There were 5 PDPC enforcement actions published from Jun 2017 to Jul 2017. Details are as follows:
1. 20 Jun 2017: DataPost Pte Ltd (“DPL”) – DPL FINED $3,000 AND ISSUED WITH DIRECTIONS
DataPost Pte Ltd (“DPL”) printed and mailed out financial statements relating to the Overseas-Chinese Banking Corporation Ltd’s (“OCBC”) Supplementary Retirement Scheme (“SRS”) to OCBC’s customers. One customer (“the recipient”), however, discovered that she had received two additional SRS statements belonging to two other OCBC customers, in addition to her own SRS statement. The following information was disclosed in the SRS statements:
- Cash balance; and
- Types, quantity, and valuation of asset holdings.
OCBC alerted the PDPC to the incident, and informed that the recipient had received the additional SRS statements on or about 17 June 2016.
According to DPL’s internal investigations, the data breach was caused by human error on the part of the operator on duty on 4 May 2016. DPL’s findings were that the operator manually checked the first envelope generated by the test run, but mistakenly concluded that the three statements contained therein all belonged to the same person. With the mistaken belief that the three statements belonged to the same individual, the second and third layers of checks were then bypassed, and the envelope was sent out without anyone realising that it contained two extra statements.
The print cycle also created a risk of unauthorised or unwanted disclosure, as the first three statements of a print cycle would always be placed in a single envelope by the printing machine.
While DPL had data protection policies and processes in place, the PDPC is of the view that the processes in place did not meet the reasonable standards expected of DPL. There were two main issues with DPL’s processes:
- Significant risk of the first envelope containing the statements of more than one individual (which may subsequently lead to an unauthorised disclosure of personal data); and
- Too much reliance on the operator to ensure that the first batch of statements were correctly sorted out and separated into the different envelopes, before sending out.
The PDPC found DPL’s processes to be inadequate given the sensitivity of the personal data involved and that it was incumbent on DPL to ensure that its QC measures could not be so easily bypassed. The PDPC also found that simple additional precautions would have led to the breach being avoided.
For the reasons above, the Commission found that DPL had not put in place adequate security arrangements to protect personal data. Accordingly, the Commission found DPL in breach of section 24 of the PDPA and imposed a financial penalty of S$3,000 on DPL, as well as the following directions:
- Conduct a review of its internal working procedure relating to data printing and enveloping operations, in particular to tighten the application of quality control checks;
- Improve the training of all operators and quality checkers involved in its printing and enveloping operations; and
- Review its personal data protection policy to determine if it needs to be updated to suit its current operations.
- Do not place too much reliance on an individual to ensure that errors do not occur;
- An organisation needs to put in place a proper system of checks and supervision over an individual’s actions or any process;
- The PDPC found that financial information is particularly sensitive in nature; this was a significant aggravating factor, which warranted a financial penalty as a matter of general deterrence.
2. 20 June 2017: Hazel Florist & Gifts Pte Ltd (“Hazel”) – WARNING ISSUED
Sometime in August 2016, Hazel delivered a gift hamper to the Complainant. On unwrapping the gift hamper, the Complainant discovered that order forms (the “Order Forms”) had been used as fillers to cover the bottom of the hamper he received. The personal data of other individuals was clearly visible on these Order Forms. The Complainant complained of this disclosure of personal data by Hazel to the PDPC on 5 September 2016.
It was found that personal data of approximately 24 unique individuals were either written or printed on the Order Forms that were disclosed to the Complainant. The personal data visible in the Order Forms were the names, delivery addresses, and telephone numbers of the recipients and the reasons the gift hampers were ordered for the recipients.
During the PDPC’s investigation, it was discovered that Employee Y, a recent hire who had been on the job for only about a month, was tasked to pack the Complainant’s gift hamper. The Designated Filler Material for the hampers, which was kept at an allocated area, had run out while Y was wrapping the Complainant’s gift hamper. Order Forms were not Designated Filler Material. Y nevertheless took the Order Forms, which were placed in a box within the Production Department’s workspace, and used them as fillers for the Complainant’s gift hamper instead. The Order Forms in this box were easily accessible to any of Hazel’s employees; they related to orders for gift hampers or floral bouquets that the Production Department had already packed or arranged, and were meant to be disposed of.
Once Y finished packing the Complainant’s gift hamper, another employee tasked to perform quality control checks ensured that the hamper contained the items ordered. However, it would have been impossible to check what filler material was used for the Complainant’s gift hamper as the filler material was covered with an opaque sheet.
After investigations, the PDPC found that Hazel was not in compliance with the Protection Obligation under Section 24 of the PDPA as Hazel failed to implement reasonable security arrangements that protected the personal data found in the Order Forms from unauthorised disclosure through Y’s use of Order Forms as fillers. Hazel’s instruction to its employees to only use Designated Filler Material for packing gift hampers without any accompanying measures reasonably ensuring that the instruction was carried out by its employees did not satisfy the protection obligation.
While the PDPC noted that data protection training could serve as a security arrangement, Hazel did not provide any data protection training and only communicated its instruction on the use of Designated Filler Material to its employees through on-the-job training, which was not designed to include training on data protection. This lack of training and supervision while on the job showed in Y’s clear lack of awareness of the importance of data protection, as anyone with a basic idea of the importance of protecting personal data would not have used the Order Forms as packing material.
The PDPC noted that while Hazel had in place a Data Protection Policy, the Data Protection Policy merely restated Hazel’s data protection obligations in very general terms and did not provide Hazel’s employees with specific practical guidance on how to handle personal data in their day-to-day work or how to comply with section 24 of the PDPA.
Hazel has taken the following remedial actions to help prevent the disclosure of personal data found in Order Forms in the future:
- Reminders not to use documents containing personal data of customers as packaging materials and to only use designated packaging materials have been posted at all employee workspaces;
- Meetings and group discussions were held with employees to emphasise the above reminders;
- Limiting access to the box containing Order Forms meant for disposal to only authorised employees by securing it with a lock; and
- Hazel is revising its Order Forms so that the forms will only state the delivery address, the date and time of delivery, and the product code.
In view of the fact that personal data of limited sensitivity was disclosed to only one person, that Hazel has taken the necessary remedial actions, and that Hazel was co-operative during the investigation, the Commission decided to issue a Warning to the Organisation for the breach of its obligations under section 24 of the PDPA.
- Merely training an employee on her work/operational role does not constitute a security arrangement. Data protection training and constant supervision for employees who come into contact with personal data is a must for all organisations;
- An organisation’s Data Protection Policy has to provide the organisation’s employees with specific practical guidance on how to handle personal data in their day-to-day work or how to comply with the PDPA. The Data Protection Policy must be explained clearly to the employees so that the employees understand what is required of them under the Policy; and
- Be fully co-operative during PDPC investigations.
3. 12 June 2017: Exceltec Property Management Pte Ltd (“Exceltec”), Management Corporation Strata Title Plan No 2956 (“MCST 2956”) and Strata Land Property Consultants Pte Ltd (“Strata Land”) – NO BREACH OF THE PDPA
Although the three cases involve different residents and managing agents of condominiums, the facts of the three cases are substantially similar and the legal issues involved are identical. Therefore, this consolidated decision is issued for the three cases.
This decision arises from three separate cases involving Management Corporations Strata Title (“MCSTs”) and managing agents (collectively, the “Organisations”) of condominiums posting documents containing the personal data of subsidiary proprietors (hereinafter referred to as “residents”) on notice boards. The nature of the complaints was that these disclosures of personal data infringed the Personal Data Protection Act 2012 (“PDPA”).
Summaries of the 3 complaints are listed in the table below:
| No. | Relevant parties | Documents Involved | Personal Data Involved | Nature of Complaint |
|---|---|---|---|---|
| 1 | | (1) Draft minutes of meeting; (2) Voter list | (1) Names and unit numbers; (2) Names, unit numbers, and voting shares | Disclosure of personal data without notification or consent. |
| 2 | | Voter list | Names and unit numbers | Duration of the disclosure of personal data was for longer than necessary. |
| 3 | | Voter list | Names, unit numbers, and voting shares | – Disclosure of personal data without notification or consent. – Duration of the disclosure of personal data was for longer than necessary. – Disclosure of personal data ought not to be made on multiple notice boards. |
There are two data protection obligations under the PDPA that are relevant to the disclosures that were made by the Organisations – the Consent Obligation and Notification Obligation.
Based on the Organisations’ representations to the PDPC, they had not notified their respective residents of the purpose of the disclosure of the voter lists or minutes of meeting, nor did they obtain the residents’ consent to disclose their personal data.
However, Section 13(b) of the PDPA provides for an exception to the need for consent to be obtained – it states that an organisation shall not disclose personal data unless the disclosure without the consent of the individual is required or authorised under the PDPA or any other written law. In the present case, the other written law in question is the Building Maintenance and Strata Management Act (Cap. 30C) (Rev. Ed. 2008) (“BMSMA”).
Hence, the PDPC found that the disclosures made by the Organisations of the residents’ names in the voter lists were in compliance with the Consent Obligation and Notification Obligation, pursuant to Paragraph 7 of the First Schedule of the BMSMA.
Accordingly, the PDPC also takes the view that the names, unit numbers, and voting shares of the residents (which are, for all intents and purposes, the same as the share value of the apartment) are publicly available information under the PDPA and there was no need for the Organisations to obtain consent from the residents or provide prior notification to the residents before the Organisations disclosed the names, unit numbers, and voting shares of the residents.
In light of the above, the PDPC is of the view that the above exceptions are applicable, and that the Organisations are in breach of neither the Consent Obligation nor the Notification Obligation in respect of the residents’ personal data.
As to the complaint that the Organisations had disclosed personal data for longer than necessary, the PDPC considered that, since the voter list is intended to establish both the persons who are entitled to attend and vote at the meeting and the share value or voting rights of each of those persons, it stands to reason that the voter list may be displayed on the notice board for as long a duration as the minutes of meeting. The PDPC bore in mind that the minutes of meeting must be displayed for at least 14 days. Taking this minimum display period as the basis for comparison, it is the PDPC’s view that keeping the voter list posted on the notice board for 2 months is not an unduly protracted period.
In this case, for the reasons above, the PDPC finds that MCST 2956 and Strata Land are not in breach of the PDPA in respect of the duration of the disclosures that were made.
The final issue concerned whether the voter lists could be displayed on multiple notice boards of the condominium. The PDPC ruled that there are no restrictions under the PDPA on the voter list being disclosed on multiple notice boards. Accordingly, Strata Land is not in breach of the PDPA for disclosing the voter list on multiple notice boards.
In conclusion, the PDPC determined that the Organisations have not breached the Consent and Notification Obligations under the PDPA in relation to the disclosure of personal data in the voter lists and minutes of meeting, and has decided to take no further action in respect of the complaints made.
- Any personal data recorded in minutes should be relevant to the proceedings and necessary to ensure a full and accurate record of the conduct of the meeting. In a case where personal data is disclosed without being in any way relevant to the agenda of the meeting, the PDPC may take the appropriate enforcement action;
- MCSTs and managing agents should generally keep the voter list and minutes of meetings that contain personal data on notice boards for only a reasonable period of time. Good data protection practices dictate that the extent and the length of exposure of personal data should be minimised as far as possible, even if the disclosure is, in and of itself, permitted under the PDPA;
- There are no restrictions to the voter list being disclosed on multiple notice boards under the PDPA.
4. 29 Jun 2017: THE MANAGEMENT CORPORATION STRATA TITLE PLAN NO. 3696 (“MCST 3696”) AND EAGLE EYE SECURITY MANAGEMENT SERVICES PTE LTD (“Eagle Eye”) – WARNINGS ISSUED TO BOTH ORGANISATIONS
On or around Dec 2015, the PDPC had previously investigated a complaint in relation to the failure by a security company to safeguard the visitor logbook of Prive Executive Condominium (the “Condominium”), which contained personal data of the visitors. The security company, Spear Security Force Pte. Ltd., was found in breach of Section 24 of the Personal Data Protection Act 2012 (“PDPA”) for leaving the logbook unattended and failing to institute reasonable protection for said logbook.
A similar breach took place again at the Condominium. This time round, the breach took place under another security company, Eagle Eye, which was engaged by MCST 3696, for its security services.
The incident took place in the evening of 16 Oct 2016. The Complainant had observed that a logbook that was placed on a table next to the gantry into the Condominium was left unattended. The Complainant subsequently took photographs to show that the logbook was left open on the table and unattended by the security guards. These photographs were sent to the PDPC for its investigation.
The logbook was used to record the attendance and details of the coaches who conduct swimming lessons at the Condominium. The logbook would therefore contain the dates and times of entry into the Condominium and the NRIC numbers of the coaches.
Based on the PDPC’s investigation, there was no security guard attending to the logbook from the hours of 8 pm to 10.30 pm. There was supposed to be a night-shift security guard to be stationed at the table where the logbook was located, but the guard had reported ill that evening, and his replacement had only arrived for duty at 10.30 pm. Accordingly, the only security guards that were in the vicinity from 8 pm to 10.30 pm were the security guards that were stationed at the guardhouse, away from the gantry.
Although the security guards were stationed at the guardhouse, Eagle Eye claimed that they were within close proximity of the logbook, and keeping an eye whilst in the guardhouse.
MCST 3696 and Eagle Eye also claimed that the security guards had previously been specifically instructed to close the logbook when not in use and to keep the book in the guardhouse if no security guard was stationed at the table. Additionally, they claimed that these security guards were reminded to exercise due care and diligence to safeguard personal data, were advised on the PDPA, and were warned about the severity of penalties for disclosure of personal data.
Following the data breach incident, MCST 3696 and Eagle Eye had removed the table at the Condominium gantry so that all visitor registrations would only be done at the guardhouse. This was to ensure that the logbook was kept in the guardhouse at all times.
The recording and safekeeping of the logbook were activities that fall under the definition of “processing” of personal data under Section 2(1) of the PDPA. Given that MCST 3696 had engaged Eagle Eye to carry out such services (as part of the overall security services), Eagle Eye was a data intermediary to MCST 3696 (the organisation) in relation to the handling and safekeeping of the logbook.
As an organisation, MCST 3696 has the primary role and duty to protect personal data in its possession or control under Section 24 of the PDPA. MCST 3696 held the primary role and duty to protect personal data, even though it had engaged a data intermediary to protect the personal data as well. This principle has been elucidated previously in the case of The Cellar Door Pte Ltd and Global Interactive Works Pte. Ltd. As for Eagle Eye, although it has fewer obligations to meet under the PDPA, it still needs to protect personal data in its possession under Section 24 of the PDPA. While Eagle Eye had a data protection policy in place, the policy was spartan in terms of the policies that govern the protection of the logbook and did not elaborate further on how these may be translated into actual practices or processes to protect the logbook.
In relation to Eagle Eye, the PDPC found Eagle Eye to be in breach of its obligations under Section 24 of the PDPA.
With regards to MCST 3696, it had the primary and shared responsibility with Eagle Eye to protect personal data.
The need to meet this primary responsibility ought to have been drawn into sharp focus for MCST 3696, as this was not the first time that the hired security guards of the Condominium had left the logbook unattended. However, MCST 3696 had failed to meet this primary responsibility to protect personal data. As mentioned above, the Commission found a lack of adequate policies and processes in place to protect personal data. Next, it was already established above that there was no system in place at the Condominium for the safekeeping of the logbook at all times. Additionally, it would appear that the only thing MCST 3696 did was to remind the security guards at the meeting to secure the logbook, which fell far short of providing supervision and oversight for the protection of personal data.
Given the MCST 3696’s failure to provide that supervision and oversight to ensure the security of the personal data in the logbook, the PDPC finds MCST 3696 to also be in breach of Section 24 of the PDPA.
In view that Eagle Eye and MCST 3696 have taken reasonably adequate steps to remedy the lapses, during the course of the investigations, the PDPC has decided not to impose any directions against them. Instead, the PDPC has decided to issue a Warning against Eagle Eye and MCST 3696 for the breach of their respective obligations under Section 24 of the PDPA.
- NRIC numbers are generally considered to be of a sensitive nature, as they are widely used for business purposes and transactions with the government, and could be used to cause harm should such information fall into the wrong hands;
- It is not enough for an organisation to simply provide instructions to employees on how to safekeep personal data. Without having actual processes or practices in place to protect personal data, any organization’s instructions are but empty instructions with little effect. Without having written policies or practices, it would be difficult to promulgate the policies or practices effectively to the employees and staff of the organisation;
- An organisation has to ensure that its policies are contextualised to its operations, so that they are pertinent and relevant to the organisation’s work or operations on the ground, and meaningful and useful to employees in the context of their work or responsibilities; and
- Taking reasonably adequate steps to remedy the lapses that led to a data breach might result in a less severe enforcement action for the organisation (a warning instead of directions issued against the organisation).
5. 6 Jul 2017: Orchard Turn Developments Pte. Ltd. (“OTD”) – FINED $15,000 AND ISSUED WITH DIRECTIONS
OTD is the property manager of ION Orchard, a retail mall in Singapore. OTD runs the ION+ Rewards Loyalty Programme (“ION’s Loyalty Programme”), which awards its members points based on their purchases made at the mall. Super e-Management Limited (“Super-E”), a Hong Kong-based IT service provider, manages the IT system for ION’s Loyalty Programme.
In this case, the Complainant received two unauthorised emails, purportedly sent by the OTD promoting “free” ION+ Reward points. Investigations discovered that an unknown perpetrator had gained unauthorised access to a server that held personal data of the OTD’s members. The perpetrator then used an application on the compromised server to send the unauthorised emails to the OTD’s members using their personal data that was held in the server.
In order to send email updates to its subscribers, OTD would transfer a subscriber list containing personal data of the OTD’s subscribers to the EDM server automatically every day. OTD would then send these emails through a web application hosted on the EDM server (“EDM Application”), which was configured to allow access to users with an administrative account (“admin account”). After OTD had sent out the emails, personal data of the subscribers were not purged but were instead retained on the EDM server. The personal data set that was stored on the EDM server comprised a subscriber’s name, email address, birthdate, and membership registration date.
On 26 Dec 2015, an unknown perpetrator gained unauthorised access to the EDM Application using valid admin account credentials to access the subscriber list. The perpetrator then crafted unauthorised emails, which looked like genuine emails from OTD, promoting “free” ION+ Reward points (the “Phishing Emails”), before proceeding to send these Phishing Emails out to 24,913 subscribers, slightly over half the entire subscriber pool. If a subscriber made any selections, the subscriber would be directed to further advertisement pages which might request the subscriber’s personal data, such as the subscriber’s mobile phone number or email address.
Subsequently, Super-E received an alert from the EDM server and discovered that an Internet Protocol address (IP address) from Egypt had successfully logged into the system, and had sent out the Phishing Emails to OTD’s subscribers. After discovery of the data breach, Super-E disabled the EDM server to prevent further dispatches of Phishing Emails to OTD’s subscribers. On 27 and 29 Dec 2015, OTD sent emails to the affected subscribers informing them of the Phishing Emails that had been sent.
OTD also engaged KPMG Services Pte. Ltd. (“KPMG”) to conduct an investigation into the data breach incident. KPMG found that the cause of the incident appeared to be “an unauthorised access using ‘admin’ credentials via the EDM application” as well as several issues with the security of the EDM server, i.e. the operating system of the EDM server was not patched or hardened, thus exposing the EDM server to potential exploitation. In all, it was revealed that the EDM Application had 24 known vulnerabilities that could be exploited.
The PDPC also identified other issues concerning the security of the members’ personal data. Foremost of them was the absence of policies or practices to safeguard the admin account passwords. Additionally, there should not be a sharing of credentials amongst users. When credentials are shared among multiple users, it is difficult to ensure accountability as it is difficult to track the activity of each individual using the common set of credentials.
In view of all of the relevant facts and circumstances, the Commission finds that OTD did not make reasonable security arrangements to protect personal data and is in breach of section 24 of the PDPA and ordered OTD to pay a financial penalty of S$15,000 as well as issued the following directions to OTD:
- within 60 days from the date of the PDPC’s direction, to:
  - patch all the system vulnerabilities identified in the KPMG Reports dated 8 March 2016 and 19 April 2016;
  - conduct a penetration test on the Internet-facing portion of the system and rectify weaknesses that have been identified; and
  - implement a password management policy and conduct training for staff on password management best practices;
- by no later than 14 days after the above actions have been carried out, OTD shall submit to the PDPC a written update providing details on (i) the results of the penetration test; (ii) the measures that were taken by the Organisation to patch all system vulnerabilities; and (iii) the password management policy and the training.
- Do not retain any personal data online or on a server once it is not needed. The longer unneeded personal data is retained, the higher the risk of online attacks and external threats and breaches occurring. This can be addressed by way of an appropriate retention policy and/ or sufficient IT hardening measures.
- Once a server is known to hold or process personal data, an organisation has obligations to protect the personal data by ensuring that the personal data in transit to and from the server, and the personal data held at rest in the server, are adequately protected.
- Organisations have to put in place proper password management practices and policies, which encompass the regular changing of admin account passwords and the prohibition against sharing admin account credentials amongst multiple users. This is also supported by foreign authorities.
- Patching is one of the common tasks that all system owners have to perform in order to keep their security measures current against external threats. The failure to patch applications and systems regularly was a failure to protect against known system vulnerabilities.
- By adopting a data protection-by-design approach, it is conceivable that no more than modest enhancements would be necessary to meet the standards expected for compliance with the PDPA’s Protection Obligation.
- The fact that the Organisation was generally cooperative and forthcoming in providing timely responses to the PDPC and that the Organisation took prompt remedial action after being alerted to the data breach incident was taken into consideration.
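The OTD decision turns on two controls the EDM server lacked: the subscriber list was kept on the server after each send, and the only way in was a shared “admin” login that could not be tied to a person. The Python model below is an added example, not code from the decision or from OTD’s or Super‑E’s systems; the server class, the 24‑hour retention window, the blocked account names and the subscriber records are all constructed for this illustration. It purges the list as soon as the send completes, has a scheduler-driven retention check as a safety net for lists that are never sent, and refuses generic account names so every load, send and purge in the audit trail names an individual.

```python
"""Added example, not part of the PDPC decision or OTD's/Super-E's systems.

Models the two failings in the OTD case: personal data left on a mailing
(EDM) server after use, and a shared 'admin' login with no accountability.
All names, records and policy values here are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed subscriber records with the same fields the decision lists
# (name, email address, birthdate, membership registration date).
SAMPLE_SUBSCRIBERS = [
    {"name": "Alice Tan", "email": "alice@example.test",
     "birthdate": "1985-03-02", "registered": "2014-06-01"},
    {"name": "Bob Lim", "email": "bob@example.test",
     "birthdate": "1990-11-20", "registered": "2015-01-15"},
]

# Hypothetical policy: generic accounts cannot act; a named person must.
SHARED_ACCOUNT_NAMES = {"admin", "administrator", "root"}


@dataclass
class AuditEntry:
    when: datetime
    actor: str      # a named individual (or the scheduler), never 'admin'
    action: str
    detail: str


@dataclass
class EdmServer:
    """Toy EDM server: keeps the daily subscriber list only until the send
    completes or the retention window lapses, and logs who did what."""
    retention: timedelta = timedelta(hours=24)   # constructed policy value
    subscribers: List[dict] = field(default_factory=list)
    loaded_at: Optional[datetime] = None
    audit: List[AuditEntry] = field(default_factory=list)

    def _check_actor(self, actor: str) -> None:
        if actor.strip().lower() in SHARED_ACCOUNT_NAMES:
            raise PermissionError(
                f"'{actor}' is a shared account; use a named admin account")

    def _log(self, actor: str, action: str, detail: str, now: datetime):
        self.audit.append(AuditEntry(now, actor, action, detail))

    def load_subscribers(self, actor: str, records, now: datetime) -> None:
        self._check_actor(actor)
        self.subscribers = list(records)
        self.loaded_at = now
        self._log(actor, "load", f"{len(self.subscribers)} records", now)

    def send_campaign(self, actor: str, subject: str, now: datetime) -> int:
        self._check_actor(actor)
        sent = len(self.subscribers)
        self._log(actor, "send", f"{sent} emails: {subject}", now)
        self.purge(actor, now)   # the list is not needed once the send is done
        return sent

    def purge(self, actor: str, now: datetime) -> None:
        removed = len(self.subscribers)
        self.subscribers = []
        self.loaded_at = None
        self._log(actor, "purge", f"{removed} records removed", now)

    def enforce_retention(self, now: datetime) -> bool:
        """Safety net run by a scheduler: a list that outlives the retention
        window (e.g. a send job that never ran) is purged without a person."""
        if self.loaded_at is not None and now - self.loaded_at > self.retention:
            self.purge("scheduler", now)
            return True
        return False

    def actors_for(self, action: str) -> List[str]:
        return [e.actor for e in self.audit if e.action == action]


def run_daily_send():
    """Normal path: load, send, and confirm nothing is left on the server."""
    t0 = datetime(2015, 12, 26, 9, 0, tzinfo=timezone.utc)
    srv = EdmServer()
    srv.load_subscribers("jane.ops", SAMPLE_SUBSCRIBERS, t0)
    sent = srv.send_campaign("jane.ops", "Rewards update", t0 + timedelta(hours=1))
    return sent, srv.subscribers, srv.actors_for("send"), srv.actors_for("purge")


def stale_list_is_purged() -> bool:
    """A list loaded but never sent is cleared once the retention window lapses."""
    t0 = datetime(2015, 12, 26, 9, 0, tzinfo=timezone.utc)
    srv = EdmServer()
    srv.load_subscribers("jane.ops", SAMPLE_SUBSCRIBERS, t0)
    purged = srv.enforce_retention(t0 + timedelta(hours=25))
    return purged and srv.subscribers == [] and srv.actors_for("purge") == ["scheduler"]


def shared_account_rejected() -> bool:
    """The generic 'admin' login cannot load data, so it never appears in the audit log."""
    srv = EdmServer()
    try:
        srv.load_subscribers("admin", SAMPLE_SUBSCRIBERS, datetime.now(timezone.utc))
    except PermissionError:
        return not srv.audit
    return False


if __name__ == "__main__":
    print(run_daily_send())
    print(stale_list_is_purged(), shared_account_rejected())
```

The purge inside `send_campaign` is the retention-policy point from the first lesson above; `enforce_retention` covers the case where no send ever happens. The `_check_actor` gate is the accountability point: with shared credentials, an audit log can only ever say “admin”, which is exactly the tracking problem the PDPC describes.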