_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,37,37,1,952,Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA.,"[""Accountability"", ""Directions"", ""Construction"", ""No DPO""]",2022-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf,Accountability,Breach of Accountability Obligation by ACL Construction (S),https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction,2022-04-21,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the darkweb by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days ago, three ACL staff - a designer and two sales executives had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. 
The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project document and photographs; and (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals, commonly known as a Data Protection Officer (“DPO”), to be responsible for ensuring that the Organisation complies with the PDPA, as required under section 11(3) of the PDPA. The Organisation’s omission to have any data protection policies in place meant that it was also in breach of section 12(a) of the PDPA. 6. The Commission is cognizant that by virtue of the nature of the Organisation’s business, the Organisation primarily deals with business contact information from its corporate clients. 
Having said that, while no personal data may have been affected as a result of the Incident, the Organisation still has to comply with the accountability obligation, as set out in sections 11 and 12 of the PDPA so as to protect the personal data of its employees, and any other personal data it may incidentally process, come into control or possession of. 7. The Commission notes that after the Incident, the Organisation took prompt remedial actions and duly appointed a member of its staff to be responsible for ensuring that the Organisation complies with the PDPA. 8. Nonetheless, bearing in mind the Organisation’s low level of awareness of its obligations under the PDPA, the Commission considered that it would be most appropriate in lieu of imposing a financial penalty, to direct the Organisation to comply with the following: a. To develop and implement policies and practices to comply with the provisions of the PDPA; and b. Put in place a programme of compulsory training for employees of ACL on compliance with the PDPA when handling personal data. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Compliance with PDPA 11(3). An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. Policies and practices 12(a). An Organisation must develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. ",Directions,e5d93d363b4513ab709353939decc81ce04eb8a1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,120,120,1,952,Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. 
Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.,"[""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf,Accountability,Breach of the Accountability Obligation by Saturday Club,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. ",Directions,d047195a60d37294c9b55687dc7b54978590b389,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,131,131,1,952,iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. 
iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training.,"[""Accountability"", ""Directions"", ""Information and Communications""]",2019-11-04,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf,Accountability,Breach of the Accountability Obligation by iClick Media,https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media,2019-11-04,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. 
",Directions,bf9f246a0db6172bb647c44e87dcaa6e5793dce4,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,141,141,1,952,"A financial penalty of $5,000 was imposed on Executive Link Services for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Accountability"", ""Financial Penalty"", ""Employment""]",2019-09-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Executive-Link-20082019.pdf,Accountability,Breach of the Accountability Obligation by Executive Link Services,https://www.pdpc.gov.sg/all-commissions-decisions/2019/09/breach-of-the-accountability-obligation-by-executive-link-services,2019-09-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 30 Case No DP-1806-B2237 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Executive Link Services Pte. Ltd. …Organisation(s) DECISION Executive Link Services Pte. Ltd. [2019] SGPDPC 30 Mr Yeong Zee Kin, Deputy Commissioner – Case No DP-1806-B2237 23 August 2019 Background 1. On 11 June 2018, Executive Link Services Pte. Ltd. (the “Organisation”) reported a data breach to the Personal Data Protection Commission (the “Commission”) concerning the unintended disclosure of personal data of individuals that were stored on the Organisation’s server (“Incident”). The Commission investigated the Incident and determined that the Organisation had breached its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material facts 2. The Organisation is an employment agency. Sometime before 8 June 2018, one of the Organisation’s clients engaged a cybersecurity company to scan the Internet for information relating to the client. 
During this scan, the cybersecurity company was able to gain access and retrieve copies of draft contracts of job candidates from the Organisation’s server. The Organisation was alerted on 8 June 2018. In total, resumes of 367 individuals (the “Affected Individuals”) and around 150 draft contracts relating to some of those individuals, together with the personal data therein (the “Compromised Personal Data”), were exposed to unauthorised disclosure in this manner. 3. The Compromised Personal Data included the following: (a) the individual’s name, address, contact number, email address(es), education level, salary expectation and employment history (in relation to the resumes); and (b) the individual’s name, address and salary information (in relation to the draft contracts). Events leading to the Incident 4. The Organisation had implemented remote access for staff to access internal files stored on its data storage server. This required the use of a Virtual Private Network (“VPN”) service. The server was supplied by Blumm Technology Pte. Ltd. (“Blumm”) and installed and set up by the Organisation’s information technology (“IT”) vendor, SShang Systems (“SShang”). SShang provided IT support services to the Organisation, eg upgrading and configuration of hardware, and general IT troubleshooting. When staff had difficulties with VPN access, the Organisation approached SShang for assistance. SShang was, in turn, advised by Blumm to adopt a workaround, by opening and enabling file access through the server’s file transport protocol (“FTP”) port (the “VPN Workaround”). Blumm also advised SShang to password-protect the folders within the server after the FTP port was opened. 5. 
When SShang implemented the VPN Workaround, it did not advise the Organisation about password-protecting the folders on the server because it assessed that there was little or no risk of unauthorised access to the folders since remote access was limited to staff. Although the Organisation had only intended to test the VPN Workaround for a few days, it was during this period that its client discovered the Compromised Personal Data on its server. 6. In the course of the Commission’s investigation, the Organisation also admitted that it had not appointed a DPO and that it did not have any policies, internal guidelines or procedures on the collection, use and disclosure of personal data and other matters required under the PDPA. Findings and Basis for Determination Issues for determination 7. Based on the facts of the case, the issues to be determined are as follows: (a) Whether the Organisation had complied with its obligation to protect personal data under section 24 of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“DPO”) and develop and implement data protection policies and practices under sections 11(3) and 12 respectively of the PDPA; Whether the Organisation complied with its obligation under section 24 of the PDPA 8. At all material times, the Compromised Personal Data was in the Organisation’s sole possession and control. SShang was engaged to provide IT support services but was not engaged to process personal data. Blumm supplied the server and had assisted to open the server’s FTP port to enable the VPN Workaround, but it was not engaged to process personal data. Hence, both SShang and Blumm were not data intermediaries. Hence, the responsibility to protect the Compromised Personal Data fell squarely and solely on the Organisation. 9. 
The question is whether the Organisation had failed to take reasonable steps to protect the Compromised Personal Data. It should be noted from the outset that this was not a case involving a server hosting a website that was meant to be accessible on the World Wide Web. It was an internal server that was meant to be accessed by staff remotely through the Internet. There are subtle but significant differences between the two. A website on the World Wide Web is by its nature intended to be more easily linked from other websites, and to be discovered by search engines and directories. Remote access to a server via the Internet requires the member of staff to use VPN software or know the precise Internet Protocol (“IP”) address. It is not usually crawled by online search engines. But that is not to say that it cannot be discovered. It can be, by using the right tool to scan a known set of IP address range, as was done in this case by the cybersecurity company. The footprint is smaller and the risk is lower, but that does not in any way mean that the risk does not exist. 10. The Organisation did not have requisite IT knowledge and depended on its outsourced IT support services provider. Its duties as owner of the server and controller of the Compromised Personal Data include making its requirements known to SShang and asking the right questions from the perspective of a business owner. It can rely on SShang’s technical know-how. In this case, the Organisation was aware of the risks and had implemented VPN access for its staff. When there were difficulties with the VPN access and SShang was called upon to troubleshoot, it was a natural and reasonable expectation that any workaround recommended would not materially compromise its requirement for security. It is not unreasonable for the Organisation to have expected that any such material deviation– particularly when the security level is lowered – would be drawn to its attention. 11. 
Of course, the Organisation could have asked about the security of VPN Workaround. But is it reasonable to expect this level of pedantry? I am mindful that when troubleshooting IT issues, there is a degree of urgency and need for speed to implement workarounds, identify root causes and implement permanent solutions. In these circumstances, the operating assumption should be that existing business rules continue to be relevant. However, I am of the view that since the VPN Workaround touched on secured remote access, the Organisation could have sought clarification of the impact of the VPN Workaround on its requirements for security. 12. In this case, SShang had been advised by Blumm to enable password protection. SShang had assessed that there was no need to do so as remote access was limited to staff and there was little or no risk of unauthorised access to the folders. We do not know what SShang would have informed the Organisation had the Organisation sought clarification. However, even if SShang shared its assessment and maintained its advice that it was not necessary to enable password protection, the Organisation would not have known better and would have relied on the advice. In light of these circumstances, I am giving the Organisation the benefit of doubt and will not make a finding of breach of its protection obligation under section 24 of the PDPA. Whether the Organisation complied with its obligations under sections 11(3) and 12 of the PDPA 13. The remaining two issues are straightforward. Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. This individual is typically referred to as the DPO. 
Further, section 12 of the PDPA requires organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its employees (among other obligations). The importance of these requirements has been emphasized multiple times in previous decisions.1 1 See Re Aviva Ltd [2017] SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re Singapore Taekwondo Federation [2018] SGPDPC 17 at [39] to [42]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [4] to [5]. 14. In view of the Organisation’s admissions that it had not appointed a DPO and had not developed and implemented any policies, internal guidelines or procedures on the collection, use and disclosure of personal data, I find the Organisation in breach of sections 11(3) and 12 of the PDPA. Remedial Actions by the Organisation 15. After being informed of the Incident by its client, the Organisation closed the FTP port on the same day. The Organisation also took the following additional steps: a. Shut down the server permanently and replaced it with a new server; b. Installed a firewall for the new server and implemented access to the new server via VPN, which requires the use of passwords (thereby limiting access to the data stored on the server); c. Implemented password policies for its employees for the use of the VPN; d. Engaged a cyber-security firm to conduct a network vulnerability assessment on its new server, which found no vulnerabilities; e. Appointed a data protection officer; f. Drafted and implemented policies on the handling of personal data; and g. Provided data protection training for its employees. The Deputy Commissioner’s Directions 16. In assessing the breach, I took into account the following mitigating factors: a. 
The Organisation was cooperative with the Commission during its investigation and was prompt and forthcoming in its responses to queries posed by the Commission; b. The Organisation took swift and extensive remedial action following the Incident; c. The duration that the Compromised Personal Data was at risk was only for a limited time period. The Organisation was alerted to the Incident only a few days after the FTP port was opened to enable the VPN Workaround, and the Organisation took swift action thereafter to remove such access; and d. The VPN Workaround was only intended to be a temporary measure, and the Organisation had intended to revert back to the use of the VPN. Thus, the potential for unauthorised disclosure of the Compromised Personal data would have been limited in any event. 17. Having considered the facts of this case and the factors outlined above, I hereby direct the Organisation to pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court2 in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION 2 Cap 322, R5, 2014 Rev Ed. ",Financial Penalty,738ff8a1f74b23bb71dfc2235015dbfcd02e2751,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,146,146,1,952,"Directions, including a financial penalty of $5,000, were imposed on Championtutor for breaches of the PDPA. 
The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Accountability"", ""Financial Penalty"", ""Education"", ""Tuition"", ""Education""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Championtutor---220719.pdf,Accountability,Breach of the Openness Obligation by Championtutor,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-openness-obligation-by-championtutor,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 25 Case No DP-1710-B1269 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. … Organisation DECISION ChampionTutor Inc [2019] SGPDPC 25 Tan Kiat How, Commissioner — Case No DP-1710-B1269 22 July 2019 Background 1 On 31 October 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a former tutor (“Complainant”) who had registered with ChampionTutor Inc (“Organisation”), stating that he found a URL link1 (“URL Link”) to the Organisation’s tutor list (“Tutor List”) through a Google search. (the “Incident”). The Commission proceeded to investigate the Incident in order to determine whether the Organisation had complied with its obligations under the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 The Organisation is a home tuition agency in Singapore with more than 10 years’ experience matching students and tutors. While the service is free for students, tutors are required to pay a commission to the Organisation for each tuition assignment they accepted. 
1 https://www.championtutor.com/certs_tutor/1certs1397642794.pdf 3 In the course of investigations by the Commission, it was found that the Tutor List contained name, contact number and email address (“Disclosed Information”) of a total of 4,899 individuals, including the Complainant (“Affected Individuals”). 4 It also emerged in the course of investigations that the Organisation had not appointed any data protection officer (“DPO”) and had failed to develop and put in place any internal data protection policies. Findings and Basis for Determination 5 The issues to be determined by the Commissioner in this case are as follows: (a) Whether the Disclosed Information is “business contact information” as defined under section 2(1) of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“DPO”) and develop and implement data protection policies and practices under sections 11(3) and 12 respectively of the PDPA. Whether the Disclosed Information is “business contact information” 6 Under section 2(1) of the PDPA, “business contact information” is defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes” (emphasis added). Section 4(5) of the PDPA provides that the substantive data protection obligations found in Parts III to VI of the PDPA (the “Data Protection Provisions”) shall not apply to business contact information (“BCI”). 7 The purpose for which the contact information is provided is key in determining whether it is considered BCI. In this regard, the Affected Individuals provided the Disclosed Information to the Organisation for the purposes of being contacted for tuition assignments. 
8 Under section 2(1) of the PDPA, “business” is defined as including “the activity of any organisation, whether or not carried on for the purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity”. Tutors carry out a business of providing tuition services. In this regard, the tutors registered with the Organisation are freelancers, and are paid directly by the student. For each tuition assignment accepted, tutors are required to pay the Organisation a one-time commission.2 Tutors are also responsible for reporting their earnings as a freelance tutor to the tax authority yearly.3 The Inland Revenue Authority of Singapore’s “Tax Guide for Tuition Industry” provides guidance for tutors providing tuition services and tuition agencies assigning tutors to students with respect to reporting business income for tax purposes.4 2 See https://www.championtutor.com/faq.html which provides that agency commission is calculated at 50% of the first payment cycle (4 weeks) 3 See https://www.championtutor.com/faq.html 4 https://www.iras.gov.sg/IRASHome/uploadedFiles/IRASHome/Businesses/Starter%20Guide %20for%20Self%20Employed%20Tuition%20Centre%20or%20Agency%20Operators.pdf 9 Based on the foregoing, the Commissioner finds that the tuition services offered by the Organisation’s tutors falls within the definition of “business” under section 2(1) of the PDPA. Therefore, the Contact Details provided by the Affected Individuals for the purposes of being contacted for tuition assignments is BCI, and the Data Protection Provisions do not apply. Whether ChampionTutor complied with its obligations under sections 11 and 12 of the PDPA 10 The Organisation’s admission that it had not appointed a DPO at the material time is a breach of section 11(3) of the PDPA. 
In this regard, section 11(3) requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. The importance of appointing a DPO in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA was emphasized in Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]. 11 Section 12 of the PDPA requires organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its employees (among other obligations). 12 At the material time, the Organisation had a privacy policy to inform tutors and students on how it collects, use, disclose, manage and safeguard personal information provided by them in the course of accessing and using the Organisation’s website. 13 The Organisation did not employ full-time staff but employed part-time home-based tuition coordinators to liaise with tutors and students, process e-invoices and follow up on payment. These part-time coordinators had access to personal data of the tutors and students in the course of their work. However, the Organisation did not have any internal data protection policies which specify the rules and procedures on the collection, use and disclosure of personal data. This omission meant that part-time tuition coordinators were not provided with any form of guidance with the PDPA and amounts to a breach of section 12 of the PDPA. An organisation that relies wholly on part-time staff needs to pay especial attention to ensuring that its policies can be easily accessible and that it has an effective system for promoting awareness and training part-time staff on its data protection policies and practices. 
The Commissioner’s Directions 14 Given the Commissioner’s findings that the Organisation is in breach of sections 11(3) and 12 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 15 In assessing the breach and determining the directions, if any, to be imposed on the Organisation in this case, the Commissioner took into account as a mitigating factor that the Organisation had cooperated with investigations and was forthcoming in its response. 16 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to do the following: (a) Pay a financial penalty of S$5,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court5 in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full; and (b) Within 60 days from the date of the Commissioner’s directions, develop and implement an internal data protection policy and appoint a DPO. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 5 Cap 322, R5, 2014 Rev Ed. ",Financial Penalty,a7bc8b98d073c9ff692b042e0c3cd60c12941780,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,148,148,1,952,"Directions, including a financial penalty of $5,000, were imposed on AgcDesign for breaches of the PDPA. 
The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Accountability"", ""Financial Penalty"", ""Others"", ""Interior design""]",2019-07-04,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--AgcDesign-Pte-Ltd--040719.pdf,Accountability,Breach of the Openness Obligation by AgcDesign,https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-openness-obligation-by-agcdesign,2019-07-04,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 23 Case No DP-1805-B2072 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AgcDesign Pte. Ltd. … Organisation DECISION AgcDesign Pte. Ltd. [2019] SGPDPC 23 Yeong Zee Kin, Deputy Commissioner – Case No DP-1805-B2072 4 July 2019 Background and Material Facts 1 AgcDesign Pte. Ltd. (the “Organisation”) provides interior designing services for commercial and residential properties. Between 5 and 9 May 2018, the Personal Data Protection Commission (the “Commission”) received complaints alleging that the Organisation had used the complainants’ names and residential addresses without the complainants’ consent to send them marketing mailers. In the course of investigations by the Commission, it was found that the Organisation had sent the mailers using information from a database of property-related information obtained from a third party. That database had been compiled from information on caveats lodged with the Singapore Land Authority, which was publicly available. 2 It also emerged in the course of investigations that the Organisation had not appointed any data protection officer (“DPO”) and it had not developed and put in place any data protection policies. 
Upon being notified of the complaints, the Organisation appointed a DPO and issued certain verbal instructions to its employees concerning the collection, use and disclosure of personal data. Findings and Basis for Determination 3 Section 17 of the PDPA, read with the relevant provisions of the Second, Third and Fourth Schedules to the PDPA, permits organisations to collect, use and disclose personal data which is publicly available without the consent of the individuals concerned. The Commission therefore did not proceed further with its investigation into the Organisation’s use of personal data in this case and I am satisfied that it is unnecessary to do so. 4 In relation to the Organisation’s failures to appoint a DPO and develop and implement any data protection policy, these are required under sections 11(3) and 12 respectively of the PDPA. In particular, section 11(3) requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. Section 12 of the PDPA requires organisations to (among other things): (a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA; and (b) communicate information about such policies and practices to its staff. 5 The importance of these requirements has been emphasised multiple times in previous decisions. For example, it is important for an organisation to document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation’s obligations under the PDPA (Re Aviva Ltd [2017] SGPDPC 14 at [32]). Similarly, appointing a DPO is important in ensuring the proper implementation of an 
organisation’s data protection policies and practices, as well as compliance with the PDPA (see eg Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]). 6 In the circumstances, the Organisation was clearly in breach of sections 11(3) and 12 of the PDPA. While it has since appointed a DPO, it has not yet developed written policies and practices necessary to ensure its compliance with the PDPA. The Deputy Commissioner’s Directions 7 Having found the Organisation in breach of sections 11(3) and 12, I have decided to issue it the following directions under section 29 of the PDPA: (a) To develop and implement, within 30 days of the date of this direction, a data protection policy and the appropriate written internal policies and practices to comply with the provisions of the PDPA; (b) To communicate such policies and practices to its employees and conduct (or ensure that its employees attend) a suitable training course in order to ensure that employees handling personal data understand and comply with the requirements of the PDPA, both within 60 days of the date of this direction; (c) To inform the Commission of the completion of each of the above within 7 days of completion; and (d) To pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,dbe45267b662cba27e20e9da8c6e449830e75c7f,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,152,152,1,952,A warning was issued to Xbot for failing to put in place data protection policies to comply with the provisions of the PDPA.,"[""Accountability"", ""Warning"", ""Real Estate"", ""Property""]",2019-06-20,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Xbot-Pte-Ltd---200619.pdf,Accountability,Breach of the Openness Obligation by Xbot,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-openness-obligation-by-xbot,2019-06-20,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 19 Case No DP-1803-1781 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Xbot Pte. Ltd. … Organisation DECISION Xbot Pte. Ltd. [2019] SGPDPC 19 Yeong Zee Kin, Deputy Commissioner — Case No DP-1803-1781 20 June 2019 Introduction 1. On 2 March 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that Xbot Pte. Ltd. (the “Organisation”) had disclosed the personal data of property owners through the Strata.sg mobile application without their consent. The Commission commenced an investigation in order to determine whether the Organisation had failed to comply with its obligations under the Personal Data Protection Act 2012 (the “PDPA”). Material Facts 2. The Organisation developed and operated the Strata.sg mobile application (the “App”) and an associated website, http://Strata.sg (the “Website”), which provided access to a database of residential property transactions (the “Database”). 
The Database included information on transactions involving both private residential properties (“Private Properties”) and Housing Development Board (“HDB”) properties (“HDB Properties”). This information was made available to users of the App and Website and included a partial address (block number, road and, for HDB Properties only, a storey range), area, type and price for the properties listed. In addition, the complete addresses of the Private Properties (including the specific unit number) were made available to premium subscribers of the App or Website who paid a fee for access to the information in the Database. 3. The Organisation also collected personal data from users of the Website and users of the App in order to grant them access to the Database. The Organisation had a data protection policy for the Website (which it referred to as a “Privacy Policy”) but that policy did not mention or cover the personal data collected from users of the App. The App did not include any separate data protection policy nor any link to the Organisation’s data protection policy for the Website. In addition, the Organisation did not have any internal policies or procedures relating to its personal data practices. At the material time, the Organisation was run by a single individual who was also an employee of the Organisation. The Organisation had only one other employee. Findings and Basis for Determination (A) Does the information in the Database constitute personal data under the PDPA? 4. Section 2(1) of the PDPA defines “personal data” as “data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.” 5. The information in the Database would not, on its own, be personal data as none of those data could identify an individual (per limb (a) of the above definition). 
In particular, as there is no publicly available means of identifying the owners of the HDB Properties based on the information available in the Database, the information relating to HDB Properties would not constitute personal data under the PDPA. 6. However, the complete addresses of the Private Properties in the Database could be used to trace the name of the owners of those properties through the Singapore Land Authority’s Land Titles Register. The information in the Database could then be related to the identified or identifiable owners of the Private Properties and reveal the type and size of property they own and the price they paid for the property. In light of this, the information in the Database relating to Private Properties constitutes personal data under the PDPA (per limb (b) of the above definition). (B) Is the Organisation permitted to collect, use and disclose the personal data in the Database? 7. Section 13 of the PDPA prohibits organisations from collecting, using or disclosing personal data about an individual for a purpose unless: (a) the individual consents, or is deemed to have consented, under the PDPA to such collection, use or disclosure; or (b) collection, use or disclosure without the individual’s consent is permitted or required under the PDPA or any other written law. 8. In the course of the Commission’s investigation, the Organisation admitted that it had not obtained the consent of the individuals concerned for the collection, use and disclosure of their personal data in the Database. Hence, the key issue is whether the Organisation is permitted to do so without the individuals’ consent. 9. Under section 17(1) of the PDPA, collection of personal data without consent is permitted in the circumstances listed in the Second Schedule to the PDPA. In particular, paragraph 1(c) of the Second Schedule permits the collection of personal data without consent if the personal data is publicly available. 
Section 2(1) of the PDPA defines the term “publicly available” (in relation to personal data) as “personal data that is generally available to the public …”. Use and disclosure of personal data which is publicly available is similarly permitted without consent under section 17(2) read with paragraph 1(c) of the Third Schedule and section 17(3) read with paragraph 1(d) of the Fourth Schedule respectively. 10. In this case, the information in the Database had either been obtained by the Organisation from a source which was generally available to the public or had been derived by the Organisation from information which it had obtained from such a source. In particular, the Organisation had obtained information from the Urban Redevelopment Authority’s Real Estate Information System (“REALIS”) portal and the HDB’s Resale Flat Prices portal. The information in these portals is available to members of the public (in some cases, upon payment of a fee). In my view, such information is generally available to the public. 11. In the circumstances, I find that the Organisation is permitted under the PDPA to collect, use and disclose the personal data in the Database without consent of the relevant individuals. The Organisation is therefore not in breach of section 13 of the PDPA. (C) Did the Organisation have in place the necessary data protection policies and practices under the PDPA? 12. Section 12 of the PDPA requires organisations to: (a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA; (b) develop a process to receive and respond to complaints that may arise with respect to the application of the PDPA; (c) communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and (d) 
make information available on request about — (i) the policies and practices referred to in paragraph (a); and (ii) the complaint process referred to in paragraph (b). 13. In this case, although the Website and the App collected the same personal data for the same purpose, the data protection policy published on the Website was expressly limited to personal data collected via the Website. This, in my view, is insufficient to meet the requirements of section 12 as users of the App would not have a clear indication of how their personal data would be handled by the Organisation. The Organisation should have ensured that its published data protection policy covered personal data regardless of whether it was collected via the Website or the App. This could have been done with some simple amendments to the current data protection policy and, as a good practice, the App could have included a link to the policy published on the Website. Alternatively, the Organisation could include a separate data protection policy within the App. 14. In addition to an organisation’s published data protection policy, the “policies and practices” referred to in section 12 of the PDPA include internal policies and processes that are necessary for the organisation to meet its obligations under the PDPA. While an organisation’s published data protection policy is meant to inform individuals about how their personal data will be handled by the organisation, the internal policies and practices are meant for the organisation’s employees. Section 12 also requires such policies and practices to be communicated to the organisation’s staff. 
These requirements are intended to ensure that all employees of the organisation are aware of the specific practices they must adhere to when handling personal data including, for example, the notifications to be given to individuals when their personal data is collected, how access and correction requests should be handled, how personal data must be kept and secured and how personal data must be disposed of when no longer required by the Organisation. The specific internal policies and practices which may be required for a particular organisation would depend on various factors such as the following (among other factors): (a) the type(s) and amount of personal data collected by the organisation; (b) the organisation’s processes for collecting the personal data; (c) the organisation’s purposes for using or disclosing the personal data; and (d) the number and roles of employees who require access to personal data in the course of their employment. 15. In the present case, the Organisation has one employee (in addition to the sole director). Nevertheless, it should have developed internal policies and practices, having in mind the considerations enumerated in the preceding paragraph, and communicated them to its employee so as to ensure that its employee adhered to the appropriate practices when handling personal data (and related matters) in the course of his or her employment. Although the Organisation is a small company, the size of the organisation is but one determinant of the complexity of the internal policies and practices required. The types and amount of personal data that it possesses and controls is another relevant consideration. In this regard, the Organisation possesses and controls a not insignificant amount of personal data which relates to property ownership (even if these are publicly available). 16. In view of the above, I find the Organisation in breach of section 12 of the PDPA. Conclusion 17. 
Having found the Organisation in breach of section 12 of the PDPA, I am empowered under section 29 of the PDPA to give to the Organisation such directions as I deem fit to ensure its compliance with the PDPA. 18. Taking the totality of the circumstances into account, I have decided to issue a warning to the Organisation for its breach of section 12 of the PDPA without further directions or imposing a financial penalty. In particular, I noted that: a) the Organisation had ceased operations of both the App and the Website on 16 May 2018; and b) the Organisation has been cooperative throughout the investigations. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,d2e2fb18265e0bede337a2a87e9f9ab6c61a81af,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,198,198,1,952,"Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA.","[""Accountability"", ""Directions"", ""Others""]",2018-01-23,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf,Accountability,Breach of Openness Obligation by 4 Hair Salons,https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons,2018-01-23,"PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 4. Initia Pte. Ltd. … Organisations DECISION Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. 
Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS (S/N; Organisation; Start of employment; End of employment): 1. Jiwon; 9 April 2014; 15 August 2016. 2. Next@Ion Pte Ltd; 10 August 2016; 30 November 2016. 3. Next Hairdressing Pte Ltd; 1 Dec 2016; 16 Dec 2016. 4. Initia Pte Ltd; 13 Jan 2017; -. 4 In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had any policies or practices in place for the protection of the personal data they collected. This Decision is solely concerned with the compliance of the Organisations’ obligations under section 12(a) of the PDPA and the foregoing information on Jiwon’s initial complaint serves merely as background information to give context. 
Findings and Basis for Determination Whether the Organisation had complied with its obligations under section 12 of the PDPA 5 Section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA (the “Openness Obligation”). 6 During the investigations, it became apparent that the Organisations did not implement any data protection policies or practices. This was admitted to by the Organisations. 7 In the circumstances, I find that, by their own admission, each of the Organisations failed to meet its obligations under section 12(a) of the PDPA. 8 I would like to take this opportunity to repeat the exhortations made in Re: M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (“M Star Movers”) to organisations to put in place policies and practices to protect personal data. 9 The M Star Movers grounds of decision (at paragraphs 27 and 28) explains the need for organisations to put in place data protection policies and practices as follows: At the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA. 
An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities (e.g. communications through social media). Directions 10 Having found that the Organisations are in breach of section 12(a) of the PDPA, I am empowered under section 29 of the PDPA to give the Organisations such directions as I deem fit to ensure compliance with the PDPA. 11 In assessing the breach and determining the directions to be imposed on the Organisations, I took into account that the personal data collected by the Organisations was limited to the names and contact numbers of its customers. 12 I have decided to issue the following directions to each of the Organisations: (a) to put in place a data protection policy to comply with the provisions of the PDPA within 60 days from the date of this direction; and (b) to inform the office of the Commissioner of the completion of the above directions within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER ",Directions,22dc817cc5a859cce0bf1f96066bd7470c408c03,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"