_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,27,27,1,952,Both organisations were found not in breach of the PDPA in relation to complaints regarding alleged collection and disclosure of personal data without consent.,"[""Consent"", ""Not in Breach"", ""Real Estate"", ""No breach""]",2022-06-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---SLP-Scotia-Pte-Ltd-and-SLP-International-Property-Consultants-Pte-Ltd---09042022.pdf,Consent,No Breach of the Consent Obligation by SLP Scotia and SLP International Property Consultants,https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/no-breach-of-the-consent-obligation-by-slp-scotia-and-slp-international-property-consultants,2022-06-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2007-B6585, DP-2007-B6591, DP-2007-B6594, DP-2007-B6598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLP Scotia Pte. Ltd. SLP International Property Consultants Pte. Ltd. SUMMARY OF THE DECISION 1. Between 10 to 14 July 2020, the Personal Data Protection Commission (the “Commission”) received four complaints against SLP International Property Consultants Pte Ltd (“SLPIPC”) and its subsidiary SLP Scotia Pte Ltd (“SLPS”) (collectively, the “Organisations”). The complainants were property agents registered through SLPS (the “Complainants”). 2. As a merger was due to take place between the Organisations, on 7 July 2020, SLPIPC initiated the registration of salespersons in SLPS as salespersons in SLPIPC with the Council of Estate Agencies (“CEA”). CEA thereafter emailed the Complainants asking them to either initiate a salesperson application to join SLPIPC or disregard the email if they were not interested in registering with SLPIPC (the “Incident”). 3. 
The Complainants alleged that: a. they had not consented to be contacted for such purposes; and b. SLPS had improperly disclosed their personal data (including NRIC number, date of birth, and home address) to SLPIPC, and SLPIPC had in turn improperly disclosed the data to CEA. 4. CEA is the entity which administers the registration of salespersons (such as the Complainants) under the Estate Agents Act 2010 (“EAA”). Pursuant to section 29(1) of the EAA, a person may not act as a salesperson for any estate agent unless he or she is registered; the said register is maintained by the CEA pursuant to section 36 of the EAA. Further, under section 40(1) of the EAA, a salesperson may not be registered to act as a salesperson for more than one estate agent at any one time. 5. SLPIPC disclosed the personal data of the Complainants to CEA for the purposes of the change in registration from SLPS to SLPIPC. In doing so, SLPIPC was complying with its obligations under the EAA. The disclosure by SLPIPC to CEA was therefore not in breach of any of the provisions of the Personal Data Protection Act 2012 (“PDPA”), as under section 4(6) of the PDPA, obligations of a party under other written law take precedence over obligations under the PDPA. 6. The Commission’s investigation focused on whether the Organisations had breached the Consent Obligation under section 13 of the PDPA in relation to: a. the disclosure of the Complainants’ personal data by SLPS to SLPIPC; and b. the collection of the said data by SLPIPC from SLPS. 7. Investigations revealed that the Complainants had each, individually and separately, signed an agreement with SLPS (“Associate’s Agreement”) in which they had provided their consent for disclosure of their personal data in specific circumstances. Notably: a. Clause 24 of the Associate’s Agreement provided that the Complainants consented to SLPS collecting, using and/or disclosing their personal data for one or more of the “Company Purposes”. b. 
“Company Purposes” as defined in the Associate’s Agreement included disclosure of the Complainants’ personal data to SLPS’ related corporations, to facilitate and administer the real estate brokerage services to be provided by the Complainants under the Associate’s Agreement. c. As SLPS was a subsidiary of SLPIPC, both Organisations were “related corporations” for the purposes of the Associate’s Agreement. 8. The disclosure and collection of the Complainants’ personal data had been carried out because of an upcoming merger between the Organisations, for business reasons. With the move towards merger at the material time, the Complainants had the option of providing their services under SLPIPC after the merger. This was found to fall under the ambit of “Company Purposes” pursuant to Clause 24 of the Associate’s Agreement, because the merger would have affected the Complainants’ ability to “facilitate and administer” their real estate brokerage services. 9. Consequently, the disclosure of the Complainants’ personal data by SLPS and the collection and disclosure of the same by SLPIPC as a related corporation was found to be consistent with the purposes for which the Complainants had provided consent in the Associate’s Agreement. 10. In light of the above, the Deputy Commissioner for Personal Data Protection finds that the Organisations did not breach the Consent Obligation under section 13 of the PDPA. The following is the provision of the Personal Data Protection Act 2012 cited in the above summary: Consent required 13. An organisation must not, on or after 2 July 2014, collect, use or disclose personal data about an individual unless — (a) the individual gives, or is deemed to have given, his or her consent under this Act to the collection, use or disclosure, as the case may be; or (b) the collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or any other written law. 
",Not in Breach,81943b55f3e50d31e820edf46499ec3602f370c0,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,40,40,1,952,"A financial penalty of $21,000 was imposed on Neo Yong Xiang for using his customers' personal data to register for prepaid SIM cards without their consent. The SIM cards were subsequently sold to anonymous individual(s) who used them to send specified messages in contravention of the Do Not Call provisions of the PDPA.","[""Consent"", ""Financial Penalty"", ""Others""]",2022-03-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Neo-Yong-Xiang---29102021.pdf,Consent,Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang trading as Yoshi Mobile,https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-the-consent-and-purpose-limitation-obligations-by-neo-yong-xiang-trading-as-yoshi-mobile,2022-03-10,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 12 Case No. DP-2013-B8088 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Neo Yong Xiang (trading as Yoshi Mobile) … Organisation DECISION Neo Yong Xiang (trading as Yoshi Mobile) Lew Chuen Hong, Commissioner — Case No. DP-2013-B8088 29 October 2021 Introduction 1. When customers purchased pre-paid SIM cards from a mobile phone shop at Geylang Road, they would not have anticipated that their personal data would be misused to register additional SIM cards for illegal sale. Unfortunately, this was exactly what happened to at least 78 individuals who purchased pre-paid M1 SIM cards from one Mr Neo Yong Xiang (“NYX”) the sole proprietor of Yoshi Mobile (“YM”). 2. 
The Commission observed that between January 2020 and November 2020, there were 3,636 Do Not Call (“DNC”) complaints from persons who received specified messages even though their telephone numbers are registered with the DNC register[1]. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at YM. The Commission initiated investigations against NYX (trading as YM) for suspected breaches of the Personal Data Protection Act 2012 (“PDPA”). [Footnote 1: Under Section 43 of the PDPA, a person is not allowed to send specified messages to a Singapore telephone number registered with the DNC register unless the person has, at the time where he sends the specified message, valid confirmation that the Singapore telephone number is not listed in the DNC register.] Facts of the Case 3. NYX has operated YM since 2013. As an exclusive retailer of M1 SIM cards, NYX was provided a terminal device installed at YM’s premises for the purposes of SIM card registration (the “M1 Terminal Device”). SIM card registration had to be carried out in accordance with the conditions of M1’s telecommunications licence granted under Section 5 of the Telecommunications Act (Chapter 323). The typical SIM card registration process in YM would be as follows: (a) First, the customer’s identity document (e.g. identity card, passport, work pass etc.) would be scanned using the M1 Terminal Device. The system would capture the customer’s personal data, and state whether the customer had reached the permitted limit of 3 prepaid SIM cards. (b) Next, the barcode of the SIM card(s) would be scanned so that they could be tagged to the registered customer. (c) Finally, a mobile application would be used to load credit value to the prepaid SIM card(s) to activate them for usage. M1’s policy was for each prepaid M1 SIM card to have a zero-initial balance, and for retailers to load some or all of the money paid by the customer. 4. 
The Commission’s investigations revealed that NYX exploited the above registration process in order to use his customers’ personal data without consent to register for additional prepaid M1 SIM cards that his customers did not intend to purchase. NYX would do so by one of two methods: (a) Method 1 – After scanning a customer’s identity documents via the M1 Terminal Device, NYX would check whether the customer was still entitled to purchase more SIM cards (in addition to the SIM card(s) that were intended to be purchased). If so, NYX would proceed to register additional SIM card(s) to the same customer without their knowledge (the “illicit SIM card(s)”). (b) Method 2 – Occasionally, customers who had completed the registration process would not want to continue with their purchase after learning that the credit value of the SIM card would have to be separately loaded. At this juncture, instead of cancelling or reversing the registration process, NYX would keep the SIM card(s) and activate them without the customer’s knowledge. 5. During investigations, NYX admitted that his purpose for registering the illicit SIM cards was to sell them to earn extra money. In his three years of selling such illicit SIM cards to anonymous walk-in customers, NYX estimated that he earned approximately $15,000 (i.e. around 100 illicit SIM cards per year at a price of $50 per card). 6. The affected personal data collected and used by NYX to register the illicit SIM cards include, at a minimum, the following personal data of 78 individuals (used to register 94 SIM cards): (a) the customers’ names; (b) the customers’ addresses; and (c) the customers’ NRIC numbers and/or work permit numbers. 7. After registering the illicit SIM cards, NYX would sell them to anonymous buyers who occasionally patronised YM from 2018 to 2020. 
Investigations revealed that illicit SIM cards registered at YM were exploited by unknown perpetrators to send unsolicited spam and/or scam messages, often also in contravention of the DNC provisions of the PDPA. Findings and Basis for Determination 8. Section 2(1) of the PDPA defines an “organisation” broadly to include “any individual, company, association or body of persons, corporate or unincorporated”. YM is a sole proprietorship and has no separate legal personality from NYX. Accordingly, NYX constitutes an organisation under the PDPA. Further, NYX is bound by the provisions of the PDPA (including Part IV) as he was acting in a business capacity in selling the SIM cards to make a profit, and not a domestic capacity. As stated in Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1: “9 …Although the PDPA defines “organisation” broadly to include individuals, an individual is expressly excluded from the Data Protection Provisions in the PDPA if the individual was acting in a personal or domestic capacity. Therefore, when it comes to the application of the PDPA to individuals, it is usually germane to the issue to determine whether the individual was acting in a personal or domestic capacity. If the individual was not acting in a personal or domestic capacity, then she will be treated as an “organisation” for the purposes of the PDPA, and obliged to comply with the Data Protection Provisions. 10 On the facts, the Respondent was clearly not acting in a personal or domestic capacity in respect of the buying and selling of leads. The purchase and sales of the leads were not for her own personal use or purposes, but in order to make a profit. Under the PDPA, “business” includes an activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity. 
In this regard, the converse of a person acting in a personal or domestic capacity is one that acts in a business capacity. This was the case for the Respondent in respect of the purchase and sale of leads.” [emphasis added] 9. Based on the circumstances set out above, the issues to be determined in this case are: (a) Whether NYX breached the Consent Obligation under section 13 of the PDPA; and (b) Whether NYX breached the Purpose Limitation Obligation under section 18 of the PDPA. The Consent Obligation under section 13 of the PDPA 10. Under Section 13 of the PDPA, organisations are prohibited from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent, an exception to the requirement for consent applies, or if otherwise authorised under the PDPA or any other written law (the “Consent Obligation”). In this connection, Section 14(1) of the PDPA further provides that an individual has not given consent unless he has been notified of the purposes for which his personal data was being collected, used or disclosed. If an organisation fails to do so, any consent obtained from an individual is invalid. 11. On the facts of this case, NYX breached the Consent Obligation by using his customers’ personal data to register the illicit SIM cards for sale to anonymous buyers. When NYX used Method 1, NYX’s customer(s) only consented to the collection and use of their personal data for the purpose of registering the number of SIM cards which they had requested. They did not provide consent to NYX to use their personal data for any other purpose, including the registration of additional SIM cards. 12. In the case of Method 2, the customers withdrew their consent to the collection and use of their personal data to purchase M1 SIM cards, and NYX should have cancelled the SIM card registrations. 
Instead, he went behind his customers’ backs and used their personal data without consent to register illicit SIM cards. 13. In the premises, NYX is determined to have breached the Consent Obligation by using his customers’ personal data without their consent. The Purpose Limitation Obligation under Section 18 of the PDPA 14. Under Section 18 of the PDPA, an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and where that individual has been informed of the said purposes under Section 20 of the PDPA (the “Purpose Limitation Obligation”). As set out in the Commission’s Advisory Guidelines on Key Concepts in the PDPA[2]: “The main objective of the Purpose Limitation Obligation is to ensure that organisations collect, use and disclose personal data that are relevant for the purposes, and only for purposes that are reasonable. Consistent with the Notification Obligation, the Purpose Limitation Obligation also limits the purposes for which personal data may be collected, used or disclosed to those which have been informed to the individuals concerned pursuant to the Notification Obligation (where applicable). For the purposes of section 18 (and as stated in that section), whether a purpose is reasonable depends on whether a reasonable person would consider it appropriate in the circumstances. Hence the particular circumstances involved need to be taken into account in determining whether the purpose of such collection, use or disclosure is reasonable. For example, a purpose that is in violation of a law or which would be harmful to the individual concerned is unlikely to be considered appropriate by a reasonable person.” [emphasis added] [Footnote 2: Advisory Guidelines on Key Concepts in the PDPA (Rev 1 February 2021)] 15. The Purpose Limitation Obligation operates independently from the Consent Obligation. 
Even if the data subject gave his consent for his personal data to be used for a particular purpose, it does not follow that the said purpose is reasonable in the circumstances. As stated in Re AIA Singapore Pte Ltd [2016] SGPDPC 10 at [18]: “Section 18 of the PDPA provides, inter alia, that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. It should be borne in mind that Section 18 of the PDPA is an independent obligation that organisations would need to comply with even if it had obtained the consent from the relevant individual for the collection, use or disclosure of his or her personal data. This is an important aspect of the PDPA as it is effective in addressing excesses in the collection, use or disclosure of personal data under a broadly-worded consent clause, like in the present case.” [emphasis added] 16. In this case, NYX has admitted that he had fraudulently used his customers’ personal data for the purpose of registering illicit SIM cards in order to sell them to anonymous buyers. This is plainly not a reasonable purpose under any circumstances, as individuals could not have reasonably intended for their personal data to be used to register illicit SIM cards purely for NYX’s financial gain. 17. In the premises, NYX is determined to have breached the Purpose Limitation Obligation. The Commissioner’s Decision 18. 
In determining whether NYX should be required to pay a financial penalty under section 48J of the PDPA, the factors listed at section 48J(6) of the PDPA were considered, with particular emphasis on the following aggravating and mitigating factors: Aggravating Factors (a) NYX’s breaches of the PDPA were difficult to detect as it included a high degree of planning and pre-meditation by him to evade detection by authorities; (b) NYX was entrusted by his customers with their personal data for the purpose of registering prepaid SIM cards, and he abused their trust by misusing their personal data; (c) NYX’s breaches of the PDPA caused inconvenience to innocent parties, as the illicit SIM cards sold by him were used to send unsolicited messages to phone numbers that were registered with the DNC register; (d) Through the sale of the illicit SIM cards for approximately 3 years, NYX financially gained at least $15,000 for his misuse of his customers’ personal data; and Mitigating Factor (e) NYX admitted to liability early in the investigation process, thus reducing the time and resources expended on investigations. NYX’s representations 19. On 7 September 2021, NYX was notified of the Commissioner’s Preliminary Decision (as set out above) and intention to impose a financial penalty of $35,000. On 20 September 2021, NYX submitted written representations on the amount of financial penalty that was to be imposed. NYX raised the following factors to argue for either a waiver of the imposition of a financial penalty, or (in the alternative) for a lower financial penalty: (a) NYX was facing a difficult financial situation, as he had low savings / monthly income, and was responsible for servicing several outstanding liabilities (such as a vehicle loan, housing loan and renovation loan). Additionally, he was also responsible for paying the medical bills of his parent. NYX claimed that it would cause him undue hardship if a high financial penalty was imposed. 
(b) NYX had breached the PDPA for financial gain due to extenuating circumstances, as his business was adversely affected by COVID-19 and the landlord of Yoshi Mobile had refused to pass on the relevant COVID-19 rental relief provided by the Government. (c) NYX’s breaches of the PDPA can be distinguished from the breaches committed by other organisations on the basis that he did not leak or sell the personal data for financial gain. Instead, he had merely used his customers’ personal data to register for SIM cards and was not the person who used the illicit SIM cards to send unsolicited text messages to telephone numbers on the DNC register. In this connection, NYX pointed to other decisions where the Commission had imposed a lower financial penalty or a warning on other organisations that had breached the PDPA. 20. After careful consideration, we have accepted and taken into account NYX’s representation at [19(a)] above, but are unable to do the same with respect to the representations set out in [19(b)] and [19(c)] above. 21. When imposing financial penalties, the Commission may consider the personal and financial circumstances of the organisation / individual, bearing in mind that financial penalties imposed should avoid imposing a crushing burden or cause undue hardship on organisations: see Re Jigyasa [2021] SGPDPCR 1. In considering NYX’s representations at [19(a)], the Commission gave due consideration to the existing financial commitments on NYX and accepted that the imposition of a heavy financial penalty would cause substantial hardship to NYX. 22. We are unable to accept NYX’s representation at [19(b)] that he had breached the PDPA due to extenuating financial difficulties that arose due to the COVID-19 pandemic. Based on the Commission’s investigations, NYX has been using his customers’ personal data to register illicit SIM cards for the purpose of selling them to third parties since 2018. 
NYX’s modus operandi (as described in [4]) predated the onset of COVID-19, and it is disingenuous for NYX to attribute his actions to the financial difficulties that followed the COVID-19 pandemic. 23. We are also unable to accept NYX’s representation at [19(c)] that his breach of the PDPA was less serious than the breaches committed by various other organisations. Compared with the decisions that NYX mentioned, NYX’s culpability is more egregious as his breach involved the intentional misuse of personal data from a position of trust, over a protracted period of time, for personal financial gain. While NYX did not send any unsolicited text messages or make any unsolicited calls directly to telephone numbers on the DNC register, his sale of the unsolicited SIM cards to anonymous buyers (that NYX did not verify or identify) facilitated the commission of those offences and the harm caused as a consequence. The anonymous sale of illicit SIM cards may also be the catalyst or precursor for other illicit activities. 24. Having carefully considered all the relevant factors of this case including the representations made by NYX, the Commissioner has decided to reduce the financial penalty to $21,000. This decision is made on an exceptional basis, and should not be taken as setting any precedent for future cases. The Commissioner hereby requires NYX to pay a financial penalty of $21,000 in 18 monthly instalments by the due dates as set out in the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 25. The Commission will not be issuing any further directions given that M1 has barred NYX from offering the sale of its prepaid SIM cards. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,9701ccc45e49e35f3e4018e10b92d445aca1c569,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,62,62,1,952,A warning was issued to Greatearth Corporation for failing to obtain consent to disclose personal data of 8 crane operators on the external façade of a construction site.,"[""Consent"", ""Warning"", ""Construction"", ""Consent"", ""Ban list"", ""Acting in Course of Employment""]",2021-05-12,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Progressive-Builders-and-Greatearth-Corporation---16042021-(002).pdf,Consent,"Breach of the Consent Obligation by Greatearth Corporation, No Breach of the PDPA by Progressive Builders",https://www.pdpc.gov.sg/all-commissions-decisions/2021/05/breach-of-the-consent-obligation-by-greatearth-corporation,2021-05-12,"PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 2 Case No. DP-1907-B4305 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Progressive Builders Private Limited (2) Greatearth Corporation Pte. Ltd. … Organisation DECISION (1) Progressive Builders Private Limited; (2) Greatearth Corporation Pte. Ltd. [2021] SGPDPC 2 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1907-B4305 16 April 2021 Introduction 1 This case involves a series of incidents that led to the unauthorised collection, use, and disclosure of the personal data of 8 individuals (the “Complainants”) by Greatearth Corporation Pte. Ltd. (“GCPL”). On 19 and 20 July 2019, the Personal Data Protection Commission (the “Commission”) received complaints from each of the Complainants alleging that their personal data had been disclosed by Progressive Builders Private Limited (“PBPL”) without their consent (the “Complaints”). 
The Commission commenced an investigation into the Complaints. Facts of the Case 2 The Complainants are tower crane operators engaged by Craneworks Pte Ltd (“the Subcontractor”) to operate tower cranes for the Subcontractor’s clients, including PBPL. PBPL is the main contractor for a housing project in Geylang (the “Geylang Project”) and is in charge of the Geylang Project worksite (the “Geylang Worksite”). PBPL had collected the Complainants’ personal data (including their full name, NRIC, contact number and photograph) when they were appointed as tower crane operators for the Geylang Project. The collection of their personal data was for the purposes of managing the Complainants’ roles as tower crane operators. The Subcontractor is a sub-contractor of PBPL for the Geylang Project. It supplies licensed crane operators to PBPL for the operation of tower cranes. 3 GCPL is also a company that is in the construction business. It is the main contractor for a housing project in Clementi (the “Clementi Project”) and is in charge of the Clementi Project worksite (“Clementi Worksite”). GCPL does not have any business relationship with PBPL, the Subcontractor, or the Complainants. Creation of the Banned Operators List 4 Between 12 and 18 July 2019, a series of incidents involving the Complainants and the staff of PBPL occurred at the Geylang Site. As a result of the incidents, PBPL banned the Complainants from entering the Geylang Worksite. After the workplace incidents, PBPL’s project director (“Project Director”) directed PBPL’s Workplace Safety & Health Officer (“WSHO”) at the time to compile a list of the Complainants’ details, which included the following personal data of each of the Complainants: (a) Full name; (b) NRIC number; (c) Contact number; and (d) Photo ID of the individual (collectively, the “Banned Operators List”). 
5 According to PBPL, the Banned Operators List was created to identify the Complainants that were involved in the workplace incidents and sent to the Subcontractor and the Ministry of Manpower to inform them of the individuals involved in the workplace incidents. Disclosure of the Banned Operators List 6 On or about 17 July 2019, unbeknownst to PBPL and without any authorisation from PBPL, PBPL’s WSHO sent the Banned Operators List to a private Whatsapp group comprising of workplace safety professionals in Singapore (the “Whatsapp Group”) along with the following Whatsapp message: “… [details of the incident]. Please look out for such operators in future at your site.” 7 The Complaints were filed with the Commission between 19 and 20 July 2019 after the Complainants came to know of the existence of the Banned Operators List and the fact that it was being circulated amongst those in the construction industry. 8 GCPL’s WSHO was a member of the Whatsapp Group. When GCPL’s WSHO received the Banned Operators List and message, he understood it to mean that the individuals listed in the Banned Operators List (i.e. the Complainants) were banned from working at the Geylang Worksite. As he oversaw the Clementi Worksite, he wanted to look out for the Complainants should they come onto the Clementi Worksite. 9 On or about 24 July 2019, GCPL’s WSHO sent the Banned Operators List to GCPL’s safety coordinator with instructions “to look out for these people and not to let them enter the Clementi worksite”. Specifically, GCPL’s WSHO instructed GCPL’s safety coordinator to print and paste a copy of the Banned Operators List in the guard room so that the security guards could keep a lookout for the Complainants. However, GCPL’s safety coordinator misunderstood these instructions. 
Instead of pasting a copy of the Banned Operators List in the guard room of the Clementi Worksite, the word “BANNED” was added as a header to the Banned Operators List and the list was pasted on the external façade of the Clementi Worksite where it was visible to all persons walking onto the Clementi Worksite (the “Poster”). 10 According to GCPL’s WSHO, he had not noticed that the Poster was pasted on the external façade of the Clementi Worksite as he usually drove into the worksite. While GCPL’s WSHO claimed to have only noticed the Poster on the external façade in late September 2019 and intended to remove it, GCPL only took down the Poster after the Commission notified it of the Complaints on or about 26 September 2019. The Poster had been displayed on the external façade for about 2 months. Findings and Basis for Determination 11 The issues to be determined in this case are: (a) whether PBPL is responsible for their WSHO’s disclosure of the Banned Operators List; (b) if PBPL is responsible, whether PBPL contravened its obligations under the Personal Data Protection Act 2012 (“PDPA”); (c) whether GCPL is responsible for their WSHO and safety coordinator’s collection, use, and disclosure of the Banned Operators List; and (d) if GCPL is responsible, whether GCPL contravened its obligations under the PDPA. Whether PBPL is responsible for their WSHO’s disclosure of the Banned Operators List 12 Under section 53(1) of the PDPA, any act done, or conduct engaged in by an employee in the course of his employment is treated as done or engaged in by his employer as well, regardless of whether it was done or engaged in with the employer’s knowledge or approval. Section 53(2) provides for a defence of reasonable diligence for offences under the PDPA, where the employer had taken reasonable steps to prevent or reasonably reduce the risk of the occurrence of the employee’s action or conduct that resulted in an unauthorised collection, use and/or disclosure of personal data. 
For investigations into breaches of the PDPA that are not offences — such as the present case — a similar standard of reasonable diligence may be applied by virtue of section 11(1) of the PDPA, by considering whether the organisation had acted reasonably in meeting its responsibilities under the PDPA. 13 In the present case, the Commission’s investigations found that PBPL’s WSHO was not acting in the course of his employment when he disclosed the Banned Operators List to the members of the WhatsApp Group: (a) first, even though PBPL’s WSHO compiled the Banned Operators List in the course of his employment, there was no evidence that PBPL had directed him to share the Banned Operators List in the WhatsApp Group. PBPL was not aware of the WhatsApp Group’s existence and did not know that their WSHO was a member of the WhatsApp Group; and (b) second, in sharing and disclosing the Complainants’ personal data in the Banned Operators List to the members of the WhatsApp Group, PBPL’s WSHO had disregarded his obligations of confidentiality under his employment contract: “You shall keep confidential and not, during your employment, directly or indirectly use, divulge, disclose or deliver to any person except as authorized or required by your duties, or by law, and term in this letter of any Confidential Information of the Company acquired by you in the course of your employment.” 14 Thus, given that PBPL’s WSHO acted outside of the course of his employment when he disclosed the Complainants’ personal data without their consent, section 53(1) of the PDPA does not apply and the WSHO’s actions cannot be attributed to PBPL. Accordingly, PBPL did not contravene its data protection obligations under the PDPA with regard to the disclosure of the Complainants’ personal data in the Banned Operators List. 
Whether GCPL is responsible for their WSHO and safety coordinator’s collection, use and disclosure of the Banned Operators List 15 Similar to PBPL, it is doubtful if GCPL knew of the existence of the WhatsApp Group or that its WSHO was a member thereof. GCPL’s WSHO probably also did not obtain the Banned Operators List in the course of his employment, since his participation in the WhatsApp Group was unsanctioned. However, the significant departure is that unlike PBPL’s WSHO, GCPL’s WSHO was acting in the course of his employment when he instructed GCPL’s safety coordinator to put up a copy of the Banned Operators List in the Clementi Worksite guardhouse. The use of the Complainants’ personal data was expressly professed to be for the purpose of screening and restricting the entry of the Complainants onto the Clementi Worksite. Similarly, GCPL’s safety coordinator was also acting in the course of his employment when he pasted the Poster on the external façade of the Clementi Worksite, thereby disclosing the Complainants’ personal data. 16 Accordingly, pursuant to section 53(1) of the PDPA, GCPL’s WSHO and safety coordinator’s collection, use, and disclosure of the Complainants’ personal data were the actions of GCPL for which it was responsible. Whether GCPL has contravened its obligations under the PDPA 17 Under section 13 of the PDPA, organisations are prohibited from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data, or the collection, use or disclosure without consent is authorised under the PDPA or any other written law (the “Consent Obligation”). 18 On the present facts, the disclosure of the Complainants’ personal data without their consent was not authorised under the PDPA or any other written law; nor could disclosure be supported by any extant exceptions for the Consent Obligation. 
It was clear from the facts that the Complainants had not voluntarily provided their personal data to GCPL. GCPL therefore needed to have obtained the Complainants’ consent before disclosing their personal data by pasting the Banned Operators List onto the façade of the Clementi Worksite. However, GCPL failed to do so. 19 While it is arguable that the use of the Banned Operators List within the guardroom and confined to the security personnel may have been acceptable, especially if the context of the information had been provided and clear instructions had been given that the Banned Operators List be restricted to private reference by security personnel on duty, the present case went beyond what a reasonable person would consider appropriate in the circumstances. The information came from an informal source – i.e. the WhatsApp Group – and GCPL made a decision to ban the Complainants from the Clementi Worksite on the basis of the Banned Operators List. These are decisions that GCPL may make as a private commercial enterprise. The Banned Operators List could have been handled more discreetly and used more responsibly. However, pasting it on the external façade of the Clementi Worksite such that it could be seen by any passer-by fell below the standard of reasonableness that is expected from GCPL. 20 In the circumstances, GCPL breached the Consent Obligation. 
The Deputy Commissioner’s Directions 21 In determining the directions, if any, to be imposed on GCPL under section 48I of the PDPA, I took into account the following mitigating factors: (a) the incident occurred because GCPL’s safety coordinator (who was a new employee at the time) misunderstood the instructions given to him; (b) the incident had originated from GCPL’s WSHO whose actions arose out of concern for the safety of the Clementi Worksite, in view of the alleged conduct of the Complainants, and in the interest of his employer; (c) there was limited disclosure of personal data of the Complainants and any disclosure would have been limited to those who entered the Clementi Worksite on foot; and (d) upon being notified of the Complaints, GCPL took prompt remedial action by removing the Banned Operators List poster from the Clementi Worksite. 22 Having considered all the relevant factors of this case, I hereby issue a Warning to GCPL. No further directions are necessary given the remedial actions that have already been taken by GCPL. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Warning,3df9d84ac2b94b9eceb608d856f98239db7a49bc,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,159,159,1,952,Telcos were not found in breach of the PDPA for charging subscribers for the provision of Caller Number Non-Display value added services.,"[""Consent"", ""Not in Breach"", ""Information and Communications"", ""Singtel"", ""Starhub"", ""M1""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---3-Telcos---06062019.pdf,Consent,No Breach of the Withdrawal of Consent Obligation by Telcos,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/no-breach-of-the-withdrawal-of-consent-obligation-by-telcos,2019-06-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 12 Case No DP-1609-B0229 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Starhub Mobile Pte Ltd 2. M1 Limited 3. Singtel Mobile Singapore Pte. Ltd. … Organisations DECISION Data protection – Consent obligation – Withdrawal of consent Starhub Mobile Pte Ltd, M1 Limited and Singtel Mobile Singapore Pte. Ltd. [2019] SGPDPC 12 Yeong Zee Kin, Deputy Commissioner — Case No DP-1609-B0229 6 June 2019. Background 1 The present matter arose from a complaint made by an individual mobile subscriber (“Complainant”), in relation to the current industry practice of mobile network operators charging for the provision of Caller Number Non-Display (“CNND”) services. The CNND service is offered on a per-line basis affecting all out-going calls made using a particular telephone number. When activated by a subscriber, the CNND service essentially prevents the subscriber’s telephone number from being displayed on call recipients’ devices. 2 The Organisations are the three mobile network operators in Singapore. 
They offer a range of telecommunication services to subscribers, in particular, mobile telephony services. They also offer CNND as an optional value-added service to their subscribers. All the Organisations share a common practice of charging subscribers for the provision of CNND services, although the precise charges differ from Organisation to Organisation. 3 The key question which has to be determined in this case is whether section 16 of the Personal Data Protection Act 2012 (“PDPA”) prohibits organisations from imposing charges for the provision of CNND services. The findings and grounds of decision based on the Commission’s investigation are set out below. Material Facts 4 The Complainant is an individual subscriber of StarHub Mobile Pte Ltd (“StarHub”)’s mobile services. He had written to StarHub to request the withdrawal of his consent to the disclosure of his telephone number to parties receiving his calls. 5 In response, the Complainant was informed by StarHub that, if he wished to prevent his telephone number from being displayed to call recipients, he would need to activate StarHub’s CNND value-added service. He was also informed that a one-time activation charge and monthly recurring charges were applicable. 6 The Complainant was not agreeable to pay the charges for activating the CNND value-added service. He expressed the view that, as he was exercising his right under the PDPA to withdraw consent to the disclosure of his personal data, he should not be required to pay any charges for the CNND value-added service in order to prevent his telephone number from being displayed to call recipients. 7 Against this backdrop, the Complainant raised this matter to the Commission. As the practice of charging for CNND services is common to all the Organisations, the Commission commenced an investigation into the practices pertaining to the CNND services of all three Organisations. 
Conveyance/withholding of calling party’s telephone number from recipient 8 In the course of its investigation, the Commission obtained a range of information from the Organisations pertaining to the manner in which a calling party’s telephone number is conveyed to a call recipient during a telephone call, as well as details pertaining to the implementation of the CNND value-added service. Investigations disclosed the following: (a) All mobile and fixed line operators in Singapore are interconnected using international telephony signaling protocols, e.g., signaling system no. 7 and session initiation protocol. Under the arrangements for interconnection adopted by the Organisations, a caller’s telephone number will be passed on by the caller’s network operator to the receiving network operator as part of the conveyance of a telephone call. (b) The transmission of the calling party’s telephone number by the calling party’s operator to the recipient’s operator takes place regardless of whether the calling party has activated CNND services. The calling party’s network does not remove the calling party’s telephone number from being transmitted. The difference in handling the caller’s number lies in indicators as to whether the phone number should be displayed or hidden from the recipient. (c) If the call recipient has activated caller ID (also known as caller line identity or “CLI”) services, the recipient operator’s network will forward the calling party’s telephone number to the recipient’s device. Otherwise, the calling party’s telephone number will not be forwarded to the recipient’s device, and the recipient’s device would not display the incoming caller’s telephone number. Currently, the vast majority of Singapore mobile subscribers have enabled CLI services. 
(d) The flow of the caller’s telephone number from the caller to the caller ID display at the call recipient’s device when the call recipient has activated the CLI services for his telephone line takes place in the following manner: (i) When the caller dials the call recipient’s telephone number using his phone, the call will be routed from the caller’s originating local exchange to the recipient’s local exchange, which could be in the same or different telecommunication company’s network, based on the preplanned call routing arrangement. The originating local exchange will be able to determine which telephone communications company the call recipient has subscribed to and will try to establish a call with the designated recipient’s local exchange through the adopted signalling protocols. (ii) If the call recipient’s telephone is connected to the call recipient’s telephone network, after the call is routed successfully, an acknowledgement awaits the call recipient to pick up the call, which is typically translated to the ringing of the telephone. At this stage, the caller’s telephone number is reflected on the call recipient’s telephone as caller ID display. The call is considered established after the call recipient picks up/accepts the call. (iii) Where the caller has activated CNND for his telephone line or where the call recipient has not activated CLI for his telephone line, the caller’s ID will not be shared with the call recipient. (e) The CNND services offered by the Organisations allow callers’ telephone numbers to be hidden from call recipients even if these call recipients have subscribed to caller ID services. The Organisations’ CNND services are based on recommendations promulgated by the Telecommunication Standardisation Sector of the International Telecommunication Union (“ITU-T”). 
In addition to per-line CNND, it is also possible to offer CNND on a per-call basis although the Organisations have not made CNND available on a per-call basis. Each of the Organisations imposes its own set of charges on its subscribers for the CNND service. Typically, the charges consist of a combination of a one-time activation charge and monthly recurring charges. (f) If a calling party has subscribed for CNND services, when a telephone call is initiated, the calling party’s network operator would transmit a CNND indicator, together with the calling party’s telephone number, through the originating telephone network to the recipient’s network operator. The function of the CNND indicator is to mark the caller’s telephone number as “Presentation Restricted”, which would notify the recipient’s network operator not to forward the calling party’s telephone number to the recipient’s device. (g) In order for the calling party’s telephone number to be withheld from the recipient, the recipient network operator’s cooperation is needed to honour the CNND indicator, by recognising the indicator and withholding the calling party’s telephone number from the recipient’s device. (h) As such, the successful withholding of the calling party’s telephone number from the call recipient is ultimately dependent on cooperation between the caller’s network operator and the recipient network operator. In this regard, the Commission understands that the Organisations have adopted common standards for CNND services, and as between themselves will typically honour one another’s CNND indicators. Findings and Basis for Determination 9 The key issue to be determined in this case is whether the Organisations have contravened section 16 of the PDPA by requiring individual subscribers to pay charges for the CNND value-added service, in order to withhold their telephone number from being disclosed to call recipients. 
10 In addressing the aforementioned key issue, it is pertinent to briefly address a couple of preliminary issues that were raised in the course of the Commission’s investigation into this matter, namely: (a) whether telephone numbers constitute personal data; and (b) whether express consent is required for the disclosure of telephone numbers to call recipients. Whether telephone numbers constitute personal data 11 In some of their representations to the Commission, the Organisations suggested that mobile telephone numbers do not constitute personal data for the purposes of the PDPA. In this regard, the Organisations asserted that a call recipient would not be able to identify a calling party simply by looking at the telephone number displayed. 12 I do not think that such an assertion accords with the definition of “personal data” under the PDPA. Section 2 of the PDPA defines “personal data” to mean: “data, whether true or not, about an individual who can be identified – (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access”. [Emphasis added.] 13 In relation to whether telephone numbers constitute personal data, the Commission has stated in the Advisory Guidelines for the Telecommunication Sector that: “Telephone numbers and International Mobile Equipment Identity (“IMEI”) numbers 2.3 Where an individual is identifiable from the data, such as a combination of the individual’s name, address and telephone number, then such data is personal data. 
In cases where the individual cannot be identified from that data alone (such as a device identifier in itself), such data may still be personal data if the organisation has or is likely to have access to other information that will allow the individual to be identified when taken together with that data… 2.4 In the telecommunication context, an individual’s mobile telephone number is likely to be personal data as it may uniquely identify, or be uniquely associated with, that individual…”1 [Emphasis added.] [Footnote 1: PDPC, Advisory Guidelines for the Telecommunication Sector at [2.3] – [2.4].] 14 Additionally, the Commission’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act also identifies personal mobile telephone numbers as a unique identifier, and hence personal data on its own: “Certain types of data can on its own, identify an individual, for instance biometric identifiers which are inherently distinctive to an individual, such as the face geometry or fingerprint of an individual. Similarly, data that has been assigned to an individual for the purposes of identifying the individual (e.g. NRIC or passport number of an individual) would be able to identify the individual from that data alone. Such data which, on its own, constitutes personal data, is referred to as “unique identifier” in these guidelines. Data that the Commission generally considers unique identifiers include: … Personal mobile telephone number …” 15 Mobile use in Singapore has grown in leaps and bounds. 
Just in terms of figures alone, there were altogether 8,381,900 mobile subscriptions in Singapore as of March 2018, and a mobile population penetration rate of 149.3%.2 It was also reported that 7 in 10 Singaporeans use social media on mobile, which, according to the survey, is double the global average.3 Given the multitudinous uses of mobile today, mobile numbers have increasingly been used as a form of identification or verification of individuals, including for online transactions, mobile payments, and social networking. This works on the general premise that an issued mobile number is unique, and no two same mobile numbers should be in operation at the same time. Hence, a mobile number acts as a unique address at which individuals may be contacted or receive messages or information on their mobile phones. In this regard, mobile numbers double up as a unique identifier of the individual. [Footnote 2: https://www.imda.gov.sg/industry-development-facts-andfigures/telecommunications/statistics-on-telecom-services/statistic-on-telecomservice-for-2018-jan] [Footnote 3: http://www.businesstimes.com.sg/consumer/7-in-10-singaporeans-use-social-media-onmobile-double-global-average-survey] 16 This role of a personal mobile telephone number as a unique identifier is further strengthened by the mobile telephone number portability policy such that an individual is able to retain and keep his mobile telephone number when he switches to another service provider. This is one of the reasons that caller ID is popular with mobile phone subscribers – a subscriber is able to identify the caller through the caller’s telephone number if the subscriber had programmed the caller’s telephone number in his telephone directory. 
17 Also, when one of the Organisations uses a subscriber’s personal mobile telephone number, for example to establish a telephone call or for logging call data for billing purposes, that Organisation is using that personal mobile telephone number as a unique identifier of the individual subscriber. 18 There is, however, a distinction between land lines and mobile telephone numbers. The foregoing discussion is concerned with mobile telephone numbers. A land line terminates at premises that are, more likely than not, shared: e.g. residence of a family or place of business of an organisation. It is in recognition of this key distinction that the aforementioned advisory guidelines limit their policy guidance to treating mobile telephone numbers as personal data without adopting a similar approach for land lines. Consumers and organisations also do not treat land lines as personal. 19 From the perspective of the call originating network, the Organisation transmitting its subscriber’s mobile telephone number will be transmitting personal data since it has full subscriber details. From the perspective of the recipient of the call, the reality today is that a significant number of calls will be matched with an address book entry in the recipient’s mobile phone and will thus identify the caller, or the recipient may recognise the number. Hence, I am satisfied that the guidance set out in the Advisory Guidelines referred to above would be applicable in the context of the present case, and that it would be entirely relevant and reasonable to proceed with the analysis in this case on the basis that subscribers’ mobile telephone numbers constitute personal data. 
Deemed consent for disclosure of subscriber identity to telephone call recipients 20 The Advisory Guidelines for the Telecommunication Sector sets out the following guidance in relation to consent and the withdrawal of consent for the disclosure of a subscriber’s telephone number to receiving parties:4 [Footnote 4: PDPC, Advisory Guidelines for the Telecommunication Sector at [3.8] – [3.11].] “Provision of subscriber identity for calls or text messages 3.8 Currently, when a subscriber who is an individual makes a telephone call or sends a text message, his telephone number (which may be personal data relating to him) would typically be disclosed to the receiving party and both the subscriber and receiving party’s telecommunication operators, unless the subscriber had chosen to have his telephone number ‘blocked’/ ‘unlisted’. Telecommunication operators may wish to obtain the consent of the individuals for the purpose of such disclosures to recipients of his calls and messages. 3.9 Even if the telecommunication operators do not obtain such actual consent, given established practice, the Commission is of the view that a subscriber who opts to have an ‘unblocked’/ a ‘listed’ telephone number would typically be aware that the telephone number would be collected, used or disclosed for the purpose of identifying that subscriber to other parties. Where the telephone number is personal data relating to a subscriber, a subscriber with an ‘unblocked’/ a ‘listed’ telephone number initiating a call or sending a message may be deemed to have consented to the collection, use or disclosure of the number for the purpose of identifying himself to the receiving party, since the subscriber would have voluntarily provided the data, and it would be reasonable for the subscriber to have done so. 
3.10 Conversely, a subscriber who has opted for a ‘blocked’/ an ‘unlisted’ number at the outset would not be considered to have consented to the collection, use or disclosure of the number for that purpose. A subscriber with an ‘unblocked’/ a ‘listed’ telephone number who subsequently applies to ‘block’/ ‘unlist’ that telephone number would be considered to have withdrawn consent for the collection, use or disclosure of that telephone number for the purpose of identifying himself to other parties when making a call or sending a message. 3.11 Where an individual subscriber is deemed to have given consent for disclosure of his telephone number by one telecommunication operator to another telecommunication operator for the purpose of identifying himself to the recipient of his call or message, consent may be deemed to have been given to the collection, use or disclosure of the telephone number by that other telecommunication operator for the same purpose. Alternatively, consent may not be required if the purpose for collection, use or disclosure of the personal data falls within an exception, such as when it is required or authorised under written law.” [Emphasis added.] 21 I understand that currently the Organisations obtain express consent from subscribers for the collection, use and disclosure of their telephone numbers for the purpose of identifying them to receiving parties. This is a good practice although, as the Advisory Guidelines for the Telecommunication Sector establish, not strictly necessary. 
A subscriber who has opted for an ‘unblocked’ or ‘listed’ telephone number may be deemed to have consented to the collection, use or disclosure of his telephone number for the purpose of identifying himself to recipients of his calls.5 [Footnote 5: Section 15(1) of the PDPA; and PDPC, Advisory Guidelines for the Telecommunication Sector at [3.9].] It naturally follows that the Organisations would be able to rely on deemed consent to collect, use or disclose the subscriber’s telephone number for the purpose of identifying the subscriber to call recipients. Whether the Organisations have contravened section 16 of the PDPA 22 Turning to the key issue raised in this case, section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to be given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose. 23 Section 16(3) of the PDPA is particularly relevant, and states that an organisation: “shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal”. [Emphasis added.] 24 Section 16(3) of the PDPA may be seen as comprising two limbs, namely that: (a) an organisation shall not prohibit individuals from withdrawing consent; and (b) any legal consequences arising from such withdrawal shall not be affected. 25 It is necessary to construe both limbs of section 16(3) of the PDPA holistically. While section 16(3) of the PDPA is clearly intended to ensure that individuals are not prohibited from exercising their right to withdraw consent, it also expressly preserves any legal consequences arising from such withdrawal. 
26 It is also pertinent to refer to section 11(1) of the PDPA, which imposes a general standard of reasonableness on organisations in meeting their responsibilities under the PDPA. Section 11(1) of the PDPA states: “In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.” 27 At this juncture, it should be highlighted that the provision of CLI services serves important societal purposes, including helping to reduce calls made to harass or scam individuals and to speed up law enforcement investigations where a caller’s telephone number is required for the purposes of criminal investigations. Additionally, given that most mobile telephone subscribers have CLI and that Over-The-Top telephone services such as calls made through smartphone applications do not provide the ability to the caller to mask his telephone number, the provision of CLI services has become a baseline expectation of all users of modern mobile telephone networks: call recipients expect to know the identity of the caller. Consumers’ expectations to be able to identify an incoming caller as a basic functionality is also clearly embedded into the design and manufacture of mobile phones as mobile phone manufacturers universally incorporate the ability to display caller ID as a basic and essential feature of modern mobile phones. This functionality is integrated with the contact list functionality such that display caller ID is matched with contact details whenever a call is received, and the caller’s name is displayed by the mobile phone when the call is connected. This modern convenience enables the subscriber to decide whether to answer the call from an identified contact; and some subscribers prefer not to take calls when the display caller ID does not match a known contact. 
28 Under the signaling standards adopted by fixed and mobile network operators in Singapore, a caller’s telephone number will be transmitted by the calling party’s network to the receiving party’s network by default as part of the conveyance of a telephone call. 29 In order for calling parties to withhold their telephone numbers from being displayed to call recipients (the vast majority of whom currently have caller ID enabled), action has to be taken on the part of the Organisations, in terms of transmitting and giving effect to the relevant “Presentation Restricted” indicator. 30 Against this backdrop, I understand from the Organisations’ representations that, for CNND services to be implemented and offered as an option to subscribers, the Organisations have had to invest in relatively complex IT systems which are, amongst other things, able to automatically and in real time instruct the mobile network to either implement or deactivate the CNND depending on whether the caller is a CNND subscriber and which would be able to manage the customer sign-up for CNND and the database of CNND customers. Regular and continuous tests and updates to the IT systems are also required to ensure that CNND continues to work accurately when there is an update to interconnected systems, whenever new handsets are introduced into the Singapore market by the Organisations, when new roaming partners are onboarded by the Organisations and when new technologies and platforms (such as VoLTE and VoWiFi) are deployed. 
31 Perhaps in a nod to the infrastructure investment and operational costs required in order to provide consumer choice in both CLI and CNND services, the International Telecommunication Union (“ITU”) provides charging principles for supplementary services such as for the charging of both CLI and CNND services, but has left it to individual member countries to formulate their own policy decisions with respect to charging for such services. The ITU is an agency of the United Nations specializing in information and communication technologies and, amongst other things, allocates global radio spectrum and satellite orbits. In its ITU-T Rec D.232, ITU provides for charging principles for supplementary services as follows: “2.1 Number Identification This subclause provides charging principles for the supplementary services, Calling Line Identification Presentation (CLIP), Calling line Identification Restriction (CLIR), Connected Line Identification Presentation (COLP), Connected Line Identification Restriction (COLR) and Malicious Call Identification (MCID). Detailed description of the services are provided in Recommendations 1.251.3 (CLIP), 1.251.4 (CLIR), 1.251.5 (COLP), 1.251.6 (COLR) and 1.251.7 (MCID). 2.1.1 Charging principles Innovation of the display or restriction service may be charged for by: a) Inclusion in the rental charges raised against customers; or b) The setting of a separate subscription charge; c) A per event charge; or d) Combinations of a) to c).” 32 Given established practice as discussed above and the inherent nature of a telephone call, whereby a calling party’s telephone number is by default transmitted to the recipient network operator and typically forwarded to the call recipient’s device, it would not be unreasonable for the network operator to charge a reasonable fee for the costs it incurs to provide the CNND and restrict the number from being disclosed to the call recipient. 
Also, given the competitive marketplace in the provision of telecommunications services in Singapore, market forces can be expected to determine the range of service charges that any of the Organisations will be able to impose for the CNND service. The relevant charges for the Organisations’ CNND services are publicly accessible and can be obtained by subscribers relatively easily, and any charges payable by individual subscribers to the Organisations for CNND services would have a legal basis stemming from the contract between subscribers and the Organisations. 33 In summary, users of modern mobile telecommunications services expect to be able to identify a caller and mobile telephone handset manufacturers have incorporated CLI as a basic and essential feature. CLI now plays a societal role, enabling consumers to order their private lives and exercise choice in how they wish to be contacted or to decline taking calls. In order to provide consumers with this choice, significant ongoing investment has to be made by the Organisations to maintain CNND services for its subscribers. The ITU also recognises that there may be a need to charge for both CLI and CNND services. In our domestic market, the price of these services is contained by competitive market forces. With the provision of CNND services as a value added service, consumers have access to a paid service to restrict the sharing of their personal mobile phone numbers. 34 Given the consumer expectations and reliance on CLI and how CLI is fundamentally embedded into the design and operation of mobile telephone systems and handsets, and the additional infrastructure investments and operational costs required to provide consumer choice for CLI and CNND, it is not unreasonable that the Organisations impose a reasonable charge for these services. 
I have no doubt that a reasonable person would consider it appropriate for the Organisations to charge a caller to prevent his telephone number from being displayed to the call recipient, failing which the Organisation may inform the subscriber that the Organisations are unable to provide the caller with telecommunications services if he wishes to withdraw such consent. An example which illustrates the application of this can be found in the Advisory Guidelines on Key Concepts in the PDPA, which states:6 “An individual wishes to obtain certain services from a telecom service provider, Operator X and is required by the telecom service provider to agree to its terms and conditions for provision of the services. Operator X can stipulate as a condition of providing the services that the individual agrees to the collection, use and disclosure of specified types of personal data by the organisation for the purpose of supplying the subscribed services. Such types of personal data may include the name and address of the individual as well as personal data collected in the course of providing the services such as the individual’s location data. The individual provides consent for those specified types of personal data but subsequently withdraws that consent. The withdrawal of consent results in Operator X being unable to provide services to the individual. This would in turn entail an early termination of the service contract. Operator X should inform the individual of the consequences of the early termination, e.g. that the individual would incur early termination charges.” [Footnote 6: PDPC, Advisory Guidelines on Key Concepts in the PDPA at [12.45].] 35 I am therefore of the view that the provision of CNND is less a means to withdraw consent for the disclosure of the caller’s personal mobile telephone number to the call recipient but rather a separate service to allow a caller to maintain anonymity. 
Accordingly, where an individual subscriber requests his telecommunications service provider to mask his telephone number when he calls another phone number, the Organisations are in compliance with section 16 if they inform the subscriber that he may do so by subscribing and paying for CNND services failing which the Organisation is unable to provide the telecommunications service to the subscriber. By doing so, the Organisations would have informed the subscriber of the legal consequences arising from such withdrawal pursuant to section 16(2) of the PDPA. 36 Having carefully considered all the relevant circumstances of the present case, and for the reasons set out above, I find that the Organisations have not breached section 16 of the PDPA in respect of the charges imposed on subscribers for providing CNND value-added services, and that no further action is required in this matter. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Not in Breach,d14207cb5ac452bf33a3e97f370a686be33c72ca,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,162,162,1,952,A warning was issued to H3 Leasing for disclosing personal data online without the consent of the individual concerned.,"[""Consent"", ""Warning"", ""Transport and Storage"", ""Vehicle rental""]",2019-06-06,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---H3-Leasing---06062019.pdf,Consent,Breach of the Consent Obligation by H3 Leasing,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-obligation-by-h3-leasing,2019-06-06,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 9 Case No DP-1803-B1859 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And H3 Leasing … Organisation DECISION H3 Leasing [2019] SGPDPC 9 Yeong 
Zee Kin, Deputy Commissioner — Case No DP-1803-B1859 6 June 2019 Background 1. The complaint concerns the disclosure of personal data without consent by H3 Leasing (the “Organisation”). The Organisation is in the business of rental of motor vehicles in Singapore. 2. The Complainant was a member of the public who had come across a post on social media by the Organisation disclosing scanned images of the NRIC of another individual (“Affected Individual”). The personal data disclosed by virtue of this comprised the full name, residential address, date of birth, NRIC number, NRIC photo and the thumbprint image of the Affected Individual (the “Personal Data Set”). On 8 March 2018, the Complainant filed a complaint with the Personal Data Protection Commission (the “Commission”) in relation to the disclosure of the Personal Data Set by the Organisation. 3. The key issue raised by the Complaint is whether the Organisation had the consent required under section 13 of the Personal Data Protection Act 2012 (the “PDPA”) to disclose the Personal Data Set of the Affected Individual in the manner and for the purposes which they did. 4. Following an investigation into the matter by the Personal Data Protection Commission, I found the Organisation in breach of section 13 of the PDPA. Material Facts 5. On 15 December 2017, the Affected Individual rented a motor vehicle from the Organisation. He voluntarily provided a copy of his NRIC and entered into an agreement with the Organisation for that purpose. 6. Subsequently, the Affected Individual went into rental arrears and ceased contact with the Organisation. The Organisation was unable to locate him or the motor vehicle and made a police report concerning the apparent disappearance of the Affected Individual and the motor vehicle. 
The Organisation subsequently disclosed images of the Affected Individual’s NRIC, which contained the Personal Data Set, through a public Facebook post to warn others about the Affected Individual and to solicit information from the general public on the whereabouts of the motor vehicle. Findings and Basis for Determination 7. Section 13 of the PDPA provides that an Organisation shall not collect, use or disclose personal data about an individual unless: (a) the organisation obtains the consent of the individual for the collection, use or disclosure of his personal data (in accordance with section 14 of the PDPA); (b) the individual is deemed to consent to the collection, use or disclosure of his personal data (in accordance with section 15 of the PDPA); or (c) collection, use or disclosure of his personal data is permitted or required under the PDPA or any other written law. 8. In this case, the rental agreement entered into by the Organisation and the Affected Individual did not specify any purposes for which the Organisation could disclose his personal data. There was no other document setting out such purposes and the Organisation admitted that it had not obtained the consent of the individual to disclose his personal data. As such, I find that the Organisation did not have consent for the disclosure of the Personal Data Set in the manner, and for the purposes, that it did. 9. It is also clear to me that none of the exceptions to consent in the Fourth Schedule to the PDPA permit such disclosure. The purposes of the Organisation in making the public Facebook post were to warn others about the Affected Individual and to solicit information from the public on the whereabouts of the missing vehicle. These matters do not fall within any of the exceptions in the Fourth Schedule. 10. One question which may arise is whether the Organisation could have relied on the exception to consent in paragraph 1(i) of the Fourth Schedule. 
That exception permits an organisation to disclose an individual’s personal data without consent where it is necessary to do so in order for the organisation to recover a debt owed by the individual to the organisation. In my view, disclosure of the Personal Data Set via a public Facebook post would be too broad a disclosure and would not be necessary for the purpose of recovering a debt. Furthermore, disclosure of the scanned image of an NRIC (with all the data therein) in such a manner would neither be necessary nor appropriate. 11. As regards deemed consent, although the rental agreement between the Organisation and the Affected Individual did not expressly specify the purposes for which the Organisation could collect, use or disclose the Affected Individual’s personal data, the Affected Individual had provided his personal data to the Organisation for purposes relating to the rental of the motor vehicle and deemed consent under section 15 of the PDPA would apply in respect of such purposes. The scope of deemed consent permits the Organisation to use and disclose the Affected Individual’s personal data to other allied service providers as necessary to provide the primary service of motor vehicle rental. However, in my view, these purposes would not extend to permitting the Organisation to disclose his full NRIC details on social media for the purpose of warning others about the Affected Individual or soliciting information from the public on the whereabouts of the missing vehicle. Accordingly, deemed consent under section 15 of the PDPA does not apply to the disclosure in this case. 12. In light of the above, I find that the Organisation had disclosed the personal data of the Affected Individual without consent and is therefore in breach of section 13 of the PDPA. Conclusion 13. 
In assessing the appropriate enforcement action in this case, I took into account the following: (a) The Organisation’s prompt action to remove the Personal Data Set from the public Facebook page; (b) The number of individuals affected; and (c) The impact of the breach. 14. Taking into account the factors listed above, I have decided to issue a warning to the Organisation for the breach of its obligation under section 13 of the PDPA. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Warning,975a9880e3865b938caf22061b31d292c5d3e479,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,163,163,1,952,German European School Singapore was found not to be in breach of the PDPA in relation to allegations that there was no consent given for the collection of its student’s hair sample for the purpose of drug testing.,"[""Consent"", ""Not in Breach"", ""Education"", ""Student""]",2019-06-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---German-European-School-Singapore---030619.pdf,Consent,No Breach of the Consent Obligation by German European School Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/no-breach-of-the-consent-obligation-by-german-european-school-singapore,2019-06-03,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 8 Case No DP-1712-B1471 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And German European School Singapore … Organisation DECISION German European School Singapore [2019] SGPDPC 8 Yeong Zee Kin, Deputy Commissioner — Case No DP-1712-B1471 3 June 2019. Background 1 This case concerns a complaint made by the father (the “Complainant”) of a student1 (“AB”) at the German European School Singapore (“GESS”). 
[Footnote 1: As this individual is a minor, his name and the names of his parents are omitted from this Decision.] The central issue raised in the complaint, in so far as it relates to the Personal Data Protection Act 2012 (“PDPA”), was that GESS had collected and used personal data of AB without valid consent in the course of conducting a random drug test. GESS has not denied that it had collected the personal data of AB but has asserted that it did so with valid consent. The brief facts of the case are as follows. 2 On 6 December 2017, AB was selected by staff of GESS for random drug testing and asked to provide a hair sample by cutting for the drug test. This was done in accordance with GESS’ internal procedures and pursuant to its school bye-laws which provided that it may conduct drug testing at random or in cases of “proven suspicion”. When the Complainant found out about this later that day, he immediately contacted the Principal of GESS via email to object to the test being done on his son. The complainant also requested that the results of the test be given to him in its unopened envelope, as received by the school. 3 In a turn of events, the drug test could not be conducted on AB’s hair sample as it apparently had not been stored correctly after it had been cut when it was sent to the overseas testing laboratory engaged by GESS to conduct the drug test2. Following the email correspondence between the Complainant and the Principal, the Complainant and his wife (“AC”) met with the Principal and other GESS staff on 12 December 2017 to discuss the matter. At the meeting, the Principal informed AB’s parents that AB was required to provide a second hair sample when he returned to school in January 2018. 
[Footnote 2: The drug test results on AB’s hair sample indicated “unable to complete” in respect of each of the drugs to be tested (listed in the results as cocaine, opiates, PCP, amphetamines and marijuana) and the reason stated was “INVALID SAMPLE – Flap A/B not sealed or improperly sealed.”] 4 The outcome of this discussion was that the Complainant and AC were informed by GESS during the meeting, and again by way of a letter dated 13 December 2017, that AB would be subject to immediate expulsion from the school if he did not provide a hair sample for the drug test on his first day back in school, or if the results of the test were positive. 5 The Complainant eventually sent another email to the Principal on 7 January 2018 which stated that he permitted AB to give the second hair sample, albeit under his “profound protest”. In reply to this email, the Principal reiterated GESS’ position that AB was required to give a hair sample for drug testing, failing which he would have to leave school. Thereafter, the Complainant sent a final email emphasising that he had permitted AB to give the second hair sample. 6 On 8 January 2018, AB, accompanied by AC, presented himself at the Principal’s office at GESS. AC agreed to AB providing his hair sample for the purpose of drug testing and the school’s first aid officer proceeded to take a hair sample from AB. 7 On 11 January 2018, the Complainant submitted his complaint to the Personal Data Protection Commission (“PDPC”) that GESS had collected and used personal data of AB without consent. The Complainant asserted that this was in contravention of sections 13 and 14 of the PDPA and that deemed consent (under section 15 of the PDPA) did not apply. 
The Complainant also asserted that GESS “expect[s] parents to consent to have their children randomly selected to take hair samples” and also that GESS “cannot argue that it is reasonable to do drugs testing in order to give a good education to its students”. 8 In its response to PDPC’s investigation into the matter, GESS sought to rely on agreements entered into between GESS and AC in 2006 and 2011. GESS also sought to rely on the Complainant’s correspondence with the Principal and AC’s verbal statements on 8 January 2018 to assert that the Complainant and AC had provided their consent for the collection of AB’s personal data. GESS also made various representations concerning the reasons for its drug testing policy. The Deputy Commissioner’s Findings What is the personal data that is the subject of the complaint? 9 In his complaint, the Complainant raised the possibility of AB’s hair sample being part of his personal data, apparently on the basis that a hair sample contains DNA.3 In this case, GESS had not collected the hair sample for DNA testing and would not have obtained any information concerning AB’s DNA. 10 Nevertheless, the intention was to obtain through chemical analysis information about whether the individual had consumed controlled drugs by identifying traces found in the hair sample. It is this personal data that is the subject matter of the complaint. Further, it is clear that the hair sample was collected for drug testing and there would be a report produced by the testing laboratory which indicated the outcome of the test. The hair sample was sent to the testing laboratory on a “no-names” basis, that is, without identifying the individual to whom the sample belonged. As such only GESS was able to match the drug test results with the student who had given the hair sample. What are the requirements for obtaining consent for the collection and use of personal data under the PDPA? 
11 Section 13 of the PDPA allows an organisation to collect, use or disclose personal data with the individual’s consent unless an exception applied. Consent may be given by the individual or any person validly acting on behalf of the individual: section 14(4). However, section 14(2) read with section 14(3) invalidates any consent which requires an individual to give consent as a condition of providing a product or service, beyond what is reasonably necessary in order to provide the product or service. Section 15 of the PDPA contemplates the possibility that an individual may be deemed to have given consent through his voluntary act of providing personal data to the organisation for specific purposes. While section 16(1) of the PDPA provides an individual may, at any time on giving reasonable notice to the organisation, withdraw any consent given, or deemed to have been given. Finally, organisations are held to a reasonable standard in meeting their responsibilities by virtue of section 11(1) of the PDPA. [Footnote 3: The Complainant stated in the third paragraph of the details of the complaint, “… I realised that a hair sample contains DNA, and therefore qualifies as data in the list of examples you listed – which included DNA sample and Iris scans”.] 12 As there are no written laws which require or authorise the collection of personal data without consent as in the circumstance of this case, GESS must therefore have either obtained consent under the PDPA for the collection and use of AB’s personal data or AB must be deemed to have consented to such collection and use. For the purposes of this case, I would like to highlight the following principles which would apply under the PDPA: (a) The term “consent” under sections 13 and 14 – in contrast with “deemed consent” under section 15 – is not defined in the PDPA. In general, consent refers to any agreement to, or acceptance of, the matter which is being consented to. 
(b) The PDPA does not specify any particular manner in which consent is to be given under sections 13 and 14 of the PDPA. It is trite law that consent may either be express or implied: (i) Express consent refers to consent which is expressly stated in written or verbal form. (ii) Implied consent refers to consent which may be inferred or implied from the circumstances or the conduct of the individual in question. Thus Black’s Law Dictionary (10th edition) defines “implied consent” as: “1. Consent inferred from one’s conduct rather than from one’s direct expression. – Also termed implied permission. 2. Consent imputed as a result of circumstances that arise, as when a surgeon removing a gall bladder discovers and removes colon cancer.” Likewise, in the High Court case of Samsonite IP Holdings Sarl v An Sheng Trading Pte Ltd [2017] 4 SLR 99 which involved, amongst others, the question of whether certain backpacks were “put on the market with the [trade mark] proprietor’s express or implied consent (conditional or otherwise)” within the meaning of section 29 of the Trade Marks Act (Cap 322), George Wei J observed at [113] that: “The notion of “implied consent” is a more difficult concept to grapple with [as compared to express consent], especially in terms of its application. In general, it can be characterised as consent which is not expressly granted by the proprietor, but rather inferred from his actions and/or the facts and circumstances of a particular situation.” In contrast to consent deemed by operation of law under section 15, this is a form of actual consent where the individual does, in fact, consent to the collection, use and disclosure of his personal data (as the case may be) although he has not expressly stated his consent in written or verbal form. 
It is a concept that is more expansive and malleable than deemed consent as its ambit is defined by the circumstances and conduct of the individual; but is necessarily more restricted in scope than express consent which is an expression of agreement of the range of purposes contemplated by the organisation to which the individual agrees or accepts. (Parenthetically, the expansive scope of express consent is circumscribed by the requirement of reasonable appropriateness under section 18.) (c) For both of the above modes of giving consent to be effective under the PDPA, the requirements of section 14(1) of the PDPA must be met. For example, the individual must have been notified of the purposes for the collection, use or disclosure (as the case may be) of his personal data.4 In comparison, deemed consent under section 15 does not require that the individual must have been notified of such purposes: section 20(3)(a) of the PDPA. It suffices that the individual provided personal data for a purpose which may, or ought to, be known to the individual, or inferred from the surrounding circumstances. [Footnote 4: An example of this is where an individual presents a credit card or charge card for the purpose of making payment for an online purchase. The individual expressly consents to the issuer bank collecting, using and/or disclosing his payment details to process his purchases. Deemed consent covers the disclosure of his payment details by the merchant to its acquiring bank. Implied consent enables the multiple layers of disclosure and use of his payment details by the financial institutions participating in the card scheme during the course of processing the payment. The concepts of deemed and implied consent operate in a mutually exclusive manner but may be daisy-chained.] (d) Where an individual has given express or implied consent in the circumstances specified in section 14(2) of the PDPA (see 
above), such consent would be invalid. As stated in the Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) (at [12.15] to [12.16]): “12.15 Section 14(2) of the PDPA sets out additional obligations that organisations must comply with when obtaining consent. This subsection provides that an organisation providing a product or service to an individual must not, as a condition of providing the product or service, require the individual to consent to the collection, use or disclosure of his personal data beyond what is reasonable to provide the product or service. The subsection also prohibits organisations from obtaining or attempting to obtain consent by providing false or misleading information or using deceptive or misleading practices. 12.16 Section 14(3) provides that any consent obtained in such circumstances is not valid. Hence an organisation may not rely on such consent, and if it collects, uses or discloses personal data in such circumstances, it would have failed to comply with the Consent Obligation.” (e) Where an individual has given express or implied consent under the PDPA, deemed consent would not arise under section 15 of the PDPA. This is in view of the words in section 15(1)(a) which state that deemed consent may arise where the individual “without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation …”. Consent obtained by GESS – Implied Consent 13 After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, I am of the view that GESS had obtained the necessary consent for the collection and use of AB’s personal data in connection with the drug test conducted on his hair sample. Notification of purpose 14 As with other schools, GESS has in place various school rules and policies which it has established. 
Specifically, in relation to drug testing, paragraph 5.8 of the Respondent’s School Bye-Law (“Bye-Law 5.8”) states as follows: “5.8 Drug Testing The School shall conduct drug tests on students of Form 7 and above in cases of proven suspicion, as well as, at random. The Principal shall decide on the procedures of the test. If and when the first test shall be positive, and this is confirmed by a second test taken within a reasonable time-span, the respective student shall be expelled from the school immediately.” 15 These bye-laws are made available to parents when they enrol their children in the school and are also available on GESS’ website through a parents’ portal set up by the school. 16 When considering Bye-Law 5.8, I note that it expressly states the outcome of a positive test, which is that the student in question will be expelled from the school. I am of the view that Bye-law 5.8 sufficiently specifies the purposes for which the drug test results would be used. Accordingly, I find that Bye-Law 5.8 has met the requirements of the PDPA in terms of notifying the individuals concerned of the purposes for the collection and use of their personal data. 17 During investigations, GESS sought to rely on the following documents to substantiate its assertion that it had obtained written consent for the collection and use of AB’s personal data: (a) An agreement entered into by AC on 20 March 2006 to abide by the terms of GESS bye-laws (including Bye-Law 5.8) (the “2006 Agreement”). (b) An information letter provided to parents of GESS’ students, including AC, on 31 October 2011 which included a reference and a link to GESS’ bye-laws and which was accepted by AC on 1 November 2011 (the “2011 Information Letter”). 18 The documents relied upon by GESS do not contain any express consent clause for the collection and use of personal data. This is unsurprising given that those documents predate the enactment of the PDPA. 
It is notable in this case that GESS had implemented a data protection policy following the enactment of the PDPA and it provided for express consent to be obtained for collection and use of various items of personal data for various purposes. However, GESS’s data protection policy does not cover personal data collected for the purpose of drug testing and accordingly they have not sought to rely on their data protection policy in this case. 19 The 2006 Agreement comprises a set of documents entitled “Part 4 – Admission Forms” which were signed by the Complainant’s wife on 20 March 2006. In particular: 20 Part 4.2 (entitled “Application Form”) included the following paragraph which was signed and agreed to by the Complainant’s wife: “I/We the undersigned request the enrolment of my/our child/ward/employee in accordance with the terms, conditions and the school rules of the German European School Singapore. I certify that all particulars furnished in this application are complete and accurate to the best of my/our knowledge, and that I/we will notify the School of any changes immediately. I/We acknowledge that the School is considering the application on the basis of the information I/we have provided.” 21 Part 4.6 (entitled “Confirmation of Receipt of Documents”) included the following, which was also signed and agreed to by the Complainant’s wife: “By signing this confirmation, I/we hereby confirm that I/we have received the documents listed and that I/we agree to abide by their terms, and where appropriate make my/our child aware of their content.” Title of Document School rules Constitution of the School Association School Fee Bye-Law Terms and Conditions of Payments Fees Bye-Law School Bye-Law Governing the Education Principles (emphasis added) 22 The 2011 Information Letter is a letter dated 31 October 2011 which had been sent by GESS to parents of its students. 
This letter informed parents of certain changes to their Terms and Conditions. These Terms and Conditions were found in a document entitled “Statutory Information” which included the school bye-laws. The following confirmation to the 2011 Letter was signed by AC on 1 December 2011: “I acknowledge receipt of the German European School Singapore Updated Terms and Conditions August 2011 and agree to accept the terms stated therein.” In my view, both the 2006 Agreement and the 2011 Information Letter each serve as sufficient notification under the PDPA, since, as noted above, Bye-Law 5.8 sufficiently identified the purposes for which students’ personal data (namely drug test results) were to be collected. 23 In the circumstances, I am of the view that AB’s parents had access to GESS’ school bye-laws and hence had been notified of the purposes for the collection and use of AB’s personal data in connection with the random drug testing administered by GESS. Actual and/or implied consent (by conduct) to the collection of personal data in drug test results 24 GESS raised a number of specific instances where the Complainant and/or AC were alleged to have given their consent in written or verbal form, which I am satisfied to be the case on a review of the documents. Additionally, I am of the view that there is a more general principle that applies in this case. As the school’s bye-laws were made available to parents, they must be taken to have agreed to enrol their children in the school on that basis. This is certainly the case in the present matter as AB has been enrolled in GESS for more than 10 years. 25 I find that his parents’ decision to enrol him, and to continue having him enrolled in the school for a substantial period, amounts to an acceptance of the school’s bye-laws, including Bye-law 5.8. 
This constitutes implied consent for the purposes of the PDPA and, as it was validly given by AB’s parents, amounts to consent by AB pursuant to section 14(4) of the PDPA. A similar view was taken by the court in GBN v GBO [2017] SGDC 143 with respect to a school’s confiscation of its student’s mobile phone in accordance with its school rules. In that case, the school in question had confiscated the student’s mobile phone as the student was found to have used the phone in contravention of the school’s rule on mobile phones. The said rule further provided that the school will only return mobile phones which had been confiscated after a period of three months. The father of the student commenced court proceedings against the school alleging that the school’s confiscation of the phone amounted to the tort of conversion. The court in GBN, in dismissing the father’s proceedings, held: “I also disagree with the plaintiff’s assertion that he is not bound by the school rules. The plaintiff does not deny knowledge of the Phone Rule or the 3 January Letter. If the plaintiff took issue with the Phone Rule, the plaintiff could have enrolled his son in another school. Surely, as the defendant counsel submitted, by continuing to let his son study at the School, the plaintiff would have either expressly or impliedly agreed that his son would abide by the School’s disciplinary policies and rules.” 26 Similarly, by continuing to keep AB enrolled at GESS, the Complainant and AC have either expressly or impliedly agreed that AB would abide by the School Bye-laws. 
Actual consent when AB provided his hair sample for the purposes of drug testing and collection of personal data 27 At this juncture, I should deal with the Complainant’s email of 7 January 2018 wherein he provided consent under protest for AB to undergo drug testing: “My principled objections to random drugs testing, as explained in my previous email […] remain unchanged, but my son’s continued education at a school we otherwise like is more important, so [AB] will report to the front desk on Monday, under profound protest from my side: It is my view that parents are ultimately responsible for their children’s upbringing, and that we should be asked explicitly for consent to a policy that: • invades our child’s privacy • has no relation to his performance, attitude, and behaviour at school • has been ruled illegal in Europe. Specifically, every parent should have the right to deny consent without any adverse impact on their child’s school experience.” (Emphasis added) 28 The Complainant’s 7 January 2018 email makes it clear that he agreed to allow AB to provide GESS with his hair sample for the purpose of the drug test in view of his continued desire for AB to remain and continue with his education at the school. Presumably, the purpose of giving consent under protest is to record the Complainant’s objections to GESS’ policy on random drugs testing on principle. His email is premised on his “principled objections to random drugs testing” and that parents ought to be able to deny consent without any adverse impact on the child’s school experience. The Complainant’s protest does not and cannot be taken to mean that he is giving notice that he intends to challenge GESS’ collection of personal data on the basis that his agreement under protest, without more, prevents such collection of personal data. 
This is made clearer on a review of the correspondence between GESS and the Complainant following the Complainant’s said e-mail. 29 In response to the Complainant’s email of 7 January 2018, GESS replied on the same day as follows: “Dear [redacted], Thank you for your mail. Our position has not changed. [AB] will not enter a classroom without giving a hair sample before doing so. If he is unwilling to cooperate, he has to leave school at once. As you know. We (sic) are a private school and we have no obligations whatsoever to keep students who do not follow our policies.” 30 The above email is presumably an attempt by GESS to make clear that AB would have to provide his hair sample without any condition or AB’s admission at the school would be terminated. This correspondence likely resulted from the uncertainty of the Complainant’s intention in agreeing to AB giving his hair sample under protest. 31 The Complainant then responded as follows: “Dear [redacted], In your letter (attached), you asked [AB] to report to the front desk, and in my email this morning, I write to you that [AB] will do exactly that (albeit under my official protest, as stated). So I am not sure why I receive this reply from you.” 32 This makes it clear that the Complainant agreed to AB providing GESS with the hair sample, although the Complainant was clearly displeased about having to do so. Accordingly, AB presented himself later that day and underwent the collection of the hair sample for drug testing. In this regard, I note that GESS had asserted that AC also gave verbal consent when she accompanied AB to school on 8 January 2018. 33 The Complainant seeks to keep AB in GESS while cherry picking from its bye-laws those that he does not wish to abide with. Bye-laws play an important role in shaping conduct within an organisation. 
In an educational institution like a school, it is untenable that parents are able to cherry pick from its bye-laws in order to create a customised set of rules for their child. The Organisation has the prerogative to justify that its bye-laws are reasonably necessary for maintaining conduct and discipline in the school, and to provide a safe educational environment. If the Complainant disagrees, it was always open to the Complainant or AC to have enrolled AB in another school which did not test its student for drugs. Accordingly, I find that GESS had obtained AB’s consent for the collection and use of his personal data as required under section 13 of the PDPA. In coming to this conclusion, I bear firmly in mind the fact that AB’s parents had not formally objected to the collection and use of AB’s personal data until after he had been selected for random drug testing, even though he had been receiving his education in GESS for over a decade and AC had, as a staff member of GESS, known of the annual random drug tests that GESS conducts pursuant to its bye-laws. Reasonableness - GESS’ collection of personal data found in AB’s drug test results is not beyond what is reasonable for GESS to provide education services to AB 34 The Complainant also raised the issue that even if consent had been obtained by GESS, such consent would be invalid on the basis of section 14(2)(a) read with section 14(3) of the PDPA. 35 Broadly speaking, GESS is providing education services to AB and it is clear that GESS did not permit AB to be exempt from the random drug testing when he was selected. To the contrary, GESS clearly informed AB’s parents that he would be expelled from the school if he did not provide a hair sample and submit to the drug testing. 
Also, as set out above in paragraphs 13 to 23, the Complainant had access to the School Bye Laws and had been notified about the school’s random drug testing policy since at least by 20 March 2006 when AC entered into the 2006 Agreement with the school. In the context of the PDPA, this also amounts to a requirement that AB consent to the collection and use of his personal data (namely the drug test results, as stated earlier) by GESS for the purposes provided in Bye-Law 5.8. The question therefore arises as to whether GESS’ requirement for consent is beyond what is reasonable for the provision of education services by GESS to AB. 36 On this issue, I note that GESS asserted that the drug testing policy is instituted for a purpose which was reasonable and appropriate in the circumstances. In this regard, GESS stated the following in its response to PDPC: “With regard to query 5(g)[5] of the Notice, the basis of GESS’ belief is as follows: i. GESS is registered as a society with its objectives and powers set out in its constitution; ii. GESS has an open, long-standing, and firm policy on maintaining itself as a drugs-free institution; iii. In furtherance of this objective, GESS exercised its powers under its constitution to institute policies and bye-laws, including its drug policy; iv. As a school, GESS places paramount importance on the safety and welfare of its students, including maintaining itself as a drugs-free institution; v. GESS’ drug policy is made known to and consented to by its students and/or their parents; and vi. GESS has in place clear guidelines and confidential procedures in implementing drug testing…” 37 GESS also asserted that the German Embassy of Singapore supported drug testing in schools and, in this regard, provided PDPC with a copy of a letter from the German Embassy of Singapore to the Respondent dated 1 March 2004 (in German together with GESS’ translation). 
[Footnote 5: Query 5(g) refers to PDPC’s query on the basis of GESS’ assertion that their drug testing policy was instituted for a purpose which was reasonable and appropriate in the circumstances.] GESS’ translation of the German Embassy’s letter states that: “The foreign federal office makes the following statement regarding the intention to conduct drug testing at the German School Singapore and regarding the changes of the school byelaws: The Consideration of the German School Singapore, similar to other German schools abroad especially in the Asiatic region to introduce drug testing, has been welcomed. The German schools abroad develop their school regulations on the basis of the guideline of the standing conference of the ministers of education and cultural Affairs"" (KMK) dated 15.01.1982. Under this directive, schools are taking action to promote and ensure health care, including drug prevention. A coordination with the funding German authorities is not intended. With the enrolment of their child, the parents/guardians acknowledge the school regulations, and therefore also the provisions on health care and any regulations on drug prevention. The prerequisite for the introduction of a drug test policy is ... these procedures shall be embedded into an overall pedagogical concept to drug prevention. If such a concept is not included elsewhere in the school regulations, schools are requested to do so without further delay. For this purpose, the exchange of experience with other schools of the region in particular the German School Beijing is recommended, as they have included a drug policy as annex to their school regulations to, inter alia, “save their students from addiction, keep the school free from addictive substances and to support students who are at risk of being addicted and their guardians to get away of the addiction, if necessary.” The German School Tokyo have similar plans. 
The background to such an overall pedagogical approach to drug prevention is the understanding of drug prevention as an educational task and not only as measurement to identify drug users.” (Emphasis added) 38 As a general principle, schools have various responsibilities in relation to their students and these may extend beyond a purely pedagogical role. For example, they would also be responsible for ensuring the health and safety of students in the school environment. Hence, I am of the view that schools are best placed to determine the appropriate school rules and bye-laws to establish in order to discharge their various responsibilities and create an environment that is conducive to meet the educational needs of their students. This may include implementing a policy which requires drug tests for certain students or in certain circumstances to ensure a safe environment and to detect behaviour and habits that may affect a student’s scholastic performance. I am fortified by the views of the court in GBN where the court found that a school had the authority to implement and enforce school rules to maintain the discipline of its students as set out above at paragraph 25. Just as in GBN, it was open to the Complainant in this matter to take AB out of GESS and enrol AB in another school. 39 It should also be highlighted that it was open to the Complainant to withdraw his consent on giving reasonable notice to GESS by virtue of section 16 of the PDPA. Had the Complainant withdrawn this consent, GESS would have had to inform the Complainant of the likely consequences of withdrawing the consent: section 16(2). Section 16(3) of the PDPA safeguards the Complainant by ensuring that GESS cannot prohibit his withdrawal of consent; but the Complainant will have to live with any legal consequences arising from such withdrawal, which in this case means that he has to take AB out of GESS and enroll him in another school. 
The application of these principles had been illustrated in the Advisory Guidelines on Key Concepts in the PDPA (at [12.45]): “An individual wishes to obtain certain services from a telecom service provider, Operator X and is required by the telecom service provider to agree to its terms and conditions for provision of the services. Operator X can stipulate as a condition of providing the services that the individual agrees to the collection, use and disclosure of specified types of personal data by the organisation for the purpose of supplying the subscribed services. Such types of personal data may include the name and address of the individual as well as personal data collected in the course of providing the services such as the individual’s location data. The individual provides consent for those specified types of personal data but subsequently withdraws that consent. The withdrawal of consent results in Operator X being unable to provide services to the individual. This would in turn entail an early termination of the service contract. Operator X should inform the individual of the consequences of the early termination, e.g. that the individual would incur early termination charges.” 40 Clearly, the above finding is limited to the facts in this case and should not be taken as a general ruling that an organisation can in all cases justify a claim that it cannot provide services to an individual if the individual does not consent to the collection, use or disclosure of personal data. Any such finding is fact and context specific and must meet the same reasonableness test as set out at section 14(2)(a) and which is discussed above at paragraphs 35 to 38. 
Reasonableness – a reasonable person would consider it appropriate in the circumstances for GESS to obtain a hair sample from AB by cutting his hair 41 Apart from whether consent to random drug testing in order to receive education from a school is reasonable, there is the related question whether the collection of personal data through the provision of hair sample by cutting is a reasonably appropriate means of implementing the random drug test policy. Section 11(1) of the PDPA imposes a general standard of reasonableness on organisations in meeting their responsibilities under the PDPA: “In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.” 42 To my mind, obtaining a hair sample by cutting in order to perform drug testing does not appear to me to be particularly invasive or unreasonable. Hair tests are contemplated in our anti-drug abuse laws as means of detecting suspected drug consumption: see section 31A of the Misuse of Drugs Act. Also, obtaining a hair sample by cutting a few strands of hair is not invasive and does not ordinarily cause pain. I acknowledge that the random drug testing policy by GESS and the mandatory regime under the Misuse of Drugs Act are very different, and take care to emphasise that I refer to the Misuse of Drugs Act only to highlight that taking a hair sample to test for drug consumption is an acceptable method. 43 Accordingly, I find that the collection and use of AB’s personal data in the circumstances of this case is not beyond what is reasonable for GESS to provide education services to AB and the collection of personal data through hair samples is a reasonably appropriate means to do so. As GESS has not contravened section 14(2) of the PDPA, section 14(3) does not apply and the consent obtained by GESS remains valid. 
The Deputy Commissioner’s Decision 44 In the circumstances, I find that GESS is not in breach of sections 13 and 14 of the PDPA as they had obtained consent for the collection and use of AB’s personal data and this consent was valid and subsisting at the relevant time. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION 21 ",Not in Breach,987d60071fb1ca62d5f365695fbcb87e5d8703f3,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,175,175,1,952,A warning was issued to Big Bubble Centre for disclosing personal data online without the consent of the individuals concerned.,"[""Consent"", ""Warning"", ""Arts, Entertainment and Recreation"", ""Scuba diving""]",2018-11-28,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Big-Bubble-Centre---281118.pdf,Consent,Breach of the Consent Obligation by Big Bubble Centre,https://www.pdpc.gov.sg/all-commissions-decisions/2018/11/breach-of-the-consent-obligation-by-big-bubble-centre,2018-11-28,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 25 Case No DP-1802-B1770 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Big Bubble Centre … Organisation DECISION Big Bubble Centre [2018] SGPDPC 25 Big Bubble Centre Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1770 28 November 2018 1. The circumstances which led to the complaint over Big Bubble Centre’s (the “Organisation”) actions is a common one in today’s social media age. It usually starts with a dispute between an individual and an organisation and quickly escalates from there. One party expresses unhappiness with the other on social media and the other party then responds on social media to defend themselves. During the exchange, personal data is disclosed and is accessible to all and sundry. 
The approach of the Personal Data Protection Commission (“PDPC”) in such cases has been stated in Re My Digital Lock Pte Ltd [2018] SGPDPC 3 and Re M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and that approach has been followed in this case. 2. The Organisation is a sole-proprietorship in the scuba-diving services business. The Complainant is an ex-employee of the Organisation. 3. The key issue is whether by using the personal data, the Organisation has: a) breached its obligation under section 13 of the Personal Data Protection Act 2012 (“PDPA”) to obtain valid consent before disclosing personal data; or b) breached its obligation under section 18 of the PDPA to only use and disclose personal data for purposes (i) that a reasonable person would consider appropriate in the circumstances; and (ii) that the data subject has been informed of. Material Facts 4. The Complainant and the Organisation had a contractual dispute in which the Complainant claimed that the Organisation had failed to pay his wages. The Complainant resigned and took dive equipment which he claims to have paid for. 5. The Organisation, however, refutes these claims and says that they withheld $600 from the Complainant as the Complainant owed the Organisation $850 for participating in and logging dives organised by the Organisation with the aim of the Complainant obtaining the PADI Dive Master Certification. Also, the Organisation alleges that the Complainant did not pay for the dive equipment that he took and instead stole the said equipment together with the Organisation’s documents. Accordingly, the Organisation has filed a police report against the Complainant for the alleged theft. 6. The above contractual dispute and allegations of theft are beyond the remit of the Personal Data Protection Commission (“PDPC”) and I do not make any findings in respect of the above. 
It is the actions of the Organisation and the Complainant subsequent to the submitting of the police report that concerns the PDPC. According to the Complainant, the Organisation had sent text messages to some of its customers informing them of their allegations against the Complainant. 7. In February 2018, the Complainant wrote a Facebook post detailing his unhappiness with the Organisation and its sole proprietor. The crux of his post was that he felt cheated because the Organisation did not pay his salary and made a police report against him although he did his best as an employee. He also warned other divers from joining the Organisation. 8. The Organisation responded with two Facebook posts of its own, which were posted on the Facebook pages of the sole-proprietor (ie his personal Facebook page) and a public group for scuba divers. The crux of these posts was that the Complainant owed the Organisation money for participating in dives organised by them, that they had given him a large discount to participate in the dives, that they had given the Complainant diving experience that no one else would give him and that the Complainant stole diving equipment as well as a customer database and the Organisation’s delivery documents. 9. The Organisation also disclosed the following personal data in these posts: (a) the Complainant’s name, NRIC number, date of birth, passport number and expiry date, mobile phone number, email address and residential address; and (b) the name and residential address of the Complainant’s female friend as well as the make of her car (collectively, the “Personal Data Sets”). It is undisputed that the Personal Data Sets were in the Organisation’s possession and that the Organisation had obtained them from the Complainant when he was employed by the Organisation. Did the Organisation comply with sections 13 and 18 of the PDPA? 10. 
Subject to certain exceptions,1 in accordance with section 13 read with section 14 of the PDPA, organisations may only collect, use or disclose personal data about an individual with the consent of that individual (the “Consent Obligation”). It is undisputed that the Organisation had not explicitly obtained the Complainant’s consent to disclose the Personal Data Sets in the manner above or notified him, as required under section 20 of the PDPA, that his personal data would be disclosed in such manner. [Footnote 1: Pursuant to section 17 of the PDPA read with the Second, Third and Fourth Schedule of the PDPA.] 11. In Re M Star Movers, the position I took was as follows: “18. The Deputy Commissioner advises caution in disclosing personal data when responding to public comments. An organisation should not be prevented or hampered from responding to comments about it using the same mode of communications that its interlocutor has selected. In some situations, it may be reasonable or even necessary to disclose personal data in order to advance an explanation. An individual who makes false or exaggerated allegations against an organisation in a public forum may not be able to rely on the PDPA to prevent the organisation from using material and relevant personal data of the individual to explain the organisation’s position on the allegations through the same public forum. 19. The following observations may be made in this context about the approach that the Commission adopts. First, the Commission will not engage in weighing allegations and responses on golden scales in order to establish proportionality. The better approach is to act against disclosures that are clearly disproportionate on an objective standard before the Commission intervenes in what is essentially a private dispute…” 12. In the present case, the Organisation’s disclosure of personal data is clearly disproportionate on any objective standard. 
I can conceive of no legitimate reason for the Organisation to disclose the Complainant’s NRIC and passport number in order to defend itself against the Complainant’s allegations. Neither can I see the relevance of disclosing the name and residential address of the Complainant and the make of the car owned by the Complainant’s friend to the dispute over salary and dive equipment. 13. While it is understandable how such excessive disclosure of personal data could have been made when penning social media posts in the heat of the moment, such conduct is nevertheless inexcusable. Let this be a caution against wielding one’s pen in anger during the heat of altercation. 14. I thus find that the Organisation’s disclosure of the personal data of the Complainant and his friend was done without consent and is in breach of section 13 of the PDPA. Actions taken by the Commission 15. As at 15 March 2018, the Facebook posts had been removed. Upon being contacted by the Personal Data Protection Commission, the Organisation’s sole-proprietor resolved to improve his awareness of the Organisation’s protection obligations under the PDPA. 16. Having considered these factors and the context in which the breach occurred, I have decided to issue a warning to the Organisation for breaching its obligations under section 13 of the PDPA, without further directions or imposing a financial penalty. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION 5 ",Warning,09ebd633a030b216def95af0bcc6a92e9d25d637,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,228,228,1,952,A financial penalty of $500 was imposed on a registered salesperson of a property firm for disclosing personal data of two of his landlord’s tenants to a third party tenant without consent.,"[""Consent"", ""Financial Penalty"", ""Others"", ""ESTATE"", ""Property"", ""SALESPERSON""]",2016-08-12,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---rsp-justin-chua-(120816).pdf,Consent,Breach of Consent Obligation by a Registered Salesperson,https://www.pdpc.gov.sg/all-commissions-decisions/2016/08/breach-of-consent-obligation-by-a-registered-salesperson,2016-08-12,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A247 CHUA YONG BOON JUSTIN [NRIC NO. REDACTED] ... Respondent Decision Citation: [2016] SGPDPC 13 GROUNDS OF DECISION 12 August 2016 A. INTRODUCTION 1. On 15 November 2014, the Personal Data Protection Commission (the “Commission”) received an email from [Redacted] (Replaced with Mr K) (the “Complainant”) regarding the unauthorised disclosure of personal data of his wife and himself by the property agent of his landlord following a dispute between the Complainant, the Complainant’s wife, and another tenant, [Redacted] (Replaced with Ms C). The Commission proceeded to investigate into the alleged breach of the Personal Data Protection Act 2012 (“PDPA”). Its findings into the matter are set out below. B. MATERIAL FACTS AND DOCUMENTS 2. The Complainant, his wife, and Ms C are tenants of a landed property. 
For the purposes of entering into the tenancy with the landlord, the Complainant and his wife had previously provided their names and NRIC numbers (amongst other personal data) to the registered salesperson1 (commonly known as a “property agent”) of the landlord, Mr Chua Yong Boon Justin (the “Respondent”). The Respondent was registered as a salesperson with Global Property Strategic Alliance Pte Ltd (“GPS”). The Respondent’s engagement as a salesperson with GPS was governed by a “Salesperson Agreement” dated 31 October 2011. [Footnote 1: Under the Estate Agents Act (Cap. 95A) (“EAA”)] 3. In or around November 2014, a dispute arose between Ms C and the Complainant and his wife over the usage of common space within the rented premises, and an argument had apparently ensued between the parties. The Respondent was not present during the argument. However, Ms C had informed him of the argument, and also requested the Respondent to provide her with the names and NRIC numbers of the Complainant and his wife so as to hold the Complainant “responsible” in the event that the Complainant had publicised the photos that were apparently taken in the course of the argument. The Respondent took this to mean that Ms C was prepared to lodge a police report over the matter. 4. The Respondent proceeded to provide Ms C with their full names and NRIC numbers. 5. According to the Complainant, the information was used to send an email to his employer casting allegations against him. There was, however, no proof or evidence of the email that was sent or the impact that the email had on his employment. 6. In response to the Commission’s queries on this matter, the Respondent referred to Sections 2 and 4(1) of the PDPA, and took the view that he was acting in a “personal or domestic capacity” in the matter, since his actions were unrelated to real estate matters. He also took the view that his “intervention” in the matter was justified in the circumstances. C. 
COMMISSION FINDINGS AND BASIS FOR DETERMINATION 7. The main issues that have arisen in this case are as follows: (a) Was the Respondent acting in a personal or domestic capacity under Section 2 of the PDPA? (b) Did the Respondent comply with his obligations under the PDPA in respect of the disclosure that was made by obtaining consent from the Complainant and his wife for the disclosure? (c) If not, are any of the exceptions to the PDPA applicable in respect of the disclosure made by the Respondent? Issue (a): Was the Respondent acting in a personal or domestic capacity under Section 2 of the PDPA? 8. Section 4(1)(a) of the PDPA carves out an exception in the PDPA for Parts III to VI of the PDPA (i.e. an exception to the consent obligation or the notification obligation or the purpose limitation obligation). Section 4(1)(a) provides that Parts III to VI of the PDPA shall not impose any obligation on an individual acting in a personal or domestic capacity. The word “domestic” is defined in the PDPA to mean “related to home or family”. 9. As mentioned above, the Respondent claimed that he was acting in a personal or domestic capacity when he disclosed the personal data of the Complainant and his wife. If that were the case, he would not need to comply with the relevant provisions of the PDPA (especially the consent and notification provisions 2) in making the disclosure. It follows that he would not be liable under the PDPA for any omission to carry out any steps or take any action as provided for under Parts III to VI of the PDPA, including, obtaining consent from the individual for the disclosure. However, the Commission is of the position that the Respondent cannot rely on Section 4(1)(a) of the PDPA in this case. 10. 
In considering the capacity of the Respondent when he disclosed the personal data of the Complainant and his wife, it would be relevant to look at the nature of the relationship between the Respondent, GPS and the landlord, and the context in which the Respondent had dealt with the personal data in question. 11. Under the Salesperson Agreement, it was expressly provided that the Respondent was not a “servant, agent or employee” of GPS. As stated by GPS to the Commission, the Respondent was the one who “represented” the landlord in this case in respect of the transaction for the tenancy. In the Commission’s view, the Respondent was carrying out his real estate agency work as a business of his own. Therefore, in dealing with the personal data that the Respondent had collected in the course of his real estate agency work, the Respondent was an “organisation” under the PDPA, separate from the company which had engaged him (ie GPS). 12. Since the personal data of the Complainant and his wife were collected by the Respondent in the course of his real estate agency work, it was for the Respondent’s “business”3 purposes, and not for his personal or domestic purposes. The Respondent therefore was obliged to comply with the provisions in the PDPA in respect of such personal data that was collected in the course of his work. 13. Accordingly, even if the Respondent had intended to act in a personal or domestic capacity in relation to the dispute that took place between Ms C and the Complainant and his wife, he remains obliged to comply with his obligations under the PDPA. The Respondent cannot take personal data that he had been provided with in his commercial capacity as a registered salesperson and disclose it in a personal or domestic capacity. In other words, the Respondent was not permitted to disclose the personal data as and when he chooses for the reason that he was doing it for “personal or domestic purposes”. 
He was, and remains, obliged to keep that personal data protected pursuant to the provisions of the PDPA. [2] Under Sections 13, 14, 15 and 20 of the PDPA. [3] As defined in the PDPA. Issues (b) and (c): Has the Respondent complied with the consent obligation under the PDPA or does the disclosure fall under any exceptions under the PDPA? 14. Given, as explained above, that the PDPA continues to apply to the personal data of the Complainant and his wife which was collected by the Respondent, the Respondent is obliged to obtain their consent in order to disclose the personal data to a third party, under Section 13 of the PDPA, unless an exception applies under the PDPA. 15. Section 13 of the PDPA provides that an organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless (a) the individual gives, or is deemed to have given, his consent under the PDPA to the collection, use or disclosure, as the case may be; or (b) the collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under the PDPA or any other written law. Relatedly, Section 14 provides that an individual has not given consent under the PDPA for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless (a) the individual has been provided with the information required under Section 20 of the PDPA; and (b) the individual provided his consent for that purpose in accordance with the PDPA. 16. Based on the facts of this case, the Commission notes that the Respondent had not obtained the consent of the Complainant and his wife for the disclosure of their personal data to Ms C. Accordingly, the Respondent is in breach of Section 13 of the PDPA. 17.
Additionally, in the Commission’s assessment, none of the exceptions under the PDPA would apply to allow the Respondent to disclose the personal data of the Complainant and his wife without consent. D. ACTIONS TAKEN BY THE COMMISSION 18. Given the Commission’s findings that the Respondent is in breach of its obligations under Section 13 of the PDPA, the Commission is empowered under Section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 19. In this case, the Commission has considered the following pertinent factors: (a) Registered salespersons (as defined under the EAA) are likely to collect, receive, or obtain a considerable amount of personal data of various individuals (including the personal data of the landlord and the tenants) in the course of their work. It is imperative that these salespersons ensure that the personal data in their possession or control are sufficiently protected, and that they keenly observe the provisions under the PDPA in dealing with the personal data; (b) In this case, the personal data of two persons were disclosed to a third party without consent or authority; and (c) It would appear, in this case, that just by the Respondent hearing Ms C’s version of events and the accusations made against the Complainant and his wife, the Respondent had, without proper consideration for the personal data which the Respondent was obliged to protect, released the personal data to Ms C without consent. Given the circumstances in which the personal data was disclosed, the Respondent must have known or would have been aware that there would be repercussions that follow from the disclosure, and that the Complainant and his wife would be affected from the disclosure, now that they can be specifically identified from the information provided.
However, the Respondent still proceeded to disclose the personal data of the Complainant and his wife without obtaining consent. 20. Given the considerations set out above, the Commission has decided to impose a financial penalty against the Respondent. 21. On the quantum of the financial penalty, the Commission notes that the Respondent was carrying on his trade independently and, based on what was found above, had failed to fulfil his responsibility of ensuring compliance with the PDPA. However, the Commission also considered that the amount should be set at the lower end of the spectrum given that: (a) The disclosure had been made to a single individual and it appears to be done on a one-off instance; and (b) There was no proof of the impact on the Complainant’s employment or the risk of damage or loss in relation to the personal data that was disclosed. 22. In view of the above, a financial penalty of $500 is imposed on the Respondent. 23. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly.
LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION",Financial Penalty,028172bef7256a4b868d532ab6c60d23871e1eff,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,233,233,1,952,A warning was issued to YesTuition Agency for disclosing tutors’ personal data on its website without consent.,"[""Consent"", ""Warning"", ""Education"", ""YESTUITION"", ""Tuition""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---yestuition-agency-(210416).pdf,Consent,Breach of Consent Obligation by YesTuition Agency,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-obligation-by-yestuition-agency,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1407-A028 YESTUITION AGENCY (UEN No. 53084839B) …Respondent Decision Citation: [2016] SGPDPC 5 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 16 July 2014, the Personal Data Protection Commission (“Commission”) received information that YESTUITION AGENCY (UEN 53084839B) (the “Respondent”) had disclosed on its website the NRIC numbers and images of certain individuals who had registered to be tutors with the Respondent and it was alleged that they had done so without the consent of the individuals concerned. 2. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is a locally registered business providing home tuition matching services to individuals seeking tutors for primary to A-levels education.
The Respondent renders its matching services via a website, which it operates at www.yestuition.sg (the “Site”). 4. The Site consists of various webpages that are accessible to the public and a tutors’ log-in portal which is accessible only by individuals who had registered with the Respondent to be a tutor. Disclosure of NRIC numbers and images by the Respondent 5. From the Commission’s examination of the Site, it was found that the Respondent had published images of its tutors on its Site. The tutors’ images were stored in a JPEG file format and named using the tutors’ respective NRIC particulars, for example, as 1234567A.jpg. As such, the Respondent had also disclosed the tutors’ respective NRIC numbers with the images. 6. The NRIC numbers and images were at the material time made publicly discoverable and accessible via a directory listing on one of the Site’s pages. Investigations by the Commission indicate that there were approximately thirty (30) individuals whose images and NRIC numbers were listed by the Respondent in the directory listing. The Respondent’s responses to the Commission 7. In its responses to the Commission during the investigation, the Respondent represented that it had more than 10,000 tutors’ profiles on its Site. It asserted that these profiles were not disclosed to members of the public. 8. The Respondent explained that individuals who wished to register with the Respondent as tutors were required to provide the following set of information to it by filling out a form made available on the Site (the “Form”): (a) Full names; (b) NRIC numbers; (c) Residential addresses; (d) Mobile numbers; (e) Email addresses; (f) Education backgrounds; and (g) Relevant tutoring experiences. 9. Using the above information, the Respondent would then match the tutors to the appropriate students, and in return, collect a fee for the matching service. 10.
The Respondent also represented to the Commission that tutors who submitted their personal data via the Site would have provided either their express or deemed consent to the collection, use, and disclosure of their personal data by the Respondent for the purposes of providing the tutors with tuition matching services. In this regard, the Commission notes that the Form expressly notified tutors that: “By submitting this form, you hereby accept all terms & conditions as well as consent to be included in the mailing list of Yes Tuition to receive all information from us (Yes Tuition) electronically. Please be assured that we do not sell your personal information to third parties, and we will abide by our Privacy Policy”. 11. The Commission also sets out below the more pertinent terms of the Respondent’s Privacy Policy, which was referred to in the Form and available on the Respondent’s Site at the material time, as follows: “Tutor A tutor is a person who registers and maintains an account with Yes Tuition. When you register as a tutor we ask for information such as your name, identification number, email address, passwords, telephone number, gender, occupation, qualification, and subjects you are interested to teach. Once you register with Yes Tuition and sign in to our services, you are not anonymous to us. Tutors can go on-line to access their personal profile, and make changes to the subjects they are interested to teach and their personal information. … Tutor Yes Tuition will not share personal information with any other third parties without your permission, unless required by, or in connection with, law enforcement action, subpoena or other litigation, or applicable law. Yes Tuition will not sell, trade or lease your personal information to others. Choice and Consent Yes Tuition does not require that you provide Yes Tuition with personal information. The decision to provide personal information is voluntary.
If you do not wish to provide the personal information requested, however, you may not be able to proceed with the activity or receive the benefit for which the personal information is being requested. Except as expressly stated otherwise in this Privacy Statement, you may opt out of having Yes Tuition share personal information with third parties as described in this Privacy Statement by notifying Yes Tuition in writing of your desire to do so. … (Emphasis underlined)” COMMISSION’S FINDINGS AND ASSESSMENT Relevant issue 12. Under section 13 of the PDPA, organisations are prohibited from collecting, using or disclosing personal data about an individual unless: (a) the individual gives, or is deemed to have given, consent under the PDPA to such collection, use or disclosure; or (b) collection, use or disclosure of the personal data (as the case may be) is authorised or required under any written law. 13. In this case, the primary issue is whether the Respondent had the tutors’ consent for their disclosure of their NRIC numbers and images to members of the public. Commission’s Findings 14. As noted above, the Respondent collected several categories of personal data from its tutors. With the exception of the tutors’ NRIC numbers and images, it generally did not disclose these data to members of the public. The Commission notes that this is in line with the terms of the Respondent’s own Privacy Policy. 15. However, the Commission is of the view that the Respondent had not obtained its tutors’ consent for disclosure of their images and NRIC numbers, which had been published on one of the pages of the Site. In this regard, the Commission further notes that such disclosure ran counter to the terms of the Respondent’s own Privacy Policy. 16. In light of the foregoing, the Commission is of the view that the Respondent had disclosed the personal data of some of its tutors without their consent, and it is therefore in breach of section 13 of the PDPA.
ENFORCEMENT ACTION BY THE COMMISSION 17. Given the Commission’s findings that the Respondent is in breach of its obligations under section 13 of the PDPA, the Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 18. In considering whether a direction should be given to the Respondent in this case, the Commission notes the following: (a) The Respondent took proactive steps to restrict access to the relevant page containing personal data on the Site once it was made aware of the issue, and changed its practice of using its tutors’ NRIC numbers as the file names of their images; and (b) The Respondent had been cooperative with the Commission and forthcoming in its responses to the Commission during the Commission’s investigation. 19. In view of the factors noted above, the Commission has decided not to issue any direction to the Respondent to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning against the Respondent for the breach of its obligations under section 13 of the PDPA. 20. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION",Warning,20a97b6ebe97b71c317c4befaebf71b555f828dd,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"