_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,186,186,1,952,Credit Bureau (Singapore) was not found to be in breach of the PDPA in relation to the information contained in its Enhanced Consumer Credit Report.,"[""Not in Breach"", ""Finance and Insurance""]",2018-05-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Credit_Bureau_Singapore_140518.pdf,,No Breach of Accuracy and Retention Obligations by Credit Bureau Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/no-breach-of-accuracy-and-retention-obligations-by-credit-bureau-singapore,2018-05-14,"PERSONAL DATA PROTECTION COMMISSION Case No DP-1707-B0946 [2018] SGPDPC [14] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Credit Bureau (Singapore) Pte Ltd … Organisation DECISION Credit Bureau (Singapore) Pte Ltd [2018] SGPDPC [14] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0946 14 May 2018 Background 1 This complaint concerns the accuracy and retention of the Complainant’s personal data by Credit Bureau (Singapore) Pte Ltd (“the Organisation”). The Organisation is a consumer credit bureau. It aggregates credit-related information from its participating members. The risk profiles of individuals are presented in its Enhanced Consumer Credit Report (“ECCR”). 2 The Complainant had a bankruptcy application taken out against him in June 2012. The bankruptcy application was withdrawn by the creditor in July 2012. The Complainant was given a “HX” risk grade in his ECCR. A “HX” risk grading meant that there could be a past or existing bankruptcy record associated with the Complainant. 
The Complainant felt that a “HX” risk grading was inaccurate as he thought that it implied that he had an outstanding bankruptcy record or was not creditworthy. He therefore requested the Organisation to amend his risk grading. 3 The Organisation informed the Complainant that it was its practice to display bankruptcy-related data for 5 years. The Complainant then lodged a complaint against the Organisation to the Personal Data Protection Commission on 24 May 2017. The complaint was that the Organisation had retained his personal data when it was no longer necessary for legal or business purposes. Findings and Basis for Determination 4 This case concerns the accuracy and retention obligations under the Personal Data Protection Act (“PDPA”), with respect to the bankruptcy information in the ECCR. In particular, the issues are: a. Whether the Organisation had made a reasonable effort to ensure that the personal data it had collected was accurate and complete pursuant to section 23(b); and b. Whether the Organisation had retained the Complainant’s personal data when it was no longer necessary for legal or business purposes pursuant to section 25 of the PDPA. Did the Organisation breach Section 23(b) of the PDPA? 5 Section 23(b) of the PDPA requires an organisation to make a reasonable effort to ensure that the personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be disclosed by the organisation to another organisation. 6 In this case, the Organisation had explained that a “HX” rating merely meant that there was a past or existing bankruptcy record associated with the individual concerned. A “HX” rating did not represent that the individual was a bankrupt. The Organisation had also cautioned creditors against upfront rejection of credit applications of applicants with “HX” ratings. 
This buttresses the Organisation’s position that a “HX” rating alone does not determine creditworthiness. 7 According to the Association of Banks in Singapore (“ABS”), financial institutions (“FIs”) consider information from several sources when making lending decisions. Apart from searches with credit bureaux, FIs also conduct public registry searches (including publicly available litigation and bankruptcy information). Records from the Insolvency & Public Trustee Office (“IPTO”) also showed that he was not a bankrupt. FIs would have been able to obtain the same information on the Complainant when conducting their own due diligence. Generally, FIs’ creditworthiness assessments vary according to their risk appetite, internal assessment policies, portfolio delinquency and loss experience. Did the Organisation breach section 25 of the PDPA? 8 Section 25 of the PDPA requires an organisation to cease retaining its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer served by retention of the personal data; and retention is no longer necessary for legal or business purposes. 9 The Organisation displays bankruptcy-related information (including “HX” ratings) for 5 years in its ECCR. This aligns with the display period of the publicly available Insolvency Search maintained by the Insolvency & Public Trustee Office. The 5-year retention policy gives FIs useful credit history of potential borrowers. Along with other information sources, this facilitates FIs’ lending decisions. 10 I do not think that a 5-year display period for bankruptcy-related information is unreasonable. 
The Organisation provides credit reporting services and the retention of bankruptcy-related information in order to deliver its services is a valid business purpose. Conclusion 11 For the reasons set out above, I do not think that the Organisation has breached section 23(b) or 25 of the PDPA. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Not in Breach,00dfc6779bc3e2fa6234e35d2fe5563a6e0d7bf6,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,187,187,1,952,MyRepublic was found not in breach of the consent obligation with respect to the use of an individual’s personal data for debt recovery purposes.,"[""Not in Breach"", ""Information and Communications""]",2018-05-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_MyRepublic_140518.pdf,,No Breach of Consent Obligation by MyRepublic,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/no-breach-of-consent-obligation-by-myrepublic,2018-05-14,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 13 Case No DP-1701-B0463 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And MyRepublic Limited … Organisation DECISION MyRepublic Limited [2018] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No DP-1701-B0463 14 May 2018 Background 1 The Complaint concerns the use of a customer’s personal data by MyRepublic Limited’s (the “Organisation”) appointed debt collection company, Apex Credit Management Pte Ltd (“Apex Credit”), for the purpose of debt recovery. The Organisation is a telecommunications company which provides fibre broadband services in Singapore. 2 The Complainant terminated his account with the Organisation on 25 September 2016. He claimed that he did not have any outstanding debt with the Organisation. 
However, he was subsequently contacted by Apex Credit on two occasions. The purpose was to pursue payment of outstanding amounts purportedly owed to the Organisation. First was via letter sent to the Complainant on 3 October 2016. Second was via a phone call on 10 October 2016. The Organisation disclosed that its systems had identified the Complainant’s account for debt collection based on its debt aging status. 3 This case concerns section 13 of the Personal Data Protection Act 2012 (“PDPA”). (Section 13 of the PDPA requires either that (a) the individual gives, or is deemed to have given, his consent to the collection, use or disclosure of his personal data; or (b) collection, use or disclosure without consent is required or authorised under the PDPA or any other written law.) In particular, the issues are: (a) Whether consent was given by the Complainant for his personal data to be used for debt collection purposes; and (b) whether it was reasonable for the Organisation to have deemed that the Complainant was in debt at the material time. (a) Whether consent was given by the Complainant for his personal data to be used for debt collection purposes? 4 When customers sign up for the Organisation’s services, their consent was obtained for the use of their personal data for debt management purposes. This was accomplished through the Organisation’s terms and conditions, which state: “By having the Services we provide activated in your premises and/or by using them you are giving us your consent to use your personal information for … credit assessment, debt management, preventing fraud… .” [Emphasis added] 5 The Complainant had therefore consented for his personal data to be used for debt management when he signed up for the Organisation’s services. (b) Was it reasonable for the Organisation to deem that the Complainant was in debt at the material time? 
6 The incident was caused by an administrative time-lag in the Organisation’s systems. Investigations disclosed the following: The bank GIRO deduction for the amount owed by the Complainant to the Organisation was successfully processed on 28 September 2016. The Organisation’s aging report to identify “terminated” and “suspended” accounts with outstanding payments was updated for records up to 29 September 2016, 2359 hours. Although the bank GIRO deduction report was received by the Organisation on 29 September 2016, it was only updated on 30 September 2016. As a result, the Complainant’s account was included in the aging report and sent to Apex Credit on 30 September 2016. Based on the aging report received, Apex Credit commenced debt collection efforts against the Complainant. 7 I am mindful that while the PDPA imposes data protection obligations on organisations, the Act does not demand infallibility in an organisation’s personal data processing activities and systems. Rather, it requires organisations to do what is reasonable to fulfil their obligations. Batch processing of arrears status is commonly practised. In this case, the administrative time-lag was one day. Debt collection efforts took place within a short span of 8 days and immediately ceased once Apex Credit was informed by the Complainant that the outstanding payment had been settled. 8 I find a weekly update of customers’ account status to be a reasonable practice. I also note that the inconvenience to the Complainant was no more than a letter and phone call, both of which were private communications directed to him. Apart from annoyance and the displeasure of having to deal with requests to repay a debt that he had already settled, there was no embarrassment or harm caused. I am therefore of the view that the Organisation has not breached section 13 of the PDPA. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Not in Breach,660bde1be84f105fe469f14ec38d8fcfc2ccc1f7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,188,188,1,952,A warning was issued to Watami Food Service Singapore for failing to make reasonable security arrangements to prevent unauthorised access of employees’ personal data stored online.,"[""Protection"", ""Warning"", ""Accommodation and F&B""]",2018-05-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Watami_Food_Service_Singapore_140518.pdf,Protection,Breach of the Protection Obligation by Watami Food Service Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-the-protection-obligation-by-watami-food-service-singapore,2018-05-14,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [12] Case No DP-1711-B1312 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Watami Food Service Singapore Pte Ltd … Organisation DECISION Watami Food Service Singapore Pte Ltd [2018] SGPDPC [12] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1711-B1312 14 May 2018 1. Watami Food Service Singapore Pte Ltd (the “Organisation”) is in the restaurant business. On 10 November 2017, information was received that the Organisation’s internal Staff Code Name List (the “List”) was accessible via its website. The List contained personal data of 405 employees of the Organisation, namely their full names and staff codes. 2. The List was to facilitate the entry of new employee staff codes into the Organisation’s point-of-sale system. This information is not current as it was dated between 2009 and 2013. The List was meant for internal use within the Organisation. 3. 
The Organisation did not know when or why the List was uploaded into the Organisation’s website server. As there was no restriction on access, the List was indexed by search engines and made publicly searchable online. The URL containing the List was subsequently removed by Fairwin International Limited (“Fairwin”), a vendor the Organisation engaged to maintain its website. 4. The Organisation was in possession and/or control of the personal data in the List. Section 24 of the Personal Data Protection Act (“PDPA”) required the Organisation to protect the personal data in the List. (Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.) This included protection against risk of unauthorised access. 5. I rely on the common law concept of res ipsa loquitur in this case as the Organisation is unable to explain how the List which it maintained for internal use was uploaded onto its website. The Organisation also did not exercise reasonable control of the information on its website, since it was not aware that the List had been accessible on its website and searchable via online search engines. 6. Neither did it adopt reasonable steps to monitor against information leak on its website. The period that the List was thus exposed could possibly have commenced from 2013, but could also have been a shorter period. The Organisation’s poor oversight and control did not enable it to establish the period of exposure. As a result, the personal data of its staff remained on its website undetected until it was contacted by the PDPC. Exercising better oversight of its website content could have led to an earlier discovery and removal of the URL giving access to the List. 7. 
In the course of investigations, it was further discovered that the Organisation failed to train its staff to protect the personal data in its possession or control. The Organisation’s privacy policy included proper personal information management. However, its staff were not trained in protecting personal data other than occasional reminders, for example to use alphanumeric passwords. No formal instructions were given to staff on the Organisation’s data protection policies or other forms of data protection training. 8. Accordingly, I find that the Organisation did not put in place reasonable security arrangements to protect personal data in its possession or control against risk of unauthorised access. The Organisation is therefore in breach of section 24 of the PDPA. 9. In assessing the breach and determining the directions to be imposed on the Organisation, I took into account the following: a. The Organisation’s prompt instruction to Fairwin to delete the URL on its website; b. The Organisation’s cooperation in the investigation; and c. Its remedial measures, where the Organisation restricted access to the website server to only one person and reminded all staff that all documents containing sensitive personal data should be password-protected and not be uploaded online. 10. In view of the factors noted above, I have decided to issue a warning to the Organisation for the breach of its obligation under section 24 of the PDPA as neither further directions nor a financial penalty is warranted in this case. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Warning,f45717d03de524b6fa179a72b9fc9f78d3267b40,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,189,189,1,952,A warning was issued to Information Technology Management Association (Singapore) for failing to put in place reasonable security measures to prevent the accidental disclosure of the personal data of 28 individuals via email.,"[""Protection"", ""Warning"", ""Information and Communications""]",2018-05-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Information_Technology_Management_Association_Singapore_140518.pdf,Protection,Breach of the Protection Obligation by Information Technology Management Association Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-the-protection-obligation-by-information-technology-management-association-singapore,2018-05-14,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 11 Case No DP-1708-B1019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Information Technology Management Association (Singapore) … Organisation DECISION Information Technology Management Association (Singapore) [2018] SGPDPC 11 Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1708-B1019 14 May 2018 1. On 10 August 2017, the Organisation informed the Commission of its inadvertent disclosure of personal data. The facts disclose a straightforward breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). 2. The Organisation engaged a travel service provider to organise a study trip for 49 delegates. On 8 August 2017, the Organisation received an email with two attachments from the travel service provider. 
One attachment was a list containing full names, gender, nationality, dates of birth and passport numbers of 28 delegates (the “List”). 3. The Organisation forwarded the email to the 49 delegates on 10 August 2017. The List was inadvertently included in the email. This resulted in the inadvertent disclosure of the personal data in the List. 4. One delegate provided feedback to the Organisation on the List. Upon notification of the error, the Organisation promptly emailed an apology to the 28 delegates. It subsequently contacted all 49 recipients and requested that they delete the copy of the List that they had received. 5. The issues to be determined in this case are: a. Whether the Organisation breached section 24 of the PDPA to protect the personal data in the List; and b. Whether the Organisation breached section 12(a) of the PDPA to develop and implement policies and practices to comply with the Act. Did the Organisation breach section 24? 6. An organisation must protect personal data in its possession or under its control under section 24 of the PDPA (“Protection Obligation”). In this regard, it must take reasonable steps to prevent unauthorised access, copying, modification, or disposal of personal data. 7. The Organisation’s core business was running a membership programme. Its functions involved frequent sending of emails including personal data. The Commissioner’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data (published on 20 January 2017) states that employees should ensure that attachments are checked and verified that they are for the intended recipients. In this case, the Organisation had failed to do so when sending the email containing the List to all 49 recipients. The result was the personal data in the List being disclosed to delegates who were not intended to receive such data of other delegates. 
The Organisation was therefore found in breach of section 24 of the PDPA. Did the Organisation breach section 12(a)? 8. Section 12(a) required the Organisation to develop and implement policies and practices to comply with the PDPA. 9. The Organisation had a Personal Data Protection Statement (“PDP Statement”). It outlined how collected personal data might be used. It also stated that access to personal data was limited to employees who needed to process it. Likewise, personal data would be shared on a need-to-know basis. For external communications, personal data would be shared only when there was a “legitimate reason”. An employee was assigned to process all personal data handled by the Organisation. The employee had previously attended formal training on the requirements of the PDPA and had been briefed on the Organisation’s protection of personal data. 10. It was assessed that the Organisation’s PDP Statement complied with the requirement under section 12(a) to develop policies to meet its obligations under the PDPA. Its attempts to limit access to personal data to the employee who had been given PDPA compliance training were assessed to comply with the requirement to implement the policies in its PDP Statement. Finally, the Organisation’s efforts to implement its personal data protection policies under section 12(a) were taken as forms of practices on the ground to help employees to manage the risk of unauthorised disclosure of or access to personal data through emails and other external communications. 11. Accordingly, the Organisation was not found in breach of section 12(a) of the PDPA. Remedial measures taken 12. Following the incident, the Organisation required employees to review all emails and attachments before sending or forwarding. They are also required to check whether personal data is being sent to unintended and/or unauthorised recipients. 13. 
In assessing this case, I took into account the following: a. The Organisation’s prompt action to inform all 49 delegates to delete the List; b. The Organisation’s voluntary notification of the incident and cooperation in the investigation; and c. The Organisation’s remedial measures assessed to be reasonable to address risk of similar incidents. 14. In view of the factors noted above, I decided to issue a warning to the Organisation for the breach of its obligation under section 24 of the PDPA as neither further directions nor a financial penalty is warranted in this case. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Warning,1738f6c24182e6507b40b564d5a960c96b9d29d0,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"