Please find a summary of PDPC enforcement actions for the period Oct to Nov 2016 below:


1.  4 Nov 2016: My Digital Lock Pte. Ltd. (“MDL”) –  WARNING

On 4 Jan 2016, the PDPC received a complaint that MDL’s director had disclosed personal data by posting publicly viewable screenshots of the Complainant’s WhatsApp conversations with MDL’s director (including his personal mobile number and residential address) on MDL’s director’s Facebook page.  MDL is a seller of digital locks and doors.

MDL and the Complainant were involved in legal proceedings concerning remarks made by the Complainant about alleged defects of a gate bought from MDL.  MDL claimed that, in order to send screenshots of the Complainant’s WhatsApp conversations (containing the Complainant’s Personal Data) to MDL’s lawyer in connection with the Court proceedings, MDL’s director had posted the screenshots on Facebook, which was fully accessible by the public, but that they were removed within an hour.

MDL’s director responded that the Complainant’s Personal Data was disclosed in his personal or domestic capacity, that the Personal Data he disclosed was publicly available data, and that it was disclosed pursuant to investigations and proceedings.

The PDPC held that the manner and the mode which MDL’s director used to transfer personal data was ‘wholly inappropriate’. Even though the screenshots were removed within an hour, the PDPC found that there was a ‘substantial risk’ that the Complainant’s personal data would be viewed. The PDPC also held that as MDL’s director was acting in the course of his employment when he disclosed the Complainant’s personal data, MDL was also deemed to have taken part in the disclosure of the personal data. MDL was issued with a Warning for breaching its obligations under Sections 13 (Consent Required) and 24 (Protection of Personal Data) of the PDPA.

The takeaway is that one should not use social media platforms to transfer personal data, and that there should be adequate security arrangements in place to prevent unauthorised access or interference when transferring personal data (e.g. access controls or password-protected access, rather than a social media platform that is available to the public at large).


2.  4 Nov 2016: Smiling Orchid (S) Pte Ltd (“Smiling Orchid”), T2 Web Pte Ltd (“T2”), Cybersite Services Pte Ltd (“Cybersite”) and East Wind Solutions Pte Ltd (“Eastwind”) – SMILING ORCHID FINED $3,000, T2 AND CYBERSITE ISSUED ADVISORY NOTICES AND EASTWIND NOT INVOLVED

On 24 Nov 2014, the PDPC received a complaint in relation to the failure of Smiling Orchid, a food caterer, to put in place reasonable security measures on its website to prevent disclosure of its customers’ personal data.

Smiling Orchid owns the rights to two different domains, namely, smilingorchid.com and smilingorchid.com.sg.  Customers can place orders for Smiling Orchid’s bakery and catering services through its website.

On 1 Aug 2014, the Complainant placed an order on Smiling Orchid’s website for a workplace event.  On or around 10 Nov 2014, the Complainant did a random search of his full name on www.yahoo.com.sg and among the search results was a URL link to a website containing details of the Complainant’s Order, including his full name, residential address, mobile number, workplace address and workplace email address.

On 11 and 18 Nov 2014, the Complainant reported the data breach incident to Smiling Orchid but did not receive any response. Thereafter, the Complainant lodged a complaint with the PDPC.

T2 is a web design and development company and was engaged by Smiling Orchid on 29 Jul 2008 to design the Smiling Orchid webpage and build a Content Management System (“CMS”) to manage Smiling Orchid’s bakery and catering content on its website.  T2 created the design and HTML code but outsourced the development of the entire CMS to a freelancer, who in turn subcontracted the actual development of the CMS to “developers based in China”. There are no records available about (i) how the CMS was tested by the developer; or (ii) systematic acceptance tests done by the respective contractor.

Cybersite was the domain and website hosting provider for Smiling Orchid from 3 April 2014 to 3 April 2016 and had the personal data of Smiling Orchid’s customers stored on its servers in Singapore. Since 24 April 2015, Smiling Orchid has changed its hosting provider and T2 has been hosting Smiling Orchid’s website via Pozhub Solutions Pte Ltd, but Cybersite continued to host the domain name.

East Wind is the new IT service provider to Smiling Orchid, engaged after the occurrence of the data breach to help Smiling Orchid with the basic security and protection of its portal and infrastructure.

After the PDPC’s investigations, Smiling Orchid was fined $3,000 for being in breach of the Protection Obligation of the PDPA and was directed to, among other things, put in place security arrangements for the new website to protect the personal data that was collected, or may be collected, by Smiling Orchid, conduct a web application vulnerability scan of the new website, and patch all vulnerabilities identified by that scan.

The PDPC also issued advisory notices to T2 and Cybersite, while East Wind was found not to be involved in any way at the material time.

Although Smiling Orchid is an SME without internal IT knowledge and expertise, as an organisation under the PDPA it is ultimately responsible for protecting the personal data in its possession, even though it had outsourced the hosting, support and maintenance of its online ordering system and corporate website. The PDPC found that Smiling Orchid “had not even considered” that it was required to implement reasonable security measures to protect the personal data under its control. Next, even though it had two domains under its control, it had only taken remedial action with regard to one of them.

The PDPC also found that data controllers that engage service providers to act as data intermediaries or processors must be clear about the extent of the services that such service providers are to provide. This would mean that any reasonable security measures would have to be clearly stipulated in the contract between the data controller and the service provider.


3.  24 Nov 2016: Jump Rope (Singapore) – WARNING

The Complainant in this case was a former employee of Jump Rope, a non-profit society which provides training on the sport of rope skipping to Singapore schools.

The Respondent alleged that the Complainant had breached his contract of employment with them. As a result, the Respondent terminated the Complainant’s employment and revoked his certification which he had received from the Respondent.

The President of the Respondent then decided to send an email to about 30 Singapore schools informing them that the Complainant (whose name and NRIC were stated in the email) had been blacklisted and that his employment and certification had been revoked. The Respondent stated that its intent in doing so was to notify the schools to help them decide whom to engage as a rope skipping instructor.

It is clear that consent for disclosure of the Complainant’s personal data in an email communicating that he had been blacklisted was not obtained. This is not a case where consent was obtained earlier in time when he was first employed, and there is no evidence to show that the Complainant was notified of, or gave consent to, the disclosure, whether before or after the Complainant had been disciplined and dismissed. In a suitable case, there can be valid business or legal reasons for the blacklisting to be disclosed in order to warn the Respondent’s clients, notwithstanding that it may contain some personal data about the Complainant. It may not be desirable to expect organisations to obtain consent from the person(s) who are the subject of the disciplinary action, dismissal and blacklisting, as consent is unlikely to be forthcoming in all cases. However, the organisation should still comply with the neighbouring obligations of consent, namely the notification obligation and the purpose limitation obligation. This means disclosing the blacklist containing the former employee’s personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and notifying the former employee about the disclosure to be made.

The PDPC held that this disclosure by the Respondent failed to meet the requirement of reasonableness. In the absence of evidence that the Complainant’s post-employment conduct had put the Respondent’s trade reputation or potential clients at risk, the Respondent’s measure of writing to name and shame the Complainant was not an appropriate or reasonable step to take. The PDPC also did not find any business or legal reasons that justified the Respondent’s actions in writing to its clients to inform them of the blacklisting.

The PDPC decided to issue a warning to the Respondent. It considered that, given the potential adverse effect or consequence on the Complainant from the disclosure of such information to third parties, in particular the impact on future engagements of the Complainant’s services for jump rope activities, the Respondent ought to have taken extra care and precautions in relation to the protection and disclosure of the Complainant’s personal data.

A warning was deemed adequate as the disclosures were made to a small number of Government schools, the disclosed Personal Data was limited, and the Respondent had been co-operative and forthcoming with the PDPC in its investigations.

