_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,159,159,1,952,Telcos were not found in breach of the PDPA for charging subscribers for the provision of Caller Number Non-Display value added services.,"[""Consent"", ""Not in Breach"", ""Information and Communications"", ""Singtel"", ""Starhub"", ""M1""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---3-Telcos---06062019.pdf,Consent,No Breach of the Withdrawal of Consent Obligation by Telcos,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/no-breach-of-the-withdrawal-of-consent-obligation-by-telcos,2019-06-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 12 Case No DP-1609-B0229 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Starhub Mobile Pte Ltd 2. M1 Limited 3. Singtel Mobile Singapore Pte. Ltd. … Organisations DECISION Data protection – Consent obligation – Withdrawal of consent Starhub Mobile Pte Ltd, M1 Limited and Singtel Mobile Singapore Pte. Ltd. [2019] SGPDPC 12 Yeong Zee Kin, Deputy Commissioner — Case No DP-1609-B0229 6 June 2019. Background 1 The present matter arose from a complaint made by an individual mobile subscriber (“Complainant”), in relation to the current industry practice of mobile network operators charging for the provision of Caller Number Non-Display (“CNND”) services. The CNND service is offered on a per-line basis affecting all out-going calls made using a particular telephone number. When activated by a subscriber, the CNND service essentially prevents the subscriber’s telephone number from being displayed on call recipients’ devices. 2 The Organisations are the three mobile network operators in Singapore. 
They offer a range of telecommunication services to subscribers, in particular, mobile telephony services. They also offer CNND as an optional value-added service to their subscribers. All the Organisations share a common practice of charging subscribers for the provision of CNND services, although the precise charges differ from Organisation to Organisation. 3 The key question which has to be determined in this case is whether section 16 of the Personal Data Protection Act 2012 (“PDPA”) prohibits organisations from imposing charges for the provision of CNND services. The findings and grounds of decision based on the Commission’s investigation are set out below. Material Facts 4 The Complainant is an individual subscriber of StarHub Mobile Pte Ltd (“StarHub”)’s mobile services. He had written to StarHub to request the withdrawal of his consent to the disclosure of his telephone number to parties receiving his calls. 5 In response, the Complainant was informed by StarHub that, if he wished to prevent his telephone number from being displayed to call recipients, he would need to activate StarHub’s CNND value-added service. He was also informed that a one-time activation charge and monthly recurring charges were applicable. 6 The Complainant was not agreeable to paying the charges for activating the CNND value-added service. He expressed the view that, as he was exercising his right under the PDPA to withdraw consent to the disclosure of his personal data, he should not be required to pay any charges for the CNND value-added service in order to prevent his telephone number from being displayed to call recipients. 7 Against this backdrop, the Complainant raised this matter to the Commission. As the practice of charging for CNND services is common to all the Organisations, the Commission commenced an investigation into the practices pertaining to the CNND services of all three Organisations. 
Conveyance/withholding of calling party’s telephone number from recipient 8 In the course of its investigation, the Commission obtained a range of information from the Organisations pertaining to the manner in which a calling party’s telephone number is conveyed to a call recipient during a telephone call, as well as details pertaining to the implementation of the CNND value-added service. Investigations disclosed the following: (a) All mobile and fixed line operators in Singapore are interconnected using international telephony signaling protocols, e.g., signaling system no. 7 and session initiation protocol. Under the arrangements for interconnection adopted by the Organisations, a caller’s telephone number will be passed on by the caller’s network operator to the receiving network operator as part of the conveyance of a telephone call. (b) The transmission of the calling party’s telephone number by the calling party’s operator to the recipient’s operator takes place regardless of whether the calling party has activated CNND services. The calling party’s network does not remove the calling party’s telephone number from being transmitted. The difference in handling the caller’s number lies in indicators as to whether the phone number should be displayed or hidden from the recipient. (c) If the call recipient has activated caller ID (also known as caller line identity or “CLI”) services, the recipient operator’s network will forward the calling party’s telephone number to the recipient’s device. Otherwise, the calling party’s telephone number will not be forwarded to the recipient’s device, and the recipient’s device would not display the incoming caller’s telephone number. Currently, the vast majority of Singapore mobile subscribers have enabled CLI services. 
(d) The flow of the caller’s telephone number from the caller to the caller ID display at the call recipient’s device when the call recipient has activated the CLI services for his telephone line takes place in the following manner: (i) When the caller dials the call recipient’s telephone number using his phone, the call will be routed from the caller’s originating local exchange to the recipient’s local exchange, which could be in the same or different telecommunication company’s network, based on the preplanned call routing arrangement. The originating local exchange will be able to determine which telephone communications company the call recipient has subscribed to and will try to establish a call with the designated recipient’s local exchange through the adopted signalling protocols. (ii) If the call recipient’s telephone is connected to the call recipient’s telephone network, after the call is routed successfully, an acknowledgement awaits the call recipient to pick up the call, which is typically translated to the ringing of the telephone. At this stage, the caller’s telephone number is reflected on the call recipient’s telephone as caller ID display. The call is considered established after the call recipient picks up/accepts the call. (iii) Where the caller has activated CNND for his telephone line or where the call recipient has not activated CLI for his telephone line, the caller’s ID will not be shared with the call recipient. (e) The CNND services offered by the Organisations allow callers’ telephone numbers to be hidden from call recipients even if these call recipients have subscribed to caller ID services. The Organisations’ CNND services are based on recommendations promulgated by the Telecommunication Standardisation Sector of the International Telecommunication Union (“ITU-T”). 
In addition to per-line CNND, it is also possible to offer CNND on a per-call basis although the Organisations have not made CNND available on a per-call basis. Each of the Organisations imposes its own set of charges on its subscribers for the CNND service. Typically, the charges consist of a combination of a one-time activation charge and monthly recurring charges. (f) If a calling party has subscribed for CNND services, when a telephone call is initiated, the calling party’s network operator would transmit a CNND indicator, together with the calling party’s telephone number, through the originating telephone network to the recipient’s network operator. The function of the CNND indicator is to mark the caller’s telephone number as “Presentation Restricted”, which would notify the recipient’s network operator not to forward the calling party’s telephone number to the recipient’s device. (g) In order for the calling party’s telephone number to be withheld from the recipient, the recipient network operator’s cooperation is needed to honour the CNND indicator, by recognising the indicator and withholding the calling party’s telephone number from the recipient’s device. (h) As such, the successful withholding of the calling party’s telephone number from the call recipient is ultimately dependent on cooperation between the caller’s network operator and the recipient network operator. In this regard, the Commission understands that the Organisations have adopted common standards for CNND services, and as between themselves will typically honour one another’s CNND indicators. Findings and Basis for Determination 9 The key issue to be determined in this case is whether the Organisations have contravened section 16 of the PDPA by requiring individual subscribers to pay charges for the CNND value-added service, in order to withhold their telephone number from being disclosed to call recipients. 
10 In addressing the aforementioned key issue, it is pertinent to briefly address a couple of preliminary issues that were raised in the course of the Commission’s investigation into this matter, namely: (a) whether telephone numbers constitute personal data; and (b) whether express consent is required for the disclosure of telephone numbers to call recipients. Whether telephone numbers constitute personal data 11 In some of their representations to the Commission, the Organisations suggested that mobile telephone numbers do not constitute personal data for the purposes of the PDPA. In this regard, the Organisations asserted that a call recipient would not be able to identify a calling party simply by looking at the telephone number displayed. 12 I do not think that such an assertion accords with the definition of “personal data” under the PDPA. Section 2 of the PDPA defines “personal data” to mean: “data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access”. [Emphasis added.] 13 In relation to whether telephone numbers constitute personal data, the Commission has stated in the Advisory Guidelines for the Telecommunication Sector that: “Telephone numbers and International Mobile Equipment Identity (“IMEI”) numbers 2.3 Where an individual is identifiable from the data, such as a combination of the individual’s name, address and telephone number, then such data is personal data. 
In cases where the individual cannot be identified from that data alone (such as a device identifier in itself), such data may still be personal data if the organisation has or is likely to have access to other information that will allow the individual to be identified when taken together with that data… 2.4 In the telecommunication context, an individual’s mobile telephone number is likely to be personal data as it may uniquely identify, or be uniquely associated with, that individual…”1 [Emphasis added.] 14 Additionally, the Commission’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act also identifies personal mobile telephone numbers as a unique identifier, and hence personal data on its own: “Certain types of data can on its own, identify an individual, for instance biometric identifiers which are inherently distinctive to an individual, such as the face geometry or fingerprint of an individual. Similarly, data that has been assigned to an individual for the purposes of identifying the individual (e.g. NRIC or passport number of an individual) would be able to identify the individual from that data alone. Such data which, on its own, constitutes personal data, is referred to as “unique identifier” in these guidelines. Data that the Commission generally considers unique identifiers include: … Personal mobile telephone number …” 1 PDPC, Advisory Guidelines for the Telecommunication Sector at [2.3] – [2.4]. 15 Mobile use in Singapore has grown in leaps and bounds. 
Just in terms of figures alone, there were altogether 8,381,900 mobile subscriptions in Singapore as of March 2018, and a mobile population penetration rate of 149.3%.2 It was also reported that 7 in 10 Singaporeans use social media on mobile, which, according to the survey, is double the global average.3 Given the multitudinous uses of mobile today, mobile numbers have increasingly been used as a form of identification or verification of individuals, including for online transactions, mobile payments, and social networking. This works on the general premise that an issued mobile number is unique, and no two same mobile numbers should be in operation at the same time. Hence, a mobile number acts as a unique address for which individuals may be contacted or receive messages or information on their mobile phones. In this regard, mobile numbers double up as a unique identifier of the individual. 16 This role of a personal mobile telephone number as a unique identifier is further strengthened by the mobile telephone number portability policy such that an individual is able to retain and keep his mobile telephone number when he switches to another service provider. This is one of the reasons that caller ID is popular with mobile phone subscribers – a subscriber is able to identify the caller through the caller’s telephone number if the subscriber had programmed the caller’s telephone number in his telephone directory. 2 https://www.imda.gov.sg/industry-development-facts-andfigures/telecommunications/statistics-on-telecom-services/statistic-on-telecomservice-for-2018-jan 3 http://www.businesstimes.com.sg/consumer/7-in-10-singaporeans-use-social-media-onmobile-double-global-average-survey 
17 Also, when one of the Organisations uses a subscriber’s personal mobile telephone number, for example to establish a telephone call or for logging call data for billing purposes, that Organisation is using that personal mobile telephone number as a unique identifier of the individual subscriber. 18 There is, however, a distinction between land lines and mobile telephone numbers. The foregoing discussion is concerned with mobile telephone numbers. A land line terminates at premises that are, more likely than not, shared: e.g. residence of a family or place of business of an organisation. It is in recognition of this key distinction that the aforementioned advisory guidelines limit their policy guidance to treating mobile telephone numbers as personal data without adopting a similar approach for land lines. Consumers and organisations also do not treat land lines as personal. 19 From the perspective of the call originating network, the Organisation transmitting its subscriber’s mobile telephone number will be transmitting personal data since it has full subscriber details. From the perspective of the recipient of the call, the reality today is that a significant number of calls will be matched with an address book entry in the recipient’s mobile phone and will thus identify the caller, or the recipient may recognise the number. Hence, I am satisfied that the guidance set out in the Advisory Guidelines referred to above would be applicable in the context of the present case, and that it would be entirely relevant and reasonable to proceed with the analysis in this case on the basis that subscribers’ mobile telephone numbers constitute personal data. 
Deemed consent for disclosure of subscriber identity to telephone call recipients 20 The Advisory Guidelines for the Telecommunication Sector sets out the following guidance in relation to consent and the withdrawal of consent for the disclosure of a subscriber’s telephone number to receiving parties:4 “Provision of subscriber identity for calls or text messages 3.8 Currently, when a subscriber who is an individual makes a telephone call or sends a text message, his telephone number (which may be personal data relating to him) would typically be disclosed to the receiving party and both the subscriber and receiving party’s telecommunication operators, unless the subscriber had chosen to have his telephone number ‘blocked’/ ‘unlisted’. Telecommunication operators may wish to obtain the consent of the individuals for the purpose of such disclosures to recipients of his calls and messages. 3.9 Even if the telecommunication operators do not obtain such actual consent, given established practice, the Commission is of the view that a subscriber who opts to have an ‘unblocked’/ a ‘listed’ telephone number would typically be aware that the telephone number would be collected, used or disclosed for the purpose of identifying that subscriber to other parties. Where the telephone number is personal data relating to a subscriber, a subscriber with an ‘unblocked’/ a ‘listed’ telephone number initiating a call or sending a message may be deemed to have consented to the collection, use or disclosure of the number for the purpose of identifying himself to the receiving party, since the subscriber would have voluntarily provided the data, and it would be reasonable for the subscriber to have done so. 4 PDPC, Advisory Guidelines for the Telecommunication Sector at [3.8] – [3.11]. 
3.10 Conversely, a subscriber who has opted for a ‘blocked’/ an ‘unlisted’ number at the outset would not be considered to have consented to the collection, use or disclosure of the number for that purpose. A subscriber with an ‘unblocked’/ a ‘listed’ telephone number who subsequently applies to ‘block’/ ‘unlist’ that telephone number would be considered to have withdrawn consent for the collection, use or disclosure of that telephone number for the purpose of identifying himself to other parties when making a call or sending a message. 3.11 Where an individual subscriber is deemed to have given consent for disclosure of his telephone number by one telecommunication operator to another telecommunication operator for the purpose of identifying himself to the recipient of his call or message, consent may be deemed to have been given to the collection, use or disclosure of the telephone number by that other telecommunication operator for the same purpose. Alternatively, consent may not be required if the purpose for collection, use or disclosure of the personal data falls within an exception, such as when it is required or authorised under written law.” [Emphasis added.] 21 I understand that currently the Organisations obtain express consent from subscribers for the collection, use and disclosure of their telephone numbers for the purpose of identifying them to receiving parties. This is a good practice although, as the Advisory Guidelines for the Telecommunication Sector establish, not strictly necessary. 
A subscriber who has opted for an ‘unblocked’ or ‘listed’ telephone number may be deemed to have consented to the collection, use or disclosure of his telephone number for the purpose of identifying himself to recipients of his calls.5 It naturally follows that the Organisations would be able to rely on deemed consent to collect, use or disclose the subscriber’s telephone number for the purpose of identifying the subscriber to call recipients. Whether the Organisations have contravened section 16 of the PDPA 22 Turning to the key issue raised in this case, section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to be given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose. 23 Section 16(3) of the PDPA is particularly relevant, and states that an organisation: “shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal”. [Emphasis added.] 24 Section 16(3) of the PDPA may be seen as comprising two limbs, namely that: (a) an organisation shall not prohibit individuals from withdrawing consent; and (b) any legal consequences arising from such withdrawal shall not be affected. 5 Section 15(1) of the PDPA; and PDPC, Advisory Guidelines for the Telecommunication Sector at [3.9]. 25 It is necessary to construe both limbs of section 16(3) of the PDPA holistically. While section 16(3) of the PDPA is clearly intended to ensure that individuals are not prohibited from exercising their right to withdraw consent, it also expressly preserves any legal consequences arising from such withdrawal. 
26 It is also pertinent to refer to section 11(1) of the PDPA, which imposes a general standard of reasonableness on organisations in meeting their responsibilities under the PDPA. Section 11(1) of the PDPA states: “In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.” 27 At this juncture, it should be highlighted that the provision of CLI services serves important societal purposes, including helping to reduce calls made to harass or scam individuals and to speed up law enforcement investigations where a caller’s telephone number is required for the purposes of criminal investigations. Additionally, given that most mobile telephone subscribers have CLI and that Over-The-Top telephone services such as calls made through smartphone applications do not give the caller the ability to mask his telephone number, the provision of CLI services has become a baseline expectation of all users of modern mobile telephone networks: call recipients expect to know the identity of the caller. Consumers’ expectations to be able to identify an incoming caller as a basic functionality are also clearly embedded into the design and manufacture of mobile phones, as mobile phone manufacturers universally incorporate the ability to display caller ID as a basic and essential feature of modern mobile phones. This functionality is integrated with the contact list functionality such that the displayed caller ID is matched with contact details whenever a call is received, and the caller’s name is displayed by the mobile phone when the call is connected. This modern convenience enables the subscriber to decide whether to answer the call from an identified contact; and some subscribers prefer not to take calls when the displayed caller ID does not match a known contact. 
28 Under the signaling standards adopted by fixed and mobile network operators in Singapore, a caller’s telephone number will be transmitted by the calling party’s network to the receiving party’s network by default as part of the conveyance of a telephone call. 29 In order for calling parties to withhold their telephone numbers from being displayed to call recipients (the vast majority of whom currently have caller ID enabled), action has to be taken on the part of the Organisations, in terms of transmitting and giving effect to the relevant “Presentation Restricted” indicator. 30 Against this backdrop, I understand from the Organisations’ representations that, for CNND services to be implemented and offered as an option to subscribers, the Organisations have had to invest in relatively complex IT systems which are, amongst other things, able to automatically and in real time instruct the mobile network to either implement or deactivate the CNND depending on whether the caller is a CNND subscriber and which would be able to manage the customer sign-up for CNND and the database of CNND customers. Regular and continuous tests and updates to the IT systems are also required to ensure that CNND continues to work accurately when there is an update to interconnected systems, whenever new handsets are introduced into the Singapore market by the Organisations, when new roaming partners are onboarded by the Organisations and when new technologies and platforms (such as VoLTE and VoWiFi) are deployed. 
31 Perhaps in a nod to the infrastructure investment and operational costs required in order to provide consumer choice in both CLI and CNND services, the International Telecommunication Union (“ITU”) provides charging principles for supplementary services such as for the charging of both CLI and CNND services, but has left it to each member country to formulate its own policy decision with respect to charging for such services. The ITU is an agency of the United Nations specializing in information and communication technologies and, amongst other things, allocates global radio spectrum and satellite orbits. In its ITU-T Rec D.232, ITU provides for charging principles for supplementary service as follows: “2.1 Number Identification This subclause provides charging principles for the supplementary services, Calling Line Identification Presentation (CLIP), Calling line Identification Restriction (CLIR), Connected Line Identification Presentation (COLP), Connected Line Identification Restriction (COLR) and Malicious Call Identification (MCID). Detailed description of the services are provided in Recommendations I.251.3 (CLIP), I.251.4 (CLIR), I.251.5 (COLP), I.251.6 (COLR) and I.251.7 (MCID). 2.1.1 Charging principles Innovation of the display or restriction service may be charged for by: a) Inclusion in the rental charges raised against customers; or b) The setting of a separate subscription charge; c) A per event charge; or d) Combinations of a) to c).” 32 Given established practice as discussed above and the inherent nature of a telephone call, whereby a calling party’s telephone number is by default transmitted to the recipient network operator and typically forwarded to the call recipient’s device, it would not be unreasonable for the network operator to charge a reasonable fee for the costs it incurs to provide the CNND and restrict the number from being disclosed to the call recipient. 
Also, given the competitive marketplace in the provision of telecommunications services in Singapore, market forces can be expected to determine the range of service charges that any of the Organisations will be able to impose for the CNND service. The relevant charges for the Organisations’ CNND services are publicly accessible and can be obtained by subscribers relatively easily, and any charges payable by individual subscribers to the Organisations for CNND services would have a legal basis stemming from the contract between subscribers and the Organisations. 33 In summary, users of modern mobile telecommunications services expect to be able to identify a caller and mobile telephone handset manufacturers have incorporated CLI as a basic and essential feature. CLI now plays a societal role, enabling consumers to order their private lives and exercise choice in how they wish to be contacted or to decline taking calls. In order to provide consumers with this choice, significant ongoing investments have to be made by the Organisations to maintain CNND services for their subscribers. The ITU also recognises that there may be a need to charge for both CLI and CNND services. In our domestic market, the prices of these services are contained by competitive market forces. With the provision of CNND services as a value-added service, consumers have access to a paid service to restrict the sharing of their personal mobile phone numbers. 34 Given the consumer expectations and reliance on CLI and how CLI is fundamentally embedded into the design and operation of mobile telephone systems and handsets, and the additional infrastructure investments and operational costs required to provide consumer choice for CLI and CNND, it is not unreasonable that the Organisations impose a reasonable charge for these services. 
I have no doubt that a reasonable person would consider it appropriate for the Organisations to charge a caller to prevent his telephone number from being displayed to the call recipient, failing which the Organisation may inform the subscriber that the Organisations are unable to provide the caller with telecommunications services if he wishes to withdraw such consent. An example which illustrates the application of this can be found in the Advisory Guidelines on Key Concepts in the PDPA, which states:6 “An individual wishes to obtain certain services from a telecom service provider, Operator X and is required by the telecom service provider to agree to its terms and conditions for provision of the services. Operator X can stipulate as a condition of providing the services that the individual agrees to the collection, use and disclosure of specified types of personal data by the organisation for the purpose of supplying the subscribed services. Such types of personal data may include the name and address of the individual as well as personal data collected in the course of providing the services such as the individual’s location data. The individual provides consent for those specified types of personal data but subsequently withdraws that consent. The withdrawal of consent results in Operator X being unable to provide services to the individual. This would in turn entail an early termination of the service contract. Operator X should inform the individual of the consequences of the early termination, e.g. that the individual would incur early termination charges.” 6 PDPC, Advisory Guidelines on Key Concepts in the PDPA at [12.45]. 35 I am therefore of the view that the provision of CNND is less a means to withdraw consent for the disclosure of the caller’s personal mobile telephone number to the call recipient than a separate service to allow a caller to maintain anonymity. 
Accordingly, where an individual subscriber requests his telecommunications service provider to mask his telephone number when he calls another phone number, the Organisations are in compliance with section 16 if they inform the subscriber that he may do so by subscribing and paying for CNND services, failing which the Organisation is unable to provide the telecommunications service to the subscriber. By doing so, the Organisations would have informed the subscriber of the legal consequences arising from such withdrawal pursuant to section 16(2) of the PDPA. 36 Having carefully considered all the relevant circumstances of the present case, and for the reasons set out above, I find that the Organisations have not breached section 16 of the PDPA in respect of the charges imposed on subscribers for providing CNND value-added services, and that no further action is required in this matter. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Not in Breach,d14207cb5ac452bf33a3e97f370a686be33c72ca,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,160,160,1,952,"A financial penalty of $30,000 was imposed on Ncode Consultant for failing to put in place reasonable security arrangements to prevent unauthorised access and modification to an IT system provided to a school. 
The failure resulted in unauthorised access and modification of students’ personal data.","[""Protection"", ""Financial Penalty"", ""Education"", ""School"", ""MOE""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Ncode-Consultant---060619.pdf,Protection,Breach of Protection Obligation by Ncode Consultant,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-ncode-consultant,2019-06-06,"Ncode Consultant Pte Ltd [2019] SGPDPC 11 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 11 Case No DP-1712-B1471 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Ncode Consultant Pte Ltd … Organisation DECISION Ncode Consultant Pte Ltd [2019] SGPDPC 11 Tan Kiat How, Commissioner — Case No DP-1712-B1471 6 June 2019 Background 1 This is a case of 6 students using teachers’ login credentials to access Victoria School’s NTRIX School Management system (“NTRIX”). The students were able to obtain the login credentials of teachers by exploiting a SQL injection vulnerability found in NTRIX (the “Incident”). Ncode Consultant Pte Ltd (“Ncode”) supplied NTRIX to various schools, including Victoria School. Victoria School is a school organised and conducted directly by the Ministry of Education (“MOE”). 2 On 5 December 2017, the Government Technology Agency of Singapore on behalf of MOE reported to the Personal Data Protection Commission (the “Commission”) that the NTRIX system for Victoria School suffered a total of 84 unauthorised logins (the “Unauthorised Logins”) between 3 August and 17 October 2017. 3 Following an investigation into the matter, the Commissioner found Ncode in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 4 Ncode is a school administrative system developer, and has been working with schools since 1994. 
NTRIX is a web application/portal managed by Ncode. There were 3 levels of users: (i) student/parent; (ii) teaching/non-teaching employees; and (iii) administrator. By logging in with their respective passwords, teachers could enter examination scores and comments. Students and parents could also log in to view results. 5 At the time of the Incident and Unauthorised Logins, there were 2792 records of students’ personal data stored as part of Victoria School’s instance of NTRIX. In each record, the students’ personal data may include all or some of the following information: student name, admission number, residential address, mobile number, parents’ names and contact details, subject proficiency rating at Primary 6, current examination scores at Victoria School and examination summary ratings (collectively, “Personal Data”). 6 The Incident and the Unauthorised Logins exposed the Personal Data to the risk of unauthorised access, use and modification. In addition, the unauthorised users could view confidential data of the students (e.g. examination results before they were published). There were also 11 instances of modification of examination results for 10 students. The investigations revealed no evidence of mass data exfiltration. The unauthorised modifications to the examination results were rectified by Victoria School, and there was no impact on the students’ grades. 7 Ncode took the following remedial actions after discovery of the unauthorised access on 11 October 2017: (a) 12 to 13 October 2017: Two-factor authentication (2FA) was introduced for Victoria School’s employee logins to NTRIX; (b) 14 to 17 October 2017: Ncode identified and fixed the SQL injection1 vulnerability that led to the Unauthorised Logins; (c) 21 October 2017: Ncode fixed all high risk items found using OWASP ZAP2 active scan; (d) February 2018: Ncode informed all of its developers of the proper use of the security scanning tools VCG3 and OWASP ZAP. 
Ncode also installed automatic security scans and committed to conduct penetration testing as scheduled. In addition, Ncode’s Data Protection Officer was instructed to review Ncode’s data protection policies; and (e) March 2018: Ncode initiated the use of the correct features of automatic testing tools to actively test NTRIX for vulnerabilities. [Footnote 1: SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).] [Footnote 2: OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner.] [Footnote 3: VCG (short for Visual Code Grepper) is an automated security review tool that handles C/C++, C#, Java, VB and PL/SQL.] The Commissioner’s Findings and Basis for Determination 8 It is not disputed that the Personal Data is “personal data” as defined in section 2(1) of the PDPA. There is no question or dispute that Ncode falls within the PDPA’s definition of “organisation”. In the course of investigations, it was determined that Ncode was at all material times an independent third party service provider to, and therefore was not acting on behalf of, MOE. Neither did Ncode raise the applicability of section 4(1)(c) at any time. In the circumstances, section 4(1)(c)4 of the PDPA does not apply. Whether Ncode complied with its obligations under section 24 of the PDPA 9 Ncode was appointed to supply NTRIX to Victoria School as well as to set up, host and maintain NTRIX for Victoria School for the period 1 January 2017 to 31 December 2017 pursuant to an Invitation to Quote (“ITQ”) and the annexed Quotation Conditions of Contract read together with Ncode’s ITQ Submission dated 14 December 2016 (collectively referred to as the “Contract”). 
Pursuant to the Contract, Ncode assisted Victoria School to upload the relevant databases containing the Personal Data for use with NTRIX and was obliged to comply with the MOE IT Security Specifications for School-managed Systems (“MOE IT Security Specs”). 10 It is not disputed that Ncode’s scope of work in the Contract included processing Personal Data in NTRIX, or that it was in possession or control of the Personal Data. The Commissioner therefore finds that Ncode was acting as a data intermediary of Victoria School. [Footnote 4: Section 4(1)(c) of the PDPA provides that “any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of personal data is not subject to the obligations under Parts III to VI of the PDPA”.] 11 In the circumstances, Ncode had an obligation to put in place reasonable security arrangements to protect the Personal Data which was in its possession and/or under its control.5 12 Based on the investigations, there were 2 causes of the Incident and the Unauthorised Logins: (a) The exploitation, by one of the students, of the NTRIX SQL injection vulnerability using the publicly available SQLMap tool to discover usernames and encoded passwords stored as part of NTRIX for employee and administrator logins. The passwords were then decoded and shared with other unauthorised users. This allowed the unauthorised users to gain access to the Personal Data and make changes. (b) The passwords found in the NTRIX system were not encrypted or hashed but were merely encoded in Base64. The passwords were easily decoded with a publicly available online decoder. Once this was done, they were linked to the usernames of the account holders. The decoded passwords could then be used to access the web application with a legitimate existing user account. 
13 SQL injection vulnerability was, at the material time, and still is, a common and well known information technology security threat used by hackers to access computer systems without authorisation. The SQLMap injection program used in the Incident did not require sophisticated knowledge in order to exploit the SQL injection vulnerability found in NTRIX. Detecting and fixing such a basic form of SQL injection vulnerability did not require specialist IT security skills but is within the expertise of the average software developer. [Footnote 5: See section 4(2) read together with section 24 of the PDPA.] 14 Further, paragraph 16.4(g) of the MOE IT Security Specs specifically highlighted SQL injection vulnerability flaws and required such flaws to be rectified in the application system by Ncode before deployment. Regular security vulnerability scanning was also required under paragraph 21.13 of the MOE IT Security Specs. Security scanners would have detected the SQL injection vulnerability found in NTRIX if used with the correct settings and features. However, Ncode failed to use the features available in security scanning tools like VCG and OWASP ZAP to actively detect common software vulnerabilities like the SQL injection vulnerability in this case. 15 Also, encoding passwords using Base64 is not a reasonable security arrangement to protect the Personal Data, as these may be easily reversed with a publicly available online decoder, as was done in this case. In the case of ComGateway (S) Pte Ltd [2017] SGPDPC 19, the Commissioner found that encoding a Shipment ID using Base64 is not an actual means of encryption. Base64 is a common and simple encoding scheme, easily decoded through publicly available decoding tools. 
ComGateway was found in breach of section 24 of the PDPA because the URL of the Shipping Webpage unique to each customer (by virtue of the Shipment ID encoded in Base64) could be easily manipulated and ComGateway did not put in place security measures to address this vulnerability. 16 Investigations showed that the 2 causes of the Incident as well as the Unauthorised Logins were due to the inexperience of Ncode’s engineers in IT security. An engineer with reasonable IT security knowledge would have (i) detected and fixed the basic form of SQL injection vulnerability; and (ii) applied adequate password protection measures for all passwords. 17 In responses to Notices to Produce, Ncode admitted that its engineers were unfamiliar with IT security and lacked a basic understanding of the correct settings/features of security scanners needed to detect SQL injection vulnerabilities. These engineers also did not understand the basics of encoding, hashing and encryption needed to protect passwords properly. In fact, paragraph 8.4 of the MOE IT Security Specs required Ncode to ensure its technical and security personnel are trained in IT security and are aware of the security implications of the work performed. There is no excuse for Ncode’s failure to train the relevant employees in IT security. 18 The investigations also revealed that the NTRIX system had other vulnerabilities which were undetected. These included Broken Session Management6 and Cross-site scripting7. While these vulnerabilities were not exploited in the Incident or in respect of the Unauthorised Logins, they exposed the Personal Data stored in NTRIX to unauthorised access. 19 In addition, the Incident not only resulted in unauthorised access, but also unauthorised modification of students’ examination results. While there was no harm suffered by the students as Victoria School managed to rectify the unauthorised modifications, this will not always be the case. 
[Footnote 6: A weakness that allows a hacker to either capture or bypass authentication methods due to improper management of sessions.] [Footnote 7: Enables a hacker to inject client-side scripts, allowing the hacker to bypass access controls.] The Commissioner would like to emphasize that the failure to put in place reasonable security arrangements to prevent unauthorised modification is a serious breach of an organisation’s obligation to protect personal data. Changes to examination results could have had an impact on the academic performance of the students affected.8 In this regard, an attacker may stealthily make unauthorised modifications which may be difficult to detect, and consequentially cause significant harm. Possible security arrangements to prevent unauthorised modification include automatic notification when changes are made to static historical personal data or the need for a higher level of access rights to make any changes to such personal data, given the significance of examination results to students’ academic performance. [Footnote 8: See “ASEAN Scholar at SMU jailed 16 weeks for hacking into professor’s computer and changing grades” (The Straits Times, 8 November 2017), where changes were made by the accused person to give himself better grades.] 20 For the reasons above, the Commissioner finds Ncode in breach of section 24 of the PDPA. The Commissioner’s Directions 21 Given the Commissioner’s findings that Ncode is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue Ncode such directions as it deems fit to ensure compliance with the PDPA. This may include directing Ncode to pay a financial penalty of such amount not exceeding S$1 million. 22 In assessing the breach and determining the directions, if any, to be imposed on Ncode in this case, the Commissioner took into account the following aggravating factors: 
(a) Ncode’s business includes processing of minors’ personal data. It is therefore imperative that reasonable security arrangements ought to have been in place to protect the personal data of minors; and (b) Ncode should have easily detected and rectified the well-known SQL injection vulnerability that existed in its basic form. 23 The Commissioner also took into account the following mitigating factors: (a) Ncode cooperated fully with the investigations; and (b) There was no evidence of mass exfiltration of personal data as a result of the Incident or the Unauthorised Logins. 24 Having considered all the relevant factors of this case, the Commissioner hereby directs Ncode to pay a financial penalty of S$30,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court9 in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. [Footnote 9: Cap 322, R5, 2014 Rev Ed.] Representations made by the Organisation 25 The Organisation in its letter to the Commission dated 19 December 2018 stated that while they concurred with the facts and findings set out in this Decision, they requested a reduction of the financial penalty quantum. They made this request on the basis that they had cooperated fully with investigations as well as taken prompt action to remediate the breach. 26 The Commissioner had already taken into consideration the above points in coming to its decision on the financial penalty. 27 The Organisation had also referred to the financial penalties imposed on other organisations. However, the facts in the decisions referred to by the Organisation were not identical to the facts in this case. 
28 In particular, the Organisation cited 3 cases in which the organisations that were in breach of their obligations under the PDPA had a financial penalty imposed on them that was less than that imposed on the Organisation. The cases cited by the Organisation were Re ComGateway (S) Pte Ltd [2017] SGPDPC 19, Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 and Re Propnex Realty Pte Ltd [2017] SGPDPC 1. However, the major difference between these 3 cited cases and the current matter is that this matter, unlike the cases cited by the Organisation, involved the personal data of minors. Organisations ought to protect the personal data of minors to a higher standard, and the unauthorised access or disclosure of personal data of minors is an aggravating factor when the quantum of financial penalty to be imposed is determined. 29 The Commissioner is, therefore, of the view that the financial penalty imposed in this case is justified, in particular given the aggravating factors set out above at paragraph 22. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,cd0fda368ff2ddf7bd4e60f1e5481232e55c0544,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,161,161,1,952,"A financial penalty of $4,000 was imposed on Option Gift for failure to conduct sufficient testing before deployment of a programme script which resulted in an unauthorised disclosure of up to 426 individuals’ personal data.","[""Protection"", ""Financial Penalty"", ""Others"", ""Online Portal""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Option-Gift-Pte-Ltd---060619.pdf,Protection,Breach of the Protection Obligation by Option Gift,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-protection-obligation-by-option-gift,2019-06-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 10 Case No DP-1806-B2242, DP-1806-B2243 and DP-1806-B2244 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Option Gift Pte Ltd … Organisation DECISION Option Gift Pte Ltd [2019] SGPDPC 10 Tan Kiat How, Commissioner — Case No DP-1806-B2242, DP-1806-B2243 and DP-1806-B2244 6 June 2019 Background 1 On 12 June 2018, the Personal Data Protection Commission (the “Commission”) was notified by the Organisation of the unintended disclosure of up to 426 individuals’ personal data due to a coding error in its system. The Commission subsequently received complaints from 2 of the affected individuals on 12 and 13 June 2018 respectively. 2 Following an investigation into the matter, the Commissioner found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”) and sets out below his findings and grounds of decision based on the investigations carried out in this matter. 
Material Facts The Portal 3 The Organisation maintains Uniqrewards (the “Portal”), an online portal through which national servicemen (“NSmen”) may redeem credits and gifts given by the Ministry of Defence (“MINDEF”) and the Ministry of Home Affairs (“MHA”) in recognition of their good performance during in-camp training or courses, or to celebrate certain events, such as the birth of a child. An NSman may log into the Portal and submit his redemption request, following which he would instantly receive a confirmation email that his order(s) are being processed (“Confirmation Emails”). Besides the NSman concerned, the customer service team of the Organisation would also receive a copy of the Confirmation Email by way of blind carbon copy. 4 These Confirmation Emails are generally sent via a service account linked to the Portal. The service account is hosted by an external vendor which has a password expiry policy of 180 days. While the employee concerned had previously reset the service account password before its expiry, he had failed to do so punctually in the latest round due to an oversight and a lack of reminders or warnings on password expiry. This led to 427 NSmen not receiving any Confirmation Emails for their redemption requests submitted between 22 May 2018 and 24 May 2018. This issue was detected by the Organisation on 23 May 2018. The Incident 5 To rectify the issue, the Organisation wrote a separate programme script to regenerate and send out the Confirmation Emails which the Portal had previously failed to send out due to the service account’s password expiration. 
The programme script was intended to achieve the following objectives: (a) accurately reflect the redemption request submitted by the NSman concerned and some of his basic details (i.e., his login identification, email address, delivery address and mobile number) on each regenerated Confirmation Email; and (b) send the Confirmation Email only to its intended recipient. 6 The format of these Confirmation Emails was identical. To achieve objective (a), the programme script was meant to generate each of the 427 Confirmation Emails by extracting the relevant details of the intended recipient from the Organisation’s backend database and including these details as part of the content of the email. To achieve objective (b), the programme script was meant to address the Confirmation Email only to the intended recipient’s email address. This process performed by the programme script was iterative, and all 427 Confirmation Emails were to be generated in the same manner. 7 The programme script, however, did not behave as envisioned. While the content of each of these Confirmation Emails was correctly generated by the programme script, the programme script left the email address(es) of the recipient(s) of the preceding Confirmation Emails in the “To:” field of the email each time a new Confirmation Email was generated (the “Error”). It merely added on the intended recipient’s email address, instead of replacing the previous recipient’s email address with the intended recipient’s. 8 In practice, this resulted in the first recipient of the Confirmation Email receiving the Confirmation Email that was intended for him as well as the Confirmation Emails of all the other 426 recipients. 
The second recipient received the Confirmation Email which was intended for him as well as the Confirmation Emails of the subsequent 425 recipients; the second recipient would not have received the Confirmation Email of the first recipient as the second recipient’s email address would not have been included in the Confirmation Email generated for the first recipient. Likewise, the third recipient received the Confirmation Email generated for him as well as the Confirmation Emails generated for the subsequent 424 recipients; the third recipient would not have received the Confirmation Emails generated for the first and second recipients as the third recipient’s email address would not have been included in the Confirmation Emails generated for the first and second recipients. This pattern of addressing the Confirmation Emails continued until the last recipient, who received only the Confirmation Email intended for him. 9 This Error resulted in the personal data of up to 426 NSmen being accidentally disclosed (the “Incident”). These personal data comprised the relevant NSman’s: (a) login identification for the Portal; (b) email address; (c) delivery address; and (d) mobile number. 10 After discovering the Incident, the Organisation took the following steps to mitigate the damage caused: (a) On 12 June 2018, the Organisation: (i) emailed all the affected NSmen an apology and requested them to delete all emails not intended for them from redemption@uniqrewards.com; and (ii) notified the Commission of the Incident. (b) On 13 June 2018, all the affected NSmen received a text message from MINDEF and MHA respectively apologising for the Incident and requesting the deletion of the same emails. (c) In July 2018, the Organisation gave all the affected NSmen a gift voucher worth S$80 as a gesture of apology. 
11 In addition to the above, the Organisation introduced the following further steps to prevent the recurrence of the Incident: (a) All future changes to the Portal would be subjected to a secondary check during the development testing stage. Specifically, the person conducting integration testing would be required to print out the expected output in the development environment and have it validated by a checker before starting the user acceptance test. (b) All coding scenarios would have a separate person reviewing the source code written by the developer. (c) The Organisation began work to enhance the Portal’s backend system to allow Confirmation Emails to be resent directly. (d) The Organisation introduced a standard operating procedure to document the process of resending Confirmation Emails. Under this procedure, only authorised users, with the approval of the Organisation’s data protection officer, may resend Confirmation Emails. An audit trail would also be created during this process. (e) The Organisation would deploy an application, Sonarcloud, to analyse the quality of source code. Sonarcloud would be used to detect bugs, vulnerabilities and code smells1 during the development process. Findings and Basis for Determination 12 As a preliminary point, section 4(1)(c) of the PDPA excludes an organisation which acts on behalf of a public agency in relation to the collection, use or disclosure of personal data from Parts III to VI of the PDPA (i.e., the data protection provisions). Nevertheless, the Commission’s investigations revealed that the Organisation was a subcontractor of MINDEF and MHA and was not engaged by either public agency to act on its behalf as a data intermediary. As such, section 4(1)(c) does not apply to the Organisation and the Organisation is required to comply with the data protection provisions of the PDPA. 
[Footnote 1: A code smell refers to anything in the code of a programme that may signal a deeper issue in the code.] 13 The main issue for determination is whether the Organisation breached section 24 of the PDPA. Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 14 As the administrator of the Portal, the Organisation had full possession and control over the personal data that the Portal collects, uses, discloses and processes at all material times. Accordingly, the Organisation had full responsibility for the security of the Portal, any changes to it, as well as the personal data processed by it. In this regard, the Commissioner found that the Organisation had failed to conduct sufficient testing before rolling out the programme script. 15 In this case, software testing (i.e., development testing and user acceptance testing) was carried out on the programme script prior to its actual implementation. Investigations revealed a fundamental flaw in the design of the test scenarios. The test scenario consisted of generating all 427 test emails but, instead of picking up the recipient emails from a list of email addresses, each email was hardcoded to be sent to the same internal email address. Unsurprisingly, the Error, which would only have manifested itself if there was more than one recipient, was not detected. A more thoroughly designed test scenario that more closely approximated the anticipated real world deployment environment could have included: (a) the use of several test email addresses; (b) the programme script retrieving these test email addresses from a database (e.g. 
the main database of email addresses or a database of email addresses created for the job) instead of using a single hardcoded email address; and (c) the programme script being used to send the Confirmation Emails to the retrieved test email addresses. 16 For the reasons above, the Commissioner finds the Organisation in breach of section 24 of the PDPA. The Commissioner’s Directions 17 Given the Commissioner’s findings that the Organisation is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 18 In assessing the breach and determining the directions, if any, to be imposed on the Organisation in this case, the Commissioner took into account the following mitigating factors: (a) the Organisation voluntarily notified the Commission of the breach; (b) the Organisation fully cooperated with the Commission’s investigations; (c) the Organisation took prompt action to mitigate the effects of the breach by informing the affected individuals via email on the same day (12 June 2018) and offering them a voucher worth $80 in July 2018; and (d) the Organisation took prompt corrective action to resolve the vulnerability and further remedial measures to enhance its backend system to prevent the recurrence of similar incidents. 19 In consideration of the relevant facts and circumstances of the present case, the Commissioner hereby directs the Organisation to pay a financial penalty of $4,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 
20 The Commissioner has not set out any further directions for the Organisation given the remediation measures already put in place. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER OF PERSONAL DATA PROTECTION ",Financial Penalty,08f497403f3bd5aebb619dd326e88dc095e681c8,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,162,162,1,952,A warning was issued to H3 Leasing for disclosing personal data online without the consent of the individual concerned.,"[""Consent"", ""Warning"", ""Transport and Storage"", ""Vehicle rental""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---H3-Leasing---06062019.pdf,Consent,Breach of the Consent Obligation by H3 Leasing,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-obligation-by-h3-leasing,2019-06-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 9 Case No DP-1803-B1859 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And H3 Leasing … Organisation DECISION H3 Leasing [2019] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-B1859 6 June 2019 Background 1. The complaint concerns the disclosure of personal data without consent by H3 Leasing (the “Organisation”). The Organisation is in the business of rental of motor vehicles in Singapore. 2. The Complainant was a member of the public who had come across a post on social media by the Organisation disclosing scanned images of the NRIC of another individual (“Affected Individual”). The personal data disclosed by virtue of this comprised the full name, residential address, date of birth, NRIC number, NRIC photo and the thumbprint image of the Affected Individual (the “Personal Data Set”). 
On 8 March 2018, the Complainant filed a complaint with the Personal Data Protection Commission (the “Commission”) in relation to the disclosure of the Personal Data Set by the Organisation. 3. The key issue raised by the Complaint is whether the Organisation had the consent required under section 13 of the Personal Data Protection Act 2012 (the “PDPA”) to disclose the Personal Data Set of the Affected Individual in the manner and for the purposes which they did. 4. Following an investigation into the matter by the Personal Data Protection Commission, I found the Organisation in breach of section 13 of the PDPA. Material Facts 5. On 15 December 2017, the Affected Individual rented a motor vehicle from the Organisation. He voluntarily provided a copy of his NRIC and entered into an agreement with the Organisation for that purpose. 6. Subsequently, the Affected Individual went into rental arrears and ceased contact with the Organisation. The Organisation was unable to locate him or the motor vehicle and made a police report concerning the apparent disappearance of the Affected Individual and the motor vehicle. The Organisation subsequently disclosed images of the Affected Individual’s NRIC, which contained the Personal Data Set, through a public Facebook post to warn others about the Affected Individual and to solicit information from the general public on the whereabouts of the motor vehicle. Findings and Basis for Determination 7. 
Section 13 of the PDPA provides that an Organisation shall not collect, use or disclose personal data about an individual unless: (a) the organisation obtains the consent of the individual for the collection, use or disclosure of his personal data (in accordance with section 14 of the PDPA); (b) the individual is deemed to consent to the collection, use or disclosure of his personal data (in accordance with section 15 of the PDPA); or (c) collection, use or disclosure of his personal data is permitted or required under the PDPA or any other written law. 8. In this case, the rental agreement entered into by the Organisation and the Affected Individual did not specify any purposes for which the Organisation could disclose his personal data. There was no other document setting out such purposes and the Organisation admitted that it had not obtained the consent of the individual to disclose his personal data. As such, I find that the Organisation did not have consent for the disclosure of the Personal Data Set in the manner, and for the purposes, that it did. 9. It is also clear to me that none of the exceptions to consent in the Fourth Schedule to the PDPA permit such disclosure. The purposes of the Organisation in making the public Facebook post were to warn others about the Affected Individual and to solicit information from the public on the whereabouts of the missing vehicle. These matters do not fall within any of the exceptions in the Fourth Schedule. 10. One question which may arise is whether the Organisation could have relied on the exception to consent in paragraph 1(i) of the Fourth Schedule. That exception permits an organisation to disclose an individual’s personal data without consent where it is necessary to do so in order for the organisation to recover a debt owed by the individual to the organisation. 
In my view, disclosure of the Personal Data Set via a public Facebook post would be too broad a disclosure and would not be necessary for the purpose of recovering a debt. Furthermore, disclosure of the scanned image of an NRIC (with all the data therein) in such a manner would neither be necessary nor appropriate. 11. As regards deemed consent, although the rental agreement between the Organisation and the Affected Individual did not expressly specify the purposes for which the Organisation could collect, use or disclose the Affected Individual’s personal data, the Affected Individual had provided his personal data to the Organisation for purposes relating to the rental of the motor vehicle and deemed consent under section 15 of the PDPA would apply in respect of such purposes. The scope of deemed consent permits the Organisation to use and disclose the Affected Individual’s personal data to other allied service providers as necessary to provide the primary service of motor vehicle rental. However, in my view, these purposes would not extend to permitting the Organisation to disclose his full NRIC details on social media for the purpose of warning others about the Affected Individual or soliciting information from the public on the whereabouts of the missing vehicle. Accordingly, deemed consent under section 15 of the PDPA does not apply to the disclosure in this case. 12. In light of the above, I find that the Organisation had disclosed the personal data of the Affected Individual without consent and is therefore in breach of section 13 of the PDPA. Conclusion 13. In assessing the appropriate enforcement action in this case, I took into account the following: (a) The Organisation’s prompt action to remove the Personal Data Set from the public Facebook page; (b) The number of individuals affected; and (c) The impact of the breach. 
14. Taking into account the factors listed above, I have decided to issue a warning to the Organisation for the breach of its obligation under section 13 of the PDPA. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,975a9880e3865b938caf22061b31d292c5d3e479,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"