_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,135,135,1,952,"A warning was issued to Barnacles Pte. Ltd. for failing to put in place reasonable measures to protect the personal data of individuals who had made dining reservations via its website; and retaining such personal data when it no longer had any legal or business purpose to retain it. As a result, the personal data of 149 individuals were accessible over the Internet.","[""Protection"", ""Warning"", ""Accommodation and F&B"", ""Dining reservations"", ""F&B""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Barnacles.pdf,Protection,Breach of the Protection Obligation by Barnacles,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-barnacles,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1904-B3652 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Barnacles Pte. Ltd. SUMMARY OF THE DECISION 1. Barnacles Pte Ltd (the “Organisation”) operates a website which enables its customers to make reservations to dine at its restaurant. For this purpose, it collected certain personal data from its customers such as their name, contact number, email address and date and time of their reservation, amongst other information (the “Personal Data”). However, when the Organisation developed its website, the Organisation did not instruct the vendor it appointed to develop the website to implement security arrangements to protect the Personal Data. The Organisation also made no effort to verify whether any security arrangements had been put in place by its appointed vendor. 
As a result, the Personal Data was accessible over the Internet, for example, if a search was made on a customer’s name using an Internet search engine. The Organisation ceased operations in January 2019 but continued to retain the Personal Data until May 2019, even though it did not have any legal or business purpose to retain the Personal Data other than to fulfil or decline its customers’ reservations. 2. Following a complaint against the Organisation in April 2019, the Personal Data Protection Commission found that the Personal Data of 149 individuals had been exposed to the risk of unauthorised disclosure as a result of the Organisation’s failure to make security arrangements to protect the Personal Data and/or to cease to retain the Personal Data once it no longer had any legal or business purpose to retain it. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of sections 24 and 25 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. ",Warning,ca4aa8642a9f0116f05bea853cfe7f4261e535a5,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,136,136,1,952,A warning was issued to ERGO Insurance Pte. Ltd. for failing to protect the personal data of its policyholders from unauthorised disclosure via its internet portal. The personal data of 57 policyholders were mistakenly disclosed to other insurance intermediaries.,"[""Protection"", ""Warning"", ""Finance and Insurance""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Ergo-Insurance.pdf,Protection,Breach of the Protection Obligation by ERGO Insurance,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-ergo-insurance,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION Case No. 
DP-1810-B2869 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ERGO Insurance Pte. Ltd. SUMMARY OF THE DECISION 1. ERGO Insurance Pte Ltd (the “Organisation”) is a general insurer and operates an internet portal (the “Portal”) which enables its insurance intermediaries, who are not the Organisation’s employees, to request for documents of policyholders represented by the intermediaries. These documents contain the policyholders’ personal data such as their names, addresses, car registration numbers, genders, nationalities, NRIC numbers, dates of birth and contact numbers (the “Personal Data”). 2. The Organisation voluntarily informed the Personal Data Protection Commission on 15 October 2018 that it had earlier discovered, on 11 September 2018, that some of its insurance intermediaries had been incorrectly sent documents of policyholders who were represented by other insurance intermediaries (the “Incident”). The Incident arose when some insurance intermediaries (the “Intermediaries”) requested for documents of policyholders which they represent through the Portal. However, the Organisation’s application and printer servers had been shut down for a scheduled system downtime and when they were restarted, the Organisation’s employees had failed to follow the correct restart process. They were supposed to start both servers at the same time but this was not done as the starting of the printer server initially failed. This resulted in documents with duplicate document IDs being generated and hence the wrong documents being sent to the Intermediaries. As a result of the Incident, the Personal Data of 57 individuals were mistakenly disclosed to the Intermediaries. 3. 
The Personal Data Protection Commission found that the Organisation did not have in place a clearly defined process to restart its application and printer servers and a sufficiently robust document ID generation process (such as including a timestamp as part of the document ID) to prevent the duplication of document IDs. In the circumstances the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. No directions are required as the Organisation implemented corrective measures that addressed the gap in its security arrangements. ",Warning,2eda8279b0e8c55d340038ea44d528dc61b77f48,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,137,137,1,952,"Financial penalties of $4,000 and $7,000 were imposed on Zero1 and XDel respectively for failing to put in place reasonable measures to protect the personal data of the subscribers of Zero1.","[""Protection"", ""Protection"", ""Financial Penalty"", ""Financial Penalty"", ""Information and Communications"", ""Information and Communications"", ""Mobile"", ""Telco"", ""Courier""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Zero1-and-XDel.pdf,"Protection, Protection",Breach of the Protection Obligation by Zero1 and XDel,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-obligation-by-zero1-and-xdel,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 37 Case No DP-1803-B1866 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Zero1 Pte. Ltd. XDEL Singapore Pte. Ltd. … Organisations DECISION Zero1 Pte. Ltd. XDEL Singapore Pte Ltd [2019] SGPDPC 37 Tan Kiat How, Commissioner — Case No DP-1803-B1866 16 September 2019. 
Background 1 Zero1 Pte. Ltd. (“Zero1”) is a Mobile Virtual Network Operator founded in 2017. In order to deliver its SIM cards to its customers, Zero1 contracted XDEL Singapore Pte Ltd (“XDEL”) for courier services. In the course of delivering the SIM cards, XDEL inadvertently disclosed the personal data of Zero1’s customers. Central to this case is the question of whether XDEL and Zero1 (collectively referred to as the “Organisations”) had made reasonable security arrangements to protect the personal data of Zero1’s customers pursuant to their obligations under the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 In March 2018, XDEL was appointed by Zero1 to deliver SIM cards to the latter’s subscribers. Zero1’s subscribers would register for mobile services using Zero1’s website. After their application had been processed, Zero1 would provide to XDEL the subscriber’s information (including the subscriber’s name, NRIC number, delivery address and contact number), the SIM card number and the subscriber’s preferred time of delivery. In the event that the customer had authorised another person to receive the SIM card on his or her behalf (an “authorised recipient”), the authorised recipient’s information (name, NRIC number, contact number and delivery address) would additionally be provided to XDEL. 3 Each Zero1 subscriber was provided with a unique URL link which would allow them to access a customised delivery notification webpage through which they could monitor the status of their SIM card delivery (the “notification webpage”). It was through the notification webpages that the information of the subscribers and authorised recipients (the “Personal Data”) was accessed. 4 The first batch of SIM card deliveries took place between 8 and 9 March 2018. 
333 URLs linking to notification webpages containing the Personal Data of 292 individuals were sent out in support of this first batch of deliveries. Investigations revealed that there was unauthorised access (“Unauthorised Access”) to 175 of the URLs which contained Personal Data. These URLs were accessed by 82 unique IP addresses over a span of about 34 hours, between 12 and 13 March 2018. 5 The Unauthorised Access was discovered after a post on an online forum thread warned other users not to reveal their Zero1 account numbers in public, indicating that it was possible to access another individual’s delivery notification if one was able to determine another subscriber’s membership number. The membership number of another subscriber was not difficult to determine as the membership numbers were generated in sequential order. 6 Further investigations uncovered the following causes leading to the unauthorised access of the Personal Data: (a) Each notification webpage URL comprised what XDEL called an “A code” and a “B code”. A sample notification webpage URL took the following form: “https://www.xdel.com/ib/?A=00000000&B=4CC5”. In this example, the A code is 00000000 and the B code is 4CC5. (b) The A code is a Zero1 subscriber’s membership number and also the consignment note value, which, as noted above, is a sequentially generated number. (c) The B code is the last 4 characters of a calculated code, generated using a SHA1 hash on the consignment note number, with a secret salt. The B code served as a confirmation code. It was meant to secure the URLs against unauthorised access. The webpage was supposed to return the delivery status only when the correct B code of 4-character length was presented. The calculated B code of 4 characters meant that it was unlikely that an individual would be able to guess the correct code based on the A code, as there would have been 65,536 possible combinations. 
(d) According to XDEL, the notification webpage system was developed in-house. In the course of investigations, XDEL admitted that its developer had failed to test for the scenario where a blank B code was presented. (e) If B codes containing fewer than 4 characters were presented, the system would only check that the partial code presented matched the ending characters of the correct code. As such, if someone guessed the A code of a subscriber (which, as mentioned above, was easy enough to do given that the A code is a sequentially generated subscriber number) and left the B code blank, the system would identify this as a correct code, and unauthorised access would be granted to the subscriber’s personal data. By altering the A code value, individuals could see another person’s delivery orders and their personal data. Accordingly, the Unauthorised Access would likely have been prevented if the system had been programmed to check the complete B code instead of a partial code. The Commissioner’s Findings and Basis for Determination The Relevant PDPA Provisions 7 In respect of this matter, the relevant provision is section 24 of the PDPA. Section 24 requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). Preliminary Issues 8 It is not disputed that the Personal Data is “personal data” as defined in section 2(1) of the PDPA. There is no question or dispute that the Organisations fall within the PDPA’s definition of an “organisation”. 9 It is also not disputed that the Protection Obligation applies to both Zero1 and XDEL: (a) The personal data of the Zero1 customers and the authorised recipients originated from Zero1 and was under Zero1’s possession and/or control. 
For this reason, Zero1 had the obligation under section 24 of the PDPA to protect the personal data of its customers and that of the authorised recipients. (b) XDEL was the data intermediary for Zero1. XDEL had entered into the “Service Agreement for the Provision of Domestic Courier Services” on 1 March 2018 (the “service agreement”). Pursuant to the agreement, XDEL was to provide for the storage of SIM cards, packing materials, and delivery service. Clause 11 of the Agreement stated that XDEL would “process the Personal Data” strictly for the purposes of providing the stated services to Zero1. This would necessarily encompass the processing of the personal data of Zero1’s subscribers for the purposes of delivery. By virtue of section 4(2) of the PDPA, XDEL had the same obligation under section 24 of the PDPA to protect the personal data of Zero1’s subscribers and that of the authorised recipients. 10 The key issue is therefore whether the Organisations had protected the Personal Data in their possession and under their control by making reasonable security arrangements to prevent unauthorised access and similar risks. Both Organisations failed to make reasonable security arrangements 11 After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, the Commissioner is of the view that both Organisations had failed to make reasonable security arrangements to protect the personal data in their possession and control, and both have thereby breached the Protection Obligation under section 24 of the PDPA. A. Breach of the Protection Obligation by Zero1 12 Zero1 was aware of the use of the notification webpage and had defined the type of information contained on the webpage. Presumably, Zero1 had assessed the necessity and risks of the personal data displayed on the notification webpage. 
Zero1 ought also to have satisfied itself that XDEL had put in place the reasonable security arrangements indicated in the service agreement, before allowing the webpage to be put into use. Zero1 failed to demonstrate it had done the above. It had relied entirely on the warranty with regard to data protection in the service agreement, as well as customer references provided by XDEL. 13 Reasonable security arrangements in this case would entail minimally making an effort to identify the possible risks and seeking assurance that the data intermediary had taken steps to protect against those risks. Unfortunately, Zero1 failed to do either. In fact, Zero1 was not even aware of the security arrangements undertaken by XDEL; neither did it make any effort to identify potential risks associated with the notification webpage. Zero1 has cited a lack of ability and expertise to audit XDEL’s notification webpage source code as a reason for not doing so. This cannot be a valid defence as what is required is not technical oversight but an identification of foreseeable risks, and then requiring XDEL to take reasonable measures to address them. The extent of Zero1’s due diligence in the circumstances did not require technical knowledge, but risk identification and assessment. For instance, Zero1 could have identified the risk as whether a stranger coming across the website would be able to make changes to it and retrieve a subscriber’s information; similarly, whether all information displayed on the notification page was necessary for the subscriber to monitor his SIM card delivery. Having articulated the risks, Zero1 ought to have worked with XDEL on assessing the likelihood of their occurrence, the impact on subscribers should the risk occur and what steps XDEL could propose that would be reasonably effective in preventing the occurrence of the identified
risks and, should they nevertheless occur, minimising the impact of the risks. This process does not require technical expertise on the part of Zero1, and allows it to rely on XDEL to provide the technical expertise during the risk assessment and mitigation discussion. 14 It is therefore assessed that Zero1 did not meet the standard of having reasonable security arrangements in place. B. Representations submitted by Zero1 15 Zero1 submitted its representations to the PDPC after a preliminary decision was issued: (a) Zero1 had taken measures to identify and mitigate potential risks. As Zero1 did not have technical capabilities in coding, cyber security or data encryption, it relied on XDEL’s declarations and assurances of its capabilities and track record. Zero1 also visited XDEL’s operation centre to audit its processes and was satisfied that there were no foreseeable risks; and (b) It is unreasonable to expect Zero1 to pinpoint the possible avenues by which personal data could be compromised. The Incident could not have been pre-empted by Zero1 without the relevant experience and technical knowledge. 16 Zero1 had previously highlighted that it lacks technical expertise and this has already been dealt with at paragraph 13 above. It should be pointed out that while Zero1 may have audited the operation centre, this does not detract from the matters raised in paragraph 12 above. 17 In relation to the 2nd point raised in paragraph 15(b), what was required is for Zero1 to have engaged XDEL on the security arrangements that it had put in place to protect the personal data on the notification webpage, including generating URLs using the membership number and the B code. This did not require technical expertise on the part of Zero1. It is in the failure to do so that the present breach is found. 
18 In the circumstances, the Commissioner maintained his finding that Zero1 is in breach of section 24 of the PDPA. C. Breach of the Protection Obligation by XDEL 19 XDEL created the notification webpage system knowing that it would be used to contain the personal data of Zero1 subscribers and their designated authorised recipients. 20 XDEL ought to have made reasonable security arrangements to protect the personal data from unauthorised access. The reasonable arrangements in this case include adequate testing to verify that the measures were correctly implemented. In this regard, XDEL had implemented the B code to prevent unauthorised access of the notification webpage. The B code would have prevented unauthorised access had it worked as intended. 21 However, while XDEL tested the notification webpages to make sure they could not be accessed with an incorrect B code, it failed to test for scenarios where the B code was absent or where an incomplete B code was used. Since the B code was, by design, a 4-character field, it would seem obvious that the module should have been designed to cater for the situation where the B code did not meet this condition and thereafter tested for this scenario. Given that the B code was crucial to the verification of the user and granting the user access to the user’s personal data, tests should have been conducted to ascertain the behaviour of the webpage in the absence of the B code. Its failure to do such tests rendered its efforts to reasonably secure the Personal Data hosted on the notification webpage insufficient. 22 Accordingly, it is assessed that XDEL, like Zero1, did not meet the standard of having reasonable security arrangements in place. XDEL’s failure to meet this standard is more serious than that of Zero1, given that XDEL was the party that was responsible for the webpage notification system that failed. D. 
Representations by XDEL 23 XDEL submitted representations to the PDPC on the quantum of the financial penalty only. It asked for a reduction of the financial penalty quantum as it had recently incurred expenses to relocate to new premises. As this is not a mitigating factor or relevant in determining the financial penalty quantum, the Commissioner has decided to maintain the initial financial penalty quantum. Given its current cash flow considerations, the Commissioner has varied his directions to XDEL, as set out below, to allow XDEL to pay the financial penalty in instalments. The Commissioner’s Directions 24 Having found the Organisations to be in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisations such directions as he deems fit to ensure compliance with the PDPA. 25 In determining the appropriate directions to be imposed on each of the Organisations, the Commissioner has taken into account the following aggravating factors: (a) The Personal Data disclosed, which included the personal addresses of the subscribers and authorised recipients, as well as their NRIC numbers, was sensitive in nature. (b) Approximately 292 individuals were affected by the unauthorised access. 26 The following mitigating factors have also been taken into account: (a) Zero1 voluntarily notified the PDPC that the Personal Data of the subscribers and authorised individuals had been breached. (b) XDEL acted swiftly to rectify the notification webpage system. By 13 March 2018, it had modified the code checking function on the webpage to check for the length of the confirmation code, thereby correcting the technical vulnerability. XDEL also added an “alert trigger” that would notify its IT department if an IP address entered 3 or more consecutive wrong codes, as an additional control to prevent any further unauthorised access. 
27 Having considered all the relevant factors of the case, including the relative responsibilities and culpabilities of both organisations, the Commissioner hereby makes the following directions: (a) Zero1 is to pay a financial penalty of $4,000.00 within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount until the financial penalty is paid in full; and (b) XDEL is to pay a financial penalty of $7,000.00 in 3 instalments as set out below, failing which the full outstanding amount shall become due and payable immediately and interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full: (i) 1st instalment of $2,500 within 30 days from the date of the Commissioner’s direction; (ii) 2nd instalment of $2,500 within 60 days from the date of the Commissioner’s direction; and (iii) 3rd instalment of $2,000 within 90 days from the date of the Commissioner’s direction. 28 Given the remediation efforts undertaken by the Organisations, no further directions relating to the breach itself are issued. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ","Financial Penalty, Financial Penalty",f6fb3aeaa2483b2aa1c8060f6e827d7401bf887c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,138,138,1,952,"A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors and for not developing and implementing data protection policies and practices necessary to ensure its compliance with PDPA.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Education"", ""Tuition""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Advance-Home-Tutors.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Advance Home Tutors,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-and-accountability-obligations-by-advance-home-tutors,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 35 Case No DP-1806-B2218 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Advance Home Tutors … Organisation DECISION Advance Home Tutors [2019] SGPDPC 35 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2218 12 September 2019 Facts of the Case 1 On 7 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of many individuals had apparently been disclosed without authorisation on the Organisation’s website, www.advancetutors.com.sg (the “Website”). Upon investigation, the Commission found the following facts leading to this apparent unauthorised disclosure of personal data. 
2 The Organisation is a sole proprietor who provides “matching services” through the Website between freelance tutors and prospective clients seeking tuition services. 3 In January 2017, the Organisation engaged a freelance web developer based in the Philippines (the “Developer”) to provide the following services: (a) to design and develop the Website; and (b) to migrate the existing databases and files of the Organisation’s old website to the Website. 4 At that point in time, 834 freelance tutors had signed up with the Organisation and some of these tutors had chosen to upload their educational certificates to the Website’s server (the “Server”) via the Website. These certificates would be used by the Organisation to evaluate the suitability of the tutors for prospective jobs. In addition, copies of a tutor’s certificates were to be disclosed on the tutor’s public profile on the Website if the tutor consented to such disclosure. Out of the tutors who had uploaded educational certificates, a total of 152 tutors (the “Affected Individuals”) had not consented to disclosure of their educational certificates on their public profile. 5 The Developer subsequently migrated the educational certificates of the tutors who had uploaded them to the Website and stored them in an image subdirectory of a public directory found on the Server (the “Image Directory”). These directories were not secured with any form of access controls and were accessible by the public via the Internet if the path to the relevant directory was typed into a web browser. Furthermore, no measures were taken to prevent automatic indexing of the Image Directory by Internet search engines. This resulted in the contents of the Image Directory, including the educational certificates of the Affected Individuals, showing up in search results on Google after the Website went live on 17 October 2017. 
6 On 6 April 2018, the Organisation instructed the Developer to make certain changes to the Website in order to disclose the educational certificates of consenting tutors on their public profile pages on the Website. The Organisation provided written instructions to the Developer to “migrate all existing tutor profiles from the [old website] to the [Website]”, and to “impose all pre-existing conditions in the [old website] to the [Website] when migrating the tutors”. According to the Organisation, one of the pre-existing conditions of the old website was to only disclose educational certificates of tutors who had consented. 7 The Organisation also represented that it had provided the following verbal instructions to the Developer: (a) to “hide the educational certificates of tutors who did not give consent”; (b) to “respect and protect the privacy and confidentiality of all the data that is present in AHT website”; (c) it “should not disclose or share any of the personal data or AHT Admin user account details with a third party”; and (d) to “ensure users’ data is protected as AHT had entrusted them for the purpose of IT services”. 8 Acting on the Organisation’s instructions, the Developer wrote a script to enable the retrieval and display of the educational certificates from the Image Directory. However, the script lacked a validation condition to ensure that only the educational certificates of tutors who had consented to disclosure were displayed on the tutors’ profile pages on the Website. This resulted in all of the educational certificates found in the Image Directory, including those of the Affected Individuals, being retrieved and publicly disclosed on the Website through the tutors’ respective profile pages. 
9 The disclosure of the Affected Individuals’ educational certificates (described at [5] and [8] above) resulted in the unauthorised disclosure of their personal data found on their respective educational certificates (the “Incident”). The disclosed personal data included data such as the individual’s name and NRIC number, educational institutions attended and grades attained for each subject (the “Disclosed Data”). 10 Separately, during the Commission’s investigations, the Organisation admitted that it had not developed or implemented any data protection policies relating to its compliance with the Personal Data Protection Act 2012 (the “PDPA”). Remedial measures taken by the Organisation 11 After being notified of the Incident, the Organisation took the following steps to mitigate the effects of the breach and to prevent its recurrence: (a) deleted all the educational certificates that were stored in the Image Directory; (b) ceased retention of any educational certificates received from the tutors; (c) requested Google to remove any cached copies of the educational certificates from the Image Directory; (d) conducted a penetration test to discover and address any gaps in its security arrangements in respect of the Website and its server; (e) removed all front-end access to the “Search Tutor” and “Tutor Profile” pages of the Website; (f) engaged an external system analyst to check the work which may be performed by the Developer in future; and (g) developed a data protection policy. Findings and Basis for Determination Whether the Organisation had breached section 24 of the PDPA 12 Although the Organisation had engaged the Developer to provide various services, the Organisation retained possession and control over the Disclosed Data at all material times. 
It was responsible for the security arrangements to be implemented on the Website and its back-end system, as well as to protect the Disclosed Data.
13 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal and similar risks.
14 To determine whether the Organisation was in breach of section 24, the relevant question is whether it had put in place reasonable security arrangements to safeguard the Disclosed Data hosted on the Website and its Server. As the Disclosed Data included the NRIC numbers of the tutors concerned, it should be borne in mind that NRIC numbers are of special concern as they are “a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual” [fn 1]. Further, the Commission’s Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers (issued 31 August 2018) at [2.4], albeit not effective at the time of the breach, points to the risks and potential impact of any unauthorised use or disclosure of personal data associated with an individual’s NRIC; and the expectation that organisations are to provide a greater level of security to protect NRIC numbers in its possession or control.
15 As the Organisation had engaged the Developer to develop the Website, the onus is on the Organisation to ensure that its security requirements for the Website and Server will be and have been met by the Developer.
[fn 1]: Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 at [19]
As part of this, the Organisation could have done the following [fn 2]: (a) emphasised the need for personal data protection to the Developer by making it part of the written contract; (b) when discussing the Developer’s scope of work, required that any changes the Developer made to the Website did not contain vulnerabilities that could expose the personal data, and to discuss whether the Developer had the necessary technical and nontechnical processes in place to prevent the personal data from being exposed, accidentally or otherwise; and (c) tested the Website before any new changes went live to ensure that the Organisation’s instructions to the Developer were properly implemented and that the Website was sufficiently robust and comprehensive to guard against a possible cyberattack.
16 The Organisation admitted to the Commission that “there was a lack of technical expertise within Advance Home Tutor to protect personal data”, including the lack of expertise “on how to make the technical assessment and ensure that the assessment is robust enough for adequate protection for personal data”. This is also evident from the fact that the Organisation had required the Developer to migrate the information of its then-existing tutors from the old website to the Website “with the exact same conditions imposed” on the old website, without having any idea of how its old website had been configured.
[fn 2]: Further information on the steps that the Organisation should have taken when outsourcing the development of its Website may be found in the Commission’s Guide to Building Websites for SMEs.
17 Similar to Re Tutor City [2019] SGPDPC 5 (“Tutor City”), the Organisation also did not: (a) communicate any specific security requirements to the Developer to protect the personal data stored on the Server; (b) make reasonable effort to find out and understand the security measures implemented by the Developer for the Website; (c) attempt to verify that the security measures implemented had indeed “respect[ed] and protect[ed] the privacy and confidentiality of all the data that is present on the Website” to the extent expected by the Organisation; and (d) conduct any reasonable security testing (e.g. penetration tests).
18 To be clear, the lack of knowledge on the PDPA or expertise in the area of IT security is not a defence against the failure to take sufficient steps to comply with section 24 of the PDPA. There were resources, including the guides published by the Commission, and skilled personnel available that the Organisation could have relied on to increase its knowledge in the relevant areas or to assist it in complying with its obligations under the PDPA.
19 Related to the above, I note that the Organisation’s purported instruction to the Developer to “respect and protect the privacy and confidentiality of all the data that is present on the Website” does not constitute a security measure. The Organisation should have reviewed the security standard implemented on the Website and provided its Developer the intended use cases and identify foreseeable risks [fn 3].
20 More generally, although the Organisation asserted that it had provided verbal instructions to the Developer (see [7] above), these have not been substantiated by any evidence. According to the document entitled “Project Scope” entered into between the Organisation and the Developer, there was no specification relating to the security arrangements that the Developer was required to design into the Website and its back-end system.
The Organisation ought to have entered into a written agreement with the Developer that clearly stated the standard of compliance that the Organisation expected its Website and Server to have with the PDPA, and the Developer’s responsibilities in this regard.
21 As regards security testing, while the Organisation had conducted some testing of the Website from the functionality perspective, i.e., to verify that certificates of consenting tutors were disclosed on their profile pages, it did not check the profile pages of non-consenting tutors to ensure their certificates were not disclosed. It also did not check if the Website contained any other vulnerabilities that posed a risk to the personal data hosted on the Server. Had the Organisation done a proper security test, the lack of access controls for the certificates hosted on the Image Directory and the unauthorised disclosure of the certificates of non-consenting tutors on their profiles would have been apparent. It would then have been able to take the necessary steps to rectify these security issues. That said, I understand that the Organisation has, since the Incident, procured the Developer to conduct a penetration test and resolve the high risk issues identified by it.
[fn 3]: Re Tutor City [2019] SGPDPC 5 at [18]
22 As regards the lack of access controls, it has been observed in Tutor City (at [21] to [23]) that technical measures are available that prevent indexing of images by web crawlers, viz:
23 (a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. (b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. (c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder.
This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). In view of the above, I find the Organisation in breach of section 24 of the PDPA.
Role of the Developer
24 The Developer’s role in data migration constitutes “processing” within the meaning of the PDPA. One of the causes for the breach of the protection obligation may be traced to the migration of educational certificates to the Image Directory which was publicly accessible and could be indexed by search engines: see discussion at [4] above. As the Developer is in, and supplied the Services from, the Philippines, I intend to refer this aspect of the case to the Philippines National Privacy Commission.
Whether the Organisation had breached section 12 of the PDPA
25 Section 12 of the PDPA requires an organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA. Although the Organisation is a sole proprietorship with no employees, it collects a significant amount of personal data from the tutors and clients seeking tuition services via the Website. As such, it is required to have an external data protection policy which sets out its practices relating to such personal data and the purposes for which the tutors’ and students’ personal data are collected, used and disclosed by the Organisation.
26 In view of the Organisation’s admission that it had not developed and implemented any such policies, I also find the Organisation in breach of section 12 of the PDPA.
Representations by the Organisation
27 In the course of settling this decision, the Organisation made representations to waive the imposition of a financial penalty for the following reasons: (a) The Organisation is a small home business which does not generate much revenue.
If the proposed financial penalty is imposed, the Organisation would take 5 to 6 years to recover the financial penalty amount based on its annual revenue; (b) As a sole proprietor, the Organisation’s director neglected operational duties of the business in order to assist the Commission with the investigations into the Incident. This resulted in a significant drop in the Organisation’s annual revenue in 2018 and its revenue has yet to recover; (c) The Organisation incurred significant costs in undertaking remedial and preventive actions following the Incident; (d) This is the first time a data breach involving the Organisation has occurred; and (e) The Organisation compared the present case to Tutor City with similar facts where only a warning had been issued taking into account the number of affected individuals, the type of and duration for which personal data was at risk, and the remedial actions taken.
28 While accepting full responsibility for its breach of Section 12, the Organisation also asserted in its representations that based on the grounds of decision of Tutor City, it “…implicitly understood that [Tutor City] also had no policies and practices meeting the PDPA obligations set in place. However, they were not found in breach of the Section 12”.
29 With respect to the Organisation’s representations comparing the present case to Tutor City, I would like to emphasize that my decision is based on the unique facts of each case. While the facts may appear similar in 2 cases, my decision in each case takes into consideration the specific facts of the case and the totality of the circumstances so as to ensure that the decision and direction(s) are fair and appropriate for that particular organisation.
In this regard, I would highlight that Section 12 of the PDPA was never an issue of concern in Tutor City as the organisation in question did, in fact, have the requisite policies and processes. Accordingly, this is not a point that would need to be reflected in Tutor City. Unlike Tutor City, I have decided that a financial penalty is warranted in this case because the Organisation has been found in breach of Sections 12 and 24 of the PDPA, and there was a larger number of individuals’ personal data at risk in the present case. I have also taken into consideration the fact that the duration for which personal data was at risk in the present case is significantly shorter than Tutor City.
30 Having carefully considered the representations, I have decided to reduce the financial penalty to $1,000. The quantum of financial penalty has been calibrated after due consideration of the Organisation’s financial circumstances and to avoid imposing a crushing burden on the Organisation. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases.
Outcome
31 In assessing the breaches and determining the directions to be imposed on the Organisation in this case, I also took into account the following mitigating factors: (a) the Organisation fully cooperated with the Commission’s investigations; and (b) the Organisation took prompt action to mitigate the effects of the breaches and prevent reoccurrence of similar breaches.
32 In consideration of the relevant facts and circumstances of the present case, I hereby direct the Organisation: (a) to put in place a data protection policy to comply with section 12 of the PDPA within 60 days of this direction; (b) to inform the Commission within 7 days of implementing the above; and (c) to pay a financial penalty of $1,000 within 30 days from the date of this direction failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full.
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,6d5126ad62fbafa12fb94c50aff6b767e9edb84c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,139,139,1,952,"Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. 
Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes.","[""Consent"", ""Notification"", ""Financial Penalty"", ""Admin and Support Services"", ""Finance and Insurance""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Amicus-Solutions-Pte-Ltd---Another.pdf,"Consent, Notification",Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-consent-and-notification-obligations-by-amicus-solutions-and-a-financial-consultant,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 33 Case No DP-1610-B0290 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Amicus Solutions Pte. Ltd. (UEN No. 201534661R) (2) Ivan Chua Lye Kiat … Organisations DECISION Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Tan Kiat How, Commissioner — Case No DP-1610-B0290 30 August 2019
1 The Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised collection and use of personal data to market financial products. Investigations were commenced into the alleged unauthorised sale and disclosure of personal data by a data broker and the unauthorised collection and use of the personal data for telemarketing purposes. Upon conclusion of investigations and consideration of the totality of evidence, the Commissioner found Amicus Solutions Pte. Ltd. (“Amicus”) and Mr Ivan Chua Lye Kiat (“Mr Chua”) to be in breach of the Personal Data Protection Act 2012 (“PDPA”) for the reasons set out in these grounds. 
Material Facts
2 An independent life insurance brokerage company (the “Insurance Brokerage”) appointed Mr Chua as a financial adviser director to provide financial advisory services and to market financial products distributed by the Insurance Brokerage to prospective clients in accordance with the terms set out in a Financial Adviser Representative Agreement. He oversees a team of financial adviser representatives. Their main products are Eldershield related insurance policies targeted at individuals over 40 years old.
3 It is undisputed that Mr Chua and the financial adviser representatives in his team are not employees of the Insurance Brokerage but independent agents. As independent agents, they receive a commission for each sale but are not in an employer-employee relationship with the Insurance Brokerage nor are they entitled to any employee benefits such as employer Central Provident Fund contributions and/or medical benefits.
4 One of Mr Chua’s primary roles as a financial adviser director is to seek out new customers. Mr Chua mainly relied on referrals from existing customers but he also engaged telemarketers to make cold calls to potential customers. These telemarketers are independently sourced with no assistance of or referrals from the Insurance Brokerage; telemarketers are directly engaged by Mr Chua or the financial adviser representatives in his team.
5 Amicus is an organisation that provides business and consultancy management services and claims to be able to provide business opportunities and marketing plans with its database. It claims to have 1.8 million contacts which it markets as being in compliance with the PDPA and the Personal Data Protection (Do Not Call Registry) Regulations 2013.
Aside from the sale of data, Amicus also offers a range of services such as purchasing property ownership information (including caveats) on behalf of property agents, data mining and Do Not Call (“DNC”) Registry scrubbing services.
6 During investigations, Mr Chua was upfront in admitting that he had purchased telemarketing leads from Amicus both before and after 2 July 2014, the date when Parts III to VI of the PDPA (“Data Protection Provisions”) came into effect (the “Appointed Day”). Mr Chua represented that before the Appointed Day, Amicus sold personal data (including the individual’s name, mobile number, gender and birthday) at S$0.50 to S$1.00 per record. After the Appointed Day, the products that were offered by Amicus changed. The previous product was no longer offered but it now offered different products. For Mr Chua’s commercial purposes, the product that he was interested in was the sale of telephone numbers of individuals above 40 years old (which was his team’s target demographic), each of which was sold for between S$0.01 to S$0.02.
7 Mr Chua provided two datasets that he claimed to have purchased from Amicus after the Appointed Day. The information disclosed in these datasets is set out below:
List 1 (11,384 records): partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth (for those that did not include a partial NRIC number) [fn 1]; gender; and mobile phone number.
List 2 (10,074 records): partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth; gender; and mobile phone number.
[fn 1]: Amicus admitted that the information it sold to Mr Chua included partial NRIC numbers (i.e. the first 4 digits) but denied that the information contained the individuals’ date of birth.
8 Telemarketers engaged by Mr Chua and his team relied on the information in these datasets to help generate leads and sales for the team by making cold calls to the individuals in the datasets. Mr Chua informed the Commission that Amicus had sold both Lists 1 and 2 to him and confirmed that he did not purchase such lists from any other source at the time. While Amicus admitted that it sold Mr Chua two datasets, it disputed Mr Chua’s account that both Lists 1 and 2 were sold to him after the Appointed Day. By Amicus’ account, it only sold Mr Chua one dataset after the Appointed Day though it was unable to identify which of the two lists (i.e. Lists 1 and 2) it had sold to Mr Chua.
9 In the course of the investigations, Amicus also admitted to selling the following dataset to another individual on another occasion after the Appointed Day at S$0.10 per record:
List 3 (1,200 records): age; gender; and mobile phone number.
10 However, Amicus denied any wrongdoing in selling the datasets with the type of personal data found in Lists 1, 2 and 3 (the “datasets”) as it contended that the information in the datasets was not personal data to begin with. It also argued that the information in the datasets was publicly available data that it collected from public sources such as Government Gazettes and records of the Singapore Land Authority (“SLA”) and the Accounting and Corporate Regulatory Authority (“ACRA”), and the information in the datasets was collected before the Data Protection Provisions came into effect on the Appointed Day.
11 During investigations, Amicus was unable to give a satisfactory explanation regarding the source of the information in the datasets.
Investigations were not able to establish with any degree of certainty when the lists were compiled or obtained, nor where the lists were sourced from. [Redacted] (replaced with Mr L), who is in charge of the day-to-day operations of Amicus, gave evidence on behalf of Amicus and initially claimed that the personal data was obtained from publicly available sources. However, he subsequently claimed that the personal data was obtained from organisers of surveys, meetings and seminars as well as call centres but was unable to name any of the seminars or meetings from which Amicus had purportedly collected the information or the organisations that conducted the surveys or operated the call centres when queried. Thereafter, he claimed that the personal data was obtained from telemarketing and Multi-Level Marketing (“MLM”) companies, though he was again unable to name any of these companies, nor provide any proof of purchase. Finally, upon further questioning, Amicus represented that the information in the datasets was actually collected before the Appointed Day. He confirmed that he did not collect personal data found in the datasets from publicly available sources.
Number of datasets sold
12 As a preliminary issue, while Amicus and Mr Chua disagreed over the number of datasets that Amicus sold Mr Chua after the Appointed Day (see paragraph 8 above), an evaluation of the evidence in its entirety shows Mr Chua’s evidence to be more credible for the following reasons: (a) Mr Chua offered the two lists that he claimed to have purchased from Amicus after the Appointed Day even though it was to his detriment. The Commission had commenced investigations on the basis of information provided by a complainant who had requested for anonymity. At the time Mr Chua volunteered the two lists, he was only aware that a complaint had been made against him but was not aware of the information which was provided to the Commission.
Hence, the fact that he volunteered information that he knew could be detrimental to himself spoke to his openness and willingness to cooperate with investigations; (b) although both lists were not dated and he was unable to produce any receipts, Mr Chua was able to produce a screenshot of an email dated 22 March 2016 containing List 1 from one [Redacted] (replaced with Mr N) from Amicus; (c) both Lists 1 and 2 only contain partial NRIC numbers, partial date of births, gender and mobile phone numbers. They did not contain names of the individuals. The evidence is that Amicus only started selling lists without names after the PDPA came into effect. Before the PDPA came into effect they sold lists with full names and these lists were more valuable than those sold after the PDPA came into effect. Given that Lists 1 and 2 do not contain full names, it is more likely than not that both these lists were sold after the PDPA came into effect; and (d) Mr Chua was very cooperative throughout the investigation and there was no evidence to suggest that he had been anything less than forthcoming.
13 In contrast, as described in paragraph 11 above, Amicus had prevaricated during investigations and was unable to give a satisfactory explanation regarding the source of the information in the datasets and was unable to provide any documentary evidence on the dates Lists 1 and 2 were sold. Further, Amicus appeared to have intentionally limited the documentary trail in respect of the sale of Lists 1 and 2. According to Mr Chua, despite allowing its clients, including Mr Chua, to pay for its DNC scrubbing services by cheque, Amicus required cash payment for the lists. Amicus confirmed that it required Mr Chua to pay cash. It is suspicious that a company that has two commercial transactions with the same customer will allow payment for one by cheque but require payment by cash for the other. This conduct is less than straightforward.
The reason provided by Amicus for requiring cash payment was that Amicus needed Mr Chua to verify the data in person. The reason provided does not in any way explain why Amicus could not accept cheque payments from Mr Chua when he collected the lists in person.
14 For the foregoing reasons, the following assessment is based on Mr Chua’s evidence that Amicus had sold him two datasets (i.e. Lists 1 and 2) after the Appointed Day.
Findings and Basis for Determination
15 The issues for determination are: (a) whether the information disclosed in the Lists constituted personal data; (b) whether Amicus had collected, used and/or disclosed personal data without consent and/or notification; and (c) whether Mr Chua used and/or disclosed the personal data without consent and/or notification.
Whether the information disclosed constituted personal data
16 Section 2(1) of the PDPA defines “personal data” to be data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
17 The information disclosed in all three datasets is as follows:
List 1 (11,384 entries): partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth (for those that did not include a partial NRIC number) [fn 3]; gender; and mobile phone number.
List 2 (10,074 entries): partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth; gender; and mobile phone number.
List 3 (1,200 entries): age; gender; and mobile phone number.
[fn 3]: Amicus admitted that the information it sold to Mr Chua included partial NRIC numbers (i.e. the first 4 digits) but denied that the information contained the individuals’ date of birth.
18 As mentioned at paragraphs 11 and 12 above, although Amicus admitted that it sold datasets containing individuals’ mobile phone numbers, age range and gender, it contended that no personal data was disclosed in the datasets because it was “sufficiently anonymised”. The datasets did not disclose the individual’s name, NRIC number, address or any unique personal information but only included truncated NRIC numbers (i.e. only the first 4 digits) and dates of birth (i.e. only the month and year of birth).
19 There are certain types of information that are unique identifiers, which are capable of identifying an individual in and of themselves. The Advisory Guidelines on Key Concepts in the PDPA sets out a non-exhaustive list of information that the Commission generally considers to be unique identifiers (at [5.10]): (a) Full name; (b) NRIC number or FIN (foreign identification number); (c) Passport number; (d) Personal mobile telephone number; (e) Facial image of an individual (e.g. in a photograph or video recording); (f) Voice of an individual (e.g. in a voice recording); (g) Fingerprint; (h) Iris image; and (i) DNA profile.
20 In Re My Digital Lock Pte Ltd [2018] SGPDPC 3 (at [11]), the Commission observed that information will generally only be considered to be a unique identifier if there is a one-to-one relationship between the information and the individual, i.e. the information is not typically associated with more than one individual: There are certain types of information that in and of themselves are capable of identifying an individual. The Advisory Guidelines on Key Concepts in the PDPA (revised on 27 July 2017) (“Key Concepts Guidelines”) at [5.10] provides a list of information that is considered to be capable of doing so.
While such information is capable of identifying an individual, it does not necessarily mean that anyone in possession of the information will be able to do so. The touchstone used to compile the list is the one-to-one relationship of the information and the individual. Information on the list is not typically associated with more than one individual, either scientifically (eg biometric signature and DNA profile), by convention (eg NRIC number) or as a matter of social norms (eg personal mobile phone number). [Emphasis added.]
21 The lists were sold for the purpose of generating leads for the sale of Eldershield and other personal insurance policies. A natural inference is that the mobile numbers in the lists were personal mobile numbers. As a personal mobile phone number is generally tied to an individual subscriber who uses it as his/her individual contact number to the exclusion of others, it is prima facie personal data given its one-to-one relationship.
22 The “redacted” or truncated NRIC numbers in the datasets do not conform to the Commission’s published advisory guidelines on redaction of NRIC numbers which are designed to minimise the risk of re-identification. On the contrary, the key piece of information that the “redacted” NRIC number was intended to convey was the age of the person that it is associated with given that it is well known that the first 4 digits of the NRIC discloses the year of registration (and accordingly, the age) of the individual. It is trite that NRIC numbers are the same as Birth Certificate numbers that are assigned upon registration of birth, which has to take place within x days/weeks of birth. Hence, there was every intention to convey information about the year of birth of the individual associated with the personal mobile phone number.
23 Accordingly, although the information disclosed in the datasets did not include the names of the individuals, the information is still personal data as defined in section 2(1) of the PDPA because the individuals in List 1 and 2 were identifiable directly or indirectly through their year of birth and personal mobile numbers.
24 Likewise, the individuals in List 3 were directly identifiable through their personal mobile phone numbers.
Whether the Organisations breached section 13 and/or section 20 of the PDPA
25 As the PDPA defines “organisation” to include “any individual, company, association or body of persons, corporate or unincorporated”, each of Mr Chua and Amicus is an organisation under the PDPA. As mentioned in Re Spring College International [2018] SGPDPC 15 (at [10]), the PDPA adopts a consent-first regime and the concepts of notification of purpose and consent are closely intertwined. Pursuant to section 13 of the PDPA, unless an exception to consent is applicable, organisations are generally required to obtain the consent of an individual before collecting, using and/or disclosing the individual’s personal data (“Consent Obligation”). Consent must be obtained from the individual with reference to the intended purpose of the collection, use or disclosure of the personal data. The organisation’s collection, use and disclosure of personal data are limited to the purposes for which notification has been made to the individuals concerned. In this regard, organisations have an obligation under section 20 of the PDPA to inform individuals of the purposes for which their personal data will be collected, used and/or disclosed, on or before collecting the personal data in order to obtain consent (“Notification Obligation”).
26 As observed in Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1 (at [13]), the buying and selling of leads that comprise personal data of individuals are activities that fall under the scope of the PDPA: The PDPA governs the collection, use and disclosure of personal data by organisations. Given that the leads which the Respondent had purchased or sold comprised of personal data of individuals, these were activities that fell under the scope of the PDPA. In respect of the purchase of leads by the Respondent, in which the Respondent acquired personal data from the seller of the transaction, this amounted to a “collection” of personal data under the PDPA by the Respondent. In respect of the sale of leads by the Respondent, in which the Respondent provided personal data to the buyer of the transaction, this amounted to a “disclosure” of personal data under the PDPA by the Respondent. [Emphasis added.] Amicus 27 As the organisation with possession and control in respect of the personal data in the datasets that it compiled and sold, Amicus has a duty to comply with the data protection obligations under the PDPA, specifically the Consent and Notification Obligations. However, Amicus contended that it was not necessary for it to obtain consent or to notify individuals before selling the datasets because, among other things4: (a) the information was collected before the Consent and Notification Obligations came into force; or (b) the information was publicly available. 28 As stated above, Amicus had been prevaricating during investigations without providing a clear and consistent explanation as to when and how the personal data in the Lists were obtained, nor their source. Taking its case at the highest, the following analysis takes each of these possible defences separately as each, if successful, can stand independently. 
Personal data collected before the Appointed Day 29 One of Amicus’ main defences was that the information in the datasets was collected before the Data Protection Provisions came into force and Amicus was therefore not subject to the Consent and Notification Obligations in relation to the personal data that it collected, used and/or disclosed. Section 19 of the PDPA allows organisations to continue to use personal data collected before the Appointed Day for the same purposes for which the personal data was collected without obtaining fresh consent, unless consent for such use is withdrawn. As such, it may be possible for an organisation to continue using personal data that was purchased or obtained before the Appointed Day without consent or notification if such use falls within the purposes of collection, provided that there was no indication that the individual did not consent to the continued use5. 30 However, section 19 of the PDPA only covers the use of personal data collected before the Appointed Day and not the disclosure of personal data. As was held in Re Sharon Assya Qadriyah Tang (at [22] and [23]), the grandfathering provision in section 19 of the PDPA would not apply to instances where the organisation had been selling personal data before the Appointed Day, and continued to sell personal data after the Appointed Day: However, in this case, the Respondent went beyond using the personal data for her own telemarketing purposes, and proceeded to sell personal data to third parties. The “grandfathering” provision only permits the continued “use” of personal data for the purposes for which the personal data was collected. 
4 Amicus also argued that it was not required to obtain consent and notify the individuals before selling the datasets because the information contained in the datasets are not personal data. We refer to our findings on this issue at paragraphs [18] to [24] above.
Such “use” does not extend to “disclosure” of personal data unless, as set out at paragraph 23.1 of the Advisory Guidelines, the disclosure “is necessarily part of the organisation’s use of such personal data”. In the case of the sale of personal data, the disclosure of personal data is the main activity being carried out, and is not incidental to any of the organisation’s own uses of the personal data. Thus, it is not a disclosure “that is necessarily part of the organisation’s use of such personal data”. The Commission has stated this position in its Advisory Guidelines as an example: Organisation XYZ has been selling databases containing personal data. This would be considered a disclosure of personal data and not a reasonable existing use under section 19. After the appointed day, XYZ needs to ensure that consent has been obtained before selling these databases again. [Emphasis added.] Consequently, the grandfathering provision would not apply to the instances where the Respondent had been selling personal data before the Appointed Day, and continued to sell personal data after the Appointed Day. In respect of personal data that was not sold before the Appointed Day, it is all the more so that the Respondent cannot rely on the grandfathering provision, because there was never an existing practice of selling the personal data in the first place, and hence there is no “use” to be carried on in respect of the personal data. [Emphasis added.] 31 Moreover, even if Amicus had collected the personal data before 2 July 2014 for a purpose that permitted it to disclose by way of sale, it would have had to obtain fresh consent for such purposes of disclosure after the Appointed Day. Needless to say, Amicus was not able to provide evidence of either during the course of investigations. 
5 Re Sharon Assya Qadriyah Tang (at [20])
As mentioned at paragraph 11 above, Amicus was unable to satisfactorily explain the source of the personal data in the datasets. During the course of the investigation, Amicus first claimed that the information was collected from surveys, meetings and seminars, but subsequently represented that it was collected from telemarketing and MLM companies. Nevertheless, even if the individuals had provided their personal data during surveys or at meetings and seminars, or even if the personal data was collected from telemarketing or MLM companies, Amicus did not provide any evidence that the individuals concerned had provided fresh consent after the Appointed Date for their personal data to be disclosed by way of sale to telemarketers. In this regard, Amicus acknowledged that it could have sought consent given that it possessed the individuals’ full NRIC numbers and personal mobile phone numbers but conceded that it did not do so. 32 In the circumstances, there was a clear breach of the Consent and Notification Obligations under the PDPA in respect of Amicus’ sale of the datasets containing personal data after the Appointed Day. Publicly available exception 33 The alternate defence that Amicus raised during the investigations, but which it subsequently dropped, was that the information in the datasets was publicly available information obtained from public sources, such as records of registered doctors, lawyers and engineers published on Government Gazettes, and records from SLA and ACRA. The PDPA sets out an exception for the collection, use and disclosure of personal data that is publicly available.6 However, by Amicus’ own admission, the Government Gazettes only contained the names and organisations of certain individuals, which did not form part of the information that was found in the datasets it sold after the Appointed Day. 
Representations by Amicus and an affiliated company 34 Amicus and an affiliated company, Ilied.com Pte. Ltd. (“Ilied”), submitted written representations to the Commission (the “Representations”) after Amicus received a copy of the Preliminary Decision. The Representations were signed off by Mr L. In the Representations, Ilied and Amicus raised the following three points: (a) Ilied was the organisation that sold the datasets, and not Amicus; (b) List 1 was transacted before the Appointed Day; and (c) The datasets did not contain personal data as they had been truncated and anonymised, and further, that personal mobile phone numbers are not personal data per se. The identity of the organisation which sold the datasets 35 The Representations enclosed two invoices issued by Ilied in support of the assertion that it was Ilied which had sold the data (the “Invoices”). The first Invoice, for the sum of $1,900, was dated 25 June 2014 and was issued for “Leads Born 1973, 1975”. The second Invoice, for the sum of $1,138, was dated 22 March 2016 and was issued for “Data Sales”. 36 Ilied is an affiliate of Amicus and together with Amequity Solutions Pte Ltd (“Amequity”), are part of a group of closely related companies managed by Mr L, with some of the shareholders and directors being common across the said affiliated companies. 37 The Commission has reviewed the Representations and the additional evidence and finds that on a balance of probabilities, Amicus sold the data. 38 Ilied attempted to use the Invoices as incontrovertible proof that it was Ilied, and not Amicus, which had sold the datasets. 
6 Paragraph 1(c) of the Second Schedule to the PDPA; paragraph 1(c) of the Third Schedule to the PDPA; and paragraph 1(d) of the Fourth Schedule to the PDPA.
However, Mr L, Mr N and [Redacted] (Replaced with Ms J), the Director and shareholder of Amicus, Ilied and other affiliated companies, stated in their statements to the Commission that Amicus, Ilied and all affiliated companies operated as a single entity, with no clear demarcation between the companies. The entire group of companies was, in effect, headed by Mr L. Ilied individually had no real function but was merely used “for receipt purpose”7 and it did not even have a bank account.8 The facts suggest that Ilied’s issuance of the Invoices was merely an administrative arrangement and that Ilied, in fact, did not engage in data sales. 39 Furthermore, Amicus’ vacillation in its responses to the Commission also suggests that Amicus’ new claim that Ilied was the data seller should be treated with circumspection. As noted at paragraph 52(d) below, Amicus was inconsistent in its responses and kept changing its account of the facts. In particular, Amicus provided inconsistent accounts on the source of the personal data, initially claiming that it was collected from publicly available sources, subsequently claiming that it was collected from surveys, meetings and seminars, and finally claiming that it was collected from telemarketing and MLM companies. Amicus was also inconsistent in its statements concerning Amequity. Amicus stated in the Representations that Amequity “is not into data business, but credit collection by banks”. However, in the same Representations, Amicus also stated that one of the lists of personal data, dated 5 March 2014, had been sold by Amequity. 40 Amicus, through its representatives Mr N and Mr L, admitted initially that it was Amicus that sold the datasets. This was corroborated by Mr Chua. Mr N explained Ilied’s issuance of the receipt by stating that Ilied, like Amequity, had no real function but was used for “receipt purpose”. 
Mr L also admitted in his statement given on 3 February 2017 that “data selling is purely done by Amicus”. There is no reason to distrust the consistent evidence of all three individuals, reflected in separate statements recorded at different times. 41 Amicus subsequently tried to explain this away by saying that Mr L’s statement referred to above at paragraph 40 was made “with reference to the business done by Amicus vis-à-vis Amequity”, and that “the term Amicus was used loosely to refer to company that do data sales [sic]”. Amicus further claimed that it had “confused itself” to be the seller because the Commission’s Notice to Require Production of Documents and Information (“NTP”) was addressed to it. If it was true that both Amicus and Ilied engaged in data selling, this would have been operative on Mr L’s mind when answering the NTP and at the very least raised the possibility that it may have been Ilied which sold the data instead, earlier in the investigations. The fact that all three individuals, Mr N, Mr L and Mr Chua, were consistent in omitting to mention Ilied during the investigations shows that it was only Amicus that was engaged in data sales. The reasonable explanation is that while the invoices may have been issued by other companies affiliated to Amicus, such as Ilied or Amequity, it was Amicus that in fact engaged in data sales and Ilied and Amequity’s part in the arrangement was to merely issue invoices. 42 For the above reasons, it is more likely than not that Amicus sold the data to Mr Chua. Accordingly, the assertion in the Representations that it was Ilied which had sold the data cannot be accepted. Date of transaction for List 1 43 Ilied claimed that the first Invoice was a receipt for List 1, and as the first Invoice was dated 25 June 2014, List 1 was transacted before the Appointed Day. 
7 Mr N’s statement dated 30 April 2019.
8 Mr L’s statement dated 30 April 2019.
However, it is unlikely that the first Invoice was a receipt for List 1. The quantity reflected on the first Invoice is 19,000, whereas the quantity of records in List 1 was 11,384. On the facts, it is more likely that List 1 was transacted on 22 March 2016, i.e. after the Appointed Day, for the following reasons: (a) As noted at paragraph 12(b) above, Mr Chua was able to produce a screenshot of an email from Mr N, containing List 1. The email was dated 22 March 2016, which was the same as the date on the second Invoice; (b) The second Invoice, which was dated 22 March 2016, was more likely to be the receipt for List 1; (c) Mr N corroborated in his statement that List 1 was sold on 22 March 2016; (d) List 1 contained personal data of individuals born in 1976 whereas the first Invoice was issued for “Leads Born 1973, 1975”; (e) The second Invoice reflected a quantity of 11,380, which was closer to the quantity of records in List 1 than the quantity reflected in the first Invoice; and (f) As noted at paragraph 18 above, List 1 contained truncated personal data. As noted in paragraph 45 below, the truncation had apparently been done in an attempt to comply with the requirements of the PDPA and, as such, List 1 was more likely to have been transacted after the Appointed Day. 44 In view of the above factors, the weight of the evidence points to the fact that List 1 was transacted after the Appointed Day. Whether the datasets contained personal data 45 In the Representations, Ilied claimed that it sought to comply with the requirements of the PDPA by truncating and anonymising the personal data. As noted at paragraph 22 above, the “redacted” or truncated NRIC numbers in the datasets do not conform to the Commission’s published advisory guidelines on redaction of NRIC numbers. 
The “redacted” NRIC numbers were intended to, and did in fact, convey information about the year of birth of the individual associated with the personal mobile phone number. 46 Ilied further claimed in the Representations that its research showed that an individual’s mobile phone number is likely to be personal data as it may be uniquely associated with an individual, but stopped short of admitting that all mobile phone numbers were personal data. In this regard, Ilied has not raised any evidence or arguments to suggest that the personal mobile phone numbers disclosed in the datasets were not personal data. As stated at paragraphs 19 to 21 above, personal mobile numbers are prima facie personal data as they are unique identifiers. Mr Ivan Chua 47 As observed in Re Sharon Assya Qadriyah Tang (at [13]), the purchase of leads, in which the buyer acquired personal data from the seller of the transaction amounts to a “collection” of personal data under the PDPA by the buyer. It is not disputed that Mr Chua collected personal data when he bought the Lists from Amicus and used the personal data to market his team’s financial products. By his own admission, the personal data was collected and used in breach of the Consent and Notification Obligations. Mr Chua also admitted that while he received verbal assurance from Amicus that the information in the datasets was obtained from caveats and was “legal”, he did not probe further as to how, where and when Amicus obtained the personal data, or whether Amicus had obtained consent and provided notification to the individuals concerned. 48 In this regard, reference is made to the UK Information Commissioner’s Office’s (“ICO”) decision in The Data Supply Company, where a data broker was found to be in breach of the Data Protection Act 1998 for obtaining customer data from various sources and selling the data to third party organisations for the purposes of direct marketing. 
The individuals were not informed that their personal data would be disclosed to the data broker, or the organisations to which the data broker sold the data on to, for the purpose of sending direct marketing text messages. The ICO issued a monetary penalty of £20,000 and gave the following guidance in the Monetary Penalty Notice (at [22] to [25]): Data controllers buying marketing lists from third parties must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent. Data controllers must take extra care if buying or selling a list that is to be used to send marketing texts, emails or automated calls. The Privacy and Electronic Communications Regulations 2003 specifically require that the recipient of such communications has notified the sender that they consent to receive direct marketing messages from them. Indirect consent (ie consent originally given to another organisation) may be valid if that organisation sending the marketing message was specifically named. But more generic consent (eg marketing ‘from selected third parties’) will not demonstrate valid consent to marketing calls, texts or emails. Data controllers buying in lists must check how and when consent was obtained, by whom, and what the customer was told. It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following: How and when was consent obtained? Who obtained it and in what context? What method was used – eg was it opt-in or opt-out? Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a popup box, in a clear statement next to the opt-in box? 
Did it specifically mention texts, emails or automated calls? Did it list organisations by name, by description, or was the consent for disclosure to any third party? Is the seller a member of a professional body or accredited in some way? Data controllers wanting to sell a marketing list for use in text, email or automated call campaigns must keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told (including copies of privacy notices), so that it can give proper assurances to buyers. Data controllers must not claim to sell a marketing list with consent for texts, emails or automated calls if it does not have clear records of consent. It is unfair and in breach of the first data protection principle to sell a list without keeping clear records of consent, as it is likely to result in individuals receiving non-compliant marketing. [Emphasis added.] 49 While there is no uniform industry standard in relation to how a buyer should verify whether the seller has obtained the consent of the individuals, the positions articulated by the ICO must be right. A reasonable person would likely undertake proper due diligence, such as seeking written confirmation that the personal data sold was actually obtained via legal sources or means, or inquire further as to whether the individuals had provided their consent and were notified of the disclosure, and if so, obtain a sample of such consent and notification. 50 Similarly, organisations that sell datasets should ensure that they obtain and maintain clear records of consent so that proper assurances can be given to buyers. Directions 51 Having found Amicus and Mr Chua to be in breach of sections 13 and 20 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give such directions as he deems fit to ensure compliance with the PDPA. 
52 In assessing the breach and determining the directions to be imposed on Amicus, the following aggravating factors were taken into account: (a) the personal data disclosed included NRIC numbers which constitute personal data of a sensitive nature; (b) Amicus profiteered from the sale of personal data. It admitted that it sold the personal data to others besides Mr Chua; (c) Amicus was unhelpful and was not forthcoming in its responses to the Commission during the investigation; and (d) Amicus was inconsistent in its responses and kept changing its account of the facts. 53 The following aggravating and mitigating factors were taken into account in assessing the breach and determining the directions to be imposed on Mr Chua: Aggravating factors (a) the personal data was purchased with the intention to market goods and services to individuals for financial gain; and Mitigating factors (b) Mr Chua had cooperated fully with the investigation and played an important and integral role in the investigation. He was forthcoming and admitted to his wrongdoing at the first instance. 54 There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data, which were set out in Re Sharon Assya Qadriyah Tang (at [30]): The Commissioner likewise takes a serious view of such breaches under the PDPA. There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data. Amongst these policy reasons are the need to protect the interests of the individual and safeguard against any harm to the individual, such as identity theft or nuisance calls. Additionally, there is a need to prevent abuse by organisations in profiting from the sale of the individual’s personal data at the individual’s expense. It is indeed such cases of potential misuse or abuse by organisations of the individual’s personal data which the PDPA seeks to safeguard against. 
In this regard, the Commissioner is prepared to take such stern action against organisations for the unauthorised sale of personal data. [Emphasis added.] 55 The profiting from sale of personal data by organisations without consent of individuals is the kind of activity which the PDPA seeks to curb and will be dealt with severely. In order to prevent abuse by organisations profiting from the sale of personal data at the individual’s expense, the Commission may take into account any profits from the unauthorised sale of personal data in calculating the appropriate financial penalty to be imposed. 56 Having considered all the relevant factors of this case, the following directions are made: To Amicus: (a) to pay a financial penalty of $48,000 (including $2,900 for the profit made from the sale of Lists 1 and 2) within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; (b) to cease the disclosure (sale) of the personal data of all the individuals immediately; (c) to cease the retention of the said personal data within seven (7) days from the date of the Commissioner’s direction, to the extent that such personal data was collected and/or disclosed in breach of the PDPA; and (d) to submit a written confirmation to the Commission by no later than 1 week after each of the above directions in (b) and (c) have been carried out. To Mr Ivan Chua: 
(e) to pay a financial penalty of $10,000 within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; (f) to cease the use (telemarketing) of the personal data of all the individuals immediately; (g) to cease the retention of the said personal data within seven (7) days from the date of the Commissioner’s direction, to the extent that such personal data was collected in breach of the PDPA; and (h) to submit a written confirmation to the Commission by no later than 1 week after each of the above directions in (f) and (g) have been carried out. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,f9c77b604588fd22b9623d2884cfc03d6a7dbbb3,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"