finding that it failed to take reasonable security measures to protect the personal data in its possession and was in breach of Section 24 of the PDPA.

Takeaways

  1. Organisations are to ensure that documents containing personal data are at least password protected, if not encrypted.
  2. Organisations have to understand design limitations of any systems, especially file sharing systems, before implementation, so as to be aware and to prevent any potential data breach vulnerabilities from occurring.
  3. Employees should always be trained and kept up to date on how to use any system an organisation implements and things which they need to avoid doing. This training should also be formally recorded.
