_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,6,6,1,952,"Directions were issued to Kingsforce Management Services to ensure the implementation of regular patching, updates and upgrades for all software and firmware supporting its website(s) and application through which personal data in its possession may be accessed.","[""Protection"", ""Directions"", ""Employment"", ""Protection"", ""Patching""]",2023-05-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_KingsforceManagementServicesPteLtd_100323.pdf,Protection,Breach of the Protection Obligation by Kingsforce Management Services,https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-kingsforce-management-services,2023-05-11,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS1 Case No. DP-2202-B9480 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Kingsforce Management Services Pte Ltd SUMMARY OF THE DECISION 1. On 31 January 2022, the Personal Data Protection Commission (the “Commission”) was notified by Kingsforce Management Services Pte Ltd (the “Organisation”) of the sale on RaidForums, on or about 27 December 2021, of data from its jobseeker database (the “Incident”). 2. The affected database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification and other data related to job searches. 3. External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident. 4. The Commission accepted the Organisation’s request for handling under the Commission’s expedited breach decision procedure. 
The Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and to breach of section 24 of the Personal Data Protection Act (“the PDPA”). 5. The Organisation admitted work had not been completed on the website at launch owing to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load. 6. In breach of the Protection Obligation, the Organisation failed to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data. In Re Civil Service Club, the Commission had pointed out that organisations that engage IT vendors can provide clarity and emphasize the need for personal data protection to their IT vendors by a) making it part of their contractual terms, and b) reviewing the requirements specifications to ensure that personal data protection is reflected in the design of the end-product.1 Further, post-execution of the contract, an organization is also expected to exercise reasonable oversight over its vendor during the course of the engagement to ensure that the vendor is protecting the personal data by adhering to the stipulated requirements.2 1 Re Civil Service Club [2020] SGPDPC 15. 2 Re WTS Automotive Services Pte Ltd [2019] PDP Digest 317 at [16] and [17]. 7. Another breach of the Protection Obligation by the Organisation was failure to conduct reasonable periodic security reviews, including vulnerability scans, since the launch of its website. 
The requirement for and scope of reasonable periodic security reviews had long been established in the published decisions of the Commission.3 The PDPC’s Guide to Data Protection Practices for ICT Systems also emphasized the need to periodically conduct web application vulnerability scanning and assessments, post deployment, as a basic practice to ensure compliance with the Protection Obligation under the PDPA.4 3 See, eg, Re WTS Automotive Services Pte Ltd [2019] PDP Digest 317; Re Bud Cosmetics Pte Ltd [2019] PDP Digest 351; and Re Watami Food Service Singapore Pte Ltd [2019] PDP Digest 221. 4 Pages 21 and 22 of the Guide to Data Protection Practices for ICT Systems. 8. The Organisation is therefore found to have breached the Protection Obligation under section 24(a) of the PDPA. 9. In deciding the enforcement action in this case, the Commission considered the Organisation’s efforts towards website security, cooperation throughout the investigation, voluntary admission of breach of the Protection Obligation and the prompt remediation taken. The last included immediate suspension of its website, and the engagement of a new developer to develop a new and enhanced web application. The Commission also notes that the affected personal data was no longer accessible following the shutdown of RaidForums. In the circumstances, the Commission directs the Organisation to do the following: a. To submit to the Commission, within twenty-one (21) days from the date of issue of this Direction, a plan to ensure regular patching, updates and upgrades for all software and firmware supporting its website(s) and applications through which personal data in its possession may be accessed. b. 
To state whether it intends to implement the plan by engagement of qualified external services or by relying on its own resources, and if by engagement of qualified external services, to state in detail the job specifications for software and firmware patching, updates, and upgrades to be stipulated to the vendor. c. To outline each implementation step with deadlines to ensure that the entire implementation is completed within sixty (60) days from the date of issue of this Direction. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. ",Directions,55f101a661c1696120dbd78b07f569b7bba4c9db,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,8,8,1,952,"Directions were issued to The Law Society of Singapore to conduct a security audit of its technical and administrative arrangements for accounts with administrative privileges that can access directly and/or create access to personal data, and to rectify any gaps identified. 
This is pursuant to a data breach incident where The Law Society’s servers were subjected to a ransomware attack.","[""Protection"", ""Directions"", ""Professional"", ""Scientific and Technical"", ""Ransomware"", ""Patching"", ""Security"", ""Password""]",2023-05-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_LawSocietyofSingapore_140323.pdf,Protection,Breach of the Protection Obligation by The Law Society of Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-the-law-society-of-singapore,2023-05-11,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 4 Case No. DP-2102-B7850 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Law Society of Singapore … Organisation DECISION 1 The Law Society of Singapore Yeong Zee Kin, Deputy Commissioner — Case No. DP-2102-B7850 14 March 2023 Introduction 1 On 4 February 2021, the Law Society of Singapore (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on its servers which had encrypted and denied the Organisation access to the personal data of its members and former members (the “Incident”). The Commission commenced investigations to determine whether the circumstances behind the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a body corporate established under the Legal Profession Act 1966 and represents members of the legal profession in Singapore. Every advocate and solicitor called to the Singapore bar is a statutory member of the Organisation as long as they have a practising certificate in force. At the material time, the Organisation stored the personal data of its current and former members (“Members”) in one of its servers for the purposes of carrying out its statutory functions. 
3 The Organisation had implemented an off-the-shelf secure VPN solution, FortiOS, to manage remote access to its servers (the “VPN System”). The Organisation also engaged a vendor (the “Vendor”) to provide IT support services, including maintenance of the VPN System. For completeness, the Vendor was not the Organisation’s data intermediary as it did not access or process the personal data of the Members in the course of carrying out its IT support services. 4 The Organisation also implemented antivirus / malware detection software at the servers, and password complexity requirements for its users’ accounts. In particular, account passwords had a maximum lifespan of 3 months before a compulsory change was required. 5 Additionally, the Organisation had in place a written data protection policy and conducted data protection training for its staff highlighting cybersecurity threats such as phishing and ransomware. Periodic emails on data protection awareness and reminders were also sent to staff. The Incident 6 On 27 January 2021, a threat actor gained access to the account of the Organisation’s IT administrator (“compromised admin account”) and used this to create a new account with full administrative privileges. Using this new account, the threat actor moved through the Organisation’s network without detection and located the Organisation’s servers. The threat actor then executed a ransomware attack on the servers, encrypting their contents. 7 A total of 16,009 Members’ personal data was affected in the Incident, including each Member’s full name, residential address, date of birth, and NRIC number. Other data items were also affected but they are either in the nature of business contact information or publicly available information. 8 The attack was detected on the same day by antivirus / malware detection software deployed by the Organisation. 
The Organisation took immediate steps to remove the new administrator account created by the threat actor and restored the servers to their original state from secured back-ups. Remedial actions 9 Following the Incident, the Organisation also took the following remedial actions: (a) Removed unused administrator accounts and initiated password resets for all administrator accounts; (b) Reduced privileged access for the compromised admin account (to create new administrator accounts); (c) Hired an in-house cybersecurity professional to take charge of the Organisation’s IT security matters; (d) Implemented multi-factor authentication (“MFA”) for all VPN access; and (e) Implemented VPN IP location whitelisting to allow only Singapore-based IP addresses. Findings and Basis for Determination 10 The Commission’s investigation centred on whether the Organisation had breached its obligation under Section 24 of the PDPA to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). As the Vendor was not the Organisation’s data intermediary, the Protection Obligation in this case was borne solely by the Organisation. Findings from the investigations 11 Investigations disclosed that there could have been multiple threat actors targeting the Organisation or the same group of threat actors targeting the Organisation through multiple channels – through brute force attacks, phishing email, and exploiting the unpatched VPN vulnerability of the VPN System. 12 Brute-force attacks. Around ten days before the Incident, multiple unsuccessful login attempts using a “guest” account were found since 18 January 2021. There were also further unsuccessful attempts made using random accounts. 
However, investigations did not surface evidence that the initial entry by the threat actor had been via a successful brute force attack on the compromised admin account. 13 Phishing emails. Investigations also revealed that the Organisation was attacked by the Netwalker ransomware, most commonly introduced via phishing emails. From the Vendor’s explanations, the administrator of the compromised admin account could have received a phishing email with a link and entered his credentials. However, investigations did not surface evidence of any phishing email relevant to this ransomware; neither was there evidence that the compromised admin account’s credentials were obtained by a threat actor through phishing. 14 Vulnerability of the VPN System. At the material time before the Incident, MFA was not implemented for the Organisation’s administrator access to its servers. This meant that once authenticated, an admin user had rights to create new accounts, assign privileged security groups, and access all of the Organisation’s servers without the need for a second factor. 15 Investigations revealed that there was a vulnerability in the VPN System which could be exploited to gain access credentials if left unpatched (the “Vulnerability”). This was assessed to be a possible way in which the threat actor obtained the credentials of the compromised admin account: (a) Around November 2020, a file containing more than 45,000 session links and IP addresses for the VPN System of affected organisations (including the Organisation) was found posted in online forums by someone who had obtained the information by exploiting the Vulnerability. (b) Without patching the VPN System’s firmware, each session link would disclose the credentials of users in plain text, including passwords. (c) The date/time of the online publication (i.e. November 2020) was sufficiently proximate to the threat actor’s successful intrusion in January 2021 using the compromised admin account. 
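The unsuccessful login attempts described at paragraph 12 (repeated failures against a guest account, followed by failures against a run of random accounts) are the two patterns a detection rule, or the failed-attempt lockout threshold referred to later in this decision, would count. The following is an added example and not the Organisation's, the Vendor's or the Commission's code. The log format and the sample lines are constructed for illustration, and the thresholds and window are assumptions a practitioner would tune to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the decision). The key=value layout is an assumption
# modelled on a typical VPN authentication log; timestamps are ISO 8601.
SAMPLE_LOG = '''
2021-01-18T02:11:07 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T02:11:09 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T02:11:12 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T02:11:15 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T02:11:20 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T02:11:24 vpn sslvpn: user=guest src=203.0.113.10 result=failed
2021-01-18T08:30:01 vpn sslvpn: user=alice src=192.0.2.44 result=failed
2021-01-18T08:30:15 vpn sslvpn: user=alice src=192.0.2.44 result=success
2021-01-20T23:02:10 vpn sslvpn: user=bob src=198.51.100.7 result=failed
2021-01-20T23:02:41 vpn sslvpn: user=carol src=198.51.100.7 result=failed
2021-01-20T23:03:05 vpn sslvpn: user=dave src=198.51.100.7 result=failed
2021-01-20T23:03:33 vpn sslvpn: user=erin src=198.51.100.7 result=failed
2021-01-20T23:04:02 vpn sslvpn: user=frank src=198.51.100.7 result=failed
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ \S+: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$')

def parse_line(line):
    # returns a dict with ts (datetime), user, src, result, or None for lines that do not match
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.fromisoformat(ev['ts'])
    return ev

def sliding_hits(times, threshold, window):
    # True if any `threshold` consecutive events (by time) fall inside one `window`
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False

def detect(log_text, per_account_threshold=5, spray_users=4, window=timedelta(minutes=10)):
    # per_account_threshold: the same count a lockout policy would apply to one account
    # spray_users: distinct accounts tried from one source inside the window
    failures_by_user = defaultdict(list)      # user -> [failure times]
    first_fail_by_src = defaultdict(dict)     # src  -> {user: first failure time}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev['result'] != 'failed':
            continue
        failures_by_user[ev['user']].append(ev['ts'])
        first_fail_by_src[ev['src']].setdefault(ev['user'], ev['ts'])

    alerts = []
    for user, times in failures_by_user.items():
        if sliding_hits(times, per_account_threshold, window):
            alerts.append(('brute_force', user))
    for src, first_seen in first_fail_by_src.items():
        if sliding_hits(list(first_seen.values()), spray_users, window):
            alerts.append(('password_spray', src))
    return sorted(alerts)

if __name__ == '__main__':
    for kind, subject in detect(SAMPLE_LOG):
        print(kind, subject)
```

Counting failures per account catches the guest-account burst; counting distinct accounts per source catches the spray of single attempts against random accounts, which a per-account lockout alone never triggers on. Either alert is the point at which the account or source should be blocked and the attempt investigated.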
16 From the foregoing, it would appear that of the three possible attack vectors, the vulnerability in the VPN System could have given the threat actor entry into the Organisation’s environment. No breach of the Protection Obligation for omission to patch the Vulnerability 17 The developer of the VPN System, Fortinet, had disclosed the Vulnerability as early as 24 May 2019. It released an Operating System (“OS”) upgrade containing the updates to remedy the issue. The VPN System had a user interface (“UI”) through which the OS upgrade availability could be notified. According to the Vendor, the Vendor had regularly checked the UI for available OS upgrades but there were no prompts of updates available for download prior to the Incident. According to the Organisation, it was only after it communicated the issue to the developer, after the incident, that the UI subsequently prompted availability of some patches that included the OS upgrade remedying the Vulnerability. 18 The Commission recognises that organisations may rely on vendors engaged to provide IT security maintenance to obtain and apply needed software upgrades and patches. If so, the Protection Obligation requires organisations to stipulate such requirements clearly in writing as part of the job specifications of such vendors. In this case, patching of the VPN System had been a specific obligation explicitly outsourced by the Organisation to the Vendor via contract. 19 In addition to clearly stipulating the vendor’s scope of IT maintenance and/or development work, organisations are expected to exercise reasonable oversight over the vendor’s performance of the subcontracted services, including patching – Re Smiling Orchard (S) Pte Ltd and Ors [2016] SGPDPC 19.1 
There should be a clear meeting of minds as to the services the service provider has agreed to undertake and organisations must follow through with procedures to check that the outsourced provider is delivering the services. 20 The Commission appreciates that the technical nature of information on software patching and upgrades limits the degree of oversight that many organisations can exercise on vendor performance in this regard. The Commission notes that the Organisation had put in place a process to ensure that there were maintenance logs in respect of the Vendor’s activities. Thus, the Organisation, to its credit, had put in place a system to monitor its Vendor’s activities. In technical areas where the Organisation depends on its Vendor’s technical expertise, this is reasonably adequate. The situation may be different if there was a very well-publicised issue with a well-known commercial solution (e.g. vulnerabilities affecting a network router) that the Organisation ought to know that it uses. In such situations, the Organisation might be at least expected to query its Vendor about whether it is exposed and ask for a remediation plan. But this is probably limited to well-known and well-publicised issues in mass media. 21 Carefully weighing the above circumstances, the Commission has decided that: (a) it had been reasonable for the Organisation to rely on the Vendor to perform software security patching, including of the Vulnerability, and (b) that the Organisation had in this case discharged its duty of oversight of the Vendor’s patching function. Therefore the Organisation has not breached the Protection Obligation. 1 See also Singapore Health Services Pte. Ltd and Integrated Health Information Systems Pte Ltd [2019] SGPDPC 3. Breach of the Protection Obligation by the Organisation in other aspects 22 Investigations revealed that the password for the compromised admin account was “Welcome2020lawsoc”. 
Despite this password complying with the Organisation’s own password complexity rules, the Organisation acknowledged that this was a weak password and vulnerable to dictionary attacks due to the use of a full word and the Organisation’s name. As highlighted in Chizzle Pte Ltd [2020] SGPDPCR 1, a password that meets complexity rules in form could still be regarded as a weak password if it was easily determined and vulnerable to brute force attacks. In that case, the password “Chi!zzle@2018” incorporated the organisation’s name and was determined to be a weak password. Further, the Organisation informed that the compromised admin account’s password had been used for more than 90 days and had not been changed every 3 months, as required by the Organisation’s password policy. In the circumstances, the Organisation failed to enforce its password policy in relation to the compromised admin account. 23 In the Commission’s recent Guide to Data Protection Practices for ICT systems2, it has been observed that unauthorised access is one of the most common types of data breaches. This can happen, for example, through the use of a weak password which is easily guessed by hackers. To remediate this, it may be practical to look into implementing processes in ICT systems to minimise risk of brute force attacks (e.g. a pre-defined number of failed login attempts) and ensure information is accessed only by the authorised/authenticated persons performing the intended activities. Additionally, as 2FA or MFA becomes more broadly available, the adoption of these tools should become the norm for accounts with administrative privileges, for systems managing sensitive data or large volumes of personal data3. 2 Published on 14 September 2021, replacing the Guide to Data Protection by Design for ICT systems published on 31 May 2019, after the Incident. 24 Next, the Organisation also did not conduct a review of its security arrangements within the last 3 years prior to the Incident. 
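The two password findings at paragraphs 22 and 23 (a password that satisfies a complexity rule in form but is built from a dictionary word, a year and the organisation's own name, and a password left unchanged beyond the policy's 90-day maximum) can be caught with checks that look past character classes. The following is an added example and not the Organisation's or the Commission's code: the first function is the kind of check to run when a password is set, the second is an audit over directory attributes that needs no password at all. The complexity rule, the wordlist, the organisation-name tokens and the account records are constructed for illustration; only the two passwords are the ones the decisions cite.

```python
import re
from datetime import date

MAX_AGE_DAYS = 90   # the Organisation's own policy: compulsory change every 3 months

# Constructed for illustration; a real deployment would use a full breached-password list
SMALL_WORDLIST = ('welcome', 'password', 'admin', 'letmein', 'summer', 'winter', 'change')

def normalise(s):
    # drop separators and case so that 'Chi!zzle' matches 'chizzle' and 'Law-Soc' matches 'lawsoc'
    return re.sub(r'[^a-z0-9]', '', s.lower())

def meets_complexity(pw, min_len=12):
    # an assumed complexity rule of the kind the Organisation had: minimum length plus
    # three of four character classes; both cited passwords pass it
    classes = sum(bool(re.search(p, pw)) for p in (r'[a-z]', r'[A-Z]', r'[0-9]', r'[^A-Za-z0-9]'))
    return len(pw) >= min_len and classes >= 3

def weak_reasons(pw, org_tokens, wordlist=SMALL_WORDLIST):
    # reasons a password is guessable even when meets_complexity() is satisfied
    stripped = normalise(pw)
    reasons = []
    if any(normalise(t) in stripped for t in org_tokens):
        reasons.append('contains organisation name')
    hits = [w for w in wordlist if w in stripped]
    if hits:
        reasons.append('contains dictionary word ' + hits[0])
    if re.search(r'(19|20)[0-9]{2}', stripped):
        reasons.append('contains a year')
    return reasons

def check_new_password(pw, org_tokens):
    # run at password-set time; an empty list means the password is acceptable
    if not meets_complexity(pw):
        return ['fails complexity rule']
    return weak_reasons(pw, org_tokens)

def audit_accounts(accounts, today):
    # accounts: dicts with name, last_change (date), is_admin, mfa, i.e. attributes an
    # auditor can read from the directory without knowing any password
    findings = {}
    for acct in accounts:
        issues = []
        age = (today - acct['last_change']).days
        if age > MAX_AGE_DAYS:
            issues.append('password age %dd exceeds %dd policy' % (age, MAX_AGE_DAYS))
        if acct['is_admin'] and not acct['mfa']:
            issues.append('admin account without MFA')
        if issues:
            findings[acct['name']] = issues
    return findings

# Constructed sample directory records (not from the decision)
SAMPLE_ACCOUNTS = [
    {'name': 'itadmin', 'last_change': date(2020, 10, 1), 'is_admin': True, 'mfa': False},
    {'name': 'svc_backup', 'last_change': date(2020, 11, 5), 'is_admin': True, 'mfa': True},
    {'name': 'helpdesk', 'last_change': date(2020, 12, 15), 'is_admin': False, 'mfa': False},
]

def run_sample_audit():
    # audit the constructed records as at the day of the Incident
    return audit_accounts(SAMPLE_ACCOUNTS, date(2021, 1, 27))

if __name__ == '__main__':
    for pw, org in (('Welcome2020lawsoc', ['lawsoc', 'law society']), ('Chi!zzle@2018', ['chizzle'])):
        print(pw, 'complexity ok:', meets_complexity(pw), 'weak because:', check_new_password(pw, org))
    print(run_sample_audit())
```

Both cited passwords return true from meets_complexity() and are still rejected by check_new_password(), which is the gap between a rule that is met in form and a password that resists a dictionary attack. The audit finds the stale, MFA-less administrator account from directory attributes alone, which is the check the Organisation's policy required but did not enforce.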
Regular assurance checks help organisations ensure that ICT security controls developed and configured for the protection of personal data are properly implemented and practised4. In Re WTS Automotive Services Pte Ltd [2018] SGPDPC 26,5 the Commission emphasised (at [18]) the need for regular review of security arrangements and tests to detect vulnerabilities. 25 For the above reasons, the Organisation is found to have negligently breached the Protection Obligation by (i) using an easily guessable password for the compromised admin account, (ii) failing to change the password for the compromised admin account at reasonable intervals, and (iii) failing to conduct any periodic security reviews in the three years leading up to the Incident. 3 See the Commission’s recent release of the handbook on common causes of data breaches in How to Guard against Common Types of Data Breaches published on 24 May 2021 (at page 13), after the Incident; See Love Bonito Singapore Pte Ltd [2022] SGPDPC 3. 4 See the Guide to Data Protection Practices for ICT systems. 5 See also Jigyasa [2020] SGPDPC 9. The Deputy Commissioner’s Decision 26 Notwithstanding that the Organisation’s breaches of the Protection Obligation were not directly related to the Incident, the Commission’s role is not limited to investigating only the immediate or proximate causes of a data breach incident.6 In determining whether directions (if any) should be given to the Organisation pursuant to Section 48I of the PDPA, and/or whether a financial penalty ought to be imposed pursuant to Section 48J of the PDPA, the Deputy Commissioner took into consideration the relevant facts and circumstances of the case, and in particular the following factors: (a) The Organisation’s breaches of the Protection Obligation were not the most proximate cause of the Incident (which was the VPN Vulnerability); (b) The datasets affected in the Incident were not of a higher sensitivity (e.g. 
personal data of a financial or medical nature); (c) The risk of unauthorised access to the Members’ personal data was limited due to early detection of the unauthorised access, which also allowed prompt containment and restoration of the servers to their original state; (d) There was no evidence of any exfiltration or misuse of the personal data of the Members; and (e) The Organisation took prompt remedial actions in response to the Incident. 27 For the above reasons, it is adequate for directions to be issued in this case. The Deputy Commissioner hereby directs the Organisation to: (a) Engage qualified security service providers to conduct a thorough security audit of its technical and administrative arrangements for the security, maintenance, creation and removal of accounts with administrative privileges that can access directly and/or create access to personal data in the possession or control of the Organisation; (b) Furnish to the Commission within 14 days a schedule stating the scope of the security audit; (c) Provide the full security audit report to the Commission, by no later than 60 days from the date of the issue of this direction; (d) Rectify any security gaps identified in the security audit report, review and update its personal data protection policies as applicable, and (e) Inform the Commission within 1 week of completion of rectification and implementation in response to the security audit report. 6 See Love Bonito Singapore Pte Ltd [2022] SGPDPC 3. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,7d6096f9562cfde74f556a2117cc264960050a02,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,13,13,1,952,Directions were issued to CPR Vision Management Pte Ltd to conduct a security audit of its technical and administrative arrangements for the protection of personal data in its possession or control and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where CPR Vision Management Pte Ltd’s server and network storage devices were subjected to a ransomware attack.,"[""Protection"", ""Directions"", ""Others"", ""Ransomware"", ""Data Intermediary"", ""Retention""]",2023-02-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---CPR-Vision-Management-Pte-Ltd---071222.pdf,Protection,Breach of the Protection Obligation by CPR Vision Management Pte Ltd,https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-protection-obligation-by-cpr-vision-management-pte-ltd,2023-02-10,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 17 Case No. DP-2207-B8974 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CPR Vision Management Pte Ltd L’Oreal Singapore Pte Ltd L’Occitane Singapore SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received data breach notification reports from (i) L’Oreal Singapore Pte Ltd (“L’Oreal”) on 29 October 2021 and (ii) L’Occitane Singapore Pte Ltd (“L’Occitane”) on 1 November 2021 respectively of a ransomware attack on their customer relationship management (“CRM”) system vendor, CPR Vision Management Pte Ltd (the “Organisation”). The Organisation is a data intermediary that helped to process personal data collected by L’Oreal and L’Occitane. 2. 
The ransomware attack affected a server and three network attached storage (“NAS”) devices in the Organisation’s office (“office network”), and led to the encryption of the personal data belonging to 83,640 of L’Occitane’s customers and 35,079 of L’Oreal’s customers, which included their name, address, email address, mobile number, NRIC number, date of birth, age, gender, race, nationality, loyalty points and amount spent. 3. The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It also admitted to a breach of the Protection Obligation under Section 24 and the Retention Limitation Obligation under Section 25 of the Personal Data Protection Act (the “PDPA”). 4. The Organisation’s internal investigations found the threat actor had first gained access to the office network via a compromised user account VPN connection on 13 October 2021 before executing the ransomware attack on or about 15 October 2021. However, due to the limited data logs available on the Organisation’s FortiGate firewall and VPN appliance, the Organisation was not able to determine how the threat actor gained access to the compromised user account VPN. As part of the immediate remediation efforts, the Organisation reset the credentials of the compromised user account VPN and the password credentials of all VPN accounts across the Organisation. 5. The Organisation admitted that its endpoint security solution would have been able to detect and block the unauthorised entry attempts to the office network affected in the Incident. However, the Organisation failed to extend the deployment of this protection solution to the affected office network. 
This could have been because the domain controller server within the affected office network had been earmarked to be decommissioned after the data was copied to MS365 Sharepoint. Another reason for the omission may have been the fact that the Organisation set up the affected office network for business continuity purposes, when it shifted to its new premises, sometime between 6 – 9 April 2020, on the eve of the nation-wide COVID-19 circuit breaker in Singapore. 6. The Commission finds the Organisation in breach of the Protection Obligation as it failed to have reasonable security arrangements in place to protect the personal data in its possession and control. As a CRM system vendor, the Organisation processes a high volume of web traffic containing personal data on behalf of many e-commerce retailers, including L’Oreal and L’Occitane, and would ordinarily be held to a higher standard. The Organisation’s omission to deploy its endpoint security solution to the affected office network suggests that the Organisation failed to maintain an inventory of its data assets. 7. Even if there were extenuating circumstances in April 2020 which could have partly excused the Organisation’s omission to include the affected office network in its data inventory, it was inexcusable for the Organisation to let this state of affairs persist for more than one-and-a-half years, from April 2020 until October 2021. We should add however, that as part of its remediation efforts, the Organisation has since ensured that its endpoint security solution was deployed to all office and end-user devices. 8. The Organisation also admitted to being in breach of the Retention Limitation Obligation. The Organisation admitted that the affected personal data in the Incident had been legacy content, which should have been deleted together with the domain controller server earmarked for decommissioning, and for which no business or legal purpose existed for retention. 
The Organisation highlighted, however, that this lapse was not in accordance with its own data retention policy. Had the Organisation complied with the Retention Limitation Obligation and deleted the personal data in question, the Incident would not have amounted to a breach of the Retention Limitation Obligation under the PDPA. 9. In the course of our investigations, L’Oreal furnished documentary evidence which showed that L’Oreal had specifically instructed the Organisation, pursuant to its data retention policies, to delete the affected personal data on 26 March 2021. This was duly acknowledged by the Organisation, and the Organisation furnished a purported Certificate of Destruction dated 17 May 2021 stating that the personal data had been deleted on 6 May 2021. 10. Similarly, L’Occitane also raised its concerns that the Organisation failed to seek its prior written consent before duplicating the personal data to other non-production environments. 11. The Commission is satisfied that neither L’Oreal nor L’Occitane had any knowledge of the retention and storage of the legacy personal data by the Organisation on the affected NAS device; and neither had any control over the NAS device used by the Organisation to store the personal data affected by the ransomware attack. Both L’Oreal and L’Occitane had also adequately provided in their contracts with the Organisation to ensure compliance with the Protection and Retention Limitation Obligations under the PDPA. The Commission is therefore of the view that despite the personal data breach incident, L’Oreal and L’Occitane had acted consistently with and complied with the relevant obligations under the PDPA. 12. 
Having considered the circumstances set out above, including the Organisation’s upfront admission of liability, and the fact that data analysis conducted by the data security team of the Organisation’s parent company did not uncover any evidence to suggest that data exfiltration or modification had occurred, the Commission considered that it would be most appropriate, in lieu of imposing a financial penalty, to direct the Organisation to comply with the following actions: a. Conduct a thorough security audit (with report) of its technical and administrative arrangements for the protection of personal data in its possession or control; b. Rectify any security gaps identified in the security audit report; c. Conduct a comprehensive review of all of the Organisation’s databases containing personal data to ensure full compliance with the Retention Limitation Obligation under Section 25 PDPA; d. Review and update the personal data policies of the Organisation as applicable, including clarification of the roles of data intermediaries and vendors in complying with the Retention Limitation Obligation under section 25 of the PDPA, within 60 days from the date the security audit report is delivered to the Organisation; and e. Inform the Commission within 1 week of the completion of the steps directed above. The following are the provisions of the Personal Data Protection Act 2012 cited in the above summary: Protection of personal data 24. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. Retention of personal data 25. 
An organisation must cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that – (a) the purpose for which the personal data was collected is no longer being served by retention of the personal data; and (b) retention is no longer necessary for legal or business purposes. ",Directions,7e9168136ea5e122bc3f4577c70535e0fc6c7689,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,15,15,1,952,"Directions were issued to Thomson Medical to conduct a scan of the web to ensure no publication of affected personal data online and to include in the review of its application deployment process measures such as the arrangements for security testing and the implementation of a data retention policy. This is pursuant to a data breach incident from an unsecured Health Declaration Portal which enabled public access to visitors' personal data.","[""Protection"", ""Directions"", ""Healthcare""]",2022-12-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Thomson-Medical-Pte-Ltd---140922.pdf,Protection,Breach of the Protection Obligation by Thomson Medical,https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-thomson-medical,2022-12-19,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 15 Case No. DP-2010-B7246 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Thomson Medical Pte. Ltd. SUMMARY OF THE DECISION 1. On 26 October 2020, the Personal Data Protection Commission (the “Commission”) was notified that the Thomson Medical Pte. Ltd. 
(the “Organisation”) Health Declaration Portal was not secure, enabling public access to the personal data of visitors (the “Incident”) stored in a CSV (comma separated values) file. 2. Visitor data collected on the Organisation’s Health Declaration Portal had been stored concurrently in a publicly-accessible CSV file as well as a secured database from 16 April 2020, when the health declaration portal was first used by the Organisation, to 8 September 2020, when the storage of the visitor data was changed to only the secured database instead of the CSV file. The CSV file was hosted on the Organisation’s web server. 3. The Organisation admitted that, contrary to the instructions given to the employee to switch the data storage from the CSV file to the secured database exclusively, and contrary to the Organisation’s protocols, its in-house developer had omitted to remove the software code causing the visitor data to be stored in the CSV file, and the same in-house developer had omitted to change the default web server configuration, thereby allowing public access to the hosted CSV file. The switch to storage in a secured database would have ensured access controls by requiring a user login ID and secure password protection, as well as encryption of data transfers using SSL certificates. The access controls would ensure that only authorised users would be able to access the data. 4. The Commission’s investigations revealed that the affected CSV file contained the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of visit), name of visitor, name of newborn, contact number, NRIC/FIN/passport number, doctor/clinic name or room being visited, and answers to a health declaration questionnaire (which included a declaration by the visitor that he/she did not have any symptoms or recent exposure to the Covid-19 virus). 5. 
The Organisation accepted that it was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act (“PDPA”). The Commission finds that the Organisation had breached section 24 of the PDPA for two reasons. 6. First, even though the Organisation’s existing policies required the visitor data collected to be stored in a secured database, the Organisation failed to ensure that there were processes in place to ensure these policies and instructions would be complied with. The Organisation stated that the in-house developer had been the only staff member in its IT department familiar with the programming language used for the health declaration form. This, however, should not have prevented the Organisation, as an example, from requiring the in-house developer to demonstrate to another staff member, and for that staff member to verify, that the storage instructions had been complied with. As noted in Re Aviva Ltd [2017] SGPDPC 14, relying solely on individual employees to perform their tasks diligently, with no oversight or supervision, is not a reasonable security arrangement. 7. Second, the Organisation failed to conduct reasonable pre-launch testing before the Health Declaration Portal went live. While acceptance testing and some technical tests were conducted, there had been no security testing to verify that there were access controls to the visitor data collected. 8. Having said that, it is a mitigating fact that the Organisation’s in-house developer sought to comply with the Organisation’s policies and swiftly rectified the software code on 8 September 2020, when he first discovered the coding error whilst updating the health declaration questionnaire. 9. The forensic investigator engaged by the Organisation did not uncover any evidence that the disclosed data had been exported and posted online, including on the Dark Web. 
The Organisation’s server logs also revealed that the CSV file was only accessed 4 times from 3 different local IP addresses. Given the timing of the access instances, it is probable that these accesses were made by the complainant and by the Commission when investigating this matter, which suggests that the impact of this Incident was limited. 10. The Commission noted a parallel between the facts of this case and Re Spear Security Force Pte. Ltd. [2016] SGPDPC 12, in that both cases arose from a single complaint about a potential breach of the PDPA, with no other evidence suggesting that the personal data had actually been exposed to unauthorised third parties due to the lapses by the Organisation. 11. The personal data exposed here included the clinic or room that the individual intended to visit, and the reason for the visit. This could be to seek treatment, to accompany a patient, or a business visit made by a sales representative of a pharmaceutical or medical device company. While the personal data exposed included some health-related information, this had essentially been health declaration information for the purpose of containment of the pandemic. The information did not in fact reveal any potentially sensitive information such as whether the visitor was Covid-19 positive.1 12. The personal data disclosed is also not on par with Re Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3 (“Singhealth”). 
In the Singhealth case, we recognised the sensitivity involved in the exposure of the affected individuals’ personal data in their “clinical episode information, clinical documentation, patient diagnosis and health issues and Dispensed Medication Records”, as the information and personal data affected may allow one to deduce the condition for which a patient had sought treatment, and may lead to the unintended disclosure of serious or socially embarrassing illnesses.2 While there is some personal data in the present case which may reveal the clinic at which an affected individual had sought treatment, this is of a much more limited scope as compared to the Singhealth case. 13. The Commission accepted that the Organisation took prompt remedial action to contain the exposure. This included removing the affected CSV file and changing all the passwords to the database, even though it was not affected by the Incident. To prevent a recurrence of a similar incident, the Organisation also reviewed its application deployment process to take into consideration data security, and rectified all potential gaps discovered during a vulnerability scan. 1 Cf Re Terra Systems Pte Ltd [2021] SGPDPC 7. 2 See Re Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3, at [139]. 14. Given the lack of evidence suggesting that personal data had actually been exposed to unauthorised third parties due to the lapses by the Organisation and the limited impact of the Incident, the Commission considered that it would be most appropriate, in lieu of imposing a financial penalty, to impose directions. 15. Another factor which prompted the Commission to impose directions in lieu of a financial penalty was the fact that, at the material time, such health declaration information was widely collected across the island. 
There was also a corresponding acceptance and support from members of the public of the need for the collection of such health declaration information in order for the relevant authorities to effectively respond to and control the potential spread of COVID-19. 16. Given the above, the Commission directs the Organisation to carry out the following within 60 days: a. In relation to the Organisation’s remedial action of reviewing its application deployment process to take into consideration data security, i. The Organisation shall ensure that the intended measures include arrangements for reasonable pre-launch security testing to be conducted before the launch of any new website, application, portal or other online feature for the processing of personal data; and ii. The Organisation shall ensure that the intended measures include the development and implementation of a data retention policy to meet the Retention Limitation Obligation under section 25 of the PDPA. b. In relation to the Organisation’s remedial action of scanning the Dark Web for evidence of exfiltration of the personal data, i. The Organisation shall conduct a scan of the Clear/Surface Web, as well as a renewed scan of the Dark Web, to confirm that there is no evidence of publication of the affected personal data online. c. By no later than 14 days after the above actions have been carried out, the Organisation shall submit to the Commission a written update providing details of the actions taken. 
The following provision(s) of the Personal Data Protection Act 2012 had been cited in the above summary: Protection Obligation 24(a) Failure to protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks ",Directions,2e2e404473e7fa064a0c51315f167b10b4810806,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,17,17,1,952,Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database.,"[""Transfer Limitation"", ""Directions"", ""Others"", ""Data Intermediary""]",2022-11-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova,https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova,2022-11-18,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). 
The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e-commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included the collection of consumer personal data through the Platform’s own consumer-facing applications and services, e.g. Shop Pay (collectively, “Platform Processing”). Granted, for Platform Processing, users of the Platform included customers of merchants who are on the Platform, such as SNPL’s customers. Nevertheless, this customer personal data was being collected and processed by Shopify for its own purposes, and not on behalf of merchants. 4 On 1 July 2019, the Shopify Plus Agreement (including the Shopify Data Processing Addendum) was assigned to Shopify SG (the “Assignment”). 
At the material time, SNPL had no knowledge of the Assignment as no notice of assignment was required. Consequently, the relationship between the parties was reconfigured in the following manner: (a) For Purchase Processing, Shopify SG became the data intermediary of SNPL, and was responsible for processing personal data on behalf of SNPL. The flow of SNPL’s customer personal data did not change: Shopify SG continued to collect SNPL’s customer personal data and transferred this to Shopify to carry out Purchase Processing on its behalf. (b) For Platform Processing, Shopify SG became the data controller of the customer personal data collected through the Platform and its customer-facing applications, including the personal data of the customers of merchants who use the Platform (such as SNPL). In such circumstances, personal data from such users is collected by Shopify SG and processed for its own purposes and not on behalf of the merchants. The flow of customer personal data also did not change, as Shopify SG continued to transfer personal data of users of its Platform to Shopify to carry out Platform Processing. The Incident 5 Between June and September 2020, two Philippines-based service contractors of Shopify, engaged through a third party, illegally accessed and exfiltrated certain customer personal data stored in Shopify’s systems, which had been collected via the Platform for Purchase Processing (the “Incident”). This included customer personal data of SNPL. Shopify became aware of this on 15 September 2020 and informed SNPL on 18 September 2020. 6 The customer personal data affected in the Incident included full names, email addresses, billing addresses, shipping addresses, phone numbers, bank identification numbers, IP addresses, last 4 digits of the customer payment cards, and purchase histories of 23,928 individuals. 
Findings and Basis for Determination 7 Neither SNPL nor Shopify SG was responsible for the security of Shopify’s systems in Canada holding the personal data affected in the Incident. Nevertheless, both organisations were bound by section 26 of the PDPA. Transfer limitation obligation under section 26 of the PDPA 8 Section 26(1) of the PDPA provides that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). The requirements applicable to the aforementioned transfers of personal data from SNPL and Shopify SG to Shopify were those prescribed in Part III of the Personal Data Protection Regulations 2014 (“PDPR 2014”)1. In particular: (a) Regulation 9(1)(b) of the PDPR 2014 requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA; and (b) Regulations 10(1)(b) and 10(1)(c) provide that such legally enforceable obligations may be imposed on the recipient by contract or binding corporate rules (subject to Regulations 10(2) and 10(3) respectively). 1 The PDPR 2014 governs transfers of personal data prior to 1 February 2021. Transfers of personal data after 1 February 2021 are governed by the Personal Data Protection Regulations 2021. 
Breach of the Transfer Limitation Obligation by SNPL 9 When SNPL entered into the Shopify Plus Agreement on 4 December 2018, it was aware that by using the Platform its customer personal data would be transferred to Shopify, which was outside Singapore, for Purchase Processing. Shopify was SNPL’s data intermediary, whilst Shopify SG was Shopify’s data sub-processor, as explained in paragraph 2. 10 SNPL (as the data controller of its customers’ personal data) had been notified, in the Shopify Plus Agreement, that its customer personal data may be transferred out of Singapore for the purpose of Purchase Processing, and was obligated to comply with the Transfer Limitation Obligation vis-à-vis the personal data collected by Shopify / Shopify SG for Purchase Processing. Section 4(3) of the PDPA provides that an organisation shall have the same obligation under the PDPA in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself. Such obligations include the Transfer Limitation Obligation. As stated in the Commission’s Advisory Guidelines on Key Concepts in the PDPA2: “Considerations for organisations using data intermediaries 6.20 Section 4(3) provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself. As such, it is good practice for an organisation to undertake an appropriate level of due diligence to assure itself that a potential data intermediary is capable of complying with the PDPA. … Overseas transfers of personal data 6.22 Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation in respect of any overseas transfer of personal data. 
This is regardless of whether the personal data is transferred by the organisation to an overseas data intermediary or transferred overseas by the data intermediary in Singapore as part of its processing on behalf and for the purposes of the organisation. 6.23 The Transfer Limitation Obligation requires that an organisation ensures that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions. The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary to ensure that it is capable of doing so. In undertaking its due diligence, transferring organisations may rely on data intermediaries’ extant protection policies and practices, including their assurances of compliance with relevant industry standards or certification.” (emphasis added) 2 Advisory Guidelines on Key Concepts in the PDPA (Rev 1 October 2021) 11 The Transfer Limitation Obligation required SNPL to ensure, prior to transferring customer personal data for processing by Shopify, that Shopify provided a standard of protection to transferred personal data that was comparable to the protection under the PDPA. This obligation did not abate by virtue of the Assignment on 1 July 2019, even though SNPL claimed that it was not made aware of the Assignment. At all times, SNPL was responsible for complying with the Transfer Limitation Obligation for its transfer to Shopify (initially) and Shopify SG (latterly). Even though Shopify SG assumed legal responsibility as SNPL’s data intermediary supposedly without informing SNPL, the flow of SNPL’s customer personal data was not altered, as Shopify SG continued to transfer SNPL’s customer personal data outside of Singapore (i.e. to Shopify) for Purchase Processing. 
12 In connection with this, the onus lay with SNPL to put in place the relevant contractual clauses to ensure the protection of its personal data to a standard comparable to the PDPA. However, investigations revealed that SNPL did not do so. The omission to put in place contractual clauses to ensure such comparable protection began with the start of their commercial arrangement. SNPL stated that, in 2018, it carried out a due diligence assessment of Shopify’s approach to data protection before entering into the Shopify Plus Agreement and migrating its online retail activities to the Platform (the “2018 Due Diligence Exercise”). However, this assessment was inadequate as it failed to ensure that there were binding contractual clauses requiring personal data transferred between them to be protected to a standard comparable to the PDPA. 13 Accordingly, SNPL failed to comply with the Transfer Limitation Obligation. Breach of the Transfer Limitation Obligation by Shopify SG 14 For the Purchase Processing of customer personal data discussed in the preceding paragraphs, Shopify SG acted as SNPL’s data intermediary and was thus not bound by the Transfer Limitation Obligation. 15 However, Shopify SG must also comply with the Transfer Limitation Obligation in relation to the personal data collected for Platform Processing. This is because Shopify SG was processing customer personal data for its own purposes, and was thus the data controller, while Shopify was the data intermediary. 16 In connection with this, investigations revealed that there were no legally binding obligations, in the form of contracts or binding corporate rules within the Shopify group, requiring Shopify to provide PDPA-comparable protection to personal data transferred from Shopify SG to Shopify for processing. While the Shopify Data Processing Addendum makes references to certain data protection legislation applicable to the European Union and the State of California, it did not cover the PDPA. 
During the course of investigations, Shopify indicated that it would “be putting in place binding corporate rules governing the transfer of merchants’ customers’ data between group entities” and furnished a draft APAC Cross-Border Whitepaper to the Commission. Whilst this was a step in the right direction, it did not retrospectively allow Shopify SG to regularise its intra-group data transfers to ensure compliance with the Transfer Limitation Obligation at the material time. 17 In view of the foregoing, Shopify SG failed to comply with the Transfer Limitation Obligation in respect of Platform Processing of personal data. The Deputy Commissioner’s Directions 18 In determining what directions (if any) should be given to the organisations pursuant to section 48I of the PDPA, and/or whether the organisations should be required to pay a financial penalty under section 48J of the PDPA, the factors listed at section 48J(6) of the PDPA were considered. In particular, the Commission placed emphasis on the fact that SNPL and Shopify SG had been highly cooperative with the Commission’s investigations. 19 On 18 July 2022, SNPL made representations to the Commission requesting additional time to comply with the direction set out below. In consideration of SNPL’s limitations as a small and medium enterprise, SNPL’s deadline to comply with the direction is extended from 60 days to 6 months. 
20 Having considered all the relevant factors of this case, SNPL and Shopify SG are hereby directed to take the following actions: (a) SNPL is to put in place within 6 months a process to ensure compliance with the Transfer Limitation Obligation under section 26 of the PDPA in any future engagement of services that may involve the processing of personal data outside of Singapore on behalf of SNPL; and (b) Shopify SG is to put in place within 60 days a process to ensure compliance with the Transfer Limitation Obligation under section 26 of the PDPA in any future engagement of its services that may involve the processing of personal data outside of Singapore. 21 Specific to SNPL’s transfer of personal data for the purpose of Purchase Processing to Shopify in Canada, the following observations may be helpful. The Association of Southeast Asian Nations (“ASEAN”) adopted and endorsed the Model Contractual Clauses (“ASEAN MCCs”), which are meant to facilitate cross-border transfers of personal data. These provide a standard for business-to-business (B2B) transfers that can be used by enterprises of any scale, but are especially helpful for small and medium enterprises. When using them, businesses may adapt these clauses as necessary for their commercial arrangements. 22 The Commission recognises the ASEAN MCCs as meeting the requirements of the Transfer Limitation Obligation under the PDPA: see PDPC’s Guidance for the Use of ASEAN Model Contractual Clauses for Cross Border Data Flows in Singapore (published 22 January 2021). Using the ASEAN MCCs can ease B2B transfers between Singapore and other jurisdictions such as Canada. In carrying out the directions, SNPL may therefore wish to consider relying on and adapting, as necessary, the ASEAN MCCs. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,22,22,1,952,"Directions were issued to Budgetcars to put in place appropriate contractual provisions, conduct a security audit of its technical and administrative arrangements for the security and maintenance of its website and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where personal data could be accessed by changing a few digits of the tracking ID.","[""Protection"", ""Directions"", ""Transport and Storage""]",2022-08-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Budgetcars-Pte-Ltd---06072022.pdf,Protection,Breach of the Protection Obligation by Budgetcars,https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-budgetcars,2022-08-11,"PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 13 Case No. DP-2108-B8798 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Budgetcars Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that the delivery tracking function (the “Tracking Function Page”) on the website of Budgetcars Pte Ltd (the “Organisation”) could be used to gain access to the personal data belonging to another individual. By changing a few digits of a Tracking ID, the complainant could access the personal data of another individual (the “Incident”). 2. The Organisation is a logistics company delivering parcels to customers (“Customers”) on behalf of retailers (“Retailers”). 3. The personal data of 44,357 individuals had been at risk of unauthorised access. 
The datasets comprised name, address, contact number and photographs of their signatures. 4. The Tracking Function Page was set up in December 2020 to allow Retailers and Customers to (i) keep track of the delivery status of their parcels; and (ii) confirm the identity of individuals collecting parcels on their behalf (where applicable). The Tracking IDs were generated by Retailers and comprised either sequential or non-sequential numbers. Although they were generated by Retailers, the Organisation adopted the Tracking IDs for use on its own Tracking Function Page, which allowed customers to track their deliveries and which would disclose the personal data listed above. The Protection Obligation therefore required the Organisation to ensure that there were reasonable access controls in its use of the Tracking IDs for giving access to an individual’s personal data. 5. The risk of unauthorised access to personal data from altering numerical references, both sequential and non-sequential, has featured in the published decisions of the Commission in Re Fu Kwee Kitchen Catering Services [2016] SGPDPC 14 and, more recently, in Re Ninja Logistics Pte. Ltd. [2019] SGPDPC 39. Insecure direct object reference has long been a well-known security risk to personal data. The Organisation failed to have reasonable access control to the affected individuals’ personal data when it simply adopted Tracking IDs generated by the Retailers without factoring in this risk. 6. The Organisation also admitted that it did not have in place a process to protect personal data through proper safeguards by archiving personal data relating to a completed delivery order after a reasonable period of time had lapsed. To reduce the risk of access to personal data through frontend applications, such data should be removed and archived within a reasonable time. The Organisation’s failure to do so resulted in more personal data being at risk in the Incident than should have been the case. 7. 
In the circumstances, the Organisation is found to be in breach of section 24 of the PDPA. 8. Upon being notified by the Commission of the Incident, the Organisation took the following remedial measures: a. Removed all personal data from the Tracking Function Page; b. Engaged its IT solutions provider to re-examine management of the Tracking Function Page; c. Implemented expiry of Tracking IDs 14 days after delivery; and d. Implemented checks to prevent sequential Tracking IDs from being uploaded onto the Tracking Function Page. 9. The Commission accepted the Organisation’s request for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. The Organisation also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 10. In Re Ninja Logistics Pte. Ltd., cited above, the organisation had been aware of the risk from manipulation of Tracking IDs. However, a counter-measure which the organisation initially introduced was abandoned due to operational issues and was not replaced. This resulted in a significantly larger dataset (>1.2 million) being exposed to the risk of unauthorised access over a period of close to 2 years. In comparison, the number of affected individuals in the present case was lower, as the Organisation was only handling deliveries for a few Retailers at the time of the Incident. 11. Having considered the circumstances set out above and the factors listed in section 48J(6) of the PDPA, including (i) the Organisation’s upfront voluntary admission of liability; and (ii) the prompt remedial action undertaken by the Organisation, the Commission considered that it would be appropriate not to require the payment of a financial penalty but to direct the Organisation to do the following: a. 
To put in place the appropriate contractual provisions to set out the obligations and responsibilities of both the data controller and data intermediary to protect the Organisation’s personal data, and the parties’ respective roles in protecting the personal data; b. To engage a qualified security service provider to conduct a thorough security audit of its technical and administrative arrangements for the security and maintenance of its website that contains personal data in the Organisation’s possession or control; c. Provide the full security audit report to the Commission, no later than 60 days from the date of the issue of this direction; d. Rectify any security gaps identified in the security audit report, and review and update its personal data protection policies as applicable, within 60 days from the date the security audit report is provided; and e. Inform the Commission within 1 week of completion of rectification and implementation in response to the security audit report. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. ",Directions,f58b11a86b70faf2534d0dbe08ee7f22ddbeaeb9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,23,23,1,952,Directions were issued to Crawfort to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and rectify any security gaps identified in the audit report. 
This is pursuant to a data breach incident where Crawfort's customer database was offered for sale on the dark web.","[""Protection"", ""Directions"", ""Finance and Insurance""]",2022-07-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Crawfort-Pte-Ltd---070622.pdf,Protection,Breach of the Protection Obligation by Crawfort,https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-crawfort,2022-07-14,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2106-B8446 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Crawfort Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 June 2021, Crawfort Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of the sale of the Organisation’s customer data on the dark web (the “Incident”). 2. The personal data of 5,421 customers were affected. The datasets affected comprised NRIC images (front and back), PDF copies of loan contracts (containing all the information in the NRIC, age, email address, contact number and loan amount) and PDF copies of income documents (payslips, CPF statements or IRAS Notices of Assessment). 3. The Organisation engaged external cyber security teams to investigate the Incident. The investigation identified an opened S3 server port in the Organisation’s AWS environment as the cause of the Incident. 4. The Organisation explained that it had opened the S3 server port for one week during a data migration exercise sometime on or about 15 April 2020 for business continuity purposes. On 3 April 2020, the Singapore government had announced that the country would enter a Circuit Breaker to contain the spread of COVID-19. All non-essential workplaces, including the Organisation, had to be closed from 7 April 2020. 
In order to continue its business, the Organisation had to pivot its operations so as to allow its staff to work from home and its customers to make loan applications remotely. Within a very short period, the Organisation had to carry out the data migration exercise and, as a result, overlooked conducting a risk assessment prior to the data migration exercise. 5. The opened S3 server port connected directly to the S3 server hosting the S3 buckets, which contained the affected personal data. The open remote port enabled attempts to connect to the Organisation’s AWS environment from the internet. Furthermore, the S3 bucket containing the affected personal data was publicly accessible due to a misconfiguration of the S3 bucket. As a result, the threat actor was able to gain access to the publicly accessible S3 bucket during the one-week period. 6. The Organisation took the following remedial measures after the Incident: a. Reset and reconfigured all whitelisted IPs to the AWS server; b. Reset and reconfigured all VPNs; c. Limited the whitelisted IP addresses to its web portal; d. Conducted a penetration test; e. Monitored the dark web to ensure that the data was not circulated; f. Engaged an independent cyber security consultant to carry out an investigation, study the IT infrastructure and propose improvements to its systems; and g. Notified the affected individuals. 7. The Commission accepted the Organisation’s request for this matter to be handled under the Commission’s expedited breach decision procedure. This meant that the Organisation had voluntarily provided and unequivocally admitted to the facts set out in this decision. The Organisation also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). 8. The Organisation admitted that it failed to conduct a reasonable risk assessment before carrying out the data migration exercise. 
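The two conditions paragraph 5 describes, a bucket made publicly accessible by its own configuration and a port reachable from the internet, are what a pre-migration risk assessment would have checked for. The following Python is an added example, not code from the decision or from the Organisation, that evaluates such configuration offline: it takes a bucket policy, a Block Public Access configuration and a security group in the shape the AWS APIs return them (in a live account these come from the S3 get_bucket_policy and get_public_access_block calls and the EC2 describe_security_groups call, which are not made here), and reports anonymous-principal statements, whether the bucket is effectively public, and ingress rules open to the whole internet. The bucket name, CIDR ranges and security group IDs are constructed; the IP-restricted policy shows what the whitelisting in the remedial measures looks like at policy level.

```python
import ipaddress

# Added example; not the decision's or the Organisation's code. The documents
# below are constructed to look like AWS API output (S3 get_bucket_policy /
# get_public_access_block, EC2 describe_security_groups). The bucket name,
# CIDR ranges and security group IDs are hypothetical.

BUCKET_POLICY_PUBLIC = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'MigrationRead',
        'Effect': 'Allow',
        'Principal': '*',  # anyone, including unauthenticated callers
        'Action': ['s3:GetObject', 's3:ListBucket'],
        'Resource': ['arn:aws:s3:::example-loan-docs',
                     'arn:aws:s3:::example-loan-docs/*'],
    }],
}

# Same grant, limited to one egress range: IP whitelisting at the policy level.
BUCKET_POLICY_IP_RESTRICTED = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'MigrationReadFromOffice',
        'Effect': 'Allow',
        'Principal': '*',
        'Action': ['s3:GetObject', 's3:ListBucket'],
        'Resource': ['arn:aws:s3:::example-loan-docs',
                     'arn:aws:s3:::example-loan-docs/*'],
        'Condition': {'IpAddress': {'aws:SourceIp': ['203.0.113.0/24']}},
    }],
}

PUBLIC_ACCESS_BLOCK_OFF = {'BlockPublicAcls': False, 'IgnorePublicAcls': False,
                           'BlockPublicPolicy': False, 'RestrictPublicBuckets': False}
PUBLIC_ACCESS_BLOCK_ON = {k: True for k in PUBLIC_ACCESS_BLOCK_OFF}

SECURITY_GROUP_OPEN = {'GroupId': 'sg-0a1b2c3d', 'IpPermissions': [
    {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22,
     'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': []},
]}
SECURITY_GROUP_RESTRICTED = {'GroupId': 'sg-0d3c2b1a', 'IpPermissions': [
    {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22,
     'IpRanges': [{'CidrIp': '203.0.113.0/24'}], 'Ipv6Ranges': []},
]}

# Condition keys that tie a grant to a specific caller or network; a '*'
# principal guarded by one of these is not world-readable.
NARROWING_KEYS = {'aws:sourceip', 'aws:sourcevpc', 'aws:sourcevpce',
                  'aws:principalorgid', 'aws:principalaccount', 'aws:principalarn'}


def principal_is_anonymous(principal):
    '''True for both spellings of an anonymous principal.'''
    if principal == '*':
        return True
    if isinstance(principal, dict):
        aws = principal.get('AWS')
        return aws == '*' or (isinstance(aws, list) and '*' in aws)
    return False


def narrows_caller(condition):
    '''True if a positive condition restricts who or where the caller is.
    Negated operators (NotIpAddress, StringNotEquals, ...) widen, not narrow.'''
    for operator, keys in condition.items():
        if 'not' in operator.lower():
            continue
        if any(k.lower() in NARROWING_KEYS for k in keys):
            return True
    return False


def public_statements(policy):
    '''Sids of Allow statements for an anonymous principal with no narrowing.'''
    found = []
    for st in policy.get('Statement', []):
        if st.get('Effect') != 'Allow':
            continue
        if not principal_is_anonymous(st.get('Principal')):
            continue
        if narrows_caller(st.get('Condition', {})):
            continue
        found.append(st.get('Sid', '<no sid>'))
    return found


def bucket_is_public(policy, public_access_block):
    '''A public policy only takes effect when RestrictPublicBuckets is off;
    with it on, S3 ignores the public grant for callers outside the account.
    BlockPublicPolicy would have rejected the PUT of this policy in the first place.'''
    sids = public_statements(policy)
    if not sids or public_access_block.get('RestrictPublicBuckets'):
        return False, sids
    return True, sids


def open_to_internet(security_group):
    '''Ingress rules reachable from any address, as (protocol, from, to, cidr).'''
    findings = []
    for perm in security_group.get('IpPermissions', []):
        cidrs = [r['CidrIp'] for r in perm.get('IpRanges', [])]
        cidrs += [r['CidrIpv6'] for r in perm.get('Ipv6Ranges', [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((perm.get('IpProtocol'), perm.get('FromPort'),
                                 perm.get('ToPort'), cidr))
    return findings
```

Run before a migration window opens, the two checks answer the question the risk assessment here never asked: with the port opened, can an anonymous caller on the internet reach the bucket? A '*' principal with no narrowing condition and RestrictPublicBuckets off says yes, whatever the intent behind the policy was.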
There was no access control to the S3 bucket containing the affected personal data during the week-long migration exercise. This, coupled with the open port, allowed the threat actor to gain access to the affected personal data. 9. In the circumstances, the Organisation is found to be in breach of section 24 of the PDPA. 10. Having considered the circumstances set out above and the factors listed in section 48J(6) of the PDPA, including (i) the Organisation’s upfront voluntary admission of liability, which significantly reduced the time and resources required for investigations; and (ii) the prompt remedial actions undertaken by the Organisation, the Commission considered that it would be most appropriate, in lieu of imposing a financial penalty, to direct the Organisation to comply with the following: a. To engage a qualified security service provider to conduct a thorough security audit of its technical and administrative arrangements for the security and maintenance of its AWS S3 environment that contains personal data in the Organisation’s possession or control; b. Provide the full security audit report to the Commission, no later than 60 days from the date of the issue of this direction; c. Rectify any security gaps identified in the security audit report, and review and update its personal data protection policies as applicable, within 60 days from the date the security audit report is provided; and d. Inform the Commission within 1 week of completion of rectification and implementation in response to the security audit report. The following provision(s) of the Personal Data Protection Act 2012 had been cited in the above summary: Protection of personal data 24. 
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. ",Directions,e2755a8249f833e1c234b8532991f2dc6896ee30,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,37,37,1,952,Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA.,"[""Accountability"", ""Directions"", ""Construction"", ""No DPO""]",2022-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf,Accountability,Breach of Accountability Obligation by ACL Construction (S),https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction,2022-04-21,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the dark web by one “Prometheus” (the “Incident”). 2. Investigations revealed that, a few days earlier, three ACL staff (a designer and two sales executives) had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. 
The Organisation then sought external IT support. 3. The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project documents and photographs; and (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison persons, their business contact number(s) and/or business email(s). As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found that the Organisation had failed to designate one or more individuals, commonly known as a Data Protection Officer (“DPO”), to be responsible for ensuring that the Organisation complies with the PDPA, as required under section 11(3) of the PDPA. The Organisation’s failure to have any data protection policies in place meant that it was also in breach of section 12(a) of the PDPA. 6. The Commission is cognizant that, by virtue of the nature of the Organisation’s business, the Organisation primarily deals with business contact information from its corporate clients. 
Having said that, while no personal data may have been affected as a result of the Incident, the Organisation still has to comply with the accountability obligation, as set out in sections 11 and 12 of the PDPA, so as to protect the personal data of its employees, and any other personal data it may incidentally process or come into the control or possession of. 7. The Commission notes that after the Incident, the Organisation took prompt remedial actions and duly appointed a member of its staff to be responsible for ensuring that the Organisation complies with the PDPA. 8. Nonetheless, bearing in mind the Organisation’s low level of awareness of its obligations under the PDPA, the Commission considered that it would be most appropriate, in lieu of imposing a financial penalty, to direct the Organisation to comply with the following: a. To develop and implement policies and practices to comply with the provisions of the PDPA; and b. Put in place a programme of compulsory training for employees of ACL on compliance with the PDPA when handling personal data. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Compliance with PDPA 11(3). An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. Policies and practices 12(a). An Organisation must develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. 
",Directions,e5d93d363b4513ab709353939decc81ce04eb8a1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,49,49,1,952,Directions were issued to J & R Bossini Fashion for breaches of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to its parent company in Hong Kong and the protection of its employees’ personal data stored in its servers in Singapore.,"[""Protection"", ""Transfer Limitation"", ""Directions"", ""Wholesale and Retail Trade""]",2021-10-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---J--R-Bossini-Fashion-Pte-Ltd---18082021.pdf,"Protection, Transfer Limitation",Breach of the Protection and Transfer Limitation Obligations by J & R Bossini Fashion,https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-and-transfer-limitation-obligations-by-j-r-bossini-fashion,2021-10-14,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 9 Case No. DP-2006-B6440 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And J & R Bossini Fashion Pte Ltd … Organisation DECISION J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6440 18 August 2021 Introduction 1 On 13 June 2020, J & R Bossini Fashion Pte Ltd (“the Organisation”) notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the IT systems of the Organisation’s group of companies on or around 27 May 2020 (“the Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). 
Facts of the Case 2 The Organisation is a company incorporated in Singapore, and a subsidiary of Bossini International Holdings Limited, a company listed on the Stock Exchange of Hong Kong (“Bossini Holdings”). Bossini Holdings and its subsidiaries (“the Group”) are in the business of garment retail and brand franchising. 3 The Group’s IT systems and infrastructure across different regions (including Singapore) are centrally managed by Bossini Holdings from Hong Kong. While most of the Group’s production servers are located in Hong Kong, at the material time, the Organisation maintained two servers and various workstations for its staff in Singapore which were connected to the Group’s network in Hong Kong by way of a virtual private network (“VPN”). Personal data collected by the Organisation 4 Sometime prior to 2017, the Organisation collected personal data from customers and prospective customers in Singapore for the purposes of administering a customer loyalty programme. The personal data collected comprised each individual’s: (a) Name; (b) NRIC number; (c) Phone number; (d) Email address; (e) Residential address; (f) Date of birth; and (g) Gender. (collectively, “the Customer Data”) 5 The Customer Data was initially stored locally by the Organisation in its servers in Singapore. The Organisation transferred the Customer Data out of Singapore to a server in Hong Kong around July 2017, as part of a Group level consolidation exercise with a view to hosting the data in a cloud environment in the future. 6 Other than the Customer Data, the Organisation also collected and stored personal data pertaining to its employees in its Singapore servers. This included each employee’s: (a) Name; (b) NRIC number; (c) Phone number; (d) Email address; (e) Residential address; (f) Date of birth; (g) Gender; (h) Marital status; (i) Salary details; (j) Bank account details; and (k) Medical claims records. 
(collectively, “the Employee Data”) The Incident 7 Sometime before 27 May 2020, attackers gained access to the Group’s network in Hong Kong by exploiting a vulnerability in the Group’s off-the-shelf VPN software. The vulnerability allowed the attackers to extract valid VPN credentials and bypass the Group’s perimeter network security measures. 8 The vulnerability exploited by the attackers had been fixed by a patch released by the VPN software developer in September 2019. However, Bossini Holdings had not deployed the patch for the Group as at the time of the Incident on 27 May 2020 (i.e. some nine months later). The patch was subsequently deployed after the Incident, on 3 June 2020. 9 After gaining a foothold in the Group’s network in Hong Kong, the attackers moved laterally across the Group and compromised various administrative and user accounts to conduct reconnaissance and escalate privileges. Eventually, with Group-level administrative privileges, the attackers disabled endpoint security systems across the Group and executed the ransomware attack. 10 The personal data of approximately 200,000 of the Group’s customers stored in the Hong Kong server was encrypted and rendered inaccessible in the Incident. Relevantly, this included the Customer Data of 154,213 customers originally collected by the Organisation in Singapore. Of this, the Customer Data of at least 14,082 Singapore customers was exfiltrated and exposed on the dark web. The Employee Data of 120 of the Organisation’s employees stored in the servers in Singapore was similarly encrypted and rendered inaccessible in the Incident. 11 All backups of the Customer Data and Employee Data maintained by Bossini Holdings and the Organisation were affected and encrypted in the Incident, and no data restoration was possible. 
Remedial actions 12 Following the Incident, the remedial actions of Bossini Holdings and the Organisation included: (a) Appointing a leading cybersecurity vendor to contain the impact of the Incident and investigate its causes; (b) Publishing a data breach announcement on the Group’s website and via the Stock Exchange of Hong Kong; (c) Notifying affected customers via the email addresses provided when registering for the customer loyalty programme; (d) Blocking the IP addresses used by the attackers in the Incident and restricting outbound network traffic to limit the ability of any malware in the Group’s network to “call back” to the attackers; (e) Upgrading the VPN software to patch the vulnerability; (f) Enforcing multi-factor authentication for all remote access via VPN; (g) Enforcing a password change for all user accounts and resetting all domain user credentials; (h) Performing a review to limit and restrict public-facing services on network perimeters; (i) Performing vulnerability scanning of critical servers to identify and rectify immediate risks; (j) Reviewing and enhancing endpoint protection tools; (k) Implementing monitoring of perimeter firewalls and planning upgrades to the server firewalls; and (l) Engaging a third-party security operations centre to monitor the Group’s network infrastructure. 13 For completeness, the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) was notified of the Incident by Bossini Holdings on 24 June 2020 and conducted its own compliance check. The Commission was informed that the PCPD would not be proceeding with any further investigations after considering the circumstances of the case and the remedial measures taken by Bossini Holdings. 
Findings and Basis for Determination 14 Based on the circumstances of the Incident, the Commission’s investigation focused on: (a) Whether the Organisation had breached its obligation under section 26 of the PDPA to transfer personal data to a country or territory outside Singapore in accordance with requirements prescribed under the PDPA (the “Transfer Limitation Obligation”) in respect of the Customer Data transferred to Hong Kong on 17 July 2017; and (b) Whether the Organisation had breached its obligation under section 24 of the PDPA to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”) in respect of the Employee Data encrypted in the Organisation’s servers in Singapore during the Incident. 15 For the reasons set out below, the Organisation was determined to have breached both the Transfer Limitation and Protection Obligations. 16 As a preface to the discussion below, it is relevant to highlight that both of the Organisation’s breaches were attributable to its failure to implement policies and practices to meet its obligations under the PDPA, as required by section 12 of the PDPA (“the Accountability Obligation”). 17 For corporate groups which engage in (i) centralisation of corporate functions involving intra-group dataflows and/or (ii) “outsourcing” of data processing activities to another member of the same group, policies and practices ought to be developed and implemented at the group level for the benefit of all members of the group. 
As stated in Everlast Projects Pte Ltd and others [2020] SGPDPC 20 (“Everlast”) at [13]: “(O)rganisations operating as a group of companies may comply with the Accountability Obligation through binding group-level written policies or intra-group agreements that set out a common and binding standard for the protection of personal data across all organisations in the same corporate group. These binding group-level written policies or intra-group agreements are akin to binding corporate rules (“BCRs”) imposed by an organisation on its overseas recipient of the personal data (in compliance with the Transfer Limitation Obligation under Section 26(1) of the PDPA), which oblige the overseas recipient to provide a standard of protection to the transferred personal data that is at least comparable to that under the PDPA. When the corporate group is a multinational corporation (“MNC”) and the Contracting Organisation (i.e. a member of a corporate group) transfers personal data to an overseas Servicing Organisation (i.e. an overseas member of the same corporate group), the binding group-level written policies, intra-group agreements or BCRs which meet the requirements of the Protection Obligation under section 24 of the PDPA would also meet the requirements of section 26(1) of the PDPA (i.e. the Transfer Limitation Obligation)” Whether the Organisation breached the Transfer Limitation Obligation 18 As the Customer Data was transferred from Singapore to Hong Kong on 17 July 2017, the requirements in Part III of the Personal Data Protection Regulations 2014 (“PDPR”) 1 governed the Organisation’s compliance with the Transfer Limitation Obligation. 
19 Regulation 9(1)(b) of the PDPR requires an organisation that transfers personal data outside of Singapore to take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide the transferred personal data a standard of protection at least comparable to that under the PDPA. Under regulation 10 of the PDPR, such legally enforceable obligations can be imposed on the recipient organisation under (a) any law (e.g. the law of the recipient country); (b) any contract between the parties2; (c) binding corporate rules3; or (d) any other legally binding instrument. 20 In the present case, the Organisation transferred the Customer Data to Bossini Holdings upon instruction and took no steps to ascertain whether the Customer Data would be accorded a comparable level of protection. In this regard, the transfer of the Customer Data was not made pursuant to any intra-group contracts, binding corporate rules, or other legally binding instrument. Accordingly, the Organisation failed to comply with regulation 9(1)(b) of the PDPR and was determined to have breached the Transfer Limitation Obligation. 1 For transfers which took place on or after 1 February 2021, the relevant requirements are those prescribed in Part 3 of the Personal Data Protection Regulations 2021. 2 For example, see Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18. 3 For example, see Singapore Technologies Engineering Limited [2020] SGPDPC 21. Whether the Organisation breached the Protection Obligation 21 At the time of the Incident, Bossini Holdings had implemented group-level security arrangements for all of the Group’s IT systems, including the Organisation’s servers in Singapore. Notwithstanding, the Employee Data remained in the Organisation’s possession in the servers in Singapore, and the Organisation bore the Protection Obligation in respect of the same. 
22 It is appreciated that a corporate subsidiary in the circumstances of the Organisation, which is subject to group-level security arrangements managed centrally, may not have the autonomy or power to respond independently to a multinational data breach incident. Nevertheless, the standard of conduct expected of such organisations in order to comply with the Protection Obligation is not onerous. The following principles have been established in past decisions. (a) First, a subsidiary should not adopt group level data protection policies without considering whether these need to be adapted to their circumstances and contexts: Tiger Airways Singapore Pte Ltd and others [2017] SGPDPC 6 at [33]; and (b) Second, when there is centralisation of corporate functions, group level policies should be put in place in order that roles and responsibilities are clear: Everlast. 23 These twin principles provide the guard rails for establishing accountability within a group and for how it should cascade. In gist, where there is centralisation of corporate functions, group level policies establish the scope of centralisation and the respective roles and responsibilities of members within the group. This is not dissimilar to a situation in which a data controller outsources certain data protection responsibilities to an external vendor. It is the data controller’s obligation to specify and document what responsibilities the vendor has undertaken, failing which they remain those of the data controller. Once the group level policies are established, the relevant content then needs to be cascaded and adapted in the internal policies implemented by each member of the group at an organisational level. 24 As a subsidiary in a multinational corporate group, it is accepted that the Organisation had to implement the Group’s IT policies, including IT security practices. 
The reality is that its ability to influence these IT policies and how these practices were implemented was likely to also have been limited. Nevertheless, in the present case, the Group had no group level policies, intra-group agreements, or binding corporate rules spelling out the data protection responsibilities of the respective members of the Group. This created uncertainty as to whether Bossini Holdings or the Organisation was responsible for software patching and security testing of the Organisation’s IT systems in Singapore. 25 It was also accepted that the security lapse and privilege escalation that enabled the attackers to overcome the Organisation’s endpoint protections in the Incident occurred abroad, out of the control of the Organisation. If the Group had intended for Bossini Holdings to be centrally responsible for developing, implementing, and maintaining security arrangements for all of the Group’s IT systems (including those of the Organisation), this should have at least been documented in a binding group-level written policy. There was no evidence of the same, and accordingly, the Organisation continued to bear responsibility in relation to the Employee Data in its possession. 26 In the circumstances, the Organisation was determined to have breached the Protection Obligation. The Deputy Commissioner’s Directions 27 Having considered all the relevant factors of this case, the Deputy Commissioner hereby directs the Organisation to: (a) within 30 days from the date of the direction accompanying this decision, put in place intra-group agreements, contracts, or binding corporate rules for compliance with sections 24 and 26 of the PDPA; and (b) inform the Commission of the completion of the above within 7 days of implementation. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,0705137f0dd7129af2528c049cc49cf5edda8502,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,56,56,1,952,Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia.,"[""Transfer Limitation"", ""Directions"", ""Education"", ""Ransomware"", ""Consent""]",2021-09-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf,Transfer Limitation,Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute,https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute,2021-09-21,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). 
Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA (the “Transfer Limitation Obligation”). The requirements mentioned in section 26(1) were set out in Regulations 9 and 10 of the Personal Data Protection Regulations 2014 (which were in force at the time) (the “Transfer Regulations 2014”). The Transfer Regulations 2014 were recently amended (“the Transfer Regulations 2021”). The ensuing analysis and application of the Transfer Regulations 2014 is equally relevant for the Transfer Regulations 2021, which are in pari materia but for some re-numbering of the regulations. 4 The Transfer Regulations 2014 provide for a range of transfer mechanisms to ensure compliance with Section 26(1) of the PDPA, e.g. 
through legally enforceable obligations under any law, contracts, binding corporate rules or any other legally binding instruments. Within a group of companies, reliance on intra-group agreements and binding corporate rules is common for cross-border data transfers. They provide a flexible system for centralisation of corporate functions and services. The commercial decision would be driven by where these functions are best located, and intra-group agreements and binding corporate rules allow the group to establish a bespoke internal governance system to ensure that personal data is well managed across the group. The Transfer Regulations 2014 (and 2021) support the adoption of intra-group agreements and binding corporate rules in the following manner. 5 Pursuant to Regulation 9(1)(b), the Organisations could have met the Transfer Limitation Obligation by taking appropriate steps to ensure that the recipients of the transferred personal data in the United Kingdom and Malaysia were bound by legally enforceable obligations (in accordance with Regulation 10(1) of the Transfer Regulations 2014) to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA. Regulation 9(1)(b) is now Regulation 10(1) in the Transfer Regulations 2021. Regulation 10(1) of the Transfer Regulations 2014 specifies that such legally enforceable obligations include any law, a contract that complies with the conditions in Regulation 10(2), or binding corporate rules that meet the conditions set out in Regulation 10(3). These same regulations are now in Regulation 11 in the Transfer Regulations 2021. These regulations support the use of intra-group agreements (footnote 1) and binding corporate rules (footnote 2). 
6 Investigations revealed that the Organisations did not put in place intra-group agreements, binding corporate rules or any other legally binding instrument to ensure that a standard of protection comparable to the PDPA is provided to personal data transferred within the group as required by Regulation 10(1). 7 In their responses to the Commission, the Organisations put forward the argument that they had met the Transfer Limitation Obligation under the PDPA by virtue of the fact that the laws of the United Kingdom applied to the receiving organisations within their group. I do not exclude the possibility that the data protection system that governs the receiving organisation may, on a proper analysis, provide comparable protection. However, based on the responses made by the Organisations to the Commission, I am not satisfied that the transferring organisation conducted this analysis and concluded that there would be comparable protection before the transfer. After-the-fact justification will not be accepted. (Footnote 1: See Re Everlast Projects & Others [2020] SGPDPC 20 at [13]. Footnote 2: See Re Singapore Technologies Engineering Limited [2020] SGPDPC 21.) 8 Of the 1,083 Singapore-based individuals whose personal data had been transferred to the ultimate parent company in the United Kingdom, the Organisations mentioned that 44 of these individuals, who were employees, had consented to the transfer of their personal data out of Singapore in their employment contracts. Regulation 9(3)(a) of the Transfer Regulations 2014 did provide for the Transfer Limitation Obligation to be met by obtaining the consent of individuals for the transfer of their data. 
However, to meet the consent requirement under Regulation 9(3)(a) of the Transfer Regulations 2014, Regulation 9(4) requires the Organisations to provide to the individuals a summary in writing of the extent to which their personal data, when transferred to a foreign country or territory, would be protected to a standard comparable to the PDPA. These requirements are now encapsulated in Regulations 10(2)(a) and 10(3) of the Transfer Regulations 2021. The procedural safeguards established by Regulation 9(3) of the Transfer Regulations 2014 make the use of consent somewhat more cumbersome, as there is a need for consent to be refreshed whenever reorganisation of the group’s internal function leads to a relocation of that function in a different jurisdiction. This also does not enable the Organisations to benefit from the employment management exception to the requirement for consent. Be that as it may, this option is available for organisations that choose to rely on it. However, on the evidence, this summary in writing was not provided by the Organisations to the 44 Singapore employees. The Deputy Commissioner’s Directions 9 In view of the foregoing, I therefore find that the Organisations have failed to discharge their Transfer Limitation Obligation under section 26 of the PDPA. The Organisations are directed to do the following within 30 days from the date of this Decision: (a) put in place intra-group agreements or binding corporate rules for compliance with section 26 of the PDPA in relation to any personal data transferred out of Singapore (footnote 3); (b) if relying on consent, review and make necessary changes to their consent and notification processes for compliance with section 26 of the PDPA and Regulation 10(3) of the Personal Data Protection Regulations 2021 in relation to any personal data transferred out of Singapore; and (c) inform the Commission of the completion of the above within 7 days of implementation. 
(Footnote 3: Refer to Regulation 11 of the Personal Data Protection Regulations 2021, which is applicable at the present time.) YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,3b598c8a7be71e58fadf5f81e6bf2476ad13c791,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,66,66,1,952,"Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA.","[""Accountability"", ""Protection"", ""Directions"", ""Others"", ""No Policy"", ""Access control"", ""Indexing""]",2021-04-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf,"Accountability, Protection",Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer,https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer,2021-04-15,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. 
The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to the public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. Fortuitously, it appeared that the access to the File was minimal – based on the Google Analytics report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled search engine indexing of the sub-directory, password-protected all files with members’ data, implemented a weekly check of all files uploaded onto the website to detect any accidental uploading of incorrect files, and adopted a policy to delete files that have been on the website for more than three months. The Organisation has also informed the Commission that it intends to engage a consultant to conduct PDPA training for its staff, as well as to review the data protection processes within the Organisation to ensure compliance with the PDPA. 6. 
In view of the facts stated at [3] above, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA (the obligation to develop and implement data protection policies and practices), and section 24 of the PDPA (the obligation to protect personal data in an organisation’s possession or under its control by making reasonable security arrangements). 7. In determining the directions to be imposed on the Organisation under section 29 of the PDPA, the following factors were taken into account: (a) The Organisation had voluntarily notified the Commission of the incident, fully cooperated with the Commission’s investigations and implemented prompt remedial measures to address the breach; and (b) There was minimal access to the File and no evidence that the personal data had been misused. 8. In the circumstances, the Deputy Commissioner would not be imposing any financial penalty on the Organisation. However, in light of the Organisation’s lack of the necessary data protection policies and practices, the Deputy Commissioner hereby directs the Organisation to: (a) Develop and implement internal data protection policies and practices to comply with the provisions of the Act within 90 days from the date of the direction, and (b) Inform the Commission within 1 week of implementation of the above. ",Directions,3af9997c53409121b23cd38f9ec106f784e3648c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,76,76,1,952,"Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. 
Second, they did not have written policies and practices necessary to ensure their compliance with the PDPA.","[""Accountability"", ""Protection"", ""Directions"", ""Construction"", ""No Policy"", ""Ransomware""]",2020-12-18,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf,"Accountability, Protection","Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist",https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects,2020-12-18,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. 
The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): Name of Organisation / Number of employees affected: EPPL, 141; EIPL, 239; ESPL, 4; Total number of individuals, 384. 4 The types of personal data of the Affected Employees that were at risk of unauthorised access included the following (collectively, the “Personal Data Sets”): (a) Name; (b) NRIC/FIN number; (c) Date of birth; (d) Bank account details; and (e) Information relating to salary. 5 The cause of the ransomware infection was not identified. EPPL’s investigations could not determine how the ransomware gained entry to the Server. EPPL was also unable to confirm whether any of the Personal Data Sets had been exfiltrated as a result of the Incident. Upon discovery of the Incident, EPPL took prompt remedial action by ceasing to use the Server immediately. 6 Findings and Basis for Determination 7 The two issues to be determined in this case are as follows: (a) Whether the Organisations had each complied with their obligations under section 12 of the Personal Data Protection Act 2012 (the “PDPA”); and (b) Whether the Organisations had each complied with their obligations under section 24 of the PDPA. 
Whether EPPL, EIPL and ESPL had each complied with their obligations under section 12 of the PDPA 8 Section 12 of the PDPA requires organisations to, inter alia, develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its staff (the “Accountability Obligation”). 9 In this regard, it is important to reiterate that an organisation’s Data Protection Policies should be documented in a written policy, as per Re Furnituremart.sg [2017] SGPDPC 7 at [14]: “[t]he lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.” 10 As mentioned at [2], EPPL, EIPL and ESPL operated as a group of companies in the sharing of payroll processing services, which are centralised within the HR department of EPPL. The Commission recognises the commercial benefits which arise from centralising common corporate functions within a group of companies. In such situations, one entity (the “Servicing Organisation”) provides corporate services to other entities in the same corporate group (each a “Contracting Organisation”). 
If the shared common corporate services involve the processing of personal data, the Servicing Organisation would be acting as a data intermediary for each Contracting Organisation (footnote 1). (Footnote 1: See the Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [6.28].) 11 The common corporate service shared by the Organisations in the present case was the payroll processing function. EIPL and ESPL were therefore permitted to collect, without consent, their respective Affected Employees’ Personal Data Sets and disclose the same to EPPL for the purposes of managing the employment relationship (footnote 2). In these circumstances, EPPL was: (a) A data controller with respect to its own Affected Employees’ Personal Data Sets; and (b) EIPL and ESPL’s data intermediary with respect to their respective Affected Employees’ Personal Data Sets that EPPL was processing on their behalf. 12 The Organisations admitted that they did not have any written data protection policies and relied only on verbal instructions to employees. Although the Organisations are in the construction industry and, in this case, do not typically collect personal data from customers, the Accountability Obligation required the Organisations to put in place data protection policies in relation to the protection of personal data of their respective employees. 13 In this regard, organisations operating as a group of companies may comply with the Accountability Obligation through binding group-level written policies or intra-group agreements that set out a common and binding standard for the protection of personal data across all organisations in the same corporate group. 
These binding group-level written policies or intra-group agreements are akin to binding corporate rules (“BCRs”) imposed by an organisation on its overseas recipient of the personal data (in compliance with the Transfer Limitation Obligation under Section 26(1) of the PDPA), which oblige the overseas recipient to provide a standard of protection to the transferred personal data that is at least comparable to that under the PDPA (footnote 3). Where the corporate group is a multinational corporation (“MNC”) and the Contracting Organisation transfers personal data to an overseas Servicing Organisation, the binding group-level written policies, intra-group agreements or BCRs which meet the requirements of the Protection Obligation under section 24 of the PDPA (footnote 4) would also meet the requirements of section 26(1) of the PDPA in relation to the Protection Obligation (footnote 5). (Footnote 2: See Second Schedule of the PDPA, para 1(o) and Fourth Schedule of the PDPA, para 1(s). Footnote 3: The Transfer Limitation Obligation under Section 26 of the PDPA requires an organisation that transfers personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient of personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to that under the PDPA.) 14 In the present case, the Organisations did not have any such binding group-level written policies, intra-group agreements or BCRs. In the circumstances, I find each of EPPL, EIPL and ESPL in breach of the Accountability Obligation. 
Whether EPPL, EIPL and ESPL had contravened section 24 of the PDPA 15 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”). The obligation to make reasonable security arrangements does not attach unless the organisation is in possession or control of personal data. 16 As mentioned at [10], EPPL was (i) a data controller with respect to its own Affected Employees’ Personal Data Sets; and (ii) EIPL and ESPL’s data intermediary with respect to their Affected Employees’ Personal Data Sets that EPPL was processing on their behalf. In this regard, EPPL, EIPL and ESPL had possession and/or control of the Affected Employees’ Personal Data Sets at the material time. (a) EPPL was in possession and control of the Affected Employees’ Personal Data Sets. This was because the Organisations’ payroll processing functions were centralised within the HR department of EPPL. (b) While EIPL and ESPL did not have possession of their respective Affected Employees’ Personal Data Sets because they were centrally hosted on EPPL’s Server, I find that EIPL and ESPL remained in control of their respective Affected Employees’ Personal Data Sets as data controllers. This is because the processing of EIPL’s and ESPL’s Affected Employees’ Personal Data Sets by EPPL was for EIPL’s and ESPL’s respective business purposes (footnote 6). (Footnote 4: The Protection Obligation is explained at paragraph 14. Footnote 5: See, for illustration, Re Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18 at [13].) 17 Each of the Organisations was therefore obliged to put in place reasonable security arrangements to protect the Affected Employees’ Personal Data Sets, including preventing the risk of unauthorised modification. 
In the present case, the Commission’s investigations into the Incident revealed that the ransomware had encrypted all the files in the Server and its physical backup, including the Affected Employees’ Personal Data Sets. The unauthorised modification of the Affected Employees’ Personal Data Sets by the ransomware made them unreadable and unusable. 18 It is well established that a data controller should have in place a written contract with its data intermediary that clearly specifies the data intermediary’s obligation to protect personal data (footnote 7). That said, the relationship between the Organisations is a relevant factor in determining the reasonable security measures expected of them to comply with the Protection Obligation. In this regard, for a group of companies, the written contract requirement between a Servicing Organisation and the Contracting Organisation may be met by binding group-level written policies, intra-group agreements or BCRs as discussed at [13] above. 19 In addition to a written agreement specifying data protection requirements, a Contracting Organisation should also implement operational processes so as to be able to exercise some form of supervision or control over the activities of the Servicing Organisation when it processes personal data on the Contracting Organisation’s behalf (footnote 8). Where the Servicing Organisation has specialised knowledge, skills and/or tools for processing personal data, having a robust audit framework could be an appropriate form of oversight. This may be particularly suited for MNCs which typically conduct periodic internal and/or external audits and assessments to monitor compliance by each organisation within the corporate group (footnote 9). (Footnote 6: See Re The Cellar Door Pte Ltd and another [2016] SGPDPC 22 at [17] – [18]; Re AIG Asia Pacific Insurance Pte Ltd [2018] SGPDPC 8 at [18]. 
Footnote 7: See the Commission’s Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data (20 July 2016) at [4]; Re Singapore Telecommunications Limited [2017] PDPC 4 at [14]. Footnote 8: The Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [17.5] provides that “[e]nsuring that IT service providers are able to provide the requisite standard of IT security” is an example of a technical measure an organisation may use to protect personal data.) Conversely, small and medium-sized enterprises that only operate in Singapore are less likely to conduct such compliance audits on each organisation in the corporate group in the areas of cybersecurity and/or data protection. In such situations, appropriate oversight could involve simpler processes. For example, requiring the Servicing Organisation to explain to the Contracting Organisation the measures which would be taken to secure personal data, with appropriate documentation to evidence this process (e.g. written acknowledgement given by the Contracting Organisation to the Servicing Organisation), and to provide regular reports showing that it has put these processes in place. 20 In the present case, both EIPL and ESPL failed to put in place reasonable security arrangements to ensure that EPPL (who was their data intermediary for the purposes of payroll processing) would protect their respective Affected Employees’ Personal Data Sets. There was no written contract, intra-group agreement or group-level written policies/BCRs setting out data protection requirements that EPPL was obliged to comply with when processing EIPL’s and ESPL’s respective Affected Employees’ Personal Data Sets. 
Notwithstanding that the Organisations conducted their business operations from the same premises, both EIPL and ESPL also did not implement any operational processes to supervise or exercise some form of control over EPPL to ensure EPPL protected their Affected Employees’ Personal Data Sets. In the circumstances, I find each of EIPL and ESPL in breach of the Protection Obligation. 21 EPPL was also obliged to comply with the Protection Obligation. As mentioned in [10], it was: (i) a data controller with respect to its own Affected Employees’ Personal Data Sets; and (ii) EIPL and ESPL’s data intermediary with respect to their Affected Employees’ Personal Data Sets. The Commission’s investigations revealed that EPPL did not put in place reasonable security arrangements to protect the Personal Data Sets as explained below: (Footnote 9: As an example, see Re Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18 at [7(c)].) (a) EPPL did not install a firewall for the Server. Without a firewall, the Server and corporate network were vulnerable to web-based security threats (footnote 10); (b) EPPL did not conduct periodic security reviews of its IT systems, including vulnerability scans of the Server, to assess the overall security of its IT infrastructure. The requirement for organisations to conduct periodic security reviews of their IT systems has been emphasised in previous decisions (footnote 11). Conducting regular information and communication technology (“ICT”) security audits, scans and tests to detect vulnerabilities helps organisations to ensure that ICT security controls developed and configured for the protection of personal data are properly implemented (footnote 12). The comprehensiveness of such security reviews should be scoped based on the organisation’s assessment of its data protection needs, and be conducted to a reasonable standard. The scope and level of the review would depend on the type of personal data to be protected. 
In this case, as the Personal Data Sets included personal data of a financial nature (e.g. information relating to bank accounts and salaries), a higher standard of periodic security review was required of EPPL in order to comply with the Protection Obligation. If EPPL had conducted a security review of its IT system to a reasonable standard, it would have discovered the absence of a firewall for the Server; and (c) EPPL was unable to provide any written IT security policies (e.g. password policy, policies for patching and updating of the company server, etc.) (footnote 13). In this regard, EPPL conceded that they did not know what was required in order to protect personal data in electronic form. (Footnote 10: The Commission’s Guide to Securing Personal Data in Electronic Medium (20 January 2017) at [9.1] states as follows: “It is important for an organisation to ensure that its corporate computer networks are secure. Vulnerabilities in the network may allow cyber intrusion, which may lead to theft or unauthorised use of electronic personal data. Defences that may be used to improve the security of networks include: […] Firewalls”. Footnote 11: See, for example, Re WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 at [18], Re Bud Cosmetics [2019] SGPDPC 1 at [24] and Re Chizzle Pte. Ltd. [2019] SGPDPC 44 at [6] to [8]. Footnote 12: Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) at [6.1]. Footnote 13: The Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 2 June 2020) at [17.5] provides that “[s]ecurity arrangements may take various forms such as administrative measures, physical measures, technical measures or a combination of these”. Having robust policies and procedures is an example of an administrative measure an organisation may implement by way of security arrangements.) 22 For the reasons above, I also find EPPL in breach of the Protection Obligation. 
Directions 23 In determining the directions, if any, to be imposed on EPPL, EIPL and ESPL under section 29 of the PDPA, I took into account the following factors: (a) The Organisations had voluntarily notified the Commission of the Incident; (b) The Commission did not receive any complaints of the Personal Data Sets being disclosed online or otherwise misused; (c) There was no evidence of exfiltration of the Personal Data Sets; and (d) An imposition of a financial penalty would impose a crippling burden and cause undue financial hardship due to the financial position of the Organisations. 24 Having considered all the relevant factors of this case, I direct EPPL, EIPL and ESPL to: (a) Develop and implement intra-group agreements or binding corporate rules that set out a common and binding standard for the processing of personal data when centralising common corporate activities within the group, within 90 days from the date of this direction; (b) Review and ensure that the internal policies within each of EPPL, EIPL and ESPL are in line with the standards set forth in the intra-group agreements or binding corporate rules, within 90 days from the date of this direction; and (c) Inform the Commission of the completion of the directions set out at [23(a)] and [23(b)] within one week. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,6bf33286d1c3d26557836242297e0273d9b08921,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,82,82,1,952,Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. 
A security employee contacted the visitors to request return of visitor passes and send them Chinese New Year greetings.,"[""Protection"", ""Directions"", ""Others"", ""Text messages"", ""Mobile numbers"", ""Protection""]",2020-10-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf,Protection,Breach of the Protection Obligation by Security Masters,https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters,2020-10-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002- B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. 
However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which it would be appropriate to use and disclose personal data on social media platforms for work-related purposes; and b) Inform the Commission within 1 week of implementation of the above. ",Directions,e24e6989567857bec320cd7ad6365fd535330a52,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,105,105,1,952,Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. 
MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA.,"[""Protection"", ""Accountability"", ""Directions""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. 
SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of the CCTV footage showing the Accident (the “Relevant CCTV Footage”) and recorded it with his mobile phone. The SSS then sent the copy of the Relevant CCTV Footage which he had recorded on his mobile phone to a WhatsApp group chat consisting of the SSS, the Security Executive from ABSM (the “SE”) who was also on duty at the time of the Accident, and MCST 4375’s Property Officer. The SSS also sent a copy of the same footage to ABSM’s Operations Manager in a separate WhatsApp message. Subsequently, the SE forwarded a copy of the Relevant CCTV Footage to the cleaning supervisor (engaged by MCST 4375) on duty at the time of the Accident (the “Cleaning Supervisor”). The SE also told the Cleaning Supervisor to inform the cleaners not to enter the barricaded area (where the Accident occurred) when carrying out their cleaning duties. 4 On 25 February 2019, a member of the management council of MCST 4375 (the “Management Council Member”) requested a copy of the Relevant CCTV Footage from the SSS for purposes of relating to an emergency meeting of MCST 4375’s management council. The SSS sent the Management Council Member a copy of the Relevant CCTV Footage. 
The Management Council Member then forwarded the Relevant CCTV Footage via WhatsApp to the other members of MCST 4375’s management council for their information. 5 On or around 26 February 2019, a copy of the Relevant CCTV Footage was posted onto the video-sharing website YouTube. The YouTube video containing a copy of the Relevant CCTV Footage was subsequently made available through various websites on the Internet. 6 Since the discovery of the Incident, MCST 4375 took the following remedial actions: (a) MCST 4375 replaced SPMS with a new managing agent with effect from 18 March 2019; and (b) An internal memorandum was issued to all MCST 4375 employees specifying that there shall be no distribution of any documents or media materials from the management office of MCST 4375, without prior approval from MCST 4375’s management council. Findings and Basis for Determination 7 For the reasons set out below, I find MCST 4375 in breach of Sections 12 and 24 of the PDPA and ABSM in breach of section 24 of the PDPA. I find SPMS not to be in breach of any of its obligations under the PDPA in relation to the Incident. Breach of Sections 12 and 24 of the PDPA by MCST 4375 8 Under section 24 of the PDPA, MCST 4375 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control. It is not disputed that MCST 4375 had possession and/or control of the Relevant CCTV Footage. To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, it should have in place a written agreement with clauses requiring them to comply with the relevant data protection provisions under the PDPA1. 
9 In the present case, MCST 4375 had engaged ABSM to provide security services which included management of CCTV footage recorded via the Mall’s CCTV system. In the course of providing security services, ABSM was engaged to process personal data on behalf of MCST 4375, to wit, ABSM had to process video footages captured by the Mall’s CCTV network and system. In this case, the SSS retrieved CCTV footage recorded by the Mall’s CCTV system, made a recording of an extract (i.e. the Relevant CCTV Footage) and transmitted it to various parties. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 4375 and ABSM is that of a data controller and data intermediary. 10 The Commission’s investigations revealed that MCST 4375 had security arrangements in place to restrict access to the Fire Control Centre (which was the only place where CCTV footage could be viewed). However, MCST 4375 did not provide any instructions to ABSM or SPMS in relation to requests for access to personal data, as well as the management of CCTV footage in general. Given its duties (which included processing CCTV footage on behalf of MCST 4375), MCST 4375 should have had written instructions clearly setting out the relevant procedures to be followed by ABSM and SPMS if they received a request for access to, or disclosure of, any CCTV footage recorded at the Mall. In the circumstances, I find MCST 4375 in breach of Section 24 of the PDPA. 1 See Re KBox Entertainment Group Pte. Ltd. [2016] SGPDPC 1 at [12] and 29(b)(ii); the Commission’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (20 July 2016) which provides sample data protection clauses that organisations may find helpful. 
11 In addition, under section 12 of the PDPA, organisations are required to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. The importance of data protection policies has been emphasized multiple times in previous decisions 2, as well as the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. 12 It emerged during the course of the Commission’s investigations that MCST 4375 had not developed or put in place any data protection policies. According to MCST 4375, it expected its managing agent (i.e. SPMS) to put in place the necessary policies and practices for MCST 4375 to comply with the PDPA. However, the contract between MCST 4375 and SPMS did not contain any requirements or clauses to this effect. MCST 4375 also conceded that it had not given any instructions to SPMS in this regard. In the circumstances, I also find MCST 4375 in breach of Section 12 of the PDPA. Breach of Section 24 of the PDPA by ABSM 13 As mentioned at [9], the security services provided by ABSM included the management of CCTV footage. This amounted to “processing” of personal data as defined in section 2(1) of the PDPA. ABSM was accordingly acting as a data intermediary of MCST 4375 in respect of the Relevant CCTV Footage. 14 At the material time, ABSM had a Personal Data Protection Policy, which specifically provided that ABSM would not disclose personal data to third parties without MCST 4375’s consent. ABSM also had Standard Operating Procedures (“SOP”) outlining the standards of conduct expected of its employees. 2 See Re Aviva Ltd 2017 SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [5]. 
However, the SOP did not include provisions in relation to the recording, retrieving or disclosure of CCTV footage recorded at the Mall or the personal data captured therein. In addition, ABSM had a Crisis Report Flow Chart for the reporting of incidents (such as the Accident) which also did not contain any provisions relating to the handling of personal data. 15 Although the Relevant CCTV Footage contained personal data that was publicly available and consent for disclosure is not required, section 18(a) of the PDPA overlays the requirement that disclosure must nevertheless be for a reasonably appropriate purpose in the circumstances. In my view, the disclosure of the Relevant CCTV Footage by the SSS to MCST 4375’s Property Officer, ABSM’s Operation Manager, the SE and the Management Council Member was for a reasonably appropriate purpose. Pursuant to the Crisis Report Flow Chart, the SSS had to inform representatives of MCST 4375 and his supervisor (i.e. the ABSM Operation Manager) of the Accident. The SE was on duty at the time of the Accident and would have been working with the SSS to manage the situation post-Accident. As for the disclosure to the Management Council Member, members of the Management Council are representatives of an MCST and disclosure to them was akin to disclosure to MCST 4375. 16 However, the disclosure of the Relevant CCTV Footage by SE to the Cleaning Supervisor was unauthorised and in direct contravention of both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart. Given that the Relevant CCTV Footage contained personal data that was recorded in the Mall, ABSM’s Personal Data Protection Policy required the SE to obtain MCST 4375’s approval before sending a copy of the Relevant CCTV Footage to the Cleaning Supervisor. The SE’s failure to do so may be due, at least in part, to the lack of any provisions in the SOP setting out the procedures to be followed before CCTV footage is disclosed. 
17 It is well-established that proper training is a key security arrangement in an organisation’s compliance with the protection obligation under section 24 of the PDPA3. Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. According to ABSM, both the SSS and SE were briefed on the PDPA in August 2018 when they were assigned to work at the Mall. However, the SE’s conduct evidenced a lack of knowledge or understanding of ABSM’s internal policies and procedures. 18 In my view, ABSM failed to properly train and communicate its internal policies and procedures in relation to the protection of personal data to its employees. In particular, ABSM should have had a written policy setting out the procedures to be followed in relation to the disclosure of CCTV footage and the personal data therein. In the circumstances, I find ABSM in breach of Section 24 of the PDPA. No Breach of the PDPA by SPMS 19 SPMS was also a data intermediary of MCST 4375 in relation to the personal data it processed on their behalf when carrying out its duties as managing agent. As a data intermediary, SPMS had an obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect such personal data which was in its possession or under its control. 3 Re National University of Singapore [2017] SGPDPC 5 at [15] – [28]; Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]; Re SME Motor Pte Ltd [2019] SGPDPC 21 at [10] and Advisory Guidelines On Key Concepts in the Personal Data Protection Act (Revised 9 Oct 2019) at [17.5]. 
20 Notably, the personal data which is the subject of the present case was not in the possession or under the control of SPMS. In particular, the Relevant CCTV Footage was in the possession and under the control of ABSM and was within the scope of ABSM’s responsibilities as MCST 4375’s security services provider. Accordingly, it was not SPMS’ responsibility to put in place reasonable security arrangements to protect the Relevant CCTV Footage. 21 While SPMS’ duty as managing agent was to exercise a supervisory role over ABSM, the Commission’s investigations revealed that this was limited to exercising broad oversight over the attendance and performance of duties by ABSM’s employees. In both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart, SPMS did not have a role with respect to the management or approval of requests for access or disclosure of personal data. In particular, there was no requirement for ABSM’s employees to consult or seek approval from SPMS in relation to the disclosure of CCTV footage. The Incident accordingly did not arise due to SPMS’ lack of supervision over ABSM. 22 In the circumstances, I find that SPMS was not in breach of any of its obligations under the PDPA in relation to the Incident. 
The Deputy Commissioner’s Directions 23 Having considered all the relevant factors in this case, I hereby direct: (a) MCST 4375 to: (i) Develop and implement policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 12 of the PDPA within 60 days from the date of this decision; (ii) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; (iii) As part of the security arrangements to be put in place, conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data within 60 days from date of decision; and (iv) Inform the Commission of the implementation of each of the above within 1 week of implementation; and (b) ABSM to: (i) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; and (ii) Inform the Commission of the implementation of the above within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,c9534d20c08d9b7217ff8dd7e875c02139ab7e2a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,106,106,1,952,"Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. 
Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. 
The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also found that the Organisation had not appointed a person to be responsible for ensuring its compliance with the Personal Data Protection Act 2012 (the “PDPA”). Further, the Organisation had not developed and implemented any policies and practices necessary for it to meet its obligations under the PDPA. 7. The Organisation had taken the Website offline after the Incident on 15 March 2019. On 14 November 2019, the Organisation had put online a new website that no longer allowed online access to the database of the Organisation’s members. The new website also included a data protection notice. 8. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of sections 11(3), 12 and 24 of the PDPA. In determining the directions, the Deputy Commissioner took into consideration that the Organisation was a volunteer organisation made up primarily of parents. 
The Organisation is directed to, within 60 days, (i) appoint one or more individuals to be responsible for ensuring that it complies with the PDPA, (ii) develop and implement internal data protection and training policies, and (iii) to put all volunteers handling personal data through data protection training. ",Directions,79c294efa7335db9a6489bfae8e1c1eedccbf23b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,120,120,1,952,Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.,"[""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf,Accountability,Breach of the Accountability Obligation by Saturday Club,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. 
",Directions,d047195a60d37294c9b55687dc7b54978590b389,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,122,122,1,952,"Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training.","[""Protection"", ""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Global Outsource Solutions,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). 
The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of personal data for the purposes of registering products through the Website. This failure to develop and implement such internal data protection policies is a breach of section 12 of the PDPA. 5. The Organisation has since removed the warranty registration section on its website and is in the process of revamping its Website to incorporate the necessary security arrangements. 
The Organisation is directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through data protection training. ",Directions,ab0971aeb10525bfdeea3bf683966ddd8fc40f11,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,131,131,1,952,iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training.,"[""Accountability"", ""Directions"", ""Information and Communications""]",2019-11-04,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf,Accountability,Breach of the Accountability Obligation by iClick Media,https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media,2019-11-04,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. 
In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. ",Directions,bf9f246a0db6172bb647c44e87dcaa6e5793dce4,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,143,143,1,952,Directions were issued to Avant Logistic Service for failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data. The lapses resulted in personal data of customers being disclosed by an employee.,"[""Protection"", ""Directions"", ""Wholesale and Retail Trade""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Avant-Logistic-Service-Pte-Ltd---300719.pdf,Protection,Breach of the Protection Obligation by Avant Logistic Service,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-avant-logistic-service,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 28 Case No DP-1802-B1709 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Avant Logistic Service Pte. Ltd. … Organisation DECISION Avant Logistic Service Pte. Ltd. 
[2019] SGPDPC 28 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1709 30 July 2019 Background 1 On 25 November 2017, a customer of Ezbuy Holdings Ltd. (“Ezbuy”) made a complaint to the Personal Data Protection Commission (the “Commission”) alleging that her personal data had been disclosed to another customer of Ezbuy without her consent by an employee of Avant Logistic Service Pte. Ltd. (the “Organisation”). The facts of this case are as follows. 2 Ezbuy provides an online e-commerce platform that allows its customers to shop for items from various online retailers and platforms around the world. It engaged the Organisation to provide delivery services in Singapore. The Organisation is an affiliate of Ezbuy and its delivery personnel are required to adhere to Ezbuy’s Privacy Policy and the terms and conditions in Ezbuy’s Employee Handbook and Ezbuy’s Delivery and Collection Standard Operation Procedure (“SOP”). 3 When a customer ordered an item through Ezbuy’s platform, they would be offered two modes of delivery, (i) delivery to a designated collection point (referred to by Ezbuy as “self-collection”), or (ii) delivery to the customer’s address. If the customer opted for self-collection, the customer would proceed to the designated collection point at a specified time. The delivery personnel there would verify their identity using their Ezbuy user ID or their mobile number registered with Ezbuy and then hand over the package with their item. 4 On 9 November 2017, the complainant scheduled to self-collect a package that she ordered from Ezbuy at a collection point in Bishan at around 6.30 p.m. One of the Organisation’s employees (referred to in this Decision as “OA”), was assigned to distribute packages there that evening. When the complainant met OA at the collection point, he gave the complainant two packages (the “Packages”) after verifying her identity. 
The complainant noticed that the Packages were not hers because they bore the user ID and mobile number of another person (referred to in this Decision as “CA”). According to the complainant, she informed OA of this but was told to take the Packages as they were tagged to her mobile number in the Ezbuy system. The complainant also alleged that OA asked her to inform Ezbuy’s customer service that the wrong packages had been sent to her. The complainant then left the collection point with the Packages. 5 CA arrived to collect the Packages shortly after the complainant left. OA informed her that someone else had already collected the Packages and told her that he would try to locate them and arrange for their subsequent delivery. At this time, OA did not realise that it was the complainant who had collected the Packages. 6 Later that night, OA sent CA screenshots of two delivery lists containing Ezbuy user IDs and mobile telephone numbers of some Ezbuy customers (the “Disclosed Data”). The first list that was sent contained the Ezbuy user IDs and mobile telephone numbers of eight Ezbuy customers who had been scheduled to collect their packages at Bukit Panjang. (This was apparently sent by mistake.) The second list contained the user IDs of four Ezbuy customers, including that of the complainant, who had been scheduled to collect their packages at Bishan. The telephone numbers in the second list were redacted by OA. However, OA also sent the complainant’s mobile telephone number to CA. OA explained to CA that he suspected that the complainant had collected the Packages because his records showed that the complainant had not collected her own packages. 7 CA eventually managed to find the complainant’s Facebook and Instagram pages using the complainant’s Ezbuy user ID as the complainant had used the same name (which was not her real name) for her Facebook, Instagram and Ezbuy user IDs. 
CA then sent a series of messages to the complainant via Facebook Messenger in order to recover the Packages. The complainant subsequently returned the Packages to Ezbuy. Remedial actions by Ezbuy and the Organisation 8 After being informed of the incident by the Commission, Ezbuy and the Organisation jointly undertook the following measures to prevent the unauthorised disclosure of customers’ personal data in the future: (a) All delivery personnel are required to request for both a customer’s user ID and mobile telephone number for verification during the self-collection process; (b) Ezbuy’s Delivery and Collection SOP was updated to comply with the provisions of the PDPA and to highlight the importance of the PDPA. In particular, a clause was added by Ezbuy stating that no customer information can be disclosed to any party under all circumstances, and that any unauthorised disclosure will lead to disciplinary action as listed in Ezbuy’s Employee Handbook; (c) A briefing was conducted to all delivery personnel to reinforce the instruction and policy that no customer’s personal data should be provided to any third party under all circumstances, and this briefing is repeated to all delivery personnel every morning; and (d) Ezbuy revised its Employee Handbook to include detailed enforcement and disciplinary actions to be taken for breach of confidentiality and employee misconduct, including any leak or sale of customer data. Findings and Basis for Determination Was the Disclosed Data personal data? 9 As a preliminary issue, I find that most of the Disclosed Data was personal data within the meaning of the PDPA. 
The term “personal data” is defined in section 2(1) of the PDPA as follows: “personal data” means data, whether true or not, about an individual who can be identified – (a) from that data [“Direct Identification”]; or (b) from that data and other information to which the organisation has or is likely to have access [“Indirect Identification”].” 10 The mobile telephone numbers disclosed by OA constitute personal data since they enable Direct Identification of the respective individuals. As explained in the Commission’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act [at 5.9 to 5.10], an individual’s personal mobile telephone number is a ‘unique identifier’ and capable, on its own, of identifying the individual. 11 On the other hand, since Ezbuy user IDs do not enable Direct Identification, whether they qualify as “personal data” depends on whether they enable Indirect Identification. In this case, CA was able to find the complainant’s Facebook and Instagram pages and identify her using the complainant’s Ezbuy user ID. The complainant’s Ezbuy user ID therefore constitutes personal data under the PDPA, even though the user ID did not contain the complainant’s real name, as it enabled Indirect Identification of the complainant. 12 Although organisations cannot be expected to know in advance if the user IDs of their customers enable Indirect Identification, they should not assume that user IDs per se do not constitute personal data as such an assumption may not, in fact, be true (as seen from this case). Organisations should therefore exercise prudence in handling user IDs. As there is no evidence that the other Ezbuy user IDs in the Disclosed Data allowed for Indirect Identification, I grant the Organisation the benefit of the doubt and accept that they do not constitute personal data. 
Nevertheless, it remains that the personal data of nine individuals (corresponding to the nine mobile telephone numbers disclosed) was disclosed without their consent or the authorisation of the Organisation. Whether the Organisation had made reasonable security arrangements 13 Section 24 of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised use, disclosure and similar risks. Although the Organisation’s delivery personnel were required to comply with Ezbuy’s Privacy Policy and Employee Handbook, this was, at the time of the incident, inadequate as they did not inform employees of exactly what they were required to do in order to protect customers’ personal data: (a) Ezbuy’s Privacy Policy only stated its commitment to ensuring security of customer information and that “suitable physical, electronic and managerial procedures” had been put in place to safeguard customer information; and (b) Ezbuy’s Employee Handbook only included a provision highlighting that customer information (among others) was confidential. 14 At the time of the incident, the Organisation had not made any effort to impress upon its delivery personnel the need to protect personal data in their possession. The Organisation did not have measures in place, such as policies or standard operating procedures, to prohibit the unauthorised use or disclosure of personal data by its delivery personnel. The Organisation also had not provided any instruction or training to its delivery personnel on the proper handling of personal data and on compliance with the PDPA. 
15 In the course of the Commission’s investigation, the Organisation sought to rely on a clause in OA’s employment contract which prohibited him from disclosing confidential information, including customer information, without the Organisation’s prior consent (the “Confidentiality Clause”). While such clauses are relevant to an organisation’s security arrangements to protect personal data, they are insufficient on their own because they typically do not elaborate on what constitutes personal data, nor how employees should handle and protect it. Organisations are expected to provide their staff with specific, practical instruction on how to handle personal data and comply with the PDPA (Re Hazel Florist & Gifts Pte Ltd [2017] SGPDPC 9 at [18]). This is particularly important for the Organisation’s delivery personnel who frequently handle personal data and are on the frontline of the Organisation’s customer-facing operations where the potential for improper use and disclosure of personal data cannot be ignored. 16 In the circumstances, I find that the Organisation had not made reasonable security arrangements to protect the personal data comprised in the Disclosed Data. The Organisation is accordingly in breach of section 24 of the PDPA. 17 One additional point I wish to address is that when OA was asked about the incident, he claimed that he had given the complainant the Packages as the complainant had provided him with CA’s Ezbuy user ID and mobile telephone number for verification. As there is no evidence that the complainant and CA were known to each other, I do not find OA’s recollection of the events to be credible or acceptable. In any case, this does not detract from the above conclusion that the Organisation had failed to make reasonable security arrangements as required under section 24 of the PDPA. 
Outcome 18 Taking the totality of the circumstances into account, I have decided not to impose a financial penalty in this case. In particular, I note that: (a) The breach was a one-off incident, with few affected individuals and relatively little personal data disclosed (comprising the nine mobile telephone numbers and user IDs); (b) The Organisation took prompt remedial actions to prevent a recurrence of such an incident; and (c) The Organisation was cooperative during investigations. 19 Instead, I have decided to issue the following directions to the Organisation to ensure its compliance with the PDPA: (a) To put in place the appropriate written policies and process safeguards which are necessary for it to protect personal data in its possession or under its control within 30 days from date of this direction; (b) To arrange for personal data protection training for its staff within 60 days from date of this direction; and (c) To inform the Commission in writing of the completion of each of the above within 1 week of completion. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,080f1f19619de2e97b442d076d6b4f4a81f71d57,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,150,150,1,952,Directions were issued to SME Motor for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. 
The lapses resulted in personal data of other customers being disclosed on the reverse side of an invoice document.,"[""Protection"", ""Directions"", ""Others"", ""Auto Repair and servicing"", ""Car""]",2019-07-04,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---SME-Motor-Pte-Ltd---040719.pdf,Protection,Breach of the Protection Obligation by SME Motor,https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-protection-obligation-by-sme-motor,2019-07-04,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 21 Case No DP-1901-B3318 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SME Motor Pte. Ltd. … Organisation DECISION 1 SME Motor Pte. Ltd. [2019] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No DP-1901-B3318 4 July 2019 Background 1 On 31 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the disclosure of other individuals’ personal data that had been printed on the reverse side of an invoice issued to the Complainant by SME Motor Pte. Ltd. (the “Organisation”). Material Facts 2 The facts of this case and circumstances leading to the breach bear some resemblance to the cases of Re SLF Green Maid Agency [2018] SGPDPC 27 and Re Furnituremart.sg [2017] SGPDPC 7. 3 The Organisation is in the business of auto repair and servicing. In an effort to be environmentally friendly, the Organisation had a practice of re-using scrap or unwanted paper documents by printing other documents on the reverse side. 4 The Complainant met with a car accident and brought her vehicle to the Organisation’s workshop for repair. The Complainant subsequently discovered 
that the Organisation had printed her workshop repair invoice on a piece of paper that contained the personal data of two other individuals (the “Personal Data”) on the reverse side. On 31 January 2019, the Complainant lodged a complaint with the Commission in relation to the disclosure of the Personal Data. 5 The Personal Data disclosed to the Complainant included the following: (a) the first individual’s name, National Registration Identification Card (“NRIC”) number, and insurance policy number; and (b) the second individual’s name, insurance policy number, and claim number. Findings and Basis for Determination 6 The issue that arises in this case for determination is whether the Organisation had complied with its obligations under section 24 of the PDPA. Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 7 As a preliminary point, the Organisation did not dispute that there was an unauthorised disclosure of the Personal Data. Having considered the material facts and circumstances, the Organisation did not have reasonable security measures in place to protect the Personal Data in its possession or under its control for the following reasons. 8 First, the Organisation failed to protect the Personal Data by not preventing the unwanted or scrap documents that contained personal data from being re-used or given to other customers, and by not providing instructions on the proper handling and disposal of such documents. 
While the Organisation’s Internal Guidelines set out some minimal storage and disposal procedures for general documents, there was no mention of any process or system for segregating unwanted or scrap paper containing personal data from the pile of papers designated for re-use by the Organisation’s employees. Given its silence on the practice of using the reverse side of documents containing personal data, I find that the Organisation’s Internal Guidelines did not amount to an adequate security arrangement. 9 Second, the Organisation did not train its employees to be aware that customers’ personal data could be at risk of unauthorised disclosure through the practice of re-using unwanted or scrap paper. During the investigation, the Organisation admitted that its employees used the reverse sides of unwanted documents for “environment protection” reasons. As noted in Re SLF Green Maid Agency [2018] SGPDPC 27 at [1], although the practice of re-using scrap or discarded paper is “highly commendable and environmentally-friendly… organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use”. In this regard, the Organisation failed to show that it created employee awareness concerning the risk of unauthorised disclosure of personal data when re-using unwanted or scrap paper. 10 Third, the Organisation did not provide proper data protection training for its employees. It is well-established that proper training is a key security arrangement in an organisation’s compliance with the Protection Obligation.1 1 Re National University of Singapore [2017] SGPDPC 5 at [15] – [28] and Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]. 
Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. Seeing as the Organisation regularly handles sensitive personal data such as NRIC numbers, insurance policy numbers and claims information, it is crucial for the Organisation to provide properly structured, periodic data protection training to its employees to help them identify risks and protect the personal data collected, used and disclosed in the course of their employment. 11 Taking all of the above into consideration, I find that the Organisation did not comply with its obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect the Personal Data in its possession or under its control. Remedial Actions by the Organisation 12 After being notified of the complaint on 26 February 2019, the Organisation undertook the following remedial actions: (a) implemented the following additional measures (“Additional Measures”): (i) all documents containing personal data are no longer to be re-used for printing; (ii) the office manager to review documents at least once a week to ensure that (i) is complied with; and (b) instructed the DPO and office manager to inform all employees of the Internal Guidelines and Additional Measures, and re-train them in this respect. 13 However, these Additional Measures failed to establish robust data protection policies and practices concerning the re-use and secure disposal of unwanted or scrap documents containing personal data, which would prevent the recurrence of another unauthorised disclosure of personal data or the occurrence of a similar data breach. 
The Deputy Commissioner’s Directions 14 Given my findings that the Organisation is in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to issue the Organisation such directions as I deem fit to ensure compliance with the PDPA. 15 In assessing the breach, and determining the directions to be imposed, I took into account the following mitigating factors: (a) only two individuals were affected by the data breach; (b) the Personal Data was only disclosed to a single individual; (c) there was no evidence to suggest any actual loss or damage resulting from the data breach; and (d) the Organisation was cooperative during the investigations. 16 Having considered all the relevant factors of this case, I do not think that a financial penalty is warranted and instead make the following directions: (a) the Organisation is to comply with the provisions of the PDPA by putting in place a data protection policy and internal guidelines, which include a procedure for the proper control and disposal of unwanted or scrap documents containing personal data, within 30 days from the date of this decision; (b) the Organisation is to conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data within 60 days from the date of decision; and (c) the Organisation is to inform the Commission of the completion of each of the above directions within 1 week of implementation. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,8817cb0bc39f451aa5b8c5d679937e87fcd26cf9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,157,157,1,952,Directions were issued to GrabCar for failing to put in place reasonable security arrangements for GrabHitch drivers to protect the personal data of passengers that used GrabHitch services. Personal data of some GrabHitch passengers were disclosed by GrabHitch drivers without consent on social media.,"[""Protection"", ""Directions"", ""Transport and Storage"", ""PHV"", ""Private Hire Vehicle""]",2019-06-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-GrabHitch--110619.pdf,Protection,Breach of Protection Obligation by GrabCar,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-directions,2019-06-11,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 14 Case Nos DP-1702-B0508/DP-1703-B0613 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte. Ltd. [UEN 201427085E] … Organisation ________________________________________________________ DECISION ________________________________________________________ Grabcar Pte. Ltd. [2019] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner – Case Nos DP-1702-B0508/DP-1703-B0613 11 June 2019 Introduction and facts of the cases 1 This decision addresses, in the main, the obligations of an online ride-sharing platform and drivers who use the platform to provide carpool rides to passengers. Grabcar Pte Ltd (the “Organisation”) operates an online platform through the Grab mobile application (the “Grab App”) which enables individuals to book taxis or private cars for transportation services. 
The Grab App also provides a carpooling option, referred to in the app as “GrabHitch”. GrabHitch matches a passenger with a driver who is willing to give a lift to the passenger on the way to the driver’s destination in return for a fee. The Organisation states on its website,1 “GrabHitch is a social carpooling platform powered by everyday, non-commercial drivers giving you a lift along the way to cover petrol costs.”2 2 This decision relates to separate complaints by two passengers (the “Complainants”) who used GrabHitch to book carpool rides. The carpool rides were provided by two different drivers (the “Drivers”) on separate occasions. 1 www.grab.com/sg/hitch/ 2 The Organisation’s website also states that GrabHitch is provided in compliance with the Road Traffic (Car Pools) (Exemption) Order 2015. Nevertheless, the two complaints are dealt with together in this decision as they both relate to similar issues, in particular, to the issue of disclosure of passengers’ personal data without consent by GrabHitch drivers. 3 The substance of each complaint was, in essence, that the Complainant’s personal data had been disclosed without consent on social media by the Driver who gave a ride to the Complainant. The details of the complaints are summarised below: (a) The first complaint alleged that the Driver involved had posted various data relating to the first Complainant on a public Facebook Group named “GrabHitch Singapore Community” (“GHSC”). These data included screenshots of messages between the Driver and the Complainant which had been sent through the Grab App and a typewritten post by the Driver which set out details of a dispute between the Driver and the Complainant and which identified the Complainant by name. 
The dispute in this case related to whether the Complainant should contribute to the payment of ERP charges and investigations revealed the reason that the Driver had made the posting was to seek views from other carpool drivers on how best to handle disputes relating to ERP charges. (b) The second complaint alleged that the Driver involved had posted various data relating to the second Complainant on a closed Facebook Group named “Uber/Grab SG Partners” (“UGSGP”). These data included (i) screenshots of messages between the Driver and the Complainant which had been sent through the Grab App and which included the Complainant’s mobile phone number; (ii) screenshots of the Grab App which showed the name of the Complainant and the Complainant’s pick-up and destination points; (iii) a screenshot of the Complainant’s Facebook Page which included her photograph, name and workplace; (iv) a typed out post by the Driver which detailed his dispute with the Complainant and disclosed the Complainant’s pick-up and destination points; and (v) a partial screenshot of SMS messages sent between the Driver and the Complainant, which included the Complainant’s mobile number. The Driver’s post in this case was about his dispute with the second Complainant on the payment of GrabHitch charges. It appeared that the Complainant had insisted that she pay for the ride by card through the Grab App although the app indicated that the complainant was to pay for her ride in cash. Investigations revealed that the reason that the Driver had posted the above information was because the Organisation could not contact the Complainant to inform her of the situation and because the Driver was of the view that this was a case of non-payment. 4 Investigations also revealed that similar postings had also been made by other drivers on GHSC. 
Generally, these postings disclosed information such as passengers’ names, photographs, ride details and the details of disputes between the drivers and their passengers. 5 The Organisation did not create or operate either the GHSC or UGSGP Facebook pages and investigations did not reveal any apparent link between the persons operating those pages and the Organisation. Issues arising 6 Under section 13 of the Personal Data Protection Act 2012 (the “PDPA”), organisations are prohibited from collecting, using or disclosing personal data about an individual unless the individual’s consent is obtained or collection, use or disclosure without consent is authorised or required under the PDPA or any other written law. 7 In addition, under section 24 of the PDPA, organisations are required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised disclosure and various other listed risks. 8 In the circumstances, two main issues arise: (a) whether the Drivers are “organisations” under the PDPA and if so, whether they had contravened section 13 of the PDPA in relation to the disclosure of the Complainants’ personal data on the GHSC and UGSGP Facebook pages; and (b) whether the Organisation had contravened section 24 of the PDPA with respect to the protection of the Complainants’ personal data. First Issue - Are the Drivers “organisations” under the PDPA? GrabHitch drivers provide carpool rides in a personal capacity 9 The PDPA applies to organisations as defined under the PDPA. It is clear from the definition of “organisation” in section 2 of the PDPA that an individual may be an “organisation” for the purposes of the PDPA. However, section 4(1) of the PDPA further provides that Parts III to VI of the PDPA (which includes section 13) do not impose any obligations on any individual acting in a personal or domestic capacity. 
10 GrabHitch drivers provide carpool rides on a non-commercial and non-profit basis in accordance with the Road Traffic (Car Pools) (Exemption) Order 2015 and as such are not required to obtain a Private Hire Car Driver’s Vocational Licence. In this regard, paragraph 3(1) of the said Order states that: “Subject to sub‑paragraph (2), the provisions specified in the Schedule do not apply to a person who uses a private motor car for the carriage of a passenger for hire or reward in the case where — (a) the person does not solicit for the passenger on a road or at a parking place or a public stand; (b) the carriage of the passenger is incidental to the person’s use of the private motor car; (c) the person informs the passenger, before the start of the carriage, of the person’s destination; (d) the person agrees with the passenger, before the start of the carriage, on the date of, pick‑up and drop‑off points of, and the payment (whether in cash or in kind) for, the carriage; (e) the amount or the value of any benefit in kind that the person collects from the passenger as payment does not exceed the cost and expenses incurred for the carriage of the passenger; (f) if there is more than one passenger, the aggregate of the amount or the value of any benefit in kind that the person collects from each of the passengers as payment does not exceed the cost and expenses incurred for the carriage of all the passengers; and (g) there is nothing in or on the private motor car displaying or referring to the fares for hiring the private motor car.” 11 Consistent with this, the Organisation has a Driver’s Code of Conduct for GrabHitch Drivers (the “Code of Conduct”) which sets out the terms on which a GrabHitch Driver may offer carpool rides. 
The Code of Conduct provides that: “Specific for carpooling, as mandated by the Law: i The motor vehicle used must be registered and insured in the name of the Driver and used by the Driver or any person by the Driver’s authority expressly provided to the Company, the insurer of the vehicle and the relevant authorities ii The motor vehicle must not be used for the carriage of goods other than samples, any instructional purposes for reward, or the carriage of passengers for hire or reward purposes. These mean the Driver must: • Not solicit for passengers on a road or parking place or public stand • Ensure the carriage of the passenger is incidental to the Driver’s use of his vehicle • Inform the passenger before the start of the carriage, of the Driver’s destination • Agree with the passenger, before the start of the ride, on the date, pick-up and drop-off points, and the payment (whether in cash or in kind) for, the carriage • Ensure that the amount or the value of any benefit in kind that the Driver collects from the passenger as payment does not exceed the cost and expenses incurred for the carriage of the passenger • Ensure that if there is more than one passenger, the aggregate of the amount or the value of any benefit in kind that the person collects from each passenger as payment does not exceed the cost and expenses incurred for the carriage of all the passengers; and • Ensure that there is nothing in or on the motor vehicle that displays or refers to the fares for the hiring of the motor vehicle • Not exceed the local limit (if available) of car pool trips in each day on any motor vehicle” 12 GrabHitch drivers agree to the Code of Conduct by virtue of their agreement with the Organisation as set out in the “Terms and Conditions for Singapore GrabHitch Drivers” (the “GrabHitch Terms”). 
In particular, in agreeing to the GrabHitch Terms, GrabHitch drivers agree that they “have read, understood, accepted and agreed with [the GrabHitch Terms], the conditions set out in the Driver’s Registration Form and the Driver’s Code of Conduct.” 13 In respect of the limit on carpooling trips that may be offered by a GrabHitch driver, the Organisation indicates the following in the “Frequently Asked Questions” section of its website (“FAQ”): “How many trips can I offer a day as a Hitch driver? Based on current carpooling regulations, non-commercial drivers can only complete 2 trips in a calendar day. While we appreciate your enthusiasm for carpooling, please note that 2 trips a day limit is set by LTA regardless of whichever platform you use. We hope that you won’t put yourself and your riders at risk as your insurance may not cover if you do more than 2 trips a day in total, combined across all platforms. For drivers who are worried their insurance does not cover GrabHitch rides, remember we are the ONLY carpooling service who has purchased additional insurance for extra coverage provided no regulations are breached.” 14 Based on the foregoing, I find that GrabHitch drivers provide carpool rides in their personal capacity. This is especially so given that GrabHitch drivers: (a) are not allowed to solicit for passengers on the road, parking places or public stands; (b) are to ensure that their carrying of a passenger is merely incidental to their use of the vehicle; (c) can only collect payment for the trip on the basis of a recovery of costs and expenses for each trip; and (d) are only allowed to offer two carpool trips in each calendar day. 15 In the circumstances, GrabHitch drivers who are providing carpool rides in accordance with the applicable terms and conditions (as detailed above) are not subject to the PDPA. Accordingly, the Drivers cannot be in breach of section 13 of the PDPA. 
It goes without saying that had any of the Drivers exceeded the daily limit of two carpooling trips, they would not be considered to have provided the carpool rides in a personal capacity. Second Issue - Did the Organisation contravene section 24 of the PDPA? 16 Although the Organisation itself had not disclosed the Complainant’s personal data, the Organisation is also required to put in place reasonable security arrangements to protect the personal data of passengers using the Grab App. In this regard, personal data obtained through the Grab App would be in the possession or under the control of the Organisation. This includes personal data such as the name and mobile phone number of the Complainant and any other information which was associated with, and related to, the Complainant, such as the Complainant’s pick-up point and destination. However, personal data from the second Complainant’s Facebook page would not be regarded as being in the possession or under the control of the Organisation. 17 In relation to the protection of passengers’ personal data from unauthorised disclosure to third parties, the Organisation sets out the following in the Code of Conduct: “You are prohibited from posting passenger details in public forums including social media sites or sharing contact details. This is a violation of the Personal Data Protection Act.” 18 This is the sole measure which the Organisation had put in place to prevent unauthorised disclosure of passengers’ personal data on public forum sites which GrabHitch drivers may use. Investigations revealed that the two Drivers in question were unaware of the restriction in the Code of Conduct against posting passenger details on social media sites. 19 I find that merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement to protect passengers’ personal data. 
The Organisation makes its platform available to facilitate the hitching of rides or carpooling as part of its suite of commercial services. It has foreseen the risk that GrabHitch Drivers may post passenger details on social media sites as evidenced by its Code of Conduct. It could have done more to inform GrabHitch drivers of the range of acceptable and unacceptable conduct. However, apart from this entry in the Code of Conduct, there is nothing to indicate that this provision had been drawn to the attention of GrabHitch drivers or that they understood the importance of protecting passengers’ personal data. Furthermore, as GrabHitch drivers are not subject to the PDPA, they may not be familiar with its provisions and the obligations imposed thereunder on organisations. 20 As has been held in Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 and Re National University of Singapore [2017] SGPDPC 5, reasonable security arrangements can include policies and practices as well as training. The Organisation ought to have put in place more detailed guidance for GrabHitch drivers to educate them about the need to handle the personal data of their riders, obtained through the Grab App, with care. As GrabHitch drivers are occasional drivers who may not be aware of the Organisation’s obligations under the PDPA, the Organisation would have done well by introducing some form of online training for them. At the very least, the abovementioned restriction in the Code of Conduct could have been proactively highlighted to GrabHitch drivers. In its representations, the Organisation asserted that requiring it to train GrabHitch drivers would be onerous. This assertion was not substantiated and probably was premised on the assumption of a classroom style training. 
Training is a means of communication and instruction that may take various forms and is one of the security arrangements that may be implemented by the Organisation to meet its obligations under the PDPA. It is ultimately up to the Organisation to determine the appropriate security arrangements it ought to implement to comply with its PDPA obligations. In the circumstances, I have acceded to the Organisation’s request to amend the initial Directions issued in the preliminary Grounds of Decision to remove the direction to train GrabHitch Drivers and instead leave it to the Organisation to ensure that it implements reasonable security arrangements to prevent the misuse and unauthorised disclosure of passengers’ personal data. Representations made by the Organisation 21 The Organisation has made representations dated 21 November 2018 in respect of the Commission’s preliminary findings, asserting that they should not be found in breach of section 24 of the PDPA. Their central argument is that a GrabHitch driver does not drive in a “personal or domestic” capacity and should be considered an “organisation” that is required to comply with the PDPA in their own right. In support of this assertion the Organisation has highlighted the following factors: (a) By driving individuals who are not friends or family, the GrabHitch driver’s activities move out of the private sphere and into the public. Accordingly, GrabHitch drivers are not driving in a “personal or domestic” capacity. (b) GrabHitch drivers “maintain independence” from the Organisation in deciding on the precise details involved in the provision of GrabHitch services (e.g. how often they drive, where to go, how much payment to collect). GrabHitch drivers therefore “determine the purposes and means of processing the personal data” of the passengers, which is a defining characteristic of an organisation. 
22 As a preliminary point, I would highlight that the Organisation’s obligation to protect personal data under section 24 in its possession or control remains whether or not GrabHitch Drivers drive in a personal or domestic capacity or in a capacity as organisations as defined under the PDPA. As such, the position adopted by GrabHitch that GrabHitch drivers are required to comply with the PDPA in their own right, does not address the finding that the Organisation is in breach of its obligation to protect personal data under section 24 of the PDPA. 23 It bears further repetition that in my view, the Organisation’s measure of merely stating in its Driver’s Code of Conduct that GrabHitch drivers are prohibited from posting passenger details as set out at [17] above is insufficient to fulfil the Organisation’s section 24 obligations, whether or not GrabHitch drivers are to be treated as organisations in their own right. 24 Turning to the specific positions taken by the Organisation as set out at [21] above, the first factor raised by the Organisation does not accord with the basic nature of the GrabHitch service, which is fundamentally a carpooling activity facilitated by the Grab App. Carpooling is a ride-sharing practice that private drivers engage in on a purely voluntary basis, and is best characterised as a social activity aimed at defraying the costs involved in owning and maintaining a private car and reducing road congestion. Human life is filled with interactions with people who are not friends or family, and it does not follow that the mere fact of interaction with strangers should elevate an act (in this case, carpooling) from the private to the public sphere. 
25 In fact, the Organisation, in the FAQ material published on its own website3, seems to recognise that GrabHitch drivers are engaged in an activity that is fundamentally private in nature: “Why should I sign up with GrabHitch? What’s in it for me? As a Hitch Driver, you get to benefit in 3 big ways: Cover your petrol costs, make new friends and contribute to a car-lite Singapore! All these at your convenience! How is being a GrabHitch driver different from being a GrabCar driver? They’re not the same at all! GrabCar drivers are commercial, professional drivers who have to register a business, purchase commercial insurance, convert their car to a commercial vehicle at the LTA and then sign up in person at the Grab office. Since Hitch Drivers are everyday, non-commercial private car owners who are not driving as a profession, the sign up process is way easier. No need for commercial vehicle conversion nor insurance, simply launch the Grab app, take a couple of photos and submit them for verification. And you’re done! Am I still considered a Hitch Driver if I don’t drive regularly? Of course you are! As a social initiative, we wouldn’t want to stress you out by imposing any penalty for irregularity. So please go ahead and enjoy driving GrabHitch at your convenience! Why can’t I get a GrabHitch driver as easily as GrabCar or GrabTaxi? GrabHitch is meant as an advance booking service as we are powered by non-commercial, everyday drivers who give Hitch Riders a lift at their convenience. Hence, there may not always be any available Hitch Drivers who are heading the same way as you do at your specified time. To secure a higher chance of being matched, book as early as you could, even up to 7 days in advance! What else should I take note of as a Hitch Rider? 1. We are all about social carpooling and social carpooling is about being SOCIAL. Take the front seat and make new friends! Learn how to Hitch the right way here. 2. Your Hitch Driver is not a commercial driver like our GrabCar partners so they appreciate if you could treat them the same way you would treat a friend giving you a (discounted) lift to your destination! 3. Book in advance to maximise the chances of you getting a match! We can’t emphasise this enough but really, it helps to be a little kiasu. Book the night before for a morning commute or 2 hours ahead of your evening ride home.” [Emphasis added.] 3 Quoted portions retrieved from https://www.grab.com/sg/hitch/, accessed 10 December 2018. 
26 As repeatedly stressed in the Organisation’s materials quoted above, as compared to professional GrabCar drivers, the GrabHitch service is one that is non-commercial, only provided at the drivers’ own convenience, and primarily motivated by a desire to be social and to reduce the need for car usage. For all intents and purposes, a GrabHitch driver is no different from a driver offering a lift to a roadside hitchhiker out of goodwill. It is thus apparent from the published material that a GrabHitch driver engages in the activity in a purely personal capacity. It is also apparent, their present representations regarding this matter notwithstanding, that the Organisation recognises this. In fact, the private and casual nature of being a GrabHitch driver appears to be a main selling point for the Organisation. 27 In their representations, the Organisation also seeks to assert that whether LTA regulates GrabHitch drivers or not should be irrelevant to the determination of whether or not the drivers should be considered an organisation. The Organisation states that doing so will mean that only regulated or licensed individuals will be considered organisations. I think that this argument takes the logic too far. There is no intention to link the ambit of organisations under the PDPA to regulated activities. 
The interpretation that I have adopted is consistent with the scheme that exempts carpooling activities from the requirement of vocational licensing established under the Road Traffic (Car Pools) (Exemption) Order 2015 (the “Exemption Order”). This is also consistent with how the Organisation has pitched GrabHitch through its FAQs and Code of Conduct for GrabHitch Drivers as discussed in [11], [13] and [25] above. 28 It is not because of a supposed lack of regulation that the GrabHitch drivers are not considered organisations. Instead, it is precisely due to the personal and domestic nature of the activity they are engaging in that they are not subject to the same regulations as a commercial private hire car driver. If anything, the exemption of carpooling from the requirements of vocational licensing reflects the inherently private nature of carpooling (and by extension, the GrabHitch service). This is certainly reflected in the Exemption Order, which only applies to “private motor cars”. In addition, under section 3(1)(b) of the Exemption Order “the carriage of the passenger is incidental to the person’s use of the private motor car [emphasis added]” – unlike a taxi or private hire driver, the raison d’etre of the GrabHitch driver is not the provision of transport; in other words, a GrabHitch driver is driving in a purely private capacity and the ferrying of a passenger in the context of a GrabHitch service is incidental to this private capacity. 29 The second factor raised by the Organisation relates to the “independence” of the GrabHitch drivers from the Organisation. The Organisation asserts that because a GrabHitch driver is able to decide when to provide GrabHitch rides, where to go, how payment is made and how much payment to collect, the Organisation has little control over the purposes and manner in which a GrabHitch Driver processes personal data. 
Following from the above, the Organisation asserts that pursuant to the EU General Data Protection Regulation, the drivers are “data controllers” who are able to “determine the purposes and means of the processing of personal data”. 30 The Organisation appears to have mistakenly equated the GrabHitch driver’s choice over whether to carpool with the control of purposes for, or the manner in, which personal data is collected, used or disclosed. In this regard, I note that the Grab App will automatically transmit the personal data (such as name and mobile number) of the GrabHitch passenger to the GrabHitch Driver. This is how the Organisation programmed the Grab App to work – the GrabHitch drivers have no input into this collection and use of the personal data. In fact, it is the Organisation that discloses the passengers’ personal data to the GrabHitch Drivers in the Organisation’s chosen manner and for the purposes the Organisation deems acceptable. 31 In the circumstances, the Organisation is in control of the personal data that it collects, uses and discloses when passengers wish to use the Organisation’s GrabHitch service. The “independence” of the GrabHitch driver as asserted by the Organisation is not the sole determinant as to whether he is an “organisation” under the PDPA. As I have concluded that the GrabHitch driver is not an “organisation” under the PDPA, it is unnecessary to delve into issues around joint controllership which may arise in respect of drivers for other services that the Organisation provides on its platform. 32 One final point bears highlighting. The activities of the GrabHitch driver are only made possible because of the Grab App. In providing the platform for private individuals (both drivers and passengers) to engage in the sharing economy, the Organisation bears responsibility for the personal data that it collects from passengers and uses to provide its services, and discloses to GrabHitch drivers. 
33 In the circumstances, and after considering the representations made by the Organisation, I find that the Organisation is in breach of section 24 of the PDPA. Directions to the Organisation 34 Having found the Organisation to be in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure its compliance with the PDPA. 35 Taking into consideration the relevant facts in this matter, I hereby direct the Organisation to: (a) review and amend the Organisation’s policies and practices to provide detailed guidance for GrabHitch drivers on the handling of the personal data of their riders and to communicate to GrabHitch drivers all relevant policies and practices (including the amended policies and practices) within 120 days of this decision to protect the personal data in the possession or control of the Organisation from unauthorised disclosure by GrabHitch drivers; (b) implement any other reasonable security arrangements as necessary to comply with section 24 of the PDPA; and (c) to inform the Commission within seven days of the compliance with the above directions. 36 Given that only two individuals were directly affected by the unauthorised disclosure of personal data and in consideration of the type of personal data disclosed, I find that a financial penalty is not warranted in this matter. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Directions,b13cfd3e762e67fa7f3823843de7d5cae693b203,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,173,173,1,952,Directions were issued to SLF Green Maid Agency for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data.,"[""Protection"", ""Directions"", ""Others"", ""domestic helper""]",2018-12-13,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Green-Maid-Agency---131218.pdf,Protection,Breach of Protection Obligation by SLF Green Maid Agency,https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-slf-green-maid-agency,2018-12-13,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 27 Case No DP-1806-B2265 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLF Green Maid Agency … Organisation DECISION SLF Green Maid Agency [2018] SGPDPC 27 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2265 13 December 2018 1 This case arose out of the common practice of reusing scrap or discarded paper where the reverse side of the paper can still be used. This is highly commendable and environmentally-friendly, but organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use. An employee of SLF Green Maid Agency (the “Organisation”) wrote information for the Complainant on a piece of paper which contained personal data of other individuals on the reverse side and gave the paper to the Complainant. This happened on two separate occasions. 
The key issue is whether this disclosure of personal data by the Organisation amounts to a breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 On 8 April 2018, the Complainant visited the Organisation’s office to enquire about engaging a foreign domestic worker. An employee of the Organisation assisted her and over the course of these enquiries, the employee handed the Complainant some paper on which he wrote information related to her query. The Complainant discovered that the reverse side of the paper contained personal data of other individuals. The Complainant informed the employee that the paper that was used should not have been given to the Complainant. 3 On 24 April 2018, the Complainant returned to the Organisation’s office and was served by the same employee. Again, over the course of the queries, she was provided information hand written on used paper. Similarly, the reverse side of the paper contained personal data of other individuals. 4 Over the two occasions, the following personal data was disclosed to the Complainant: (a) On the first occasion, the used side of the paper contained a photocopy of the front and back of an individual’s NRIC. (b) On the second occasion, the used side of the paper was a letter detailing a family’s personal circumstances, explaining why a foreign domestic worker was required by them. The letter also contained four individuals’ names and two of their FIN numbers. In an accompanying portion of a contract, the same four individuals’ passport numbers and passport expiry dates were found; and (c) the same portion of a contract contained five other individuals’ names and NRIC numbers, with some accompanying signatures. 
Did the Organisation breach section 24 of the PDPA 5 Section 24 of the PDPA stipulates that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. It is undisputed that the personal data listed in paragraph 4 was disclosed without authorisation. The totality of the circumstances led me to conclude that the unauthorised disclosure stemmed from the Organisation’s lack of reasonable security arrangements to prevent such disclosure. I set out the factors leading to this conclusion below. 6 Organisations that re-use scrap paper should put in place reasonable security measures to prevent scrap paper containing personal data from being re-used or given to other clients. The security arrangements will have to involve at least two aspects: (a) Implementing a system of processes backed up by policies, and (b) Training of staff to be aware of the risks and to be alert to spot them. 7 In this case, investigations did not turn up any process or system within the organisation for segregating scrap paper containing personal data from the pile(s) of scrap paper that can be re-used by staff. 8 Neither were there any policies. In fact, the Organisation admitted that they did not have a detailed policy with respect to personal data protection nor did they provide staff with any formalised training on personal data. Instead, the Organisation relied on the management’s verbal directions to screen through all discarded paper and to destroy any paper that contained personal data; and that only paper which did not contain personal data was to be re-used. 
The Organisation intimated, in written responses during investigations, that the following instructions were given to employees: “Physical Office Manning- Office should be manned continuously by staff during operating hour. In occasion that staff is alone in office and the need to leave the office, say go to the toilet, office should be locked. Do not leave office open but unattended. Management of Client’s data- Clients (Employer/customer and FDW) data should not be used or discussed loosely. Not even between staff and staff. Management insists that no loose talk on sensitive data like how rich is an employer and personal income, where employer stays, etc...Only on a need to know and authorized to know basis. Clients/FDW’s document. Individual client/FDW’s document are filed and serialized. Files are safe keep in cabinet within the office space which is locked after office hour. Access to Personal Computer. Instruction to all staff is that “outsider” person who is not authorized is not allowed to “touch” our personal computer. Ever happened before that a staff let a customer use her personal computer to check certain thing from website was reprimanded.” 9 To my mind, these instructions were insufficient and failed to establish the practices around the Organisation’s policy of using discarded paper that contained personal data. 10 The Organisation intimated that they prominently pasted a set of guidelines on handling personal data and provided a copy of a document entitled “Guidelines to Personal Data Protection” (“Organisation’s “Guidelines””). The relevant part of the Organisation’s “Guidelines” stated: “Proper Housekeeping Other than the document that Staff is working on at any point in time, no other unnecessary document, especially document with personal data should be lying around on the working table or other places.” … “Management of waste paper with personal information on it. 
Waste paper with personal data on them are not to be disposed of in public rubbish bin direct, unless data is permanently masked off by using permanent marker and is torn into small pieces.” (emphasis in original) 11 There are a couple of issues with the Organisation’s Guidelines. First, they do not address the re-use of discarded paper containing personal data directly. They deal with safekeeping and disposal of waste paper containing personal data. Second, investigations did not uncover any evidence to substantiate that the Organisation’s Guidelines were provided to its employees. 12 Turning now to the importance of staff training as a security arrangement. It has been said before in Re: National University of Singapore [2017] SGPDPC 5 and it bears repeating that training is important to inculcate the right employee culture and establish the right level of sensitivity to personal data amongst staff. The organisation admitted that no training had been provided. The closest form of training in this matter was a verbal exhortation by management to screen scrap paper and to discard (and not to re-use) scrap paper that contained personal data. Clearly, this was insufficient to establish the right level of employee sensitivity to client personal data. These verbal instructions did not appear to have been effective on the employee who served the Complainant as he made the same mistake to the same client twice: he handed over to the Complainant scrap paper containing personal data of other individuals on two separate occasions and had failed to retrieve them even after the employee was informed by the Complainant that he should not re-use paper with personal data. 
13 For a company like the Organisation that handles personal data of foreign domestic workers and clients on a daily basis (eg passport and income information), it is necessary for it to put in place a better system of staff training and awareness given the sensitive nature of personal data that it handles, as well as the volume. Merely disseminating guidelines and verbal instructions is insufficient. As noted in Re Aviva Ltd, whilst there is no specific distinction in the PDPA based on the sensitivity of the data, organisations are to ensure that there are appropriate levels of security for data of varying levels of sensitivity: [2018] PDP Digest 245 at [17]-[18]. NRIC and passport numbers and financial information would generally be considered more sensitive: Re Aviva Ltd at [17]. Structured and periodic training could have been implemented to protect personal data. 14 I therefore find that the Organisation was in breach of its obligation to protect personal data under section 24 of the PDPA as it did not implement reasonable security arrangements to protect the personal data found in the discarded papers. Since the incident, the Organisation has reminded its staff to comply with internal guidelines on personal data protection and the procedures for destroying documents containing personal data. They have also highlighted to the staff internal penalties for any failure to comply. Deputy Commissioner’s Directions 15 Given my findings that the Organisation is in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 16 Taking into account the limited scope of the unauthorised disclosure, I do not think that a financial penalty is warranted and instead make the following directions: a. 
The Organisation is to conduct a review of its procedures to prevent the use of discarded or unwanted documents containing personal data within 30 days from the date of this Decision; b. The Organisation is to develop a training programme to ensure that all of its staff is aware of and will comply with the requirements of the PDPA when handling personal data within 60 days from the date of this Decision; c. The Organisation is to require all staff who have not attended data protection training to attend such data protection training in accordance with the training programme set out at (b) above within 30 days of the development of the training programme; and d. The Organisation is to inform the Commission of the completion of each of the above within 7 days of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Directions,db40f6c2dd8921428c1fe911f5570123eecd69e8,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,181,181,1,952,"Directions were issued to Singapore Cricket Association for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its website, and for failing to put in place data protection policies.","[""Protection"", ""Accountability"", ""Directions"", ""Arts, Entertainment and Recreation""]",2018-08-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Cricket_Association_and_Ors_210818.pdf,"Protection, Accountability",Breach of Protection Obligation by Singapore Cricket Association,https://www.pdpc.gov.sg/all-commissions-decisions/2018/08/breach-of-protection-obligation-by-singapore-cricket-association,2018-08-21,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [19] Case No DP-1704-B0707 In the matter of an investigation under section 50(1) of the Personal 
Data Protection Act 2012 And (1) Singapore Cricket Association (UEN No. S65SS0010H) (2) Massive Infinity Pte Ltd (UEN No. 201131950M) … Organisations DECISION Singapore Cricket Association & Ors. [2018] SGPDPC [19] Yeong Zee Kin, Deputy Commissioner — Case No DP-1704-B0707 21 August 2018 1 This case concerns the unauthorised disclosure of the personal data of cricket players on the Singapore Cricket Association’s (“SCA”) websites (the “Incident”). On 20 April 2017, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised disclosure of personal data on the player profile pages on the SCA’s websites and commenced its investigations thereafter. The Deputy Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. 2 The SCA is the official governing body of the sport of cricket in Singapore. It administers various cricket leagues in Singapore with more than 100 cricket clubs participating across several league divisions. The SCA owns the rights to the domain name www.singaporecricket.org (the “First Domain”), which has served as the SCA’s official website since August 2007 (“Website”). The SCA also owns the rights to the domain name, www.cricketsingapore.com (“Second Domain”). Both domains were accessible to the public and the hosting of both domains were set up and managed by the SCA or on its instructions. 3 All clubs and their players are required to register with the SCA in order to participate in any of the SCA leagues. To register new players, clubs are required to submit the following player personal data through the registration form on the SCA’s Website:1 (a) Player name; (b) Player photograph; (c) NRIC/FIN number; (d) Date of birth; (e) Email address; and (f) Mobile number. 1 Clubs were also required to provide information such as the season, league, division and club the player will be playing in as well as the player’s category, role, bowling style and batting style. 
4 Player profile pages which showed the registered player’s name, photograph, player code (a unique identifier assigned to players upon registration) as well as player statistics (“Player Profile Information”) have been made available on the SCA’s Website since it was launched in August 2007. Player Profile Information was disclosed on the SCA’s Website to identify players participating in the leagues and to promote interest in the sport by providing the public information on the league players in the same way that some soccer and tennis players have public profiles.2 2 Given the SCA’s long-standing practice of publishing Player Profile Information on its Website, players were deemed to have consented to the disclosure of the Player Profile Information when they registered to participate in the league through their respective clubs. 5 In February 2016, SCA engaged Massive Infinity Pte Ltd (“MI”), a Singapore-based web design and development company, to revamp its Website and design and develop a new custom web portal for SCA (“Revamped Website”) in accordance with the website development specifications provided to MI.3 3 Together with the Website revamp, the SCA also switched the web hosting company for the First Domain from an India-based web hosting company to one in Singapore. However, MI was only engaged to provide the user interface design and web development of a new custom web portal and did not provide web hosting services. However, as the SCA’s website development specifications were set out in very general terms and did not specify the contents of the Revamped Website, details of the exact contents of the Revamped Website were communicated to MI in meetings, and through phone calls and Whatsapp text messages. 6 During the development and testing of the Revamped Website, the Second Domain was used as a trial or user acceptance testing site.4 4 The Second Domain was removed by the SCA on 17 April 2017 after the First Domain had stabilised. MI had set up a staging environment (scastg.azurewebsites.net domain) (“Testing Domain”) for development and testing purposes. The Testing Domain was the only web hosting setup maintained by MI for development purposes and was closed soon after the code was pushed to the SCA’s testing environment, i.e. the Second Domain, on 17 November 2016. The Testing Domain was not accessible by search engines. 
In the course of conducting user acceptance tests, the SCA requested the inclusion of some additional pages to the Revamped Website, such as the player profile pages. These additional pages were not part of the original design and were therefore not included in the design documents. Neither party was able to produce any evidence of instructions from the SCA on the type of player information that was to be shown on the new player profile pages. While the SCA represented that its intention was for the Revamped Website to show the same Player Profile Information that was on its original Website, it conceded that it did not expressly highlight the type of player information that was to be included on the player profile pages on the Revamped Website. 7 In the absence of any specific instructions on the required fields for the new player profile pages, MI created the new player profile pages based on the information collected from the SCA’s player registration page on the Website. 
Consequently, in addition to the Player Profile Information that had previously been disclosed on the Website, the new player profile pages included fields for personal data such as the player’s NRIC/FIN number, date of birth, email address and mobile number (the “Additional Player Personal Data”). 8 During the investigations, the parties gave conflicting accounts as to when the SCA was first shown the new player profile pages. MI represented that before the new player profile pages with actual player data were pushed to the Second Domain, mock-up player profile pages created using “dummy data” were sent to the SCA for its review. The Revamped Website, including the new player profile pages with actual player data from the database of registered players’ data that the SCA had provided to MI (“Registered Players Database”),5 was pushed to the Second Domain for the SCA’s review and approval on 17 November 2016. The SCA, however, represented that it had only discovered that contrary to its intention, the Additional Player Personal Data was disclosed after MI uploaded the new player profile pages on the Second Domain and subsequently on the First Domain. 9 The SCA and MI held a meeting on 28 November 2016 to review the changes that MI had made to the Revamped Website. However, the SCA claimed that at the time of the meeting, the new player profile pages were missing from the Revamped Website. MI, in turn, stated that as the SCA did not raise any issues with the new player profile pages at the meeting, MI assumed that the SCA had approved the content of the new player profile pages and they were to proceed to production as created. 5 The SCA received the database of the registered players’ personal data from their previous vendor based in India. 10 The Additional Player Personal Data was made available on the First Domain on or around 9 January 2017 after the system was migrated from the staging server (i.e. 
the Second Domain). Upon discovering that the Additional Player Personal Data was disclosed on the new player profile pages, the SCA took steps to remove them from the player profile pages leaving only the Player Profile Information. 11 The Additional Player Personal Data was disclosed on the respective player profile pages and therefore publicly accessible for the following periods: (a) from the Second Domain, from 17 November 2016 until its removal on 6 February 2017; (b) from the First Domain, from around 9 January 2017 until its removal on 6 February 2017; and (c) cached versions of the Revamped Website continued to be listed among the search results on major online search engines until the SCA submitted a request for their removal in May 2017. 12 The parties were unable to determine conclusively the exact number of players whose personal data had been disclosed on the Revamped Website on the First and Second Domains. However, based on the number of pages cached by the search engines, the SCA estimated that as many as 100 players were affected. Findings and Basis for Determination 13 The main issues for determination are: (a) whether MI breached section 24 of the PDPA; (b) whether the SCA complied with its obligations under section 12(a) of the PDPA; and (c) whether the SCA breached section 24 of the PDPA. 14 It was not disputed that the Player Profile Information and Additional Player Personal Data disclosed on the new player profile pages were “personal data” as defined in section 2(1) of the PDPA. Whether MI breached section 24 of the PDPA 15 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 
MI was engaged by the SCA to revamp the Website and was subsequently instructed to create new player profile pages on the Revamped Website. The SCA gave MI a copy of the SCA’s Registered Players Database in order for MI to upload the players’ personal data to the new player profile pages. Accordingly, the Deputy Commissioner is satisfied that the personal data in the Registered Players Database was in MI’s possession or under its control at all material times and MI was required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 16 However, MI intentionally disclosed the Additional Player Personal Data on the new player profile pages because it was under the impression that the SCA had intended for the Additional Player Personal Data to be disclosed on the new player profile pages. In this regard, seeing as MI relied on the SCA for directions as to the personal data that was to be disclosed on the player profile pages and there was no evidence that MI should have known what personal data was to be disclosed from the SCA’s instructions or from the circumstances, the Deputy Commissioner finds that MI did not act in breach of its Protection Obligation under section 24 of the PDPA when it disclosed the Additional Player Personal Data. Whether the SCA complied with section 12(a) of the PDPA 17 Section 12(a) of the PDPA imposes an obligation on organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA. 
The SCA represented, in a witness statement dated 12 June 2017 provided by a representative authorised by SCA, that it did not have any internal guidelines and/or policies for the protection of personal data at the time of the Incident and that it was in the process of reviewing this and coming up with a data protection policy and guidelines.6 18 It bears repeating that the development and implementation of data protection policies is a fundamental and crucial starting point for organisations to meet their obligations under the PDPA.7 As the Deputy Commissioner highlighted in Re Aviva Ltd [2017] SGPDPC 14 (at [32]) on the role of general data protection policies: Data protection policies and practices developed and implemented by an organisation in accordance with its obligations under section 12 of the PDPA are generally meant to increase awareness and ensure accountability of the organisation’s obligations under the PDPA. 19 In this regard, the Deputy Commissioner agrees with the observations in the Joint Guidance Note issued by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia that employees will be able to better protect personal data when they are able to first recognise when a matter involves data protection:8 Training and general education on privacy are very important. Our Offices have seen instances where issues were not identified as privacy issues when they should have been. As a result, appropriate steps were not taken to prevent or address privacy breaches. In other cases, we have seen a lack of awareness or appreciation for privacy risks on the part of employees result in the development of products or services that were not compliant with applicable privacy law. 
In Alberta, human error is the most common cause of reported breaches resulting in a real risk of significant harm to an individual. Examples include: misdirected faxes and mail, e-mail addresses viewable in mass e-mails, inappropriate disposal of documents, and disclosure of passwords. Employees will be able to better protect privacy when they are able to recognize a matter as one that involves personal information protection. [Emphasis added.] 6 The SCA had a data protection officer but its data protection officer had not undergone any training on data protection matters. 7 Re M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (at [25]). 8 Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia, Getting Accountability Right with a Privacy Management Program at p 13. 20 Therefore, by the SCA’s own admission, it failed to meet its obligations under section 12(a) of the PDPA. Whether the SCA complied with section 24 of the PDPA 21 The SCA obtained the Registered Players Database, which contained the personal data of all its registered players, from its previous vendor based in India. A copy of the Registered Players Database was handed over to MI “for a week” for MI to upload the players’ data onto the new player profile pages. The SCA alone had the right to determine whether and how many of the players’ personal data would be held and presented in the Revamped Website. Hence, the Deputy Commissioner is satisfied that the personal data in the Registered Players Database remained under the SCA’s control at all material times. 
22 Having considered the matter, the Deputy Commissioner finds that the SCA failed to put in place reasonable security arrangements to protect the personal data in its control and therefore acted in breach of its Protection Obligation under section 24 of the PDPA. 23 Player profile pages were in the SCA’s original Website and the SCA’s eventual actions disclose its intention to retain player profile pages as a function of the Revamped Website. As stated in paragraph 5 above, the SCA did not provide sufficiently detailed requirements to MI. The omission of the player profile pages was eventually discovered during user acceptance testing. The SCA then requested that player profile pages be retained in the Revamped Website. Again, the SCA did not provide detailed requirements specifications and MI was left to devise player profile pages based on the information provided by players via the online registration form. Needless to say, this disclosed too much personal data. 24 Despite the fact that the inclusion of player profile pages had been made during the final stages of the project, the SCA failed to follow up to check that this function of the Revamped Website had been properly implemented. Such an omission is particularly egregious given its context and chronology. A flaw in the Revamped Website had been identified by the SCA and certain directions had been given to MI. One would expect that the natural behaviour of the owner of a website would be to ensure that identified flaws are properly fixed. The omission of the player profile pages and how this has been resolved by MI ought to have been in the SCA’s consciousness. This betrays the SCA’s lackadaisical attitude towards protection of the personal data of registered players and sets the context for the severity of its negligence which is examined below. 25 First, the SCA provided a database of all existing players in its Registered Players Database to MI. 
It should have clarified whether its intention was for all the personal data in the Registered Players Database to be displayed in the new player profile pages. The SCA simply assumed that MI would replicate the same fields in the previous player profile pages. As owner of the Revamped Website, the onus is on the SCA to give clear instructions to MI. As a result of the SCA’s failure to state in clear terms the required fields to be created in the new player profile pages, the Additional Player Personal Data of as many as 100 registered players were disclosed on the First and Second Domains. 26 Second, considering that the registered players’ personal data would be disclosed in the new player profile pages, the SCA ought, at the very least, to have reviewed the new player profile pages before MI uploaded it to the First and Second Domains. Had the SCA done so, the disclosure of the Additional Player Personal Data could have been avoided. It bears repeating that this omission is especially egregious given the fact that the SCA had identified a flaw, which would have meant that this omission should have been in its consciousness, but it failed to follow up with ensuring that it had been properly addressed. 27 Simply assuming that MI would replicate the same fields in the previous player profile pages is a clear derogation of its protection obligation. The provision of proper and clear instructions to the designer and developer of a website that holds personal data can and should form part of the protection obligations of the organisation that owns it. In failing to do so, the SCA is in breach of the protection obligation. Further, as mentioned above, the Deputy Commissioner found that the SCA’s website development specifications lacked website content details. 
As a result, instructions and details of the SCA’s requirements were conveyed to MI piecemeal in meetings and through phone calls and WhatsApp text messages, which appears to have led to confusion and miscommunication between the parties as to the exact requirements for the Revamped Website. 28 Regardless of whether the SCA was shown the new player profile pages at the 28 November 2016 meeting or earlier, the Deputy Commissioner finds that at least between 28 November 2016 and 6 February 2017,9 the SCA could have and ought to have, but failed to, discover and prevent the unauthorised disclosure of the Additional Player Personal Data on the new player profile pages. However, the SCA was unable to explain why it had failed to pick up on the unintended disclosure of the Additional Player Personal Data earlier or provide sufficient information on what arrangements or measures (if any) were implemented to review the changes made to the Website. 29 At this juncture, the Deputy Commissioner reiterates that organisations that engage service providers to process personal data on their behalf should clarify and properly document the nature and extent of service provided. 30 This was highlighted in Re Smiling Orchid (S) Pte Ltd and Ors. [2016] SGPDPC 19 (at [51]) where the Commissioner emphasised the need for a clear meeting of minds as to the services the service provider has agreed to undertake: It is unclear whether T2’s actions would have been different had it been engaged to do more than enhancing the design of the site. Data controllers that engaged outsourced service providers have to be clear about the nature and extent of services that the service provider is to provide. There must be a clear meeting of minds as to the services that the service provider has agreed to undertake, and this should be properly documented. 
Data controllers should follow through with the procedures to check that the outsourced provider is indeed delivering the services. In the absence of such clarity of intent and procedures, it is risky to hold that the outsourced service provider is a data intermediary. In any case, the Commission has found that T2 is not a data intermediary for the reasons set out at paragraphs 35 to 38 above. [Emphasis added.] 9 As mentioned above, the SCA removed the Additional Player Personal Data from the First and Second Domains on 6 February 2017. 31 Also, as highlighted in the Guide on Building Websites for SMEs (at [4.2.1]), organisations that engage IT vendors to develop and/or maintain their websites should ensure that their IT vendors are aware of the need for personal data protection: Organisations should emphasise the need for personal data protection to their IT vendors, by making it part of their contractual terms. The contract should also state clearly the responsibilities of the IT vendor with respect to the PDPA. When discussing the scope of the outsourced work, organisations should consider whether the IT vendor’s scope of work will include any of the following: • Requiring that IT vendors consider how the personal data should be handled as part of the design and layout of the website. • Planning and developing the website in a way that ensures that it does not contain any web application vulnerabilities that could expose the personal data of individuals collected, stored or accessed via the website through the internet. • Requiring that IT vendors who provide hosting for the website should ensure that the servers and networks are securely configured and adequately protected against unauthorised access. 
• When engaging IT vendors to provide maintenance and/or administrative support for the website, requiring that any changes they make to the website do not contain vulnerabilities that could expose the personal data. Additionally, discussing whether they have technical and/or non-technical processes in place to prevent the personal data from being exposed accidentally or otherwise. [Emphasis added.] 32 Therefore, in light of the above, the Deputy Commissioner finds that the Organisation failed to make reasonable security arrangements to prevent unauthorised disclosure of the Additional Player Personal Data and is therefore in breach of section 24 of the PDPA. Directions 33 Having found that the SCA is in breach of sections 12(a) and 24 of the PDPA, the Deputy Commissioner is empowered under section 29 of the PDPA to give the SCA such directions as it deems fit to ensure compliance with the PDPA. 34 The Deputy Commissioner took into account the following factors in assessing the breach and determining the directions to be imposed: Aggravating factors (a) the personal data disclosed included the registered players’ NRIC/FIN numbers; Mitigating factors (b) the SCA took prompt action to mitigate the impact of the breach by removing the Additional Player Personal Data from the player profile pages on the First and Second Domains soon after it discovered the Incident; and (c) the SCA cooperated fully in the investigation. 35 
Having considered all the relevant factors of this case, the Deputy Commissioner hereby directs the SCA: (a) to develop and implement policies and practices that are necessary for the SCA to meet its obligations under the PDPA within 90 days from the date of this direction; (b) to conduct personal data protection training for its employees to ensure that they are aware of, and will comply with the requirements of the PDPA when handling personal data within 90 days from the date of this direction; and (c) to inform the office of the Commissioner of the completion of the above directions within 7 days of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Directions,25d5268ed669c201d4b55ce4d00b7442bfa8671e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,184,184,1,952,Directions were issued to Flight Raja Travels for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its online travel booking system.,"[""Protection"", ""Directions"", ""Accommodation and F&B""]",2018-06-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Flight_Raja_Travels_Singapore_110618.pdf,Protection,Breach of Protection Obligation by Flight Raja Travels,https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-flight-raja-travels,2018-06-11,"PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0730 [2018] SGPDPC [16] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Flight Raja Travels Singapore Pte. Ltd. … Organisation DECISION Flight Raja Travels Singapore Pte. Ltd. [2018] SGPDPC [16] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0730 11 June 2018 1 This complaint concerns a user of Flight Raja Travels Singapore Pte. 
Ltd’s (the “Organisation”) online travel booking system (the “Booking System”). While using the Booking System, the user was able to access information of other users (the “Incident”). 2 What happened was that after the user resumed his session after time-out, the Booking System showed him 45 sets of booking records. The booking records accessed by the user contained the personal data of 72 other individuals. This included name, passport number, booking ID, flight details (including the flight number, departing/ arrival date, time and airport), booking date, amount paid, and flight inclusions. 3 Investigations were commenced under section 50 of the Personal Data Protection Act 2012 (the “PDPA”). The material facts of the case are as follows. 4 Up to December 2016, the Booking System was accessed through browser login via the Organisation’s website. The Organisation then introduced a new application (the “New Mobile App”). The New Mobile App enabled access through mobile devices without login. It recognised the mobile device IDs of registered users stored as part of their account information. 5 Proper change management would have included full system integration testing of the New Mobile App with the Booking System to detect any unintended effects from the changes. However, two unintended effects went undetected. They affected non-registered users who had just completed a booking via the Booking System through a browser, and had been registered by the Booking System as new users (“Newly Registered Users”). 6 The first unintended effect was to change the behaviour of the Booking System when Newly Registered Users resumed their sessions following a Time-out. A Time-out occurred if their sessions happened to be idle for 30 minutes. The System no longer redirected them to the homepage as it did before the changes. Instead, they stayed on the same page where they could access the “Dashboard”. 
7 The second unintended effect was when the timed-out Newly Registered Users accessed the Dashboard tabs. The Dashboard’s “past” “upcoming” and “all” tabs disclosed the records of bookings by other individuals. Each tab could display a maximum 15 records thereby disclosing a total of 45 records. Findings and Basis for Determination 8 The Complaint pertains to the protection obligation under section 24 of the PDPA. In the context of the present case, when an organisation makes changes to a system that processes personal data in its possession or control, the organisation has to make reasonable arrangements to prevent any compromise to personal data. Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risk. 9 The Organisation omitted to test the effects of access through the New Mobile App with the existing access through browsers. Registered Users are identified by their mobile device IDs that are associated with their user account. However, Newly Registered Users who completed bookings through browsers had no mobile device IDs stored in their accounts. 10 An integration test plan should have considered whether such Newly Registered Users could be identified by other information in their accounts. However, in the absence of mobile device ID in a Newly Registered User’s account, the browser retrieved and displayed other booking records in the Dashboard tabs as mentioned above. 11 Further, session time-out was a likely occurrence. This included time-out of browser sessions of Newly Registered Users. An integration test plan ought to have anticipated this scenario. The Organisation was therefore found in breach of section 24 of the PDPA. 
12 Having found that the Organisation is in breach of the PDPA, I am empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. In assessing the impact of the breach, I considered the fact that a specific set of circumstances was needed for the disclosure to have occurred, and such a coincidence is uncommon: (a) The user had never registered on the Website previously; (b) The user made a booking and made payment; (c) The user did not log out or close the browser window but instead left the page idle for 30 minutes; (d) The user returned to the same webpage after 30 minutes; and (e) The user clicked on the dashboard hyperlink. 13 The disclosure occurred only if payment had been made for one or more travel tickets. This meant that disclosure would likely have been to bona fide customers rather than other persons. Additionally, the nature of the flaw made it less readily detectable by an attacker, compared with misconfigured firewalls or unpatched servers for instance. 14 Further, I considered that disclosure to the complainant was limited to 45 sets of booking records disclosed. At a maximum, the bug exposed a total of 72 personal data sets of booking information. 15 Accordingly, I hereby direct the Organisation to carry out the following within 60 days: (a) Assess whether its application testing has been complete in order to discover and remedy any risk to personal data from the changes made to introduce the new mobile application function; (b) Furnish a report of the assessment as well as action taken in response; and (c) To put in place procedures and processes, to manage the risks to the personal data in its possession or control, when making changes to its applications, by implementing testing procedures and documenting the tests conducted. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Directions,4eac4f70563516f75e6e287250e8238d4776bb2e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,185,185,1,952,Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International.,"[""Consent"", ""Purpose Limitation"", ""Notification"", ""Directions"", ""Education""]",2018-05-24,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf,"Consent, Purpose Limitation, Notification",Breach of Consent and Purpose Limitation Obligations by Spring College International,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international,2018-05-24,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. 
A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport number; date of birth; application result for Supplementary Admissions Exercise for International Students (“AEIS”); primary school assigned to; level of study; and the length of Individual A’s study period in SCI. 5 The Complainant subsequently discovered that Post A had been indexed by Google’s search engine, and would be publicly displayed as a search result on Google if Individual A’s name was used as the search term. The summary on Google’s search results page displayed part of the information contained in Post A, including Individual A’s name, partially masked passport number and date of birth. 
6 The Complainant informed the Organisation of her objection to the publication of her son’s details on its Facebook page, following which the Organisation took down Post A and took steps to render Post A non-indexable by online search engines. The Complainant also submitted a complaint to PDPC, in which the Complainant alleged that the Organisation had not obtained consent to publish her son’s personal data on its Facebook page. 7 In the course of the investigation, three other posts containing student data on the Organisation’s Facebook page were uncovered, dated on or around 25 April 2016: (a) Post B: data set of an individual student (“Individual B”), containing full name; partially masked FIN number; partially masked passport number; date of birth; photograph of Individual B standing under the Organisation’s wall logos, next to another individual; application result for AEIS; primary school assigned to; level of study; and the length of Individual B’s study period in SCI; (b) Post C: data set of an individual student (“Individual C”), containing full name; partially masked FIN number (without passport number); date of birth; photograph of Individual C standing, in between two other individuals, and under the Organisation’s wall logos; application result for AEIS; primary school assigned to; level of study; and the length of Individual C’s study period in SCI; and (c) Post D: titled “Top students of the preparatory course for AEIS”, containing information on multiple individual SCI students comprising full names; mugshots of these individuals; course duration; schools assigned to; and the level of study. 8 The Organisation did not dispute that the various Facebook posts contained the personal data of its students. The Organisation also did not deny responsibility for publishing the various Facebook posts. 
According to the Organisation, the various Facebook posts were made in order to share the activities and courses of SCI, for the purpose of creating brand awareness and attracting more students to register with SCI.
Findings and Basis for Determination
9 The issues for determination are:
(a) whether the Organisation had complied with its obligation under section 13 of the PDPA to obtain valid consent before disclosing the personal data of its students; and
(b) whether the Organisation had complied with its obligation under section 18 of the PDPA to only use and disclose personal data for purposes (i) that a reasonable person would consider appropriate in the circumstances; and (ii) that its students have been informed of.
The Consent and Notification Obligations
10 Under the PDPA, the concepts of notification of purpose and consent are closely intertwined. The PDPA adopts a consent-first regime. Unless an exception to consent applies, an individual’s consent has to be sought: see section 13 of the PDPA, which imposes on an organisation the obligation to obtain the consent of an individual before collecting, using or disclosing that individual’s personal data (“Consent Obligation”). Consent must, of course, be obtained from the individual with reference to the intended purpose of collection, use or disclosure of that individual’s personal data; section 20 of the PDPA requires an organisation to notify an individual of such intended purpose (“Notification Obligation”).
Personal Data Relating to Minors
11 At this juncture, it is relevant to note that this case involved the personal data of minors. Individual A was 9 years old at the time Post A was made; Individual B was 8 years old at the time Post B was made; and Individual C was 11 years old at the time Post C was made.
Post D contained the personal data of numerous individuals who were also minors at the time the post was made.
12 As discussed in the PDPC’s Advisory Guidelines on the Personal Data Protection Act for Selected Topics (“Selected Topics Guidelines”), certain considerations may arise when dealing with the personal data of minors.1 In particular, where the personal data of a minor is involved, the issue of whether the minor is able to effectively give consent on his own behalf may arise. In this regard, organisations should take appropriate steps to ensure that the minor can effectively give consent on his own behalf, or if not, the organisation should obtain consent from an individual who is legally able to provide consent on the minor’s behalf, such as the minor’s parent or guardian.2
13 As stated in the Selected Topics Guidelines:3
8.1 The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. In general, whether a minor can give such consent would depend on other legislation and the common law…
1 PDPC, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised 28 March 2017) at [8.1] to [8.13].
2 Selected Topics Guidelines at [8.7] to [8.9].
3 Selected Topics Guidelines at [8.1], [8.3], [8.5] to [8.6].
…
8.3 For situations where there is no legislation that affects whether a minor may give consent, the issue would be governed by the common law. In this regard, the Commission notes that there is no international norm on when minors may exercise their own rights under data protection laws… some countries have enacted legislation to specifically protect minors below a certain age.
For example, in the United States, the Children’s Online Privacy Protection Act (“COPPA”) requires certain organisations to obtain verifiable parental consent to collect personal data from children under 13 years of age.
…
8.5 The Commission notes that the age threshold of 13 years appears to be a significant one in relation to according protection to minors…
8.6 The Commission is of the view that organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent, in determining if he can effectively provide consent on his own behalf for purposes of the PDPA… the Commission will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his own behalf. However, where, for example, an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual, such as the minor’s parent or guardian, who is legally able to provide consent on the minor’s behalf.
[Emphasis added.]
14 While there was no allegation in this case that the Organisation had purported to obtain consent from individuals who lacked sufficient legal capacity to give such consent, it is nevertheless worth highlighting that it would be prudent for organisations to take additional precautions and/or safeguards when collecting, using or disclosing the personal data of minors, bearing in mind that there is “generally greater sensitivity surrounding the treatment of minors”.4 There is no magic in the age of 13 years as selected by the PDPC. The key determinant is whether the minor or young person is capable of understanding the nature and consequences of giving consent.
4 Selected Topics Guidelines at [8.12].
The onus is on the organisation to determine whether consent may be obtained from a young person above the age of 13 years or whether, despite being above 13 years of age, it is more prudent to obtain consent from the young person’s parent or guardian. Restricting my analysis only to the circumstances of this case, I would have thought that the use of minors’ personal data to publicise and market the Organisation’s services is one of those purposes that an organisation ought to have conducted itself with a greater degree of prudence and should have sought consent from the young person’s parent or guardian, even if the young person had been older than 13 years. I probably would have come to a different conclusion if, for example, the young person was participating in a school activity and a photograph had been taken during the event and used by the organisation in its regular newsletter, college annual or blog that reports on its activities and sporting achievements. In any event, the minors in this case were all below 13 years and thus, even by the rule of thumb adopted in the Selected Topics Guidelines, consent ought to have been obtained from the minors’ parents or guardians.
Whether the Organisation Complied with its Obligation to Obtain Consent for the Disclosure of its Students’ Personal Data
15 In its responses to the PDPC, the Organisation stated that, when registering with SCI, students (or their parents, as the case may be) would be required to sign an enrolment form which contained a term stipulating that they would adhere to SCI’s student handbook. The relevant term in the enrolment form is stated as follows:
By signing the form, I acknowledge that I was informed that the course is on-going. I confirm that all documents provided by me are true. I have received and will adhere to the student handbook issued by SCI.
16 Clause 15.1 of SCI’s student handbook, entitled “Data Protection Notice & Consent”, states:
15.1 The information provided in Application Form is to enable to SCI to:
(a) Administering and/or managing the application(s) for Admission and Enrolment;
(b) Applicant’s Managing the Applicant’s relationship with SCI (including the announcement of statements or notices of the Applicant, sending the Applicant marketing, advertising and promotional information, including materials and information on courses in SCI, general student-related activities within SCI, as well as related talks, seminars and/or events via postal mail, electronic mail, SMS or MMS, fax and/or voice calls; and);
(c) Processing the Applicant’s application(s) for scholarships and/or financial aid, and if successful, administering and/or managing the Applicant’s scholarship and/or financial aid programmes, which may include use of personal data for direct marketing purposes for event invitations, surveys and/or publicity of SCI’ financial aid programmes;
(d) Responding to requests for information from public agencies, ministries, statutory boards or other similar authorities
(e) Allow the compilation and analysis of statistics for marketing purpose
[Emphasis added.]
17 Clauses 15.1(a) to (d) of the student handbook are concerned with matters that can best be described as administrative in nature. These clauses are not relevant to the disclosure of students’ personal data on the Organisation’s Facebook page in the present case.
18 In its responses to the PDPC, the Organisation sought to rely on clause 15.1(e) of its student handbook, in order to assert that it had obtained consent for the disclosure of its students’ personal data in its various Facebook posts. However, I do not think that clause 15.1(e) of the student handbook adequately covers the disclosure of personal data in the various Facebook posts by the Organisation in this case.
Clause 15.1(e) contains a general reference to the “compilation and analysis of statistics”. The intent and purpose of statistical analysis is very different from the use in this case. Statistical analysis goes towards identifying how the Organisation may be more effective in delivering its services, in this case, educational services. This is an acceptable use of personal data, whether in an anonymised form, aggregated (or compiled) or even in personally identifiable form (with consent or in reliance on the research exceptions in the PDPA). Organisations ought to, and are encouraged to do so, in order that they understand their customers better and can fine tune their products or services to better cater to their customers’ needs and preferences. Of course, one of the ends is to enable the organisation to design its marketing strategy more effectively. The point to note is that the use of the data is indirect and goes towards a business function, in this case the Organisation’s marketing strategy.
19 The use of data directly in marketing is also a valid business purpose. But the intent and purpose is markedly different from statistical research. Marketing is intended to promote the organisation’s products or services to new or existing customers. While I am no expert in marketing practices, what I do know is that the profiling of positive examples and the association of an organisation’s products or services with success stories is not an uncommon practice. Its effectiveness is a question that each organisation that chooses to adopt such a practice needs to be satisfied with, and is not within the domain of personal data protection laws. What is within the domain of personal data protection laws is whether the individual whose image and other personal data will be used has consented to such use, or whether there is some other lawful justification that an organisation may rely upon.
In this regard, the various Facebook posts published by the Organisation clearly identified students individually, and showed their details on an individual basis. It is clear that the Organisation’s aim of profiling these individuals was for marketing purposes with the intent to promote its services to new (or even existing) customers. In the premises, I do not think that the purpose for which such personal data was disclosed can reasonably be said to fall within a “compilation” or “analysis of statistics” for marketing purposes. On the contrary, the personal data was used directly as part of the Organisation’s marketing campaign by featuring success stories. Parenthetically, I had intimated in my earlier decision in Re My Digital Lock Pte. Ltd. [2018] SGPDPC 3 that this is an area where there is overlapping coverage between personal data protection law and the laws protecting privacy, specifically personality rights that may be protected under defamation law. In the present case, I have confined my analysis to breaches of the Consent and Notification Obligations under the PDPA.
20 The student handbook also contained the following Clause 15.5:
15.5 By attending school activities & event, you consent to the use of your photograph, voice, likeness, and image in any broadcasts of this event and in subsequent productions drawn from video or audio recordings of this event. The photographs and recordings may be published or broadcasted in the official SCI and affiliates’ publications and in publicity materials, including the SCI and affiliates’ websites and social media…
21 As Clause 15.5 of the student handbook refers to “photographs” and “publicity materials”, the Organisation could arguably rely on this clause of the student handbook for consent to post photographs of students on its Facebook page for publicity purposes, if such photographs were taken at events organised by the Organisation.
The purposes that are notified by Clause 15.5 relate to how the Organisation may use video footage and photographs of its activities for publicity purposes. For such purposes, the primary focus is on the activities of the Organisation and the involvement of the individual students is secondary (although it may not be incidental or minor). The intent is to create favourable impressions of the Organisation by featuring its activities and perhaps even in its students’ achievements in sporting and other activities. This purpose is markedly different from profiling selected students and associating their academic achievements with the Organisation. In this type of use, the student becomes the subject and the focus. Where the student becomes the subject and the purpose is to associate his or her academic achievement for the commercial objectives of the Organisation, specific consent ought to be obtained, and this ought to be obtained from his or her parent or guardian, as the purpose of use has probably crossed into commercial use. Moreover, this clause of the student handbook would not cover the disclosure of other personal data on the Organisation’s Facebook page, such as students’ names, date of birth, school assigned to and level of study.
22 In light of the above, it follows that the Organisation has not complied with its Notification Obligation under section 20 of the PDPA, to inform the parents or guardians of its students, who are minors, of the purpose(s) for which the Organisation disclosed its students’ personal data on its Facebook page, in respect of Posts A, B, C and D minimally. The Organisation has, therefore, breached its Consent Obligation under section 13 of the PDPA to obtain consent from such minors’ parents or guardians for the same.
23 Further, given the finding that the Organisation has not complied with its Notification Obligation under section 20 of the PDPA, the Organisation is also in breach of section 18 of the PDPA.
The Organisation’s Follow-Up Remedial Actions
24 As mentioned above, the Organisation took steps to remove Post A from its Facebook page and to make the post non-indexable by online search engines. Sometime after the aforementioned breaches had occurred, the Organisation represented that it had “created” a “Marketing Consent and Release Form” (“MRF”), which the Organisation then instructed its staff to use in order to obtain consent for using students’ personal data for marketing purposes.
25 An extract from the MRF reads:
I, ____________________ (name), __________________(NRIC) irrevocably authorize the school, its employees, and its agents, to use my / my child’s name, information, picture, and likeness as recorded by the school for any purpose that the school deems appropriate, including promotional or advertising efforts. I specifically authorize the school, its employees, and its agents, to use, reproduce, exhibit, or distribute my / my child’s name & information and likeness for such purpose in any communications medium currently existing or later created, including without limitation print media, television, and the Internet.
[Emphasis added.]
26 The MRF purports to give the Organisation a very broad discretion to use students’ information, by using the catch-all phrase “for any purpose that the school deems appropriate”. In this respect, apart from the accompanying words “including promotional or advertising efforts”, the MRF does not provide individuals with any greater specificity or details as to the purposes for which the Organisation may use their personal data.
27 It falls on me to highlight the following passage from the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, which would be pertinent in this instance:5
… if an organisation’s Data Protection Policy sets out its purposes in very general terms (and perhaps for a wide variety of services), it may need to provide a more specific description of its purposes to a particular individual who will be providing his personal data in a particular situation (such as when subscribing for a particular service), to provide clarity to the individual on how his personal data would be collected, used or disclosed.
[Emphasis added.]
5 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) at [14.13].
28 In my view, the language used in the MRF is so broad such that it cannot reasonably be said to provide adequate clarity to individuals on the purposes for which their personal data would be used, and does not fulfill the requirements of section 20 of the PDPA.
29 Additionally, I note from the extract of the MRF as set out in paragraph 25 above, that the MRF purports to “irrevocably authorize” the Organisation to use students’ personal data for “any purpose that the school deems appropriate”. Needless to say, an overly-broad consent clause like this is unlikely to stand up to scrutiny and will probably not be effective in notifying purpose and thus any consent obtained in reliance on it rests on weak foundations.
Furthermore, this provision in the MRF is potentially contrary to the requirements of section 16 of the PDPA:
(a) section 16(1) of the PDPA provides that individuals may at any time withdraw any consent given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose; and
(b) section 16(3) of the PDPA further provides that an organisation must not prohibit an individual from withdrawing such consent.6
6 Section 16(3) of the PDPA further provides that this section does not affect the legal consequences arising from such withdrawal.
30 In my view, the provision in the MRF that the Organisation be “irrevocably” authorised to use students’ personal data effectively seeks to prohibit such individuals from withdrawing their consent to the use of their personal data. Supposing that the MRF had been obtained by the Organisation from the students’ parents or guardians in this case, I may not have hesitated to find that it is ineffective as being contrary to the requirements under section 16 of the PDPA. However, I am also mindful of other circumstances where an irrevocable promise may be permissible, for example, in a professional modelling agreement an individual executes an irrevocable release in return for modelling fees from an advertisement agency for a specific client’s marketing campaign, in which case the bargain that is struck ought to be respected. The analysis would involve a detailed discussion of the interaction of the consent provisions of the PDPA and contractual principles. But this is not an analysis for this case nor do I need to reach such a conclusion in these grounds.
31 In the final analysis, I do not think that the MRF validly notifies the parents or guardians of the minors of the specific marketing use of their child or ward’s personal data, nor is it acceptable in its current form for use in the context of the present pedagogical relationship between the Organisation and its students, as it purports to provide for an irrevocable waiver of the students’ right to withdraw their consent, which is contrary to section 16 of the PDPA.
Directions
32 Having found that the Organisation is in breach of sections 13 and 18 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million.
33 In assessing the breach and determining the directions to be imposed on the Organisation, I took into account the following factors in its mitigation:
(a) there was no complaint or allegation received to the effect that there was any loss or damage accruing to individuals as a result of the Organisation’s breach;
(b) the Organisation demonstrated a willingness to take remedial actions upon being informed of the breach by the Complainant; and
(c) the Organisation was generally cooperative throughout the investigation process and did not seek to obfuscate its role or the facts in this matter.
34 In consideration of the relevant facts and circumstances of the present case, I hereby direct the Organisation to:
(a) remove Posts B, C and D, and any other posts of a similar nature for which consent had not been obtained from the relevant individuals for their personal data to be used and disclosed on the Organisation’s Facebook page;
(b) revise the MRF and all other documents used by the Organisation for obtaining consent from its students for the collection, use and disclosure of its students’ personal data, taking care:
(i) to provide sufficient clarity and avoid the use of “catch-all” phrases in the articulation of the purposes for which personal data would be collected, used and disclosed;
(ii) in particular, where the Organisation collects, uses or discloses personal data for purposes that involve marketing and profiling, to ensure that consent be obtained specifically for those purposes; and
(iii) to clarify that individuals are not prohibited from withdrawing their consent; and
(c) take all other steps and make such other arrangements as would reasonably be required to meet (a) and (b) above.
YEONG ZEE KIN
DEPUTY COMMISSIONER
PERSONAL DATA PROTECTION",Directions,ab610ebd87a5e51bcfa08294b0f5948e87401467,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,192,192,1,952,"Directions were issued to Habitat for Humanity Singapore for breaches of the PDPA.
The organisation did not make reasonable security arrangements to prevent unauthorised disclosure of its volunteers’ personal data, failed to put in place data protection policies, and omitted to communicate data protection policies and practices to its staff.","[""Accountability"", ""Protection"", ""Directions"", ""Social Service""]",2018-05-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Habitat_for_Humanity_Singapore_030518.pdf,"Accountability, Protection",Breach of Openness and Protection Obligations by Habitat for Humanity Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-openness-and-protection-obligations-by-habitat-for-humanity-singapore,2018-05-03,"PERSONAL DATA PROTECTION COMMISSION
[2018] SGPDPC 9
Case No DP-1707-B0971
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012
And
Habitat for Humanity Singapore Ltd
… Organisation
DECISION
Habitat for Humanity Singapore Ltd [2018] SGPDPC 9
Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0971
3 May 2018
Background
1 On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising a batch of community involvement programme (“CIP”) letters (the “CIP Letters”) acknowledging the participation of each volunteer at an event organised by the Organisation (the “Incident”). The Personal Data Protection Commission (the “PDPC”) was informed of the Incident on 22 July 2017 and commenced its investigations thereafter. I set out below my findings and grounds of decision based on the investigations carried out in this matter.
Material Facts
2 The Organisation is a registered charity under the National Council of Social Services, whose objectives include seeking to eliminate poverty housing worldwide by providing decent and affordable housing.
In furtherance of its objectives, the Organisation organises community involvement programmes, where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer’s participation.
3 The Incident involved the disclosure of a batch of CIP Letters in an email (the “Email”) that was prepared by a manager (the “Manager”) in the Organisation. The CIP Letters were created using the mail merge function in Microsoft Word which would fill in a CIP letter template with the names and NRIC numbers of the volunteers. This created a single Microsoft Word document containing the CIP Letters for all the volunteers, which the Manager then converted from Microsoft Word to PDF format. The Manager then sent the PDF containing the entire batch of CIP Letters to another member of staff (“Admin Staff”), along with the volunteers’ email addresses and instructed the Admin Staff to send out the CIP Letters.
4 The Organisation’s usual practice was for the document containing the entire batch of CIP Letters to be segregated and split into individual CIP Letters before each CIP Letter was individually sent to its respective volunteers. However, in this case, neither the Manager nor the Admin Staff had prepared and/or handled any CIP Letters prior to the Incident. The Manager failed to instruct the Admin Staff on the proper procedure.
5 On 20 July 2017, the Admin Staff sent a mass email to all the volunteers who were involved in the mass clean-up event, attaching the PDF document which contained the entire batch of CIP Letters. As a result, the PDF attachment containing the CIP Letters revealed the names and NRIC numbers of all the volunteers who had participated in the Organisation’s mass clean-up event. Additionally, the Email was also sent with the email addresses of all the recipients in the “cc” field.
Consequently, the Organisation received two emails from the volunteers who had received the Email, expressing their concern that their personal data had been disclosed to other parties without their consent.
Findings and Basis for Determination
6 The issues for determination are:
(a) whether the Organisation complied with its obligations under section 12 of the PDPA; and
(b) whether the Organisation was in breach of section 24 of the PDPA.
7 As a preliminary point, the names, NRIC numbers and email addresses disclosed in the Email and CIP Letters fall within the definition of “personal data” under section 2(1) of the PDPA, as it was clearly possible to identify an individual from that data.
8 Pursuant to section 53(1) of the PDPA, any act done or conduct engaged in by a person in the course of his employment shall be treated for the purposes of the PDPA as done or engaged in by his employer as well as by him, regardless of whether it was done or engaged in with the employer’s knowledge or approval. The Organisation is therefore responsible for its employees’ conduct in relation to the Incident.
(a) Whether the Organisation complied with its obligations under section 12 of the PDPA
9 Section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA. Section 12(c) of the PDPA also requires the organisation to communicate to its staff information about such policies and practices.
10 The Organisation claimed to have instructed its employees on the Organisation’s obligations under the PDPA and the importance of safeguarding its volunteers and donors’ personal data.
Employees who were required to deal with personal data were also briefed on the following data protection practices and procedures “on a need basis”:
(a) to use the “bcc” function when sending out mass emails;
(b) to send the CIP Letters individually;
(c) to avoid sharing collected personal data with unauthorised third parties;
(d) to contact individuals only for purposes that they have given consent;
(e) to use personal data only for the purposes for which it was collected; and
(f) to secure all documents containing personal data safely.
11 However, there were no documented policies, practices or procedures in relation to sending out the CIP Letters. Indeed, the Incident could very well have been averted if the Organisation had implemented, and documented, a standard operating procedure for the sending out of the CIP Letters. By the Organisation’s own admission, the Manager had omitted to instruct the Admin Staff on the Organisation’s usual procedure for sending out the CIP Letters and she “should have written down the instruction clearly for [the Admin Staff], which [she] had forgotten to do.”
12 I take this opportunity to reiterate the benefits and importance of documenting an organisation’s data protection policies and practices in a written policy as emphasised in Re Furnituremart.sg [2017] SGPDPC 7 (“Furnituremart.sg”) at [14]:
“The lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly.
Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.”
13 In this regard, the Organisation was unable to demonstrate or produce any evidence that it had developed and implemented policies and practices necessary for it to comply with its obligations under the PDPA in respect of sending out the CIP Letters.
14 In addition, the Organisation did not provide any formalised data protection training for its employees. As the Commissioner observed in Re National University of Singapore [2017] SGPDPC 5 (at [21]), data protection training may fall under both the openness obligation (specifically, section 12 of the PDPA) and the protection obligation (section 24 of the PDPA). Data protection training is an effective mode of communication of the Organisation’s policies and practices to fulfil the openness obligation (section 12(c) of the PDPA).
15 The Manager’s failure to communicate the Organisation’s data protection policy was evidenced by the Admin Staff’s lack of awareness of the use of the “bcc” function and the implications of her actions in respect of the Email. Although the Admin Staff claimed to have been instructed on the “rules with regard to volunteers’ personal details”, the fact that she:
(a) did not query whether it was appropriate to send the entire batch of CIP Letters containing personal data to all the volunteers; and
(b) did not think to check whether the email addresses of the recipients of a mass email should be inserted in the “bcc” field instead of the “to” or “cc” fields
suggests that there was a lack of awareness of the Organisation’s obligations under the PDPA.
16 Accordingly, I find that the Organisation has breached its openness obligation, given that it did not develop and implement a data protection policy as necessary for the Organisation to meet its obligations under the PDPA at the time of the Incident, and it did not communicate its data protection policies and practices to its staff, as required under sections 12(a) and (c) of the PDPA. (b) Whether the Organisation was in breach of section 24 of the PDPA 17 Section 24 of the PDPA requires an organisation to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 18 In this case, the Organisation’s informal practices and verbal reminders “on a need basis” were an insufficient security arrangement for the purposes of compliance with section 24 of the PDPA. The Organisation did not implement any checks and controls to prevent or minimise the risk of unauthorised disclosure of personal data. Knowing that the output produced by the Microsoft Word mail merge function was a single file containing the CIP Letters for all volunteers in the batch, the Organisation did not implement technical arrangements such as installing IT tools1 that would have enabled the CIP Letters to be generated from the CIP letter template as separate documents. At the minimum, greater awareness of the need to protect the personal data of volunteers would have prompted the Admin Staff to process the PDF or Microsoft Word document containing the entire batch of CIP Letters manually in order to split the document into individual PDF files. The Manager would also have had a role to play in ensuring that this was done and could have implemented simple process checks to identify errors. 
Furthermore, technical controls could also have been installed to remind employees to use the “bcc” function when multiple email addresses are pasted in the “to” or “cc” field. Unnecessary disclosure of NRIC numbers 19 At this juncture, I observe that the disclosure of the volunteers’ NRIC numbers in the CIP Letters was unnecessary as the CIP Letters had already referred to the volunteers by their full names. Given that an individual’s NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual, organisations should not disclose an individual’s NRIC number except where it is required under the law or where it is necessary to accurately establish and verify the identity of the individual by way of the same. It is not apparent to me that the need to identify an individual in a CIP Letter was to such a degree of specificity that his or her NRIC had to be included. The nature and function of a CIP Letter did not necessitate the publication of the volunteer’s NRIC number. 1 There were IT tools reasonably available that would have enabled the CIP Letters to be generated from a template as separate documents. For instance, the installable PDF Split & Merge program allows a single PDF or Microsoft Word output from a mail merge operation to be processed into individual PDF files. 20 Organisations that choose to disclose more sensitive data than are required for their business or legal purposes have to be able to defend such decisions and bear the burden of ensuring an appropriate level of security for the personal data of varying levels of sensitivity. As observed in Re Aviva Ltd [2017] SGPDPC 14 (at [18]): “The Advisory Guidelines on Key Concepts in the PDPA states that an organisation should “implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”. 
This means that a higher standard of protection is required for more sensitive personal data.” [Emphasis added.] 21 In the premises, I find that the Organisation failed to make reasonable security arrangements to protect the personal data in its possession and control, as the Organisation: (a) did not put in place basic administrative security arrangements such as setting out its data protection policies and procedures in writing; (b) did not implement any checks and controls to ensure that its employees were complying with its data protection practices and policies; (c) did not provide any formalised data protection training for its employees; (d) failed to properly supervise the employees who were in charge of preparing and sending out the CIP Letters; and (e) did not have any other form of security arrangement to protect its volunteers’ personal data. Directions 22 Having found that the Organisation is in breach of sections 12(a), 12(c), and 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure compliance with the PDPA. 23 In assessing the breach and determining the directions to be imposed, I took into account, as an aggravating factor, the fact that the personal data disclosed included the volunteers’ NRIC number, which was of a sensitive nature. 24 I also took into account the following mitigating factors: (a) the disclosure only affected a limited number of people; and (b) the Organisation had cooperated fully in the PDPC’s investigation. 25 Pertinently, the PDPC has recently issued a public consultation on the proposed advisory guidelines for NRIC numbers, which, inter alia, discourages the indiscriminate use of NRIC numbers. Due weight has been given to the unsatisfactory practices that currently abound. 
Our practices as a society need to be improved as we become more knowledgeable about the risks of identity theft and other identity-related risks (and I do not restrict this caution as referring only to online risks). In future, similar conduct may call for the imposition of a financial penalty as proposed changes to the advisory guidelines on the collection, use and disclosure of NRIC numbers are implemented. This case should serve as a clarion call for all organisations to start handling personal data such as NRIC numbers, which are unique and permanent identifiers of individuals, with a much higher degree of care and discernment than the present. 26 I hereby issue the following directions to the Organisation: (a) to conduct a review of all its activities involving the handling of personal data of its volunteers and donors; (b) to put in place a data protection policy, including process safeguards and written internal policies, such as standard operating procedures, to comply with the provisions of the PDPA; (c) to arrange for personal data protection training for its staff; and (d) to complete the above directions within 90 days from the date of this decision and inform the Deputy Commissioner of the completion thereof within 1 week of implementation. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,2f49f6f980fa80609521241128a33eb6a528f5a9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,198,198,1,952,"Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA.","[""Accountability"", ""Directions"", ""Others""]",2018-01-23,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf,Accountability,Breach of Openness Obligation by 4 Hair Salons,https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons,2018-01-23,"PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 4. Initia Pte. Ltd. DECISION … Organisations Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). 
Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS:
S/N | Organisation | Start of employment | End of employment
1. | Jiwon | 9 April 2014 | 15 August 2016
2. | Next@Ion Pte Ltd | 10 August 2016 | 30 November 2016
3. | Next Hairdressing Pte Ltd | 1 Dec 2016 | 16 Dec 2016
4. | Initia Pte Ltd | 13 Jan 2017 | -
4 In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had any policies or practices in place for the protection of the personal data they collected. This Decision is solely concerned with the compliance of the Organisations’ obligations under section 12(a) of the PDPA and the foregoing information on Jiwon’s initial complaint serves merely as background information to give context. Findings and Basis for Determination Whether the Organisation had complied with its obligations under section 12 of the PDPA 5 Section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA (the “Openness Obligation”). 6 During the investigations, it became apparent that the Organisations did not implement any data protection policies or practices. This was admitted to by the Organisations. 
7 In the circumstances, I find that, by their own admission, each of the Organisations failed to meet its obligations under section 12(a) of the PDPA. 8 I would like to take this opportunity to repeat the exhortations made in Re: M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (“M Star Movers”) to organisations to put in place policies and practices to protect personal data. 9 The M Star Movers grounds of decision (at paragraphs 27 and 28) explains the need for organisations to put in place data protection policies and practices as follows: At the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA. An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities (e.g. communications through social media). Directions 10 Having found that the Organisations are in breach of section 12(a) of the PDPA, I am empowered under section 29 of the PDPA to give the Organisations such directions as I deem fit to ensure compliance with the PDPA. 
11 In assessing the breach and determining the directions to be imposed on the Organisations, I took into account that the personal data collected by the Organisations was limited to the names and contact numbers of its customers. 12 I have decided to issue the following directions to each of the Organisations: (a) to put in place a data protection policy to comply with the provisions of the PDPA within 60 days from the date of this direction; and (b) to inform the office of the Commissioner of the completion of the above directions within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER ",Directions,22dc817cc5a859cce0bf1f96066bd7470c408c03,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,203,203,1,952,"Directions were issued to M Stars Movers for disclosure of a customer's personal data via social media without consent, failure to appoint a Data Protection Officer, and failure to institute policies and practices that are necessary for the organisation to meet the obligations imposed under the PDPA.","[""Accountability"", ""Consent"", ""Directions"", ""Transport and Storage""]",2017-11-15,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---m-stars-movers---151117.pdf,"Accountability, Consent",Breach of Consent and Openness Obligations by M Stars Movers,https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-consent-and-openness-obligations-by-m-stars-movers,2017-11-15,"PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 15 Case No DP-1612-B0418 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And M Stars Movers & Logistics Specialist Pte Ltd … Organisation GROUNDS OF DECISION M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0418 15 November 2017 
Background 1 This case highlights the risks that organisations face when they fail to develop and implement policies, practices and procedures to protect personal data when communicating with its customers or other individuals through social media. 2 In this matter, a customer (the “Complainant”) of the Organisation, which provides professional moving services, alleged that the Organisation had disclosed her personal data on its Facebook page without her consent. 3 The findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 4 Sometime in December 2016, the Complainant engaged the Organisation’s professional moving services. The Complainant voluntarily provided her name, mobile number and residential addresses (i.e. the addresses where the items were to be picked up and delivered to) to the Organisation to provide the services. 5 Dissatisfied with the allegedly unsatisfactory services provided by the Organisation, the Complainant left a negative review in a public post on the Organisation’s Facebook page. Amongst other things, there was a disagreement as to when the Organisation was required to return the S$100 deposit to the Complainant. 6 The Organisation publicly responded to the Complainant’s review in the comment section of the Complainant’s post on its Facebook page. In its response, the Organisation identified the Complainant by her English name and surname (“name”) and residential address (collectively referred to as the “Personal Data”) and informed the Complainant that she would receive her deposit once she returned the carton boxes that the Organisation had previously provided to her to assist her in moving her belongings. 
7 Shortly after the Organisation had disclosed the Complainant’s Personal Data on its Facebook page, the Complainant sent the Organisation a private Facebook message requesting the immediate removal of her residential address from the Organisation’s Facebook page. The Organisation denied any wrongdoing and refused to remove the Complainant’s address from its Facebook page until it was advised to do so by the office of the Commissioner. 8 The Organisation’s explanation was that it had disclosed the Complainant’s name and residential address in its response to identify the Complainant “to ensure that [it was] refunding the money of $100 [i.e., the deposit] to the correct person”. 9 The Organisation admitted in the course of the investigations that it was not aware of the Personal Data Protection Act 2012 (“PDPA”). Consequently, it did not appoint a data protection officer (“DPO”) nor did it implement any data protection policies or guidelines. Findings and Basis for Determination 10 The issues for determination are: (a) whether the Organisation had disclosed the Complainant’s personal data without consent or authorisation; and (b) whether the Organisation had complied with its obligations under sections 11 and 12 of the PDPA. 11 The information disclosed by the Organisation is clearly “personal data” within the meaning of section 2(1) of the PDPA as the Complainant could be identified from the information disclosed. The Organisation did not dispute this. Whether the Organisation had disclosed the Complainant’s personal data without consent or authorisation 12 Subject to certain exceptions,1 in accordance with section 13 read with section 14 of the PDPA, organisations may only collect, use or disclose personal data about an individual with the consent of that individual (the “Consent Obligation”). 
13 An individual may, in some circumstances pursuant to section 15 of the PDPA, be deemed to have consented to the collection, use and disclosure of his/her personal data where he/she voluntarily provided the personal data and it is reasonable that he/she would voluntarily provide the data.2 1 Pursuant to section 17 of the PDPA read with the Second, Third and Fourth Schedule of the PDPA. 14 The Complainant engaged the Organisation to move her belongings to her new home. It is in this context that the Complainant provided her Personal Data to the Organisation; so that the Organisation would know the location from which to pick up the Complainant’s belongings and the delivery address. No evidence has been adduced of the Complainant consenting to the disclosure of the Personal Data on the Organisation’s public Facebook page. Further, the Deputy Commissioner finds that the Complainant is not deemed to have consented to the said disclosure as the two limbs for making a finding of deemed consent under section 15(1) of the PDPA have not been made out. In this context, it cannot be said that this manner of disclosure of the Complainant’s Personal Data by the Organisation in its response to her review on its Facebook page was within the Complainant’s reasonable contemplation. 15 The Organisation’s explanation that it replied to the Complainant’s Facebook post with the Personal Data as it wanted to confirm the identity of the Complainant does not address the reason the Organisation publicly disclosed the Personal Data on its Facebook page. The Organisation’s objective of ensuring the identity of the Complainant was not better served by disclosing the Personal Data publicly on its Facebook page instead of privately communicating with the Complainant directly. There was no legitimate reason for disclosing the Personal Data to third parties. 
Given the Organisation’s admission of its lack of awareness of the PDPA and the obligations it imposes, it is more likely than not, that the Organisation disclosed the Personal Data simply for convenience without further consideration. 2 Section 15 of the PDPA. 16 It is a trite principle of law that ignorance of the law is no excuse. Thus, the Organisation’s lack of awareness of its obligations under the PDPA cannot excuse its breach of the PDPA. The data protection provisions of the PDPA took effect on 2 July 20143 after a “sunrise” period of more than a year from 2 January 2013. Since then, organisations have had ample opportunities to develop and implement appropriate policies and practices to comply with the PDPA. In any event, an organisation’s lack of awareness of its data protection obligations is not a legitimate defence to a breach. 17 It is apropos to address an issue which commonly arises in the context of an organisation’s communications through its commercial social media page. When is it ever acceptable to disclose personal data when an organisation is responding to public comments? It is unlikely that the terms of ex ante consent or scope of deemed consent can cover such disclosures. 18 The Deputy Commissioner advises caution in disclosing personal data when responding to public comments. An organisation should not be prevented or hampered from responding to comments about it using the same mode of communications that its interlocutor has selected. In some situations, it may be reasonable or even necessary to disclose personal data in order to advance an explanation. An individual who makes false or exaggerated allegations against an organisation in a public forum may not be able to rely on the PDPA to prevent the organisation from using material and relevant personal data of the individual to explain the organisation’s position on the allegations through the same public forum. 3 Personal Data Protection Act 2012 (Commencement) Notification 2014. 
19 The following observations may be made in this context about the approach that the Commission adopts. First, the Commission will not engage in weighing allegations and responses on golden scales in order to establish proportionality. The better approach is to act against disclosures that are clearly disproportionate on an objective standard before the Commission intervenes in what is essentially a private dispute (in this case the dispute was the Complainant’s alleged dissatisfaction of the services provided by the Organisation). Second, the disclosure may sometimes be justified by exceptions to consent. For example, disclosures in the course of the Organisation’s investigations into alleged breaches of agreement or into conduct that may give rise to tortious claims. Disclosures in reliance of exceptions to consent will nevertheless have to be limited in scope in order to achieve the purposes of the applicable exception. Third, even in the absence of consent (whether express or deemed) or an applicable exception, it may nevertheless be objectively reasonable for the Organisation to disclose personal data in response to allegations made against it. Section 11(1) of the PDPA exhorts organisations in discharging its responsibilities under the PDPA to “consider what a reasonable person would consider appropriate in the circumstances.” This requires fact-specific analysis and the burden is on the Organisation to justify that the circumstances were atypical, the disclosure was warranted and its actions were reasonable. 20 In the present case, the Complainant had posted a lengthy complaint on the Organisation’s Facebook page, amounting to approximately 500 words. The Organisation responded in three separate posts. 
Having perused the explanations and considered the context of the disclosure of the Personal Data, it cannot be said that the disclosure of the Personal Data had any nexus to the allegations and explanations. Hence, the disclosure in its response was clearly disproportionate. The Organisation’s response was not made in the context of an investigation into a civil dispute (although one patently existed), nor did it fall within any other exception. Finally, the Organisation’s disclosure was unwarranted and unreasonable as it was made, more likely than not, for convenience without further consideration (see paragraph 15 above). 21 Given the foregoing, the Deputy Commissioner finds that the disclosure of the Personal Data on the Organisation’s Facebook page was made in breach of its Consent Obligation under the PDPA. Whether the Organisation had complied with its obligations under sections 11 and 12 of the PDPA 22 Section 11(3) of the PDPA requires an organisation to designate one or more individuals (i.e. the DPO) to be responsible for ensuring compliance with the PDPA and section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA (collectively, the “Openness Obligation”). 23 During the investigations, the Organisation admitted that it was not aware of the PDPA and consequently, its data protection obligations4 under the PDPA. The Organisation also confirmed that, at the material time, it did not implement any data protection policies or practices, nor did it appoint a DPO. 4 Under Parts III to VI of the PDPA. 24 In the circumstances, the Deputy Commissioner finds that, by its own admission, the Organisation failed to meet its obligations under sections 11(3) and 12(a) of the PDPA. 
In this regard, the Deputy Commissioner repeats his comments made at paragraph 16 above that a lack of awareness of the obligations imposed by the PDPA does not amount to a legitimate defence against a breach by the Organisation. Data protection policies 25 The Deputy Commissioner takes this opportunity to highlight that the development and implementation of data protection policies is a fundamental and crucial starting point for organisations to comply with their obligations under the PDPA. 26 In this regard, the Deputy Commissioner repeats the Commissioner’s guidance in Re Aviva Ltd [2017] SGPDPC 14 at paragraph [32] on the role of general data protection policies: “Data protection policies and practices developed and implemented by an organisation in accordance with its obligations under section 12 of the PDPA are generally meant to increase awareness and ensure accountability of the organisation’s obligations under the PDPA…” 27 At the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA. 28 An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities (e.g. communications through social media). 
29 A general data protection policy is, however, not the be all and end all of data protection. Specific practices, processes, procedures and measures need to be put in place by organisations to protect personal data. In this regard, the Deputy Commissioner agrees with the following comments made by the Office of the Privacy Commissioner of Canada’s decision in the case of Google Inc. WiFi Data Collection5 on the necessity to put in place real and effective measures to ensure an organisation’s accountability for the personal data it handles: “The obligation that organizations must have in place the proper practices, as a matter of accountability, concords with a growing international recognition that the protection of personal information requires real and effective measures. It is this Office’s view that organizations need to implement appropriate and effective measures to put into effect the principles and obligations of the Act, including effective compliance and training programs, as an essential part of ensuring that organisations remain accountable for the personal information they collect, use or disclose.” 30 Organisations with a social media or other online presence (e.g. social media forums), particularly those that rely on such platforms to communicate with its customers, ought to develop appropriate policies, practices and procedures that amply address the risks of disclosing personal data on social media or other online sites. Together, these policies, practices and procedures should seek to (i) ensure that staff who communicate through an organisation’s social media account or similar platforms are aware of the organisation’s data protection obligations and the importance and need to protect personal data; (ii) crystallise the organisation’s position on the circumstances in which it may be appropriate to disclose personal data on these platforms for example, disclosures for which individuals have already consented to; (iii) ensure that the organisation maintains an appropriate level of control on the content posted on these platforms (e.g. by limiting the number of staff who are allowed to post and placing conditions on these staff such as requiring them to undergo relevant data protection training); (iv) crystallise the organisation’s retention rules in respect of posts on such platforms; and (v) provide an avenue to escalate issues or queries to the appropriate function or role within the organisation. 5 PIPEDA Report of Findings #2011-001: Google Inc. WiFi Data Collection at [71]. 
31 A well informed DPO who is familiar with data protection law and practice, should be able to ensure that these policies, practices and procedures are updated to guide members of staff on the appropriate conduct when using such platforms as means of corporate communications, including with customers, and also provide guidance as to when communications commenced on public fora ought to continue in more private channels. Data protection officer 32 The above paragraph segues appropriately into a discussion of the requirement and role of the DPO. 33 The DPO plays an important role in ensuring that the organisation fulfils its obligations under the PDPA. Recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organisation and ought to be part of enterprise risk management frameworks. This will ensure that the board of directors and C-level executives are cognisant of the risks. 
The DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to him/her. If not one of the C-level executives, the DPO should have at least a direct line of communication to them. This level of access and empowerment will provide the DPO with the necessary wherewithal to perform his/her role and accomplish his/her functions. The DPO need not – and ought not – be the sole person responsible for data protection within the organisation. Properly implemented, data protection policies will touch most, if not all, parts of an organisation. Every member of staff has a part to play. The DPO is the person within an organisation responsible for implementing the policies and practices, just as the board and C-level executives are ultimately accountable to shareholders and owners for any failure to comply. 34 The responsibilities of a DPO include, but are not limited to:6 (a) ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data, including processes and formal procedures to handle queries and/or complaints from the public; (b) fostering a data protection culture and accountability among employees and communicating personal data protection policies to stakeholders; (c) handling and managing personal data protection related queries and complaints from the public, including making information about the organisation’s data protection policies and practices available on request to the public; (d) alerting management to any risks that might arise with regard to personal data; and (e) liaising with the Commissioner on data protection matters, if necessary. 6 PDPC, Data Protection Officers at para 4. 
35 In this regard, the Deputy Commissioner agrees with the position adopted in the Joint Guidance Note7 on the role and responsibilities of a DPO (or Privacy Officer in the Canadian context) in an organisation: “[organizations] must appoint someone who is responsible for the privacy management program. Whether this person is a C-level executive of a major corporation or the owner/operator of a very small organization, someone must be assigned responsibility for overseeing the organization’s compliance with applicable privacy legislation. Other individuals may be involved in handling personal information, but the Privacy Officer is the one accountable for structuring, designing and managing the program, including all procedures, training, monitoring/auditing, documenting, evaluating, and follow-up. Organizations should expect to dedicate some resources to training the Privacy Officer. The Privacy Officer should establish a program that demonstrates compliance by mapping the program to applicable legislation. It will be important to show how the program is being managed throughout the organization. The Privacy Officer will play many roles with respect to privacy. S/he will: - establish and implement program controls; - coordinate with other appropriate persons responsible for related disciplines and functions within the organization; - be responsible for the ongoing assessment and revision of program controls; - represent the organization in the event of a complaint investigation by a privacy commissioner’s office; and - advocate privacy within the organization itself. This last role is as crucial as the others. 
Organizations face competing interests and privacy compliance is one program of many. Privacy, however, is more than a balancing of interests. Privacy should be seen in terms of improving processes, customer relationship management, and reputation. Consequently, the privacy management program’s importance must be recognized at all levels.” [Emphasis added.] 7 Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia, Getting Accountability Right with a Privacy Management Program at p. 7. 36 Again, while the quote above is in respect of a Privacy Officer, it is equally applicable in the context of a DPO under the PDPA notwithstanding the differences between privacy and data protection. 37 From the foregoing, it is clear that regardless of the size of an organisation, the DPO plays a vital role in building a robust data protection framework to ensure the organisation’s compliance with its obligations under the PDPA. Directions 38 Having found that the Organisation is in breach of sections 11(3), 12(a) and 13 of the PDPA, the Deputy Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 39 In assessing the breach and determining the directions to be imposed on the Organisation, the Deputy Commissioner took into account the following factors: (a) the personal data disclosed was limited to the Complainant’s name and residential address; and (b) the Organisation’s breach of the Consent Obligation was due to its lack of awareness of the Organisation’s obligations under the PDPA. 
40 The Deputy Commissioner has decided to issue the following directions to the Organisation: (a) to put in place a data protection policy and internal guidelines to comply with the provisions of the PDPA within 60 days from the date of this direction; (b) to appoint a DPO within 30 days from the date of this direction; (c) to inform the office of the Commissioner of the completion of each of the above directions within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION COMMISSION ",Directions,76b2216f9b21cb552235144f0c76b8706503cf1a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,212,212,1,952,"Directions were issued to Asia-Pacific Star, as a data intermediary, for failing to make reasonable security arrangements to prevent the disclosure of the personal data of Tiger Airways Singapore's passengers.","[""Protection"", ""Directions"", ""Others""]",2017-05-31,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---tigerair-sats-aps-310517.pdf,Protection,Breach of Protection Obligation by Asia-Pacific Star,https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-asia-pacific-star,2017-05-31,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Tiger Airways Singapore Pte Ltd (UEN No. 200312665W) (2) SATS Ltd (UEN No. 197201770G) (3) Asia-Pacific Star Private Limited (UEN No. 199705514Z) … Organisations Decision Citation: [2017] SGPDPC 6 GROUNDS OF DECISION 31 May 2017 A. INTRODUCTION 1. 
On 27 July 2016, the Personal Data Protection Commission received a complaint that the passenger name list for Tiger Airways Singapore Pte Ltd (“Tigerair”) flight TR2466 (“Flight Manifest”) had been improperly disposed of in a rubbish bin in the gate hold room at Changi Airport. The complainant alleged that the Flight Manifest could have been retrieved by anyone in the vicinity. 2. The Commission undertook an investigation into the matter and sets out its findings and grounds of decision below. B. MATERIAL FACTS 3. Tigerair is a low-cost carrier. SATS Ltd (“SATS”) is an aviation ground handling service provider. SATS was engaged by Tigerair to provide ground handling services. In accordance with the terms of the ground handling services contract between SATS and Tigerair (“Ground Handling Services Contract”), SATS was responsible for the provision of the services by its subsidiaries as if they had been provided by SATS itself. Page 1 of 8 4. Asia-Pacific Star Private Limited (“APS”) is a wholly-owned subsidiary of SATS. SATS sub-contracted the provision of ground handling services for Tigerair to APS pursuant to a Services Agreement dated 11 June 2014 (“Services Agreement”). 5. Under the Services Agreement, APS was responsible for managing the boarding process, reconciling passenger numbers and verifying travel documents at the boarding gate. Among other things, APS was required to print a copy of the Flight Manifest at the boarding gate for the cabin crew to take on board the flight and submit to the immigration authority at the arrival destination. 6. On 26 July 2016, an APS employee who was on gate duty for flight TR2466 ran out of paper while printing a copy of the Flight Manifest. The APS employee disposed of the partially-printed Flight Manifest in the rubbish bin in the gate hold room for flight TR2466 and reprinted the Flight Manifest in full (“Data Breach Incident”). 
The gate hold room where the partially-printed Flight Manifest was discarded was only accessible to passengers and airport staff. 7. None of the Organisations (nor the complainant) could verify the exact number of passengers whose personal data was disclosed in the partially-printed Flight Manifest. 8. The partially-printed Flight Manifest contained passenger personal data such as the passenger’s name, booking reference number (also known as PNR), fare class, sequence number of check-in, date of booking, seat number, destination and flight number. 9. Other personal data such as the passenger’s full name, passport number, home address, phone number, email address and last four digits of the credit card used to pay for the plane ticket could have been retrieved by entering the passenger’s name and the PNR into Tigerair’s “Manage My Booking” portal. Special features or add-ons to the passenger’s flight(s) and travels, such as hotel bookings and airport transfers or car rentals, would also have been reflected on the “Manage My Booking” portal. This information was only accessible up to the last travelling date of the passenger’s itinerary. C. COMMISSION’S FINDINGS AND BASIS FOR DETERMINATION 10. At the outset, the Commission finds that the partially-printed Flight Manifest constitutes personal data as defined in section 2(1) of the Personal Data Protection Act 2012 (“PDPA”). The Flight Manifest contained data about the passengers who could be identified either from that data alone or from that data and the data on Tigerair’s “Manage My Booking” portal. Issues for determination 11. The issues to be determined by the Commission are as follows: (a) whether SATS and APS were acting as data intermediaries for Tigerair in relation to the Tigerair passengers’ personal data; and (b) whether each of the Organisations complied with its obligation under section 24 of the PDPA in respect of the Data Breach Incident. 
Issue (a): Whether SATS and APS were acting as data intermediaries for Tigerair in relation to the Tigerair passengers’ personal data 12. As mentioned at paragraph 3 above, SATS was engaged by Tigerair to provide services such as managing the boarding process, reconciliation of passenger numbers and verification of travel documents at the boarding gate. These are activities of “processing” personal data on behalf of Tigerair as defined in section 2(1) of the PDPA. 13. SATS had sub-contracted the provision of the services to APS but remained responsible for the provision of ground handling services as if they were performed by SATS itself. APS was granted access to Tigerair’s “Departure Control System” which contained all the information related to a passenger’s booking to carry out activities of “processing” on behalf of Tigerair. Accordingly, the Commission is satisfied that SATS and APS were both acting as data intermediaries of Tigerair. 14. A data intermediary has a duty to comply with the Protection Obligation under section 4(2) of the PDPA. An organisation has the same obligation in respect of personal data processed by a data intermediary on its behalf and for its purposes as if the personal data were processed by the organisation itself under section 4(3) of the PDPA. Accordingly, Tigerair, SATS and APS each have an obligation to make reasonable security arrangements to protect the personal data of Tigerair passengers in their possession and/or under their control. Issue (b): Whether each of the Organisations complied with its obligation under section 24 of the PDPA in respect of the Data Breach Incident 15. It was not disputed that the partially-printed Flight Manifest was improperly disposed of by the APS employee at the gate hold room. However, the Organisations represented that they had adequate policies and processes regarding the protection of personal data. 
The Data Breach Incident was simply an isolated incident that occurred due to the oversight of the APS employee. 16. Section 24 of the PDPA places a positive obligation on an organisation to make reasonable security arrangements to protect the personal data in its possession or under its control and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 17. In accordance with section 11(1) of the PDPA, the reasonableness of security arrangements made is objectively determined, having regard to what a reasonable person would consider appropriate in the circumstances. In the context of section 24, this means that an organisation is not required to provide an absolute guarantee for the protection of personal data in its possession, but that it must make such security arrangements as a reasonable person would consider appropriate, given the nature of the personal data involved and the particular circumstances of that organisation. 18. In assessing the reasonableness of security arrangements, the Commission will also take into consideration the factors set out in the Advisory Guidelines on Key Concepts in the PDPA: (a) the nature of the personal data; (b) the form in which the personal data has been collected (e.g. physical or electronic); and (c) the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data. Tigerair 19. As an organisation under the PDPA, Tigerair has the primary responsibility of ensuring that there are reasonable security arrangements in place to protect the personal data in its possession or under its control. Tigerair remains ultimately responsible even though it had engaged a data intermediary to provide ground handling services and process personal data on its behalf. 20. 
Under the Ground Handling Services Contract, Tigerair required SATS to establish and maintain local procedures to comply with the PDPA in its provision of services to Tigerair. 21. SATS was also required to carry out all services in accordance with Tigerair’s ground services manual (“Ground Services Manual”). The Ground Services Manual specifically provided that ground handlers were to adhere to the requirements of the PDPA, including the obligations to use personal data only for the purposes for which consent had been obtained, protect personal data in its custody, and prevent disclosure to unauthorised persons. 22. In the present context, the ground handling services fell under the responsibility of SATS and APS, both of whom had the responsibility of ensuring that in the provision of these services, personal data was adequately protected. In this regard, having imposed a contractual obligation on SATS to establish and maintain local procedures to comply with the PDPA, the Commission finds it reasonable for Tigerair to have expected SATS to carry out its obligations in accordance with the contract and the relevant sections of the Ground Services Manual. 23. Further, given that SATS was contractually accountable for APS’ provision of services, it was reasonable for Tigerair to have expected SATS to ensure that APS would implement reasonable security arrangements to protect the personal data that it processed on behalf of Tigerair. This is especially since Tigerair did not have oversight over the actions of APS’ employees. 24. Accordingly, the Commission finds that Tigerair had complied with its Protection Obligation under section 24 of the PDPA. SATS 25. 
SATS had, in its Service Agreement with APS for the sub-contracting of ground handling services for Tigerair, expressly required APS to comply with and ensure that the ground handling services were provided and performed in a manner which did not infringe any applicable laws, regulations and directions, including the PDPA. 26. In addition, SATS implemented the SATS Group Code of Conduct (“Group Code of Conduct”), which required all employees who may handle, receive, collect, use, disclose or transfer any personal data to comply with the PDPA and the Personal Data Protection Policy (“Group Data Protection Policy”). 27. The Group Data Protection Policy sets out guidelines on the physical measures that should be undertaken to protect personal data. Specifically, the guidelines recommended that there should be proper and secure disposal of documents containing personal data, such as requiring such documents to be shredded. APS was required to comply with both the Group Code of Conduct and the Group Data Protection Policy as it was a member of the SATS Group. 28. SATS also sent periodic updates and reminders to the SATS Group management and staff (including those from APS) to remind them about their data protection obligations under the Group Code of Conduct and the Group Data Protection Policy. Pertinently, SATS conducted annual “Control Self-Assessment” exercises as part of its enterprise risk management and required the General Manager of APS to confirm APS’ compliance with the Group Data Protection Policy. 29. In view of the above, the Commission finds that SATS made reasonable security arrangements and fulfilled its Protection Obligation under section 24 of the PDPA. APS 30. APS represented that it had put in place security arrangements and the Data Breach Incident was an isolated incident that occurred as a result of a lapse by an APS employee. 
Pursuant to section 53(1) of the PDPA, any act done or conduct engaged in by an employee in the course of his employment shall be treated as done or engaged in by his employer as well as by him, regardless of whether it was done or engaged in with the employer’s knowledge or approval. Accordingly, APS remains responsible for its employee’s conduct. 31. Although the Commission finds that APS did have some security arrangements in place, the Commission is not satisfied that APS fulfilled its Protection Obligation under section 24 of the PDPA. 32. As mentioned at paragraph 27 above, APS is part of the SATS Group, and all APS employees are required to comply with the Group Code of Conduct and the Group Data Protection Policy. The Group Code of Conduct was annexed to APS employees’ letters of employment and all new APS employees received a briefing on the requirement to comply with the PDPA during their employee induction programme. 33. However, APS relied solely on the administrative safeguards implemented by SATS, which applied to the organisations within the SATS Group. There was no evidence that APS provided additional information or implemented additional safeguards in order to contextualise the group level policies to its ground operations. In line with the Commission’s observation In the Matter of National University of Singapore that general guidelines did not necessarily translate into the kind of practices that were actually needed on the ground to protect personal data1, it is likewise important here that an organisation’s policies and training are contextualised to its operational setting. In this case, there was no evidence that APS had any procedure or policy of its own apart from the SATS Group Data Protection Policy. 34. 
Crucially, given that the personal data found in the Flight Manifest provided further access to personal information of an even more sensitive nature found on the “Manage My Bookings” portal, the impact to the passengers from the improper disposal was higher. Given the potential adverse consequences of unauthorised access to that personal data (from the initial and secondary exposure), APS should have afforded a high level of protection to such personal data, with greater attention given to the proper disposal of documents containing such personal data. The specific scenarios (like the present) where there are risks of data leaks through inappropriate handling or disposal of Flight Manifests that are likely to arise in ground operations (eg staff handling Flight Manifests at the gates) ought to have been part of the effort to translate and contextualise the group level policies for APS’s specific circumstances. 1 [2017] SGPDPC 5, at [32]. 35. Additionally, as the Commission observed In the Matter of National University of Singapore2, security policies and procedures are essential but they are only effective when properly and consistently implemented and followed by employees. Ongoing training on the organisation’s data protection obligations and the organisation’s data protection policies and procedures is key to fostering and maintaining a high organisational awareness of data protection concerns and to ensure that the data protection obligations under the PDPA are consistently understood and acted upon by employees. This was also observed by the Commission In the Matter of National University of Singapore3. Yet, as set out in paragraph 32 above, the only training that APS employees appeared to have received was a general data protection briefing during the employee induction programme for new employees. 36. APS should have provided customised training and regular refresher training for APS employees who routinely handled passengers’ personal data. 
APS processes the personal data of a large number of individuals, including passenger identification information such as the Flight Manifest, on a regular basis in the course of its duties. 37. Given the Commission’s findings on the lack of administrative and physical safeguards in place, the Commission finds that APS did not make reasonable security arrangements to protect the personal data it processed on behalf of Tigerair. 2 [2017] SGPDPC 5, at [25]. 3 [2017] SGPDPC 5, at [20] – [28]. D. THE COMMISSION’S DIRECTIONS 38. For the reasons set out above, the Commission has determined that APS did not comply with its Protection Obligation under section 24 of the PDPA. In exercise of the power conferred upon the Commission pursuant to section 29(1) of the PDPA, the Commission directs APS to: (a) conduct a review of its procedure for proper disposal of personal data in its possession and/or control; (b) introduce data protection policies that are contextualised and pertinent to the services provided by APS and functions performed by its staff; and (c) include a programme for initial and refresher training on its implementation by the APS staff in the course of its operations. 39. In assessing the breach and remedial directions to be imposed (including not imposing a financial penalty on APS in this case), the Commission considered various factors relating to the case, including the mitigating factors set out below: (a) the gate hold room where the Flight Manifest was disposed of was accessible only by passengers and airport staff; (b) the bin where the Flight Manifest was disposed of could reasonably be expected to be emptied regularly as part of routine maintenance; (c) the Flight Manifest held data that served as login credentials to individual passengers’ personal data on the “Manage My Bookings” portal. 
However, the information on the page was only accessible for a limited time until the last travelling date on the passenger’s itinerary; (d) there were no complaints of any actual unauthorised access to the “Manage My Bookings” page of any passenger. 40. The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA. Organisations should take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisations accordingly. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Directions,b32d291037e42478607d82bf4e86cf61437ede0d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,213,213,1,952,Directions were issued to Furnituremart for failing to make reasonable security arrangements to prevent the disclosure of the personal data of a customer.,"[""Protection"", ""Directions"", ""Wholesale and Retail Trade""]",2017-05-31,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---furnituremart-(310517).pdf,Protection,Breach of Protection Obligation by Furnituremart,https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-furnituremart,2017-05-31,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1611-B0319 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Furnituremart.sg (UEN 53169430E) … Organisation Decision Citation: [2017] SGPDPC 7 GROUNDS OF DECISION 31 May 2017 1. This is a case involving an organisation which had issued to its customer (the Complainant) an invoice which had a separate invoice (“second invoice”) containing personal data of another customer printed on the reverse side. 
In this regard, the other customer’s personal data was disclosed to the Complainant, comprising the following information of the other customer: a. Customer’s surname; b. Home address; c. Delivery address; d. Telephone number; and e. E-mail address. 2. The Complainant made a complaint to the Personal Data Protection Commission (the “Commission”) on 7 November 2016 of the disclosure that was made, and the Commission conducted an investigation into the matter. It now sets out the findings of its investigations below. A. MATERIAL FACTS AND DOCUMENTS 3. The Organisation is in the business of trading furniture, bedding, and other domestic products. Page 1 of 7 4. Whenever it issues its invoices, the Organisation’s procedure is to make three copies of every invoice: the first for the Organisation’s filing, the second for the customer, and the third for the customer to sign and return to the Organisation on delivery of the goods. 5. According to the Organisation, all signed copies of invoices are supposed to be returned to its office, and subsequently destroyed by its staff on a daily basis. 6. In this case, however, the returned invoice was put in a printer feed tray, and re-used as printing paper for the Complainant’s invoice. 7. In support of the foregoing, the Organisation provided the Commission with a document entitled, “Policies and internal guideline [sic] for the protection of personal data of customers as at November 2016”. The document provided for, amongst other things: (a) all invoices to be printed on new paper; (b) the supervisor to check that the invoices are printed on new paper instead of reused paper containing customer’s information; (c) the delivery man to check the invoices to ensure that the back of the invoices do not contain other customers' information; (d) the acknowledgment copy of the invoices to be destroyed after the delivery man returns the copy to the Organisation; and (e) the Organisation’s customer information to be kept safe. 
The Organisation claimed that some of the policies set out in the document had already been implemented prior to November 2016. 8. The Organisation admitted that none of its staff had undergone any training in respect of the Organisation’s obligations under the Personal Data Protection Act 2012 (“PDPA”). Further, no training was conducted to explain the Organisation’s own internal policies and guidelines to its staff. However, the Organisation claimed that management had briefed staff on the internal policies and guidelines at an unspecified meeting. B. COMMISSION’S FINDINGS AND ASSESSMENT (i) There was an unauthorised disclosure of personal data 9. The information disclosed by the second invoice is personal data within the meaning of section 2 of the PDPA, which requires that the individual may be identified from the data. Given that the surname of the customer was provided, along with the customer’s address, e-mail address, and telephone number, it was possible to identify that customer solely from the information disclosed by the second invoice. 10. Given that the disclosure of such information contained in the second invoice was made without consent or authority under the PDPA (or other written laws), it was an unauthorised disclosure of personal data under the PDPA. (ii) The unauthorised disclosure was the result of a breach of the Organisation’s obligation to make reasonable arrangements for the protection of personal data 11. The Organisation claims that the unauthorised disclosure was an isolated incident that occurred due to the negligence of its staff. Specifically, that someone accidentally placed the second invoice in the printing tray instead of destroying it. In this regard, it could be argued that the unauthorised disclosure was simply caused by a one-off mistake by the Organisation’s staff, and not due to any lack or failure to put in place “reasonable security arrangements” under section 24 of the PDPA. 12. 
From the Commission’s investigations, though, there were more deep-rooted problems with the Organisation’s processes, and it lacked the necessary policies and practices to protect personal data. These failures and omissions by the Organisation are detailed below. (a) The Organisation effectively did not have any policy in place to protect personal data 13. The Organisation had produced to the Commission a copy of its data protection policy which it says was put in place in November 2016. This is the same month in which the data breach had taken place. Prior to this, the Organisation claims it did not have a written policy on the protection of personal data. 14. The lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme. 15. In relation to the Organisation’s data protection policy itself, it consisted of a mere six bullet points. At least three of the six points in the policy relate coincidentally to the data breach incident – for example, it provides that the supervisor has to check that the invoices are printed on new paper instead of reused paper containing customer’s information. Additionally, the policy was put in place in the same period of time as the data breach incident. The combination of the timing and content of the policy raises suspicion, and the Commission cannot rule out the possibility, that it was created subsequent to the breach to address that particular incident. 16. 
Additionally, investigations did not reveal any evidence to show that steps were taken to implement the data protection policy that the Organisation had put in place. Some of the evidence that ought ordinarily to have been presented would be internal communications of the data protection policy to staff, internal briefings conducted to raise staff awareness and training events and collateral to educate staff. During the investigation, the Commission specifically asked the Organisation what other arrangements, apart from the policy documents that they had already produced, the Organisation had in place to mitigate the risk of an unauthorised disclosure of personal data on the printed invoices. The Commission also asked for documentary evidence of such arrangements. The Organisation replied that it had assigned “a supervisor” to ensure that signed invoices were destroyed at the end of each business day, and even suggested that the supervisor was there to check that “invoices were not printed on the reverse side of invoice paper”. However, there were several issues which cast doubt on the Organisation’s response: a. The Organisation did not produce any documentary or other proof of its processes and workflow to show the supervisor’s place and role in the relevant process or workflow; b. Likewise, there was no indication of the actions or tasks that the supervisor was supposed to perform as part of the supervisory checks in the overall invoice process; and c. There was no explanation why the supervisor did not pick up on the erroneous invoices (when that was the precise risk that the supervisor was tasked to spot). In the premises, the Commission assessed the Organisation’s claim that it had an effective supervisory check put in place as no more than a bare assertion that was not adequately supported by facts disclosed during investigations. 
In the final analysis, the Commission is not satisfied by the Organisation’s response that the Organisation had translated its policies (if any) to effective practices to protect personal data. 17. From the above, given the shortcomings in the Organisation’s data protection policy, and the absence of evidence in its implementation, the Commission is not satisfied that the Organisation had an effective data protection policy at the time of the data breach incident to protect personal data. 18. Next, the Organisation admitted that it did not provide any data protection training whatsoever to its employees. Again, staff training forms part of the effective measures to protect personal data. The Commission has emphasised the importance of training in its Advisory Guidelines1, and also in its decision In the Matter of National University of Singapore2. The Commission agrees with the view expressed by the Office of the Australian Information Commissioner: “Regular staff training, and a culture of privacy awareness are essential to ensure compliance.”3 1 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 15 July 2016) at [17.5]. 2 [2017] SGPDPC 5 at [21] to [28]. 19. Overall, it is clear that the Organisation did not make reasonable security arrangements for the protection of personal data: a. The Organisation’s data protection policy was formalised during the month that the data breach occurred and could have been formalised after the unauthorised disclosure took place; b. There was no evidence to show that steps had actually been taken to implement such policy prior to the breach; and c. Further, the Organisation admitted that its staff had no training whatsoever regarding their data protection obligations. (b) At a more basic level, the Organisation did not seem to engage in the issue of what it should do to protect personal data. It had simply relied on its employees carrying out their jobs correctly. 20. A further point must be made. 
Based on the Organisation’s representations, it would appear that the Organisation is essentially relying on its employees and staff carrying out their job functions correctly to say that this is a form of data protection measure in and of itself. If the employees and staff had printed and sent the correct invoice to the correct recipient, there would not be any data protection issue to begin with. 21. In the Commission’s view, it is not enough for the Organisation to simply rely on its staff and employees to carry out their duties correctly for the protection of personal data. An organisation has certain obligations with respect to personal data that it has collected and which it holds or has control over. One such obligation is to put in place policies and measures to protect the personal data and to prevent unauthorised use, disclosure or alteration. Policies pertinent and adapted to the Organisation’s business and processes ought to be crafted and disseminated to staff. Indeed, section 12(c) of the PDPA imposes an obligation for such policies and practices to be communicated to staff. An effective mode of communication is to provide training to staff, whether in traditional classroom settings or through other means such as online training. 22. Crucially, it is important for the management of a company to “buy-in” to adopting good data protection practices for the company. It is from this starting point – the management level – that the company’s policies and practices should be formulated with data protection in mind. From there, such good data protection policies and practices can permeate down to and be adopted at the staff level of the company. 3 Office of the Australian Information Commissioner, Introduction to the APPs and OAIC’s Regulatory Approach (May 2005) at p 24. 
The Commission agrees with the observation made by the Australian Information Commissioner and Privacy Commissioner of Canada in the joint investigation into Ashley Madison: “Having documented security policies and procedures is a basic organizational security safeguard, particularly for an organization holding significant amounts of personal information. Making informational policies and practices explicit provides clarity about expectations to facilitate consistency, and helps to avoid gaps in security coverage. It also sends key signals to employees about the importance placed on information security. Furthermore, such security policies and processes need to be updated and reviewed based on the evolving threat landscape, which would be very challenging if they are not formalized in some manner.”4 23. The above position also stresses the importance of having documented policies, as mentioned at paragraph 14 above. 24. It is also important that management actively supervises employees and takes responsibility for creating a culture of security-awareness. As observed by the Hong Kong Privacy Commissioner for Personal Data: “With sound security policies and procedures in place, there is no guarantee that they will be followed. In this regard, supervision and monitoring of the implementation of the procedures are important.”5 25. Similarly, in its investigation into Monarch Beauty Supply, the Office of the Alberta Privacy Commissioner found that the Store Manager and District Manager of the organisation had not been diligent, as they had simply assumed that employees would shred documents containing customers’ credit and debit card information, in line with the organisation’s policies. However, as management had not provided sufficient instruction on the care and disposal of sensitive documents, the employees in fact threw the documents into the dumpster, which resulted in customers’ personal data falling into the hands of criminal suspects.6 
Monarch Beauty Supply is an example of what could go wrong and the harm that results from disclosure of personal data due to insufficient follow-through on the part of management. The Commission therefore highlights that management has an obligation to establish the standard of care that it expects staff to observe, communicate and train staff, and to put in place appropriate supervision and monitoring to ensure compliance. 4 PIPEDA Report of Findings #2016-005: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner at [65]. 5 Investigation Report: Hong Kong Police Force’s Repeated Loss of Documents Containing Personal Data (R13 – 0407) at [38]. 6 Order P2006-IR-003: Monarch Beauty Supply [a division of Beauty Systems Group (Canada) Inc.] at [40(2)]. 26. In this case, for the reasons mentioned above, the Organisation did not have in place, whether at the management or staff level, the necessary policies to protect personal data. It has therefore failed in its obligation to protect personal data under section 24 of the PDPA. C. ENFORCEMENT ACTION BY THE COMMISSION 27. Given that the Organisation breached its obligation under section 24 of the PDPA, the Commission is empowered under section 29(1) of the PDPA to issue such directions as it thinks fit in the circumstances. 28. The Commission has decided to issue the following directions to the Organisation: a. To review its policy for the protection of personal data in relation to its order fulfilment process; b. To develop procedures to ensure effective implementation of its data protection policy; and c. To conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data. 29. The following mitigating factors were taken into account in arriving at this decision: a. The unauthorised disclosure was made to a single person only; b. 
The personal data disclosed was not sensitive; and c. There was no evidence that any loss or damage was caused by the unauthorised disclosure. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION",Directions,36a64b44f404c931de5370578f034bc3b5e25f6c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,214,214,1,952,Directions were issued to the National University of Singapore for failing to make reasonable security arrangements to prevent the disclosure of the personal data of some of its students.,"[""Protection"", ""Directions"", ""Education"", ""NUS""]",2017-04-26,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---national-university-of-singapore---260417.pdf,Protection,Breach of Protection Obligation by the National University of Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2017/04/breach-of-protection-obligation-by-the-national-university-of-singapore,2017-04-26,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1605-B0028 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And National University of Singapore ... Organisation Decision Citation: [2017] SGPDPC 5 GROUNDS OF DECISION 26 April 2017 1. A student of the Organisation had complained to the Personal Data Protection Commission (the “Commission”) that a URL link that was being circulated for the Organisation’s orientation camp had disclosed (without authorisation) the personal data of student volunteers from the College of Alice and Peter Tan (“CAPT”). CAPT is a residential college of the Organisation. 2. 
It was found that by following the URL link, one could access an online Excel spreadsheet containing the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers, and email addresses (the “personal data set”) of approximately 143 student volunteers. The student matriculation number is a unique student identification number issued by the Organisation. The matriculation number to a student is, in a limited sense, like an NRIC number to a Singapore citizen and permanent resident, in that it is required for various school activities, such as accessing online library resources, or for the submission of examination scripts. 3. Based on the complaint that was made, the Commission proceeded to investigate an alleged breach by the Organisation of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (“PDPA”). The following sets out the Commission’s findings following its investigations into the matter. Page 1 of 10 A. MATERIAL FACTS AND DOCUMENTS 4. The CAPT Freshman Orientation Camp (“FOC”) is an annual event organised by student volunteers from CAPT for the freshmen matriculating into the Organisation. The FOC in the present case was for the year 2016. 5. The Organisation had designated several student leaders to take the responsibility for organising the FOC. As part of the process of organising the FOC, these student leaders would recruit other student volunteers to participate as counsellors and assist in the running of the FOC. 6. To get themselves organised, the student leaders created an online form using Google Forms1 for the student volunteers to fill in their personal particulars. The particulars that were entered into the Google Forms were stored in a Google Sheets2 spreadsheet (the “Spreadsheet”), which compiled all the particulars of the various student volunteers in a single spreadsheet. 7. 
The Spreadsheet was meant to be shared amongst the student leaders only, and not to the student volunteers, or anyone else. For the purpose of sharing access to the Spreadsheet, a URL link to the Spreadsheet was generated through Google Sheets by selecting the “Share with specific people” function, and this URL link was then shared amongst the student leaders. Only specified persons could access the Spreadsheet as the URL link to the Spreadsheet required a user to first log in with his or her Google account. 8. While the Spreadsheet was initially circulated to specified people (i.e. the student leaders), at some point in May 2016, the Spreadsheet came to be circulated beyond the originally intended group. An unknown party, whether intentionally or otherwise, changed the setting on the Spreadsheet from “Share with specific people” to “Share using a link”. As a result, any user who possessed the URL link could access the Spreadsheet, and all the personal data set of the student volunteers contained within. 9. Consequently, the personal data set was now exposed to those who had access to the URL link, which may have extended to persons beyond the Organisation itself. 1 Google Forms – An online form creation application by Google. Users can create, edit and distribute the form easily, and save responses into a Google Sheet. See for more information. 2 Google Sheets – An online spreadsheet application by Google, which enables users to create, edit and share spreadsheets. Sharing spreadsheets allows multiple users to edit the same spreadsheet at the same time. See for more information. B. COMMISSION FINDINGS AND BASIS FOR DETERMINATION 10. The Organisation has not shied away from its responsibility for the data breach incident, and has confirmed that the FOC was an event that it had sanctioned. The Organisation has mentioned that any act done in the name of CAPT, which was authorised by the Organisation, was an act done in the name of the Organisation. 11. 
Given that the FOC activities were carried out in the Organisation’s name, the Organisation is ultimately responsible for ensuring that the personal data of its students is adequately protected pursuant to Section 24 of the PDPA. 12. In light of the events of this case, the relevant issue for determination is whether the Organisation had indeed complied with Section 24 of the PDPA. Whether the Organisation was in breach of Section 24 13. In its response to the Commission during investigations, the Organisation did not dispute the fact that the data breach had occurred. However, the fact that the data breach occurred is not necessarily indicative of a contravention of the PDPA. Rather, it is necessary to consider whether the Organisation’s safeguards that were in place at the material time were adequate having regard to the volume and type of personal data in question, and whether the safeguards were reasonable in the circumstances. The Organisation’s security arrangements at the material time 14. Security arrangements to protect personal data may take various forms, including administrative, physical, technical measures or a combination of these. According to the Organisation, it had, at the material time, implemented administrative safeguards, in the form of data protection training and guidelines, to adequately protect the personal data set in its possession and under its control: (a) Data protection training: The Organisation conducted classroom training in or around 2014 on the relevant data protection obligations that apply to the collection, use and disclosure of personal data for selected students who were likely to hold leadership roles. However, it would appear that the classroom training did not carry over to 2015. In 2015, the Organisation had instead provided all its students with access to e-training on the PDPA. 
This e-training appeared on the list of trainings available on the Integrated Virtual Learning Environment (“IVLE”) portal such that when students logged into the system, the e-training option would be visible to them. (b) Data protection guidelines: The Organisation issued guidelines for the students organising various events in the name of the Organisation to ensure that all student activities complied with the Organisation’s regulations. These guidelines were adapted to become the CAPT Event Planning Guidelines for Student Groups (“CAPT Guidelines”). The CAPT Guidelines contained a section titled “Responsible Usage and Access of Personal Data”. Students in charge of planning activities in the name of the Organisation who collected personal data, such as “name, Matric No., email address, HP number”, were reminded to “observe proper use and access to prevent potential data leakage and unauthorized/accidental access.” The Organisation did not provide adequate training for the student leaders 15. Although the Organisation had in place general policies and guidelines for the protection of personal data, when it came to the security arrangements on the ground, the Organisation did not have any formalised data protection training in place to train and equip its students with the mind-set, knowledge, skills and tools to protect personal data. 16. While the Organisation had made the e-training programme available on IVLE, the Organisation did not make it compulsory for all the student leaders of the FOC to undergo the e-training. In any case, the Organisation confirmed that none of the student leaders had undergone the e-training prior to the commencement of the FOC in 2016, even though the student leaders were involved in the handling of the personal data of other students. 17. With regard to classroom training, it appeared to have been held only once in 2014, and was only for the benefit of selected students. 
Although the Organisation claimed that it had plans to make this classroom training an annual event, no such plans had materialised by the time of the FOC in 2016. 18. In this regard, there was effectively no data protection training provided to the student leaders of the FOC in 2016. 19. The Organisation’s failure to provide adequate training for the student leaders before they handled personal data increased the risk of a data breach occurring. Even if a student leader had some knowledge of the PDPA, how that translated into the actual practice of protecting personal data was something that the Organisation would not be able to ensure. 20. We pause to set out how training falls as a consideration for ensuring adequate protection of personal data under the PDPA. Training as a type of security arrangement 21. Data protection training may fall under two separate data protection obligations – the openness obligation (Sections 11 and 12, PDPA) and the protection obligation (Section 24, PDPA). An organisation that is subject to the openness obligation is required to communicate to its staff information about its policies and practices, pursuant to section 12(c) of the PDPA. This communication of the data protection policies may necessarily involve some form of staff training. 22. While the openness obligation may not extend to student leaders who are not members of staff, data protection training may also be seen as an administrative security measure that is necessary for compliance with the protection obligation. In its advisory guidelines, the Commission provided examples of administrative security measures such as the conducting of “regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data”.3 [Emphasis added.] 23. 
In the UK, administrative or organisational security measures may encompass relevant and appropriate training of staff on the data protection obligations of the organisation, especially for employees that collect, use or disclose personal data.4 In describing the management and organisational measures that an organisation should put in place, the UK’s Information Commissioner’s Office highlighted the importance of staff training and stated that: “[i]t is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy; and that they put its security procedures into practice. So you must provide appropriate initial and refresher training…”5 [Emphasis added.] 24. Similarly, in Canada, the Office of the Information & Privacy Commissioner for British Columbia expressly stated in the case of Park Royal Medical Clinic that “administrative security, which encompass policies and training regarding privacy is another important component” of the obligation to make reasonable security arrangements.6 In another case, the Office of the Privacy Commissioner of Canada (“OPC”) explained that whilst security policies and procedures are essential, they are not in themselves sufficient to protect personal information; the effectiveness of security safeguards depends on the organisation’s: “[d]iligent and consistent execution of security policies and procedures [which] depends to a large extent on ongoing privacy training of staff and management, so as to foster and maintain a high organizational awareness of informational security concerns”.7 3 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 15 July 2016) at [17.5]. 4 Peter Carey, Data Protection: A Practical Guide to UK and EU Law (OUP, 4th Ed, 2015) at p 126. 5 Information Commissioner’s Office, Information security (Principle 7) (25 October 2016) at 4. 25. 
In a separate investigation, the OPC further clarified its position and stated that security policies and practices are only effective when “properly and consistently implemented and followed by employees”.8 26. In Hong Kong, the Office of the Privacy Commissioner for Personal Data stated in its Code of Practice on Human Resource Management that employees “play the principal role in implementing an employer’s policies on the security of personal data”. Organisations should take reasonably practicable measures to ensure that employees handling personal data are trained to observe the personal data privacy policies, exercise due diligence in the application of those policies, and are subject to procedures designed to ensure their compliance with those policies.9 This statement is in line with Principle 4 of Hong Kong’s Personal Data (Privacy) Ordinance, i.e. security of personal data.10 27. Overall, the foreign data protection authorities all seem to agree that the data protection training provided by an organisation may constitute a type of administrative or organisation security measure, and that this training has an impact on the proper implementation of that organisation’s data protection policies and practices. 6 Order P15-01: Park Royal Medical Clinic 2015 BCIPC 20 at [58]. 7 PIPEDA Case Summary #2008-395: Commissioner initiates safeguards complaint against CIBC, second bullet point in the “Lessons Learned” section at p 1. 8 PIPEDA Report of Findings #2016-005: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner at [74]. 9 Office of the Privacy Commissioner for Personal Data, Hong Kong, Code of Practice on Human Resource Management (April 2016) (First Revision) at [1.4.1]. 10 Personal Data (Privacy) Ordinance (Chapter 486) (Hong Kong) Schedule 1, Principle 4. 28. The above positions are useful in our case here. 
In the Commission’s view, a formalised data protection training for the student leaders for the FOC would be beneficial in several aspects. Not only would it inform the student leaders of the PDPA, but it would also sensitise them to their personal data protection obligations. Further, it also trains the students on the practices to be adopted, rather than merely paying lip service to the PDPA obligations or to the Organisation’s policies. Additionally, it may provide some guidance for students to go about their tasks when it comes to handling personal data. Organisation’s breach of Section 24 of the PDPA 29. As mentioned above, the Organisation did not have in place any formalised training for the student leaders, even though it was reasonably foreseeable that they would be handling personal data in the course of organising the FOC. 30. The FOC was an event that involved many students, and would potentially involve the handling of many students’ personal data. The Organisation ought to have at least ensured that the student leaders organising and running the FOC had the proper training to deal with and protect the personal data that they would handle. Moreover, since the FOC was an event that takes place annually, the Organisation could have anticipated and planned for some form of training to be provided to the student leaders that were handling the personal data. 31. Since the FOC was an annual event, the training that can be provided can also be customised to the FOC and the data processing activities that will foreseeably be carried out. Such customisation could be based on considerations such as (a) to whom the training should apply (i.e. confined to just the student leaders or extending also to student volunteers); (b) the most effective way of disseminating best practices to all who may come into contact with personal data; and (c) the frequency and timing of such training. 
To be clear, the Commission is not setting down any rule that mandates formalised classroom training. The Organisation should adopt a mode of training that it considers to be effective and expedient, having regard to these factors. 32. In this case, it was not enough for the Organisation to rely solely on the CAPT Guidelines in order to protect personal data. Apart from the fact that it was unclear whether the student leaders were fully apprised of the CAPT Guidelines, the CAPT Guidelines did not necessarily translate into actual processes that would enable the student leaders to comply with the data protection obligations in practice. Proper guidance is not easily substitutable or replaceable by general guidelines that an organisation may set. 33. In view of the fact that the Organisation did not put in place adequate training for the student leaders, the Commission finds that the Organisation failed to make reasonable security arrangements to protect the personal data in its possession and/or under its control and is in breach of Section 24 of the PDPA. C. THE COMMISSION’S DIRECTIONS 34. The Commission is empowered under Section 29 of the PDPA to give the Organisation such directions as it deems fit to ensure the Organisation’s compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million as the Commission thinks fit. 35. In assessing the breach and determining the directions to be imposed on the Organisation in this case, the Commission took into account the following factors: (a) a significant number of individuals (approximately 143 students) were affected by the data breach incident; (b) the potential adverse consequences from a misuse of the student matriculation number by other persons. For example, passing off as a student to carry out identity theft, or even carrying out pranks or nuisances in the student’s name. 
It was however noted that the student matriculation number is used as an identifier for the duration of the student’s undergraduate or postgraduate course and not for an extended period of time; and (c) the Organisation was cooperative with the Commission and forthcoming in its responses during the Commission’s investigation. 36. Pursuant to Section 29(2) of the PDPA, and having completed its investigation and assessment of this matter, the Commission is satisfied that the Organisation was in breach of the protection obligation under Section 24 of the PDPA. The Commission has decided to issue directions to the Organisation, pursuant to Section 29 of the PDPA, in respect of the Organisation’s breach of Section 24 of the PDPA. 37. The Commission had provided its preliminary grounds of decision and directions to the Organisation directing the Organisation to essentially (a) implement mandatory training for its student volunteers within 60 days and (b) provide an update to the Commission of the training arrangements it had put in place. 38. The Organisation’s Data Protection Office accepted the Commission’s findings but made representations in respect of the preliminary directions, requesting: (a) for a longer duration of 120 days for the Organisation to fully implement the necessary training modules for its student leaders, which will apply to not just future freshman activities, but for other activities sanctioned by the Organisation; and (b) that the direction for mandatory training should refer to “student leaders”, which should take the following suggested meaning: “any undergraduate or post graduate student of [NUS] who has been appointed or is part of any committee tasked to organize any event/activity officially approved or sanctioned by [NUS]”. 39. The Commission has considered and accedes to the representations. 
While the Commission generally has the power to impose such directions as it deems fit in the circumstances, the Commission is prepared to consider representations from organisations on the grounds of decision and the form of directions to be issued, especially since directions ought to be adapted or customised to their operations or practices to be effective in addressing the particular shortcomings that had been identified during investigations. In the present case, the Commission accepts the representations since they do not detract from the key principles, functions and purposes of the Commission’s grounds of decision and directions. 40. However, the Commission clarifies that its directions are tailored to enable the Organisation to effectively address the shortcomings that had been identified during investigations. In this regard, while the Organisation has been directed to put in place mandatory training for student leaders of officially approved or sanctioned activities, that does not mean that for other types of activities, there is no need for the Organisation to put in place policies, create awareness or provide voluntary training. The PDPA imposes a free standing and continuing obligation on the Organisation to ensure that its policies are effective in implementing the requisite standard of personal data protection. It behoves the Organisation to consider whether, beyond the directions issued in this case, any further arrangements are necessary. 41. 
Having carefully considered all the relevant factors of this case, the Commission hereby directs that: (a) the Organisation to, within 120 days from the date of the Commission’s directions: (i) design training (including online training and dissemination of training materials) that would address personal data protection in the context of the collection and processing of personal data for student events and of the resulting interaction; (ii) make arrangements for such training to be mandatory for any student leader. For the avoidance of doubt, a student leader is defined as any undergraduate or post graduate student of the Organisation who has been appointed or is part of any committee tasked to organize any event or activity officially approved or sanctioned by the Organisation; (iii) make other arrangements as would be reasonably required to meet the objectives in 41(a)(i) and 41(a)(ii); and (b) by no later than 14 days after the above action has been carried out, the Organisation shall, in addition, submit to the Commission a written update providing details on the arrangements for the training for student leaders managing personal data for student events officially approved or sanctioned by the Organisation. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION",Directions,dafeb9f9b760642c9a5c2ba2036a18117c600223,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,232,232,1,952,"Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. 
The organisation was also penalised for its lack of data protection policies.","[""Consent"", ""Purpose Limitation"", ""Notification"", ""Directions"", ""Others""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf,"Consent, Purpose Limitation, Notification",Breach of Consent and Other Obligations by Universal Travel Corporation,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. 
Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when the list was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the Respondent’s response to the Commission during the investigation, the Respondent confirmed to the Commission that it did not obtain consent from the 37 passengers to disclose their personal data to other parties. It also mentioned that none of the passengers had authorised the release of their personal data to third parties. The Respondent confirmed to the Commission that it also did not have any personal data policy in place at the material time. C. COMMISSION FINDINGS AND BASIS FOR DETERMINATION 7. The issues in this case to be determined are as follows: i. Has the Respondent complied with sections 13¹ and 20² of the Personal Data Protection Act 2012 (“PDPA”) in disclosing the personal data to the customers of the Balkans Tour? ii. Was the disclosure of the personal data made in accordance with section 18 of the PDPA,³ i.e. for purposes that a reasonable person would consider appropriate in the circumstances? iii. Has the Respondent complied with section 12(a) of the PDPA⁴ in developing and implementing policies and practices necessary to meet its obligations under the PDPA? Contraventions by the Respondent under sections 13 and 20 of the PDPA 8. 
The Commission notes that the Respondent intentionally sent the passenger list to the four individuals who had requested confirmation of the flight cancellation. 9. However, the Respondent had not sought or obtained any of the 37 passengers’ consent in disclosing their information contained in the passenger list to the other individual(s) who were requesting the formal confirmation from the Respondent. In this regard, the Respondent did not have the requisite consent from the 37 passengers to disclose their personal data to other individual(s) under section 14 of the PDPA. 10. In relation to whether the 37 passengers could be deemed to have consented to the disclosure of the personal data under section 15 of the PDPA, the Commission finds that no such deemed consent can be imputed on the facts. The Commission notes that when the 37 passengers voluntarily provided their personal data to the Respondent, the purposes for providing their personal data did not include the purpose of allowing another passenger(s) to process his/her insurance claim. This is fortified by the Respondent’s confirmation that none of the passengers had agreed or authorised the release of their personal data to a third party. The Commission notes that each individual only required his or her flight details and confirmation of the flight delay in order to process his or her insurance claim. 11. In its submissions to the Commission, the Respondent claimed that the exception provided for in paragraph 1(a) of the Fourth Schedule of the PDPA (the “exception”) applied⁵ to the case and hence it was not required to seek the consent of the individuals concerned for the disclosure of the 37 passengers’ personal data. 12. Having considered the context and circumstances of the case, the Commission concludes that the aforesaid exception does not apply for the following reasons: i. 
“Interests of the individual” under Paragraph 1(a) of the Fourth Schedule should refer to the interests of the data subject. Disclosing the personal data of other passengers to a fellow passenger for the purpose of enabling that passenger to make a claim against his travel insurance policy for himself cannot be said to be in the interest of any one or all of the other passengers. ii. It does not appear obvious to the Commission that in order to make an insurance claim, details of all other affected passengers on the Balkans Tour had to be disclosed. For one, the Respondent could have provided the confirmation with only the details of the individual making the insurance claim. Alternatively, the other passengers’ details could have been removed or redacted from the list when it was forwarded to the recipients. There is no suggestion otherwise that these actions could not be carried out. iii. There is nothing to suggest that consent for disclosure could not be secured from the passengers in the list in a timely manner, or that there was urgency in the matter which warranted the consent from the other passengers to be dispensed with. 13. In the circumstances, by disclosing the passenger list containing the personal data of the 37 passengers without obtaining their prior consent, the Respondent had contravened section 13 of the PDPA. Additionally, since the Respondent had also not informed them of the purposes for which it was disclosing their personal data, it is also in breach of section 20 of the PDPA. Disclosure of personal data was not for purposes reasonable or appropriate in the circumstances or for purposes that the individual has been informed of under section 20 14. In view that the disclosure of the entire passenger list goes beyond supporting an individual customer’s insurance claim (as set out in paragraphs 12i and 12ii above), the disclosure could not be for purposes that a reasonable person would consider appropriate in the circumstances. 15. 
In addition, since the Respondent had not informed the passengers of the purposes for which it was disclosing their personal data, it was also not in compliance with section 20 of the PDPA. 16. In this regard, the Respondent was also in breach of section 18 of the PDPA. Failure to develop and implement policies and practices necessary to meet obligations under the PDPA 17. Given that the Respondent had not put in place data protection policies to ensure compliance with the PDPA at the material time when the data breach transpired, as confirmed by the Respondent in its response to the Commission’s request for information and documents on 13 August 2015, the Respondent was in breach of section 12(a) of the PDPA. 18. The Commission notes from the Respondent’s response of 24 August 2015 that the Respondent is taking steps to set up guidelines with regard to the use and disclosure of customers’ personal data to comply with section 12(a) of the PDPA. D. ENFORCEMENT ACTION TAKEN BY THE COMMISSION 19. Given the Commission’s findings that the Respondent is in breach of its obligations under sections 12(a), 13, 18 and 20 of the PDPA, the Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 20. In exercise of the power conferred upon the Commission pursuant to section 29 of the PDPA, the Commission directs the Respondent to take the following steps: i. To put in place within 3 months a data protection policy and internal guidelines to comply with the provisions of the PDPA and, in particular, to prevent future recurrences of the breaches that have occurred in this matter; ii. To inform within 2 weeks the individuals who received the passenger list not to disclose the list to other third parties; iii. 
For all employees of the Respondent handling personal data to attend a training course on the obligations under the PDPA and the organisation’s data protection policies within 6 months from the date of this decision; and iv. To inform the Commission of the completion of each of the above within 1 week. 21. On balance, the Commission has decided not to impose a financial penalty on the Respondent in view of the overall circumstances of the matter, namely: i. that the disclosures were made to a limited number of persons and to their personal email addresses; ii. that the personal data that was disclosed related to a limited number of individuals; iii. that the disclosures were not due to a systemic issue that could result in further disclosures being made or further harm being caused; iv. that the disclosures appear to have been caused by the lack of awareness on the Respondent’s employees’ part of data protection obligations; and v. that the disclosures were bona fide mistakes made by the Respondent’s employees who were seeking to assist the passengers with their insurance claims, and not one where there was a wilful disregard for the provisions in the PDPA. 22. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION ¹ Section 13 of the PDPA prohibits an organisation from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data. This provision is also to be read with sections 14, 15 and 20 of the PDPA. 
² Section 20 of the PDPA requires, amongst other things, that an organisation informs an individual of (a) the purposes for the collection, use or disclosure of personal data, on or before collecting the personal data; and (b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a) above before the use or disclosure of the personal data for that purpose. ³ Section 18 of the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes (a) that a reasonable person would consider appropriate in the circumstances; and (b) that the individual has been informed of under section 20, if applicable. ⁴ Section 12(a) of the PDPA provides that an organisation shall develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation. ⁵ Paragraph 1(a) of the Fourth Schedule of the PDPA states that an organisation may disclose personal data about an individual without the consent of the individual if the disclosure is necessary for any purpose which is clearly in the interests of the individual and if consent for its disclosure cannot be obtained in a timely way. 
",Directions,5a0ff182bd0082f840e509fc39079487ae98fb3a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-12-14T14:54:52+00:00,0e20feac9c1e16c30580baa727a897e3bfcf8791,483,243,1,958,Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate.,"[""Consent"", ""Notification"", ""Purpose Limitation"", ""Directions"", ""Others""]",14 Dec 2023,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf,"Consent, Notification, Purpose Limitation",Breach of the Purpose Limitation Obligation by Tipros,https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros,2023-12-14,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. 
Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What was problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number, in its response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was ascertained that the Organisation’s place of business was vacant and its registered office was occupied by another business which was not related to the Organisation. Thus, a Notice to Produce Documents and Information for Investigation (“NTP”) was delivered by hand on 25 October 2022 to the residential address belonging to the Organisation’s sole proprietress, one Er Lee Cheng @ Angela Er Wei Leng (“Angela”). The Organisation failed to respond by the stated deadline. 7. Thereafter, the Commission issued three further notices to Angela to attend interviews, which were delivered by hand to Angela’s residential address on 8 November 2022, 15 December 2022, and 10 January 2023. 8. 
Following these notices, an individual claiming to be Angela contacted the Commission through an unlisted number on various occasions, namely 11 November 2022, 17 November 2022, and 27 December 2022, and declined our request to attend an interview, or to schedule any other alternative dates for an interview. 9. The Commission is satisfied that the Organisation had received due notice of our investigative proceedings. Given the Organisation’s refusal to respond to our NTP and our notices to attend an interview, the Commission proceeded with its investigations based on the evidence available to it. 10. The Commission is satisfied on a balance of probabilities that the Organisation’s responses which disclosed the complainant’s personal data had been posted by the Organisation for the following reasons: first, the Google reviews page reflects the name of the Organisation; and second, the Organisation has a direct and material interest in the reviews given by the complainant and other individuals on the Organisation’s Google reviews page. Findings and Basis for Determination 11. Based on the circumstances disclosed above, the Commission’s investigations centered on whether the Organisation had breached the Purpose Limitation Obligation under section 18 of the PDPA. The Purpose Limitation Obligation under section 18 of the PDPA 12. Under section 18(a) of the PDPA, organisations may collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and — under section 18(b) — that the individual had been informed of prior to the intended collection, use or disclosure (the “Purpose Limitation Obligation”). 13. I had previously discussed the ambit of when it would be acceptable for an organisation to disclose personal data when responding to public comments in M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and in Big Bubble Centre [2018] SGPDPC 25. 
In Re M Stars Movers, I stated at [18] and [19] as follows: “The Deputy Commissioner advises caution in disclosing personal data when responding to public comments. An organisation should not be prevented or hampered from responding to comments about it using the same mode of communications that its interlocutor has selected. In some situations, it may be reasonable or even necessary to disclose personal data in order to advance an explanation. … An individual who makes false or exaggerated allegations against an organisation in a public forum may not be able to rely on the PDPA to prevent the organisation from using material and relevant personal data of the individual to explain the organisation’s position on the allegations through the same public forum. The following observations may be made in this context about the approach that the Commission adopts. First, the Commission will not engage in weighing allegations and responses on golden scales in order to establish proportionality. The better approach is to act against disclosures that are clearly disproportionate on an objective standard before the Commission intervenes in what is essentially a private dispute…” 14. When an individual chooses a public platform to pass comments about an organisation, the organisation is fully entitled to respond on the same platform in a proportionate and reasonable manner. In such circumstances, the individual had initiated the communication and selected the public platform. The nature of the individual’s comments will determine whether a response from the organisation is necessary. Where the nature of the individual’s comments invites a response for the purpose of advancing an explanation, such a purpose is considered reasonable in the circumstances under section 18(a). In advancing an explanation, it may be necessary to use or disclose relevant facts in order for the explanation to be effective. 
Such disclosure is reasonable in the circumstances provided that the extent of disclosure is proportionate. 15. Further, the requirement under section 18(b) read with section 20(1)(b) that the individual be informed of the purpose prior to use or disclosure is also met in these circumstances. The raison d’être for this requirement is to keep the individual informed of the purposes for which his or her personal data is to be used or disclosed, unless such use or disclosure is for purposes that are authorised by law. In cases such as the present, the individual initiated the communication and the nature of his or her comments shapes the organisation’s response. As long as the organisation’s response is for a reasonable purpose that is a natural consequence of the individual’s comments, the individual is deemed to have been informed of such purpose. Thus, where an individual makes a complaint on a public platform in relation to an interaction with the organisation, it is natural that the organisation responds on the same platform for the purpose of providing an explanation. And if use or disclosure of personal data is necessary for such a purpose, the individual is deemed to have been informed prior to such use or disclosure since it is the individual’s earlier actions that had elicited the response. 16. In the present case, I am of the view that the Organisation’s disclosure of the complainant’s personal data was unreasonable and disproportionate. The complaint related to the poor standard of service that the Organisation delivered. 17. The complainant alleged that two weeks after the Organisation repaired his or her refrigerator, the refrigerator stopped working. 
The complainant was aggrieved that the Organisation sought a payment of $80 ($20 transport fees and $60 checking fees) to check on the refrigerator two weeks after the Organisation fixed the refrigerator, and that the Organisation’s technician was supposedly not available over the weekend when the complainant had only engaged the Organisation because the Organisation had supposedly advertised itself as providing round-the-clock service. Given the grievances flagged in the complainant’s review, there was no issue about the location for delivery of the service. Thus, it was unnecessary for the Organisation to disclose the complainant’s residential address. In the same vein, I do not see how disclosure of the complainant’s mobile number was necessary to advance an explanation in response to the complaint. The Commission’s Decision 18. Based on the facts established, the Commission finds the Organisation in breach of its obligation under section 18(a) of the PDPA. The Organisation’s failure to respond to the NTP and refusal to attend an interview are duly considered as aggravating factors. As the Organisation had not taken any action to remove or amend its response to the complaint, there are no mitigating factors to speak of. 19. In the circumstances, I hereby direct the Organisation to: (a) Remove the disclosure of the complainant’s residential address and mobile number in its response to the complainant’s comments on the Organisation’s Google reviews page; and (b) Review the 13 other responses on the Organisation’s Google reviews page where it had also disclosed personal data of other customers in response to their reviews, and to remove disclosure of personal data if such disclosure is not reasonable or proportionate in order for the Organisation to respond to the Google reviews. The Organisation is given 30 days to comply with these directions. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,acd36e3274c5e29fe0627b24b99136461cdd6c47,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"