_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,29,29,1,952,"Ngian Wen Hao Dennis, Chua Puay Hwa Melissa and Winarto were found in breach of the PDPA and issued warnings in relation to two incidents involving the unauthorised collection and disclosure of individuals’ personal data in 2019 and 2020.","[""Consent"", ""Notification"", ""Warning"", ""Finance and Insurance""]",2022-06-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Dennis-Ngian--Others---08032022.pdf,"Consent, Notification",Breach of the Consent and Notification Obligations by three insurance financial advisers,https://www.pdpc.gov.sg/all-commissions-decisions/2022/06/breach-of-the-consent-and-notification-obligations-by-three-insurance-financial-advisers,2022-06-16,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2109-B8857 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Ngian Wen Hao Dennis (2) Chua Puay Hwa Melissa (3) Winarto (4) Aviva Financial Advisers Pte Ltd SUMMARY OF THE DECISION 1. On 7 September 2021, the Personal Data Protection Commission (the “Commission”) was notified of two incidents involving unauthorised disclosure and collection of personal data by three individuals. 2. Ngian Wen Hao Dennis (“Dennis”) was an Aviva Financial Advisers Pte Ltd (“AFA”) representative between December 2017 and February 2019. In March 2019 and August 2020, Dennis approached two insurance financial advisers, Chua Puay Hwa Melissa (“Melissa”) and Winarto, to offer them a list of client leads, stating that he was leaving the insurance industry and looking for a reliable agent to take over his clientele. Melissa and Winarto each said they paid $1,000 to Dennis for the list (the “Incidents”). 3. 
The list contained approximately 1,000 clients’ names, mailing addresses, contact numbers and the names of organisations underwriting the hospitalisation plans bought by the clients (“Personal Data Sets”). 4. The PDPA defines “organisations” to include individuals. As held in Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1, individuals who collect, use or disclose personal data otherwise than in a personal or domestic capacity will be treated as organisations within the meaning of the Act, and are obliged to comply with the Data Protection Provisions. In this case, we are of the view that it is clear that Dennis, Melissa and Winarto can be regarded as an “organisation” as defined under the PDPA for a number of reasons. First, the trio had bought and sold the client leads for work and business purposes, with the aim of generating an income or profit, and cannot be said to have been acting in a personal or domestic capacity. 5. Second, Dennis, Melissa and Winarto were not employees. In Re Ang Rui Song [2017] SGPDPC 13, the Commission found that the respondent, a financial consultant with Prudential Assurance Company (Pte) Ltd, had been engaged on such terms that he was in effect an independent contractor rather than an employee of Prudential. The same applies to the trio. The Representative Agreement between AFA and Dennis expressly provides that “nothing in [the] Agreement shall constitute, or be construed, or deemed to constitute, any employment…between [Dennis] and [AFA]”. Dennis 6. Having found that the PDPA applies, we now turn to consider the data protection obligations applicable to the different parties concerned. Dennis conceded that he approached Melissa and Winarto to transfer his list of client leads to them. 
Our investigations revealed that Dennis’ claim that he had obtained the necessary consent and duly notified the clients on the list regarding the disclosure of their personal data to other insurance financial advisers could not be corroborated. None of the clients verified Dennis’ claim that he had contacted them to seek their consent or notified them of the disclosure of their personal data to other insurance financial advisers. We are therefore of the view that Dennis has breached the Consent and Notification Obligation under the PDPA in that he did not obtain his clients’ consent before disclosure of their personal data. Melissa and Winarto 7. Both Melissa and Winarto admitted to the collection (purchase) of the client list from Dennis. They claimed to have relied on the verbal assurances provided by Dennis that he had informed the clients about the change in their insurance financial adviser. In Re Amicus Solutions Pte Ltd and Ivan Chua Lye Kiat [2019] SGPDPC 33 (at [49]), we stated that a reasonable person should undertake proper due diligence, such as obtaining from the seller a sample of the written notifications and consent. In our view, Melissa and Winarto have failed to take reasonable steps to verify from Dennis that there had been proper notification to and consent obtained from the clients for the disclosure of their personal data. In collecting (i.e. buying) the client list, we find that Melissa and Winarto are in breach of the Notification and Consent Obligations under the PDPA. AFA 8. The Commission found no evidence of breach of the PDPA by AFA in the Incidents. As stated in [5], Dennis was not an employee of AFA for whose acts AFA may be liable through section 53(1) of the PDPA. Dennis claimed that the Personal Data Sets were not retrieved from AFA’s systems and that he had compiled the list on his own accord to keep track of his clientele during his time as an independent financial adviser with AFA. 
This was consistent with AFA’s own investigations. Our investigations also revealed that AFA had reasonable policies and security measures in place for personal data protection. These included data leak prevention controls and monitoring of AFA corporate network to prevent representatives from exporting clients’ data from its systems. Contractual terms were also in place to require representatives to comply with the PDPA. AFA issued a letter to Dennis, upon the termination of the relationship between them, referring to the need to return “all policies, rate books, receipts, manuals, literature, lists and personal information of Customers”. The Commission’s Decision 9. The sale of personal data by organisations without obtaining the consent of the individuals involved is a serious breach of the PDPA. In Re Sharon Assya Qadriyah Tang at [30], we had stated as follows: There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data. Amongst these policy reasons are the need to protect the interests of the individual and safeguard against any harm to the individual, such as identity theft or nuisance calls. Additionally, there is a need to prevent abuse by organisations in profiting from the sale of the individual’s personal data at the individual’s expense. It is indeed such cases of potential misuse or abuse by organisations of the individual’s personal data which the PDPA seeks to safeguard against. In this regard, the Commissioner is prepared to take such stern action against organisations for the unauthorised sale of personal data. [Emphasis added.] 10. To curb this form of abuse of personal data, the amount of profit made by the organisation from the sale may be factored in determining the financial penalty that the organisation may be required to pay. 
Indeed, had the sale taken place after the 2020 amendments to the PDPA, this would have been a specific consideration under section 48J(6)(c): “whether the organisation or person (as the case may be), as a result of the non‑compliance, gained any financial benefit”. 11. In determining the enforcement action in response to the breach by Dennis, the Commission took into account the cooperation extended to the investigation, and the full refund made by Dennis of the proceeds he made from the sale. The Commission also considered that Dennis is in poor health, has been unemployed since 2018, has little savings in his bank account, and is dependent on his aged father for financial support. Having considered the state of Dennis’ health and financial status, the Commission is of the view that a financial penalty would impose a crushing burden on him and his family, resulting in undue hardship. Accordingly, taking into account all relevant factors, the Commission has decided to administer a warning in respect of the breach by Dennis of the Consent and Notification Obligations. The Commission wishes to emphasize that this assessment that undue hardship may occur following the imposition of a financial penalty is not a finding that the Commission will make easily and will be reserved only for the most deserving and exceptional cases. Individuals who seek to misuse personal data for profit and are found to be in breach of the PDPA must expect to pay a heavy financial penalty. 12. Turning to Melissa and Winarto, the Commission has decided to administer warnings to Melissa and Winarto in respect of their breaches of the Consent and Notification Obligations. In so deciding, the Commission considered that both of them did not sell the personal data for profit and had been cooperative throughout the investigations. More importantly, neither of them used the personal data they obtained without consent from the individuals involved. 
The following provisions of the Personal Data Protection Act 2012 (pre-amendment in 2020) had been cited in the above summary: Consent and Notification Obligations (Section 13 read with 20 of the PDPA) Pursuant to section 13 of the PDPA, unless an exception to consent is applicable, organisations are generally required to obtain the consent of an individual before collecting, using and/or disclosing the individual’s personal data (“Consent Obligation”). Consent must be obtained from the individual with reference to the intended purpose of the collection, use or disclosure of the personal data. The organisation’s collection, use and disclosure of personal data are limited to the purposes for which notification has been made to the individuals concerned. In this regard, organisations have an obligation under section 20 of the PDPA to inform individuals of the purposes for which their personal data will be collected, used and/or disclosed, on or before collecting the personal data in order to obtain consent (“Notification Obligation”). Protection Obligation (Section 24 of the PDPA) An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.",Warning,11afc51e552a655c8c243aa724648b2011a2eb25,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,139,139,1,952,"Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. 
Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes.","[""Consent"", ""Notification"", ""Financial Penalty"", ""Admin and Support Services"", ""Finance and Insurance""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Amicus-Solutions-Pte-Ltd---Another.pdf,"Consent, Notification",Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-consent-and-notification-obligations-by-amicus-solutions-and-a-financial-consultant,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC [33] Case No DP-1610-B0290 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Amicus Solutions Pte. Ltd. (UEN No. 201534661R) (2) Ivan Chua Lye Kiat … Organisations DECISION Amicus Solutions Pte. Ltd. & Anor. [2019] SGPDPC 33 Tan Kiat How, Commissioner — Case No DP-1610-B0290 30 August 2019 1 The Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised collection and use of personal data to market financial products. Investigations were commenced into the alleged unauthorised sale and disclosure of personal data by a data broker and the unauthorised collection and use of the personal data for telemarketing purposes. Upon conclusion of investigations and consideration of the totality of evidence, the Commissioner found Amicus Solutions Pte. Ltd. (“Amicus”) and Mr Ivan Chua Lye Kiat (“Mr Chua”) to be in breach of the Personal Data Protection Act 2012 (“PDPA”) for the reasons set out in these grounds. 
Material Facts 2 An independent life insurance brokerage company (the “Insurance Brokerage”) appointed Mr Chua as a financial adviser director to provide financial advisory services and to market financial products distributed by the Insurance Brokerage to prospective clients in accordance with the terms set out in a Financial Adviser Representative Agreement. He oversees a team of financial adviser representatives. Their main products are Eldershield related insurance policies targeted at individuals over 40 years old. 3 It is undisputed that Mr Chua and the financial adviser representatives in his team are not employees of the Insurance Brokerage but independent agents. As independent agents, they receive a commission for each sale but are not in an employer-employee relationship with the Insurance Brokerage nor are they entitled to any employee benefits such as employer Central Provident Fund contributions and/or medical benefits. 4 One of Mr Chua’s primary roles as a financial adviser director is to seek out new customers. Mr Chua mainly relied on referrals from existing customers but he also engaged telemarketers to make cold calls to potential customers. These telemarketers are independently sourced with no assistance of or referrals from the Insurance Brokerage; telemarketers are directly engaged by Mr Chua or the financial adviser representatives in his team. 5 Amicus is an organisation that provides business and consultancy management services and claims to be able to provide business opportunities and marketing plans with its database. It claims to have 1.8 million contacts which it markets as being in compliance with the PDPA and the Personal Data Protection (Do Not Call Registry) Regulations 2013. 
Aside from the sale of data, Amicus also offers a range of services such as purchasing property ownership information (including caveats) on behalf of property agents, data mining and Do Not Call (“DNC”) Registry scrubbing services. 6 During investigations, Mr Chua was upfront in admitting that he had purchased telemarketing leads from Amicus both before and after 2 July 2014, the date when Parts III to VI of the PDPA (“Data Protection Provisions”) came into effect (the “Appointed Day”). Mr Chua represented that before the Appointed Day, Amicus sold personal data (including the individual’s name, mobile number, gender and birthday) at S$0.50 to S$1.00 per record. After the Appointed Day, the products that were offered by Amicus changed. The previous product was no longer offered but it now offered different products. For Mr Chua’s commercial purposes, the product that he was interested in was the sale of telephone numbers of individuals above 40 years old (which was his team’s target demographic), each of which was sold for between S$0.01 to S$0.02. 7 Mr Chua provided two datasets that he claimed to have purchased from Amicus after the Appointed Day. The information disclosed in these datasets are set out in the table below: List 1. Information Disclosed: partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth (for those that did not include a partial NRIC number); [1] gender; and mobile phone number. Number of records in the List: 11,384. List 2. Information Disclosed: partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth; gender; and mobile phone number. Number of records in the List: 10,074. [1] Amicus admitted that the information it sold to Mr Chua included partial NRIC numbers (i.e. the first 4 digits) but denied that the information contained the individuals’ date of birth. 
8 Telemarketers engaged by Mr Chua and his team relied on the information in these datasets to help generate leads and sales for the team by making cold calls to the individuals in the datasets. Mr Chua informed the Commission that Amicus had sold both Lists 1 and 2 to him and confirmed that he did not purchase such lists from any other source at the time. While Amicus admitted that it sold Mr Chua two datasets, it disputed Mr Chua’s account that both Lists 1 and 2 were sold to him after the Appointed Day. By Amicus’ account, it only sold Mr Chua one dataset after the Appointed Day though it was unable to identify which of the two lists (i.e. Lists 1 and 2) it had sold to Mr Chua. 9 Amicus also admitted to selling the following dataset to another individual on another occasion after the Appointed Day at S$0.10 per record in the course of the investigations: List 3. Information Disclosed: age; gender; and mobile phone number. Number of records in the List: 1,200. 10 However, Amicus denied any wrongdoing in selling the datasets with the type of personal data found in Lists 1, 2 and 3 (the “datasets”) as it contended that the information in the datasets was not personal data to begin with. It also argued that the information in the datasets was publicly available data that it collected from public sources such as Government Gazettes and records of the Singapore Land Authority (“SLA”) and the Accounting and Corporate Regulatory Authority (“ACRA”), and the information in the datasets was collected before the Data Protection Provisions came into effect on the Appointed Day. 11 During investigations, Amicus was unable to give a satisfactory explanation regarding the source of the information in the datasets. 
Investigations were not able to establish with any degree of certainty when the lists were compiled or obtained, nor where the lists were sourced from. [Redacted] (Replaced with Mr L), who is in charge of the day-to-day operations of Amicus, gave evidence on behalf of Amicus and initially claimed that the personal data was obtained from publicly available sources. However, he subsequently claimed that the personal data was obtained from organisers of surveys, meetings and seminars as well as call centres but was unable to name any of the seminars or meetings from which Amicus had purportedly collected the information or the organisations that conducted the surveys or operated the call centres when queried. Thereafter, he claimed that the personal data was obtained from telemarketing and Multi-Level Marketing (“MLM”) companies, though he was again unable to name any of these companies, nor provide any proof of purchase. Finally, upon further questioning, Amicus represented that the information in the datasets was actually collected before the Appointed Day. He confirmed that he did not collect personal data found in the datasets from publicly available sources. Number of datasets sold 12 As a preliminary issue, while Amicus and Mr Chua disagreed over the number of datasets that Amicus sold Mr Chua after the Appointed Day (see paragraph 8 above), an evaluation of the evidence in its entirety shows Mr Chua’s evidence to be more credible for the following reasons: (a) Mr Chua offered the two lists that he claimed to have purchased from Amicus after the Appointed Day even though it was to his detriment. The Commission had commenced investigations on the basis of information provided by a complainant who had requested for anonymity. At the time Mr Chua volunteered the two lists, he was only aware that a complaint had been made against him but was not aware of the information which was provided to the Commission. 
Hence, the fact that he volunteered information that he knew could be detrimental to himself spoke to his openness and willingness to cooperate with investigations; (b) although both lists were not dated and he was unable to produce any receipts, Mr Chua was able to produce a screenshot of an email dated 22 March 2016 containing List 1 from one [Redacted] (Replaced with Mr N) from Amicus; (c) both Lists 1 and 2 only contain partial NRIC numbers, partial date of births, gender and mobile phone numbers. They did not contain names of the individuals. The evidence is that Amicus only started selling lists without names after the PDPA came into effect. Before the PDPA came into effect they sold lists with full names and these lists were more valuable than those sold after the PDPA came into effect. Given that Lists 1 and 2 do not contain full names, it is more likely than not that both these lists were sold after the PDPA came into effect; and (d) Mr Chua was very cooperative throughout the investigation and there was no evidence to suggest that he had been anything less than forthcoming. 13 In contrast, as described in paragraph 11 above, Amicus had prevaricated during investigations and was unable to give a satisfactory explanation regarding the source of the information in the datasets and was unable to provide any documentary evidence on the dates Lists 1 and 2 were sold. Further, Amicus appeared to have intentionally limited the documentary trail in respect of the sale of Lists 1 and 2. According to Mr Chua, despite allowing its clients, including Mr Chua, to pay for its DNC scrubbing services by cheque, Amicus required cash payment for the lists. Amicus confirmed that it required Mr Chua to pay cash. It is suspicious that a company that has two commercial transactions with the same customer will allow payment for one by cheque but require payment by cash for the other. This conduct is less than straightforward. 
The reason provided by Amicus for requiring cash payment was that Amicus needed Mr Chua to verify the data in person. The reason provided does not in any way explain why Amicus could not accept cheque payments from Mr Chua when he collected the lists in person. 14 For the foregoing reasons, the following assessment is based on Mr Chua’s evidence that Amicus had sold him two datasets (i.e. Lists 1 and 2) after the Appointed Day. Findings and Basis for Determination 15 The issues for determination are: (a) whether the information disclosed in the Lists constituted personal data; (b) whether Amicus had collected, used and/or disclosed personal data without consent and/or notification; and (c) whether Mr Chua used and/or disclosed the personal data without consent and/or notification. Whether the information disclosed constituted personal data 16 Section 2(1) of the PDPA defines “personal data” to be data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. 17 The information disclosed in all three datasets are as follows: List 1. Information Disclosed: partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth (for those that did not include a partial NRIC number); [3] gender; and mobile phone number. Number of entries in the List: 11,384. List 2. Information Disclosed: partial NRIC number, i.e. the first 4 digits (for some entries); partial date of birth; gender; and mobile phone number. Number of entries in the List: 10,074. List 3. Information Disclosed: age; gender; and mobile phone number. Number of entries in the List: 1,200. [3] Amicus admitted that the information it sold to Mr Chua included partial NRIC numbers (i.e. the first 4 digits) but denied that the information contained the individuals’ date of birth. 
18 As mentioned at paragraphs 11 and 12 above, although Amicus admitted that it sold datasets containing individuals’ mobile phone numbers, age range and gender, it contended that no personal data was disclosed in the datasets because it was “sufficiently anonymised”. The datasets did not disclose the individual’s name, NRIC number, address or any unique personal information but only included truncated NRIC numbers (i.e. only the first 4 digits) and dates of birth (i.e. only the month and year of birth). 19 There are certain types of information that are unique identifiers, which are capable of identifying an individual in and of themselves. The Advisory Guidelines on Key Concepts in the PDPA sets out a non-exhaustive list of information that the Commission generally considers to be unique identifiers (at [5.10]): (a) Full name; (b) NRIC number or FIN (foreign identification number); (c) Passport number; (d) Personal mobile telephone number; (e) Facial image of an individual (e.g. in a photograph or video recording); (f) Voice of an individual (e.g. in a voice recording); (g) Fingerprint; (h) Iris image; and (i) DNA profile. 20 In Re My Digital Lock Pte Ltd [2018] SGPDPC 3 (at [11]), the Commission observed that information will generally only be considered to be a unique identifier if there is a one-to-one relationship between the information and the individual, i.e. the information is not typically associated with more than one individual: There are certain types of information that in and of themselves are capable of identifying an individual. The Advisory Guidelines on Key Concepts in the PDPA (revised on 27 July 2017) (“Key Concepts Guidelines”) at [5.10] provides a list of information that is considered to be capable of doing so. 
While such information is capable of identifying an individual, it does not necessarily mean that anyone in possession of the information will be able to do so. The touchstone used to compile the list is the one-to-one relationship of the information and the individual. Information on the list is not typically associated with more than one individual, either scientifically (eg biometric signature and DNA profile), by convention (eg NRIC number) or as a matter of social norms (eg personal mobile phone number). [Emphasis added.] 21 The lists were sold for the purpose of generating leads for the sale of Eldershield and other personal insurance policies. A natural inference is that the mobile numbers in the lists were personal mobile numbers. As a personal mobile phone number is generally tied to an individual subscriber who uses it as his/her individual contact number to the exclusion of others, it is prima facie personal data given its one-to-one relationship. 22 The “redacted” or truncated NRIC numbers in the datasets do not conform to the Commission’s published advisory guidelines on redaction of NRIC numbers which are designed to minimise the risk of re-identification. On the contrary, the key piece of information that the “redacted” NRIC number was intended to convey was the age of the person that it is associated with given that it is well known that the first 4 digits of the NRIC discloses the year of registration (and accordingly, the age) of the individual. It is trite that NRIC numbers are the same as Birth Certificate numbers that are assigned upon registration of birth, which has to take place within x days/weeks of birth. Hence, there was every intention to convey information about the year of birth of the individual associated with the personal mobile phone number. 
23 Accordingly, although the information disclosed in the datasets did not include the names of the individuals, the information is still personal data as defined in section 2(1) of the PDPA because the individuals in List 1 and 2 were identifiable directly or indirectly through their year of birth and personal mobile numbers. 24 Likewise, the individuals in List 3 were directly identifiable through their personal mobile phone numbers. Whether the Organisations breached section 13 and/or section 20 of the PDPA 25 As the PDPA defines “organisation” to include “any individual, company, association or body of persons, corporate or unincorporated”, each of Mr Chua and Amicus is an organisation under the PDPA. As mentioned in Re Spring College International [2018] SGPDPC 15 (at [10]), the PDPA adopts a consent-first regime and the concepts of notification of purpose and consent are closely intertwined. Pursuant to section 13 of the PDPA, unless an exception to consent is applicable, organisations are generally required to obtain the consent of an individual before collecting, using and/or disclosing the individual’s personal data (“Consent Obligation”). Consent must be obtained from the individual with reference to the intended purpose of the collection, use or disclosure of the personal data. The organisation’s collection, use and disclosure of personal data are limited to the purposes for which notification has been made to the individuals concerned. In this regard, organisations have an obligation under section 20 of the PDPA to inform individuals of the purposes for which their personal data will be collected, used and/or disclosed, on or before collecting the personal data in order to obtain consent (“Notification Obligation”). 
26 As observed in Re Sharon Assya Qadriyah Tang [2018] SGPDPC 1 (at [13]), the buying and selling of leads that comprise personal data of individuals are activities that fall under the scope of the PDPA: The PDPA governs the collection, use and disclosure of personal data by organisations. Given that the leads which the Respondent had purchased or sold comprised of personal data of individuals, these were activities that fell under the scope of the PDPA. In respect of the purchase of leads by the Respondent, in which the Respondent acquired personal data from the seller of the transaction, this amounted to a “collection” of personal data under the PDPA by the Respondent. In respect of the sale of leads by the Respondent, in which the Respondent provided personal data to the buyer of the transaction, this amounted to a “disclosure” of personal data under the PDPA by the Respondent. [Emphasis added.] Amicus 27 As the organisation with possession and control in respect of the personal data in the datasets that it compiled and sold, Amicus has a duty to comply with the data protection obligations under the PDPA, specifically the Consent and Notification Obligations. However, Amicus contended that it was not necessary for it to obtain consent or to notify individuals before selling the datasets because, among other things [4]: (a) the information was collected before the Consent and Notification Obligations came into force; or (b) the information was publicly available. 28 As stated above, Amicus had been prevaricating during investigations without providing a clear and consistent explanation as to when and how the personal data in the Lists were obtained, nor their source. Taking its case at the highest, the following analysis takes each of these possible defences separately as each, if successful, can stand independently. 
Personal data collected before the Appointed Day 29 One of Amicus’ main defences was that the information in the datasets was collected before the Data Protection Provisions came into force and Amicus was therefore not subject to the Consent and Notification Obligations in relation to the personal data that it collected, used and/or disclosed. Section 19 of the PDPA allows organisations to continue to use personal data collected before the Appointed Day for the same purposes for which the personal data was collected without obtaining fresh consent, unless consent for such use is withdrawn. As such, it may be possible for an organisation to continue using personal data that was purchased or obtained before the Appointed Day without consent or notification if such use falls within the purposes of collection, provided that there was no indication that the individual did not consent to the continued use [5]. [4] Amicus also argued that it was not required to obtain consent and notify the individuals before selling the datasets because the information contained in the datasets are not personal data. We refer to our findings on this issue at paragraphs [18] to [24] above. 30 However, section 19 of the PDPA only covers the use of personal data collected before the Appointed Day and not the disclosure of personal data. As was held in Re Sharon Assya Qadriyah Tang (at [22] and [23]), the grandfathering provision in section 19 of the PDPA would not apply to instances where the organisation had been selling personal data before the Appointed Day, and continued to sell personal data after the Appointed Day: However, in this case, the Respondent went beyond using the personal data for her own telemarketing purposes, and proceeded to sell personal data to third parties. The “grandfathering” provision only permits the continued “use” of personal data for the purposes for which the personal data was collected. 
Such “use” does not extend to “disclosure” of personal data unless, as set out at paragraph 23.1 of the Advisory Guidelines, the disclosure “is necessarily part of the organisation’s use of such personal data”. In the case of the sale of personal data, the disclosure of personal data is the main activity being carried out, and is not incidental to any of the organisation’s own uses of the personal data. Thus, it is not a disclosure “that is necessarily part of the organisation’s use of such personal data”. The Commission has stated this position in its Advisory Guidelines as an example: Organisation XYZ has been selling databases containing personal data. This would be considered a disclosure of personal data and not a reasonable existing use under section 19. After the appointed day, XYZ needs to ensure that consent has been obtained before selling these databases again. [Emphasis added.] Consequently, the grandfathering provision would not apply to the instances where the Respondent had been selling personal data before the Appointed Day, and continued to sell personal data after the Appointed Day. In respect of personal data that was not sold before the Appointed Day, it is all the more so that the Respondent cannot rely on the grandfathering provision, because there was never an existing practice of selling the personal data in the first place, and hence there is no “use” to be carried on in respect of the personal data. [Emphasis added.] 5 Re Sharon Assya Qadriyah Tang (at [20]). 31 Moreover, even if Amicus had collected the personal data before 2 July 2014, that permitted it to disclose by way of sale, it would have had to obtain fresh consent for such purposes of disclosure after the Appointed Date. Needless to say, Amicus was not able to provide evidence of either during the course of investigations. 
As mentioned at paragraph 11 above, Amicus was unable to satisfactorily explain the source of the personal data in the datasets. During the course of the investigation, Amicus first claimed that the information was collected from surveys, meetings and seminars, but subsequently represented that it was collected from telemarketing and MLM companies. Nevertheless, even if the individuals had provided their personal data during surveys or at meetings and seminars, or even if the personal data was collected from telemarketing or MLM companies, Amicus did not provide any evidence that the individuals concerned had provided fresh consent after the Appointed Date for their personal data to be disclosed by way of sale to telemarketers. In this regard, Amicus acknowledged that it could have sought consent given that it possessed the individuals’ full NRIC numbers and personal mobile phone numbers but conceded that it did not do so. 32 In the circumstances, there was a clear breach of the Consent and Notification Obligations under the PDPA in respect of Amicus’ sale of the datasets containing personal data after the Appointed Day. Publicly available exception 33 The alternate defence that Amicus raised during the investigations, but which it subsequently dropped, was that the information in the datasets was publicly available information obtained from public sources, such as records of registered doctors, lawyers and engineers published on Government Gazettes, and records from SLA and ACRA. The PDPA sets out an exception for the collection, use and disclosure of personal data that is publicly available.6 However, by Amicus’ own admission, the Government Gazettes only contained the names and organisations of certain individuals, which did not form part of the information that was found in the datasets it sold after the Appointed Day. 
Representations by Amicus and an affiliated company 34 Amicus and an affiliated company, Ilied.com Pte. Ltd. (“Ilied”), submitted written representations to the Commission (the “Representations”) after Amicus received a copy of the Preliminary Decision. The Representations were signed off by Mr L. In the Representations, Ilied and Amicus raised the following three points: (a) Ilied was the organisation that sold the datasets, and not Amicus; (b) List 1 was transacted before the Appointed Day; and (c) The datasets did not contain personal data as they had been truncated and anonymised, and further, that personal mobile phone numbers are not personal data per se. 6 Paragraph 1(c) of the Second Schedule to the PDPA; paragraph 1(c) of the Third Schedule to the PDPA; and paragraph 1(d) of the Fourth Schedule to the PDPA. The identity of the organisation which sold the datasets 35 The Representations enclosed two invoices issued by Ilied in support of the assertion that it was Ilied which had sold the data (the “Invoices”). The first Invoice, for the sum of $1,900, was dated 25 June 2014 and was issued for “Leads Born 1973, 1975”. The second Invoice, for the sum of $1,138, was dated 22 March 2016 and was issued for “Data Sales”. 36 Ilied is an affiliate of Amicus and together with Amequity Solutions Pte Ltd (“Amequity”), are part of a group of closely related companies managed by Mr L, with some of the shareholders and directors being common across the said affiliated companies. 37 The Commission has reviewed the Representations and the additional evidence and finds that on a balance of probabilities, Amicus sold the data. 38 Ilied attempted to use the Invoices as incontrovertible proof that it was Ilied, and not Amicus, which had sold the datasets. 
However, Mr L, Mr N and [Redacted] (Replaced with Ms J), the Director and shareholder of Amicus, Ilied and other affiliated companies, stated in their statements to the Commission that Amicus, Ilied and all affiliated companies operated as a single entity, with no clear demarcation between the companies. The entire group of companies was, in effect, headed by Mr L. Ilied individually had no real function but was merely used “for receipt purpose”7 and it did not even have a bank account.8 The facts suggest that Ilied’s issuance of the Invoices was merely an administrative arrangement and that Ilied, in fact, did not engage in data sales. 39 Furthermore, Amicus’ vacillation in its responses to the Commission also suggests that Amicus’ new claim that Ilied was the data seller should be treated with circumspection. As noted at paragraph 52(d) below, Amicus was inconsistent in its responses and kept changing its account of the facts. In particular, Amicus provided inconsistent accounts on the source of the personal data, initially claiming that it was collected from publicly available sources, subsequently claiming that it was collected from surveys, meetings and seminars, and finally claiming that it was collected from telemarketing and MLM companies. Amicus was also inconsistent in its statements concerning Amequity. Amicus stated in the Representations that Amequity “is not into data business, but credit collection by banks”. However, in the same Representations, Amicus also stated that one of the lists of personal data, dated 5 March 2014, had been sold by Amequity. 40 Amicus, through its representatives Mr N and Mr L, admitted initially that it was Amicus that sold the datasets. This was corroborated by Mr Chua. Mr N explained Ilied’s issuance of the receipt by stating that Ilied, like Amequity, had no real function but was used for “receipt purpose”. 
Mr L also admitted in his statement given on 3 February 2017 that “data selling is purely done by Amicus”. There is no reason to distrust the consistent evidence of all three individuals, reflected in separate statements recorded at different times. 7 Mr N’s statement dated 30 April 2019. 8 Mr L’s statement dated 30 April 2019. 41 Amicus subsequently tried to explain this away by saying that Mr L’s statement referred to above at paragraph 40 was made “with reference to the business done by Amicus vis-à-vis Amequity”, and that “the term Amicus was used loosely to refer to company that do data sales [sic]”. Amicus further claimed that it had “confused itself” to be the seller because the Commission’s Notice to Require Production of Documents and Information (“NTP”) was addressed to it. If it was true that both Amicus and Ilied engaged in data selling, this would have been operative on Mr L’s mind when answering the NTP and at the very least raised the possibility that it may have been Ilied which sold the data instead, earlier in the investigations. The fact that all three individuals, Mr N, Mr L and Mr Chua, were consistent in omitting to mention Ilied during the investigations shows that it was only Amicus that was engaged in data sales. The reasonable explanation is that while the invoices may have been issued by other companies affiliated to Amicus, such as Ilied or Amequity, it was Amicus that in fact engaged in data sales and Ilied and Amequity’s part in the arrangement was to merely issue invoices. 42 For the above reasons, it is more likely than not that Amicus sold the data to Mr Chua. Accordingly, the assertion in the Representations that it was Ilied which had sold the data cannot be accepted. Date of transaction for List 1 43 Ilied claimed that the first Invoice was a receipt for List 1, and as the first Invoice was dated 25 June 2014, List 1 was transacted before the Appointed Day. 
However, it is unlikely that the first Invoice was a receipt for List 1. The quantity reflected on the first Invoice is 19,000, whereas the quantity of records in List 1 was 11,384. On the facts, it is more likely that List 1 was transacted on 22 March 2016, i.e. after the Appointed Day, for the following reasons: (a) As noted at paragraph 12(b) above, Mr Chua was able to produce a screenshot of an email from Mr N, containing List 1. The email was dated 22 March 2016, which was the same as the date on the second Invoice; (b) The second Invoice, which was dated 22 March 2016, was more likely to be the receipt for List 1; (c) Mr N corroborated in his statement that List 1 was sold on 22 March 2016; (d) List 1 contained personal data of individuals born in 1976 whereas the first Invoice was issued for “Leads Born 1973, 1975”; (e) The second Invoice reflected a quantity of 11,380, which was closer to the quantity of records in List 1 than the quantity reflected in the first Invoice; and (f) As noted at paragraph 18 above, List 1 contained truncated personal data. As noted in paragraph 45 below, the truncation had apparently been done in an attempt to comply with the requirements of the PDPA and, as such, List 1 was more likely to have been transacted after the Appointed Day. 44 In view of the above factors, the weight of the evidence points to the fact that List 1 was transacted after the Appointed Day. Whether the datasets contained personal data 45 In the Representations, Ilied claimed that it sought to comply with the requirements of the PDPA by truncating and anonymising the personal data. As noted at paragraph 22 above, the “redacted” or truncated NRIC numbers in the datasets do not conform to the Commission’s published advisory guidelines on redaction of NRIC numbers. 
The “redacted” NRIC numbers were intended to, and did in fact, convey information about the year of birth of the individual associated with the personal mobile phone number. 46 Ilied further claimed in the Representations that its research showed that an individual’s mobile phone number is likely to be personal data as it may be uniquely associated with an individual, but stopped short of admitting that all mobile phone numbers were personal data. In this regard, Ilied has not raised any evidence or arguments to suggest that the personal mobile phone numbers disclosed in the datasets were not personal data. As stated at paragraphs 19 to 21 above, personal mobile numbers are prima facie personal data as they are unique identifiers. Mr Ivan Chua 47 As observed in Re Sharon Assya Qadriyah Tang (at [13]), the purchase of leads, in which the buyer acquired personal data from the seller of the transaction amounts to a “collection” of personal data under the PDPA by the buyer. It is not disputed that Mr Chua collected personal data when he bought the Lists from Amicus and used the personal data to market his team’s financial products. By his own admission, the personal data was collected and used in breach of the Consent and Notification Obligations. Mr Chua also admitted that while he received verbal assurance from Amicus that the information in the datasets was obtained from caveats and was “legal”, he did not probe further as to how, where and when Amicus obtained the personal data, or whether Amicus had obtained consent and provided notification to the individuals concerned. 48 In this regard, reference is made to the UK Information Commissioner’s Office’s (“ICO”) decision in The Data Supply Company, where a data broker was found to be in breach of the Data Protection Act 1998 for obtaining customer data from various sources and selling the data to third party organisations for the purposes of direct marketing. 
The individuals were not informed that their personal data would be disclosed to the data broker, or the organisations to which the data broker sold the data on to, for the purpose of sending direct marketing text messages. The ICO issued a monetary penalty of £20,000 and gave the following guidance in the Monetary Penalty Notice (at [22] to [25]): Data controllers buying marketing lists from third parties must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent. Data controllers must take extra care if buying or selling a list that is to be used to send marketing texts, emails or automated calls. The Privacy and Electronic Communications Regulations 2003 specifically require that the recipient of such communications has notified the sender that they consent to receive direct marketing messages from them. Indirect consent (ie consent originally given to another organisation) may be valid if that organisation sending the marketing message was specifically named. But more generic consent (eg marketing ‘from selected third parties’) will not demonstrate valid consent to marketing calls, texts or emails. Data controllers buying in lists must check how and when consent was obtained, by whom, and what the customer was told. It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following: How and when was consent obtained? Who obtained it and in what context? What method was used – eg was it opt-in or opt-out? Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a popup box, in a clear statement next to the opt-in box? 
Did it specifically mention texts, emails or automated calls? Did it list organisations by name, by description, or was the consent for disclosure to any third party? Is the seller a member of a professional body or accredited in some way? Data controllers wanting to sell a marketing list for use in text, email or automated call campaigns must keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told (including copies of privacy notices), so that it can give proper assurances to buyers. Data controllers must not claim to sell a marketing list with consent for texts, emails or automated calls if it does not have clear records of consent. It is unfair and in breach of the first data protection principle to sell a list without keeping clear records of consent, as it is likely to result in individuals receiving noncompliant marketing. [Emphasis added.] 49 While there is no uniform industry standard in relation to how a buyer should verify whether the seller has obtained the consent of the individuals, the positions articulated by the ICO must be right. A reasonable person would likely undertake proper due diligence, such as seeking written confirmation that the personal data sold was actually obtained via legal sources or means, or inquire further as to whether the individuals had provided their consent and were notified of the disclosure, and if so, obtain a sample of such consent and notification. 50 Similarly, organisations that sell datasets should ensure that they obtain and maintain clear records of consent so that proper assurances can be given to buyers. Directions 51 Having found Amicus and Mr Chua to be in breach of sections 13 and 20 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give such directions as he deems fit to ensure compliance with the PDPA. 
52 In assessing the breach and determining the directions to be imposed on Amicus, the following aggravating factors were taken into account: (a) the personal data disclosed included NRIC numbers which constitute personal data of a sensitive nature; (b) Amicus profiteered from the sale of personal data. It admitted that it sold the personal data to others besides Mr Chua; (c) Amicus was unhelpful and was not forthcoming in its responses to the Commission during the investigation; and (d) Amicus was inconsistent in its responses and kept changing its account of the facts. 53 The following aggravating and mitigating factors were taken into account in assessing the breach and determining the directions to be imposed on Mr Chua: Aggravating factors (a) the personal data was purchased with the intention to market goods and services to individuals for financial gain; and Mitigating factors (b) Mr Chua had cooperated fully with the investigation and played an important and integral role in the investigation. He was forthcoming and admitted to his wrongdoing at the first instance. 54 There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data, which were set out in Re Sharon Assya Qadriyah Tang (at [30]): The Commissioner likewise takes a serious view of such breaches under the PDPA. There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data. Amongst these policy reasons are the need to protect the interests of the individual and safeguard against any harm to the individual, such as identity theft or nuisance calls. Additionally, there is a need to prevent abuse by organisations in profiting from the sale of the individual’s personal data at the individual’s expense. It is indeed such cases of potential misuse or abuse by organisations of the individual’s personal data which the PDPA seeks to safeguard against. 
In this regard, the Commissioner is prepared to take such stern action against organisations for the unauthorised sale of personal data. [Emphasis added.] 55 The profiting from sale of personal data by organisations without consent of individuals is the kind of activity which the PDPA seeks to curb and will be dealt with severely. In order to prevent abuse by organisations profiting from the sale of personal data at the individual’s expense, the Commission may take into account any profits from the unauthorised sale of personal data in calculating the appropriate financial penalty to be imposed. 56 Having considered all the relevant factors of this case, the following directions are made: To Amicus: (a) to pay a financial penalty of $48,000 (including $2,900 for the profit made from the sale of Lists 1 and 2) within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; (b) to cease the disclosure (sale) of the personal data of all the individuals immediately; (c) to cease the retention of the said personal data within seven (7) days from the date of the Commissioner’s direction, to the extent that such personal data was collected and/or disclosed in breach of the PDPA; and (d) to submit a written confirmation to the Commission by no later than 1 week after each of the above directions in (b) and (c) have been carried out. To Mr Ivan Chua: 
(e) to pay a financial penalty of $10,000 within 30 days from the date of the Commissioner’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; (f) to cease the use (telemarketing) of the personal data of all the individuals immediately; (g) to cease the retention of the said personal data within seven (7) days from the date of the Commissioner’s direction, to the extent that such personal data was collected in breach of the PDPA; and (h) to submit a written confirmation to the Commission by no later than 1 week after each of the above directions in (f) and (g) have been carried out. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,f9c77b604588fd22b9623d2884cfc03d6a7dbbb3,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,158,158,1,952,A warning was issued to Skinny’s Lounge for failing to ensure that consent was obtained from its patrons to re-play recorded CCTV footage on a screen in its public lounge. 
Skinny’s Lounge also failed to provide due notification to its patrons on the full purposes of the CCTV footage recorded at its premises.,"[""Consent"", ""Notification"", ""Warning"", ""Arts, Entertainment and Recreation"", ""KTV"", ""Karaoke""]",2019-06-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Skinnys-Lounge---110619.pdf,"Consent, Notification",Breach of the Consent and Notification Obligations by Skinny's Lounge,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-consent-and-notification-obligations-by-skinny-s-lounge,2019-06-11,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 13 Case No DP-1806-B2267 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Skinny’s Lounge … Organisation DECISION Skinny’s Lounge [2019] SGPDPC 13 Skinny’s Lounge Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2267 11 June 2019 Background 1 The Organisation is a Karaoke Television (“KTV”) bar located in Boat Quay. The central issue in this case is whether the Organisation had valid consent from its patrons to disclose their images recorded on closed-circuit camera footage (“CCTV Footage”). The disclosure was on a screen in a publicly accessible area of its premises. 2 Following an investigation into the matter, I found the Organisation in breach of section 13(a) read with section 18 and with section 20(1) of the Personal Data Protection Act (“PDPA”). Material Facts 3 The Organisation had one KTV Room on its premise. The KTV Room had a sign beside the TV screen which read “Smile you are being recorded”. Patrons using the KTV Room were then recorded on CCTV Footage streamed “live” onto a screen in the Organisation’s public lounge (“Public Screen”) for general viewing. 4 On or before 19 June 2018, the Complainant and her friends used the KTV Room and their images were live-streamed onto the Public Screen. 
After the Complainant and her friends left, the CCTV in the KTV Room malfunctioned. With the live streaming disrupted, the Organisation played on the Public Screen randomly selected recorded CCTV Footage. This included CCTV Footage of the Complainant and her friends which was replayed on the Public Screen for “a day or two”. After the Complainant found out about the replaying of the CCTV Footage, she lodged a complaint with the Personal Data Protection Commission (“PDPC”) on 19 June 2018. Findings and Basis for Determination 5 The provisions relevant to this case are as follows: (a) Section 13(a) of the PDPA states that organisations are prohibited from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data (the “Consent Obligation”). (b) Section 18 of the PDPA states that an organisation may collect, use or disclose personal data about an individual only for purposes (a) that a reasonable person would consider appropriate in the circumstances; and (b) that the individual has been informed of under section 20, if applicable (the “Purpose Limitation Obligation”). (c) Section 20(1) of the PDPA states that an organisation is required to notify individuals of the purpose(s) for which it intends to collect, use or disclose an individual’s personal data on or before such collection, use or disclosure of the personal data (the “Notification Obligation”). Personal Data 6 The images of the Complainant and her friends on the CCTV Footage were their personal data as defined in section 2(1) of the PDPA. This was regardless of whether the images were streamed live or replayed. The personal data was in the Organisation’s possession and/or under its control. 
The Organisation failed to obtain valid consent to re-play the CCTV Footage with the personal data of the Complainant and her friends on the Public Screen 7 Upon review of the collected evidence, patrons were given notice that their images would be recorded and streamed live onto the Public Screen. First, they would have walked past the Public Screen before entering the KTV Room. In this regard, they would have noticed that the Public Screen was showing images of the KTV Room. Second, the sign beside the TV screen mentioned above also notified the customers that they were being recorded. 8 However, there was no notice to the Complainant and her friends that their images could be randomly selected and re-played on the Public Screen when they were no longer in the Organisation’s premises. The Organisation gave no notice to its patrons of the purpose(s) for which their recorded images would have been used. The only purpose evident from the circumstances was the live streaming visible to the patrons on the Public Screen. There was no evidence that a re-play of CCTV Footage on the Public Screen was regular. Neither could it be said that re-playing images of patrons in the KTV Room was an obvious response to CCTV malfunction, such that a reasonable person would have considered it natural and therefore appropriate. Music videos, for example, could have been screened. 9 Given the foregoing, as the Organisation had not notified the Complainant of the purposes for which the CCTV Footage would be reused, it follows that it had not obtained consent for the use and disclosure of the Complainant’s personal data under section 13 read with sections 14(1) and 20(1) of the PDPA. On the facts, none of the other provisions in the PDPA would apply to allow the Organisation to re-play the CCTV Footage on the Public Screen. 
In addition, the failure to notify the Complainant meant that the Organisation was not permitted to use and disclose the CCTV Footage in the manner which it did under section 18 of the PDPA. I therefore find that the Organisation had contravened sections 13 and 18 of the PDPA. Remedial Action 10 The Organisation did take remedial action. It ceased screening of CCTV Footage on the Public Screen. It improved its notification by informing patrons that CCTV recording is ongoing in its premise for security purposes. Conclusion 11 Having found the Organisation to be in breach as above, I am empowered under section 29 of the PDPA to give the Organisation such directions as deemed fit to ensure compliance with the PDPA. 12 In determining the appropriate directions to be imposed on the Organisation, I have taken into account the following mitigating factors: (a) There was no evidence of any unauthorised use of the CCTV Footage of the Complainant and her friends other than the re-play mentioned. (b) The Organisation did not receive any other complaints on this incident other than from the Complainant. (c) The Organisation was cooperative in the course of investigation. (d) The Organisation took prompt remedial action after being notified by the Complainant and PDPC. 13 Having considered all the relevant factors of the case, I have decided to issue a warning to the Organisation for breaching its obligations under section 13(a) read with section 18 and with section 20(1) of the PDPA, as neither further directions nor a financial penalty is warranted in this case. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Warning,ee7c19d8e4e94c3b494bfbe6567abae917e4cd07,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,199,199,1,952,"A financial penalty of $6,000 was imposed on an individual for selling a database containing personal data, without notifying the individuals involved.","[""Consent"", ""Notification"", ""Financial Penalty"", ""Wholesale and Retail Trade""]",2018-01-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionSharonAssyaQadriyahTang110118.pdf,"Consent, Notification",Breach of the Consent and Notification Obligations by an Individual Selling Personal Data,https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-the-consent-and-notification-obligations-by-an-individual-selling-personal-data,2018-01-11,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 1 Case No DP-1701-B0485 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Sharon Assya Qadriyah Tang … Organisation DECISION Sharon Assya Qadriyah Tang [2018] SGPDPC 1 Tan Kiat How, Commissioner — Case No DP-1701-B0485 11 January 2018 Background 1 This is the first reported case of an individual (the “Respondent”) who was involved in the unauthorised selling of personal data. The facts disclose a straightforward breach of the Personal Data Protection Act 2012 (“PDPA”), and the Respondent does not deny committing the infringing acts. The Commissioner has accordingly found the Respondent in breach of sections 13 and 20 of the PDPA. 2 The Commissioner’s findings and grounds of decision are set out below. Material Facts 3 The Respondent was employed as a telemarketer from 2004 to 2014. Sometime in 2012, the Respondent started purchasing ‘leads’ to expand the reach of her marketing in order to hit her sales targets. 
These ‘leads’ typically comprised an individual’s name, NRIC number, mobile number and annual income range. A lead would typically cost between $0.20 and $0.30. 4 The Respondent bought the leads from unknown online sellers and did not retain the details of these transactions. Also, the Respondent did not check or verify with the sellers that the leads she purchased were obtained legitimately with the individuals’ consent. 5 On average, the Respondent would buy approximately 10,000 leads per year. According to the Respondent, her first purchase of leads was sometime in late 2012 and her last purchase was sometime in either May or June 2014. At the material time, the Respondent had in her possession approximately 30,990 leads. The leads were stored in Microsoft Excel spreadsheets. 6 From late 2012 up until 23 February 2017, the Respondent estimated that she had re-sold the leads she had bought about 9 to 10 times, typically charging customers between $0.05 to $0.20 per lead, depending on the number they purchased. The Respondent would advertise the sale of the leads on various websites, and customers who wished to buy the leads would make payment to the Respondent via a bank transfer. While conducting these transactions, the Respondent concealed her true identity by using an alias (with a corresponding email address), her husband’s bank account number, and a mobile phone number registered under her friend’s name. The Respondent estimated she had made a profit of $5,000 from selling these leads. The Respondent explained that she had decided to re-sell the leads as a side-line to supplement her income. During this period of time, the Respondent was concurrently holding a job as a telemarketer and engaging in an apparel business. 
Findings and Basis for Determination 7 The following two main issues were canvassed from the facts for the Commissioner’s determination: (a) whether the Respondent was an “organisation” subject to the Data Protection Provisions of the PDPA; and (b) whether the Respondent’s sale and purchase of leads complied with the Consent and Notification Obligations under the PDPA. 8 As a preliminary point, it was not disputed that the 30,990 leads in the Respondent’s possession, each of which comprised an individual’s name, NRIC number, mobile number and annual income range, fell within the definition of “personal data” under section 2(1) of the PDPA as it was clearly possible to identify an individual from that data. (a) Whether the Respondent was an “organisation” subject to the Data Protection Provisions of the PDPA 9 The Commissioner first determined whether the Respondent was acting as an “organisation” for the purposes of the PDPA. This is a pertinent issue in this case, because the Respondent is an individual, and the Data Protection Provisions1 are only applicable to an “organisation” under the PDPA. Although the PDPA defines “organisation” broadly to include individuals,2 an individual is expressly excluded from the Data Protection Provisions in the PDPA if the individual was acting in a personal or domestic capacity.3 Therefore, when it comes to the application of the PDPA to individuals, it is usually germane to the issue to determine whether the individual was acting in a personal or domestic capacity. If the individual was not acting in a personal or domestic capacity, then she will be treated as an “organisation” for the purposes of the PDPA, and obliged to comply with the Data Protection Provisions. 1 As borne out by Parts III to VI of the PDPA. 2 Section 2(1) of the PDPA. 3 Under section 4(1)(a) of the PDPA. 
10 On the facts, the Respondent was clearly not acting in a personal or domestic capacity in respect of the buying and selling of leads. The purchase and sales of the leads were not for her own personal use or purposes, but in order to make a profit. Under the PDPA, “business” includes an activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity. In this regard, the converse of a person acting in a personal or domestic capacity is one that acts in a business capacity. This was the case for the Respondent in respect of the purchase and sale of leads. 11 In earlier cases, the Commissioner had also found individuals, namely, a registered salesperson4 and a financial consultant5, to come within the definition of an “organisation” under the PDPA. In those cases, the individuals had been carrying out data processing activities for work or business purposes, and were thus not acting in a personal or domestic capacity. 12 Given the above, the Respondent is an “organisation” for the purposes of the PDPA, and subject to the Data Protection Provisions. (b) Whether the Respondent’s sale and purchase of leads complied with the Consent and Notification Obligations under the PDPA (i) The Respondent’s buying and selling of leads were activities that fell under the scope of the PDPA 13 The PDPA governs the collection, use and disclosure of personal data by organisations. Given that the leads which the Respondent had purchased or sold comprised personal data of individuals, these were activities that fell under the scope of the PDPA. 4 Re Chua Yong Boon Justin [2016] SGPDPC 13. 5 Re Ang Rui Song [2017] SGPDPC 13. 
In respect of the purchase of leads by the Respondent, in which the Respondent acquired personal data from the seller of the transaction, this amounted to a “collection” of personal data under the PDPA by the Respondent. In respect of the sale of leads by the Respondent, in which the Respondent provided personal data to the buyer of the transaction, this amounted to a “disclosure” of personal data under the PDPA by the Respondent. 14 The relevant obligations under the PDPA that apply to the facts of this case are the Consent and Notification Obligations. The Notification Obligation requires an organisation to inform individuals of the purposes for the collection, use and disclosure of personal data, while the Consent Obligation requires the organisation to obtain consent from the individual for such purposes of the collection, use and disclosure. The appropriate provisions of the Notification and Consent Obligations are found in the Data Protection Provisions of the PDPA at sections 13 to 15 and 20 respectively. (ii) The Respondent was not subject to the Data Protection Provisions in respect of the purchase and sale of personal data before the Appointed Day 15 According to the Respondent, she was first involved in the buying and selling of leads since 2012 to support her work as a telemarketer. 16 However, the Data Protection Provisions of the PDPA only came into effect on 2 July 2014 (the “Appointed Day”). This means that during the period before the Appointed Day, the Respondent was not subject to or required to comply with the Data Protection Provisions of the PDPA in respect of the collection, use and disclosure of the personal data found in the database of leads. 
17 Notwithstanding, after the Appointed Day when the Data Protection Provisions came into force, the Respondent was subject to the obligations under the Data Protection Provisions in respect of both the existing personal data held in the Respondent’s possession or control, and any new personal data that the Respondent may come into possession or control with. The Respondent was therefore obliged to take steps to comply with the Data Protection Provisions in respect of both these sets of data. This includes obtaining consent from the individuals for the use of the personal data for a new purpose, which the individuals had previously not consented to, as it falls outside the purposes for which the personal data was originally collected under section 19 of the PDPA (as will be elaborated on below). 18 This was a position that was taken in Re Social Metric Pte Ltd [2017] SGPDPC 17. In that case, Social Metric had processed personal data for its clients’ social marketing campaigns all the way back before the Appointed Day. The Commissioner took the position that before the Appointed Day, Social Metric was not required to put in place reasonable security arrangements under section 24 of the PDPA to protect the personal data in its possession or under its control. However, when the Data Protection Provisions came into force after the Appointed Day, Social Metric needed to put in place such security arrangements to protect both the existing and new personal data. (iii) Grandfathering provision may apply to the continued use but not sale of personal data 19 As the Respondent had been purchasing and selling personal data since 2012, and before the Appointed Day, the question is whether the Respondent can rely on the “grandfathering” provision under section 19 of the PDPA to continue to use or sell (ie disclose) such personal data to third parties after the Appointed Day. 
It should be noted that the Respondent cannot continue to purchase or collect personal data after the Appointed Day, as the Data Protection Provisions would have kicked in on the Appointed Day, and would require the Respondent to provide notification to, and obtain consent from, the individuals pursuant to the Consent and Notification Obligations (unless an exception applies). 20 The grandfathering provision provides that organisations may continue to use personal data that they have collected before the Appointed Day, for the purposes for which the personal data was collected, unless consent is withdrawn or the individual gives an indication that there is no such consent. 21 In respect of the personal data that was purchased or obtained before the Appointed Day, it may be possible for an organisation to continue using the personal data if such use falls within the purposes of collection, such as for its own reasonable use (ie telemarketing purposes), provided that there was no indication that the individual did not consent to the continued use. This is a position that the PDPC articulated in its Advisory Guidelines on Key Concepts in the PDPA (“Advisory Guidelines”), of which an extract of the relevant parts is set out below:6 The effect of section 19 is that organisations can continue to use personal data collected before the appointed day for the same purposes for which the personal data was collected without obtaining fresh consent, unless the individual has withdrawn consent (whether before, on, or after the appointed day). Organisations should note that section 19 only applies to ‘reasonable existing uses’ of personal data collected before the appointed day. For the avoidance of doubt, the purpose of telemarketing (i.e. sending a specified message to a Singapore telephone number) could be a reasonable existing use. 6 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) at [23.3]-[23.4]. 
22 However, in this case, the Respondent went beyond using the personal data for her own telemarketing purposes, and proceeded to sell personal data to third parties. The “grandfathering” provision only permits the continued “use” of personal data for the purposes for which the personal data was collected. Such “use” does not extend to “disclosure” of personal data unless, as set out at paragraph 23.1 of the Advisory Guidelines, the disclosure “is necessarily part of the organisation’s use of such personal data”. In the case of the sale of personal data, the disclosure of personal data is the main activity being carried out, and is not incidental to any of the organisation’s own uses of the personal data. Thus, it is not a disclosure “that is necessarily part of the organisation’s use of such personal data”. The PDPC has stated this position in its Advisory Guidelines as an example:7 Organisation XYZ has been selling databases containing personal data. This would be considered a disclosure of personal data and not a reasonable existing use under section 19. After the appointed day, XYZ needs to ensure that consent has been obtained before selling these databases again. [Emphasis added.] 23 Consequently, the grandfathering provision would not apply to the instances where the Respondent had been selling personal data before the Appointed Day, and continued to sell personal data after the Appointed Day. In respect of personal data that was not sold before the Appointed Day, it is all the more so that the Respondent cannot rely on the grandfathering provision, because there was never an existing practice of selling the personal data in the first place, and hence there is no “use” to be carried on in respect of the personal data. 7 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) at [23.6]. 
(iv) The Respondent’s sale of leads comprising personal data after the Appointed Day was a serious contravention of the PDPA 24 During the investigations, the Commissioner found no evidence that the Respondent had continued to purchase leads from the online sources after the Appointed Day. However, there was clear evidence that the Respondent was still selling leads after the Appointed Day. In respect of the Respondent’s sale of such leads, the Commissioner finds that there was a clear breach of the Consent and Notification Obligations under the PDPA. 25 When questioned about the sale of personal data, the Respondent admitted that she did not obtain consent from the individuals for the sale of their personal data to third parties. The Respondent also admitted that she did not check or verify with the online sellers if they had obtained consent from the individuals to the selling of their personal data. Similarly, the Respondent had also admitted that she did not provide any notification to the individuals of the sale of their personal data. The Commissioner also carried out further investigations and separately contacted several individuals whose personal data were found in the database of leads, and all of them confirmed that they had not consented to their personal data being disclosed or sold. 26 Accordingly, on the evidence that the individuals had not been informed of the sale of their personal data nor did they provide consent to the sale of their personal data, the Respondent is in breach of both the Consent and Notification Obligations under the PDPA. 27 The sale of personal data in contravention of the PDPA is a serious breach of the PDPA. In the UK, data selling is expressly prohibited by legislation. 
Section 55 of the Data Protection Act 1998 (“DPA”) provides that it is an offence for any person who (a) knowingly or recklessly, without the consent of the data controller, obtains or discloses personal data or procures such disclosure, or (b) sells or offers to sell the personal data so obtained. Specifically, section 55(6) of the DPA clarifies that “an advertisement indicating that personal data are or may be for sale is an offer to sell the personal data”.8 In this regard, both the advertisement of the sale of personal data, and the actual sale of personal data carried out, would constitute an offence under the DPA. 28 The UK’s Information Commissioner’s Office (“ICO”) has recently found a data broker to be in breach of the DPA for obtaining customer data from various sources and selling the data to third party organisations for the purposes of direct marketing. The individuals whose data was traded by the data broker were not informed that their personal data would be disclosed to the data broker, or the organisations to which the data broker sold the data on to, for the purpose of sending direct marketing text messages. In total, the ICO found that there were 580,302 records containing personal data that were disclosed without the data subjects’ knowledge or consent.9 In terms of the harm, the ICO stated that “the unlawful trade in personal data [led] directly to the wholescale sending of unsolicited direct marketing texts and the making of nuisance calls”, and was satisfied that the “cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, means that overall the level was substantial”.10 As such, the data broker was found to be in breach of the DPA and was issued a monetary penalty of £20,000. 8 UK, Data Protection Act 1998. 9 UK, ICO, Monetary Penalty Notice: The Data Supply Company Ltd (27 January 2017) at [26], [29]. 
29 In Hong Kong, the Office of the Privacy Commissioner for Personal Data (“PCPD”) found that the Octopus group of companies (“Octopus Group”), which provides an extensive smartcard payment system for transport and other services, had contravened the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) by entering into contracts with several business partners to sell its members’ personal data without their consent.11 In that case, the Octopus Group had failed to inform individuals registering for its rewards programme that one of the purposes was the sale of their personal data for monetary gain. This purpose was neither expressly stated in the terms and conditions on the member’s registration form, nor could it be said to be a purpose of use within the reasonable expectation of the individuals.12 In this regard, despite providing their signature on the registration form, the individuals could not be said to have consented to the data selling. It should be noted that the Hong Kong case had a widespread impact, eventually becoming the catalyst for amendments to the data protection law in Hong Kong. 10 UK, ICO, Monetary Penalty Notice: The Data Supply Company Ltd (27 January 2017) at [32]-[34]. 11 H.K., PCPD, The Collection and Use of Personal Data of Members under the Octopus Rewards Programme run by Octopus Rewards Limited, Report Number R10-9866 . 12 Ibid. at [3.36] and [3.40]. 30 The Commissioner likewise takes a serious view of such breaches under the PDPA. There are strong policy reasons for taking a hard stance against the unauthorised sale of personal data. 
Amongst these policy reasons are the need to protect the interests of the individual and safeguard against any harm to the individual, such as identity theft or nuisance calls. Additionally, there is a need to prevent abuse by organisations in profiting from the sale of the individual’s personal data at the individual’s expense. It is indeed such cases of potential misuse or abuse by organisations of the individual’s personal data which the PDPA seeks to safeguard against.13 In this regard, the Commissioner is prepared to take such stern action against organisations for the unauthorised sale of personal data. 13 Sing., Parliamentary Debates, vol. 89 (15 October 2012) (Assoc Prof Dr Yaacob Ibrahim) at p. 1: “The personal data protection law will safeguard individuals’ personal data against misuse by regulating the proper management of personal data”. Enforcement Action 31 Given that the Commissioner has found the Respondent to be in breach of sections 13 and 20 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure the Respondent’s compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding S$1 million as the Commissioner thinks fit. 32 In assessing the breach and determining the directions to be imposed on the Respondent, the Commissioner took into account the following aggravating factors: (a) the database of leads included personal data of a sensitive nature, i.e. 
NRIC numbers and salary ranges of individuals; (b) the Respondent had used means to obscure her identity when she was selling the leads, which is indicative of a guilty conscience and of a premeditated and deliberate contravention of the PDPA; and (c) as elaborated above at paragraph 30, the profiteering from the sales of personal data by organisations at the expense of consumers or individuals is the very kind of activity which the PDPA seeks to curb, and hence, must be severely dealt with. 33 In relation to the mitigating factors of this case, the Commissioner took into account the fact that the Respondent had candidly admitted to the wrongdoing at the first instance, and co-operated fully with investigations. Additionally, the Respondent was fully cooperative with the Commissioner’s investigations and was helpful in providing evidence of the matter. 34 Crucially, the Commissioner also considered the special financial circumstances of the Respondent in determining a suitable amount of financial penalty to impose on the Respondent. During the course of investigation, the Commissioner learnt that the Respondent and her husband were of limited financial means and were earning modest salaries, and had a child and family to support. In the Commission’s assessment, imposing a high financial penalty on the Respondent would likely place a crushing burden on the Respondent and her family in the circumstances and cause undue hardship. 35 From the evidence, the cumulative amount of payment received by the Respondent from the sale of the leads was unlikely to exceed $5,000, and this was based on a conservative estimate. In addition, the investigation showed that the Respondent was not carrying out the sale and purchase of personal data on a large-scale basis, but was simply conducting these activities opportunistically and on the side to supplement her income. 
36 Accordingly, taking into account all relevant factors of this case, and given the special financial circumstances that the Respondent is in, the Commissioner has decided to adjust the amount of financial penalty to an amount which would adequately reflect the seriousness of the breach of the PDPA, but at the same time not impose a crushing burden on the Respondent or her family. 37 Although the Commissioner has imposed a lower financial penalty in this case, this is exceptional and should not be taken as setting any precedent for the extension of the same leniency or indulgences in other cases. The Commissioner wishes to remind organisations of their obligations under the PDPA and that it takes a serious view towards any unauthorised sale of personal data. 38 The Commissioner hereby directs the Respondent to pay a financial penalty of S$6,000 within 30 days from the date of the Commissioner’s direction. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,7c97ac65ddddd62ae8a119b6caa4338a79492ebb,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,211,211,1,952,"A joint decision was issued for three separate cases involving Management Corporation Strata Title and managing agents of condominiums. 
The parties were found not to be in breach for disclosing names of unit holders, unit numbers and voting shares of subsidiary proprietors via minutes and voters lists.","[""Consent"", ""Notification"", ""Not in Breach"", ""Real Estate""]",2017-06-12,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---3-mcst-ma---120617.pdf,"Consent, Notification",No Breach of Consent and Notification Obligations by MCST and Managing Agents of Condominiums,https://www.pdpc.gov.sg/all-commissions-decisions/2017/06/no-breach-of-consent-and-notification-obligations-by-mcst-and-managing-agents-of-condominiums,2017-06-12,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0117 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Exceltec Property Management Pte Ltd (2) Management Corporation Strata Title Plan No 2956 (3) Strata Land Property Consultants Pte Ltd ... Organisations Decision Citation: [2017] SGPDPC 8 GROUNDS OF DECISION 12 June 2017 A. BACKGROUND 1. This decision arises from three separate cases involving Management Corporation Strata Title (“MCSTs”) and managing agents (collectively, the “Organisations”) of condominiums posting documents containing the personal data of subsidiary proprietors (hereinafter referred to as “residents”) on notice boards. The nature of the complaints was that the disclosures made of these personal data were an infringement of the Personal Data Protection Act 2012 (“PDPA”). 2. The Personal Data Protection Commission (the “Commission”) commenced investigations into the matter, and provides its decision below. 3. Although the three cases involve different residents and managing agents of condominiums, the facts of the three cases are substantially similar and the legal issues involved are identical. Therefore, this consolidated decision is issued for the three cases. B. MATERIAL FACTS AND DOCUMENTS 4. 
Between 29 June and 27 July 2016, the Commission received complaints from several residents of three condominiums (namely, (1) Prive, (2) The Mornington, and (3) Seletaris) against the condominiums’ respective MCST or managing agents, namely, (1) Exceltec Property Management Pte Ltd (“Exceltec”), (2) Management Corporation Strata Title Plan No 2956 (“MCST 2956”), and (3) Strata Land Property Consultants Pte Ltd (“Strata Land”) respectively: 5. a. In the first case, three residents (“1st Complainants”), complained that Exceltec had posted copies of the voter list containing the names, unit numbers, and voting shares of residents, and the draft minutes of the 1st council meeting on 12 July 2016 (containing the names and unit numbers of residents) on notice boards of the Prive condominium and Prive EC web portal without providing prior notification and obtaining their consent. b. In the second case, a resident (“2nd Complainant”), complained that MCST 2956 had left the voter list, containing the names and unit numbers of residents, on a publicly accessible notice board for longer than necessary after the conclusion of the Annual General Meeting. According to the 2nd Complainant, the voter list was left on the board for roughly 2 months after the council meeting was held. c. In the third case, a resident (“3rd Complainant”), complained that Strata Land had posted a voter list containing the names, unit numbers, and voting shares of residents, on at least two notice boards at different blocks of the Seletaris condominium. The 3rd Complainant alleged that there was no need to have posted the voter list on multiple notice boards, and further, that the voter lists had been displayed for an unnecessarily long period of time (ie 2 days after the council meeting). For ease of reference, we set out in a table below a summary of the types of personal data that were disclosed by the Organisations and the nature of the complaints that were made by the various complainants. 
Table (columns: No.; Relevant parties; Documents involved; Personal data involved; Nature of complaint). 1. 1st Complainants and Exceltec: (1) draft minutes of meeting, containing names and unit numbers; (2) voter list, containing names and unit numbers, and voting shares. Nature of complaint: disclosure of personal data without notification or consent. 2. 2nd Complainant and MCST 2956: voter list, containing names and unit numbers. Nature of complaint: duration of the disclosure of personal data was for longer than necessary. 3. 3rd Complainant and Strata Land: voter list, containing names, unit numbers, and voting shares. Nature of complaint: disclosure of personal data without notification or consent; duration of the disclosure of personal data was for longer than necessary; disclosure of personal data ought not to be made on multiple notice boards. C. THE COMMISSION’S FINDINGS AND ASSESSMENT Applicability of the PDPA 6. The posting of the voter lists and minutes of meeting by the Organisations on notice boards located within the compound of the condominiums amounted to a “disclosure” under the PDPA of the information in the voter list and minutes of meeting. 7. As seen in the table above, the information that was disclosed in the voter lists and minutes of meeting included the names, unit numbers, and voting shares of the residents. This information constitutes “personal data” under section 2(1) of the PDPA because the residents could be identified from such information. For example, the 2nd Complainant could be identified from the voter list that MCST 2956 had disclosed on The Mornington’s notice board, which included the name, unit number and voting shares of the 2nd Complainant. 8. Given that the disclosed information constitutes personal data, the Organisations are therefore subject to the data protection provisions in Parts III to IV of the PDPA in relation to the disclosure of that personal data. Issues to be Determined 9. 
There are two data protection obligations under the PDPA that are relevant to the disclosures that were made by the Organisations – the Consent Obligation1 and Notification Obligation.2 a. The Consent Obligation generally requires organisations to obtain consent from an individual for the collection, use or disclosure of his or her personal data. b. The Notification Obligation generally requires that notice of the purposes for which organisations collect, use or disclose personal data be given to the individual beforehand. 10. Both the Consent and Notification Obligations are subject to various exceptions under the PDPA, including the exceptions found in Schedules 2 to 4 of the PDPA. Additionally, section 4(6) of the PDPA allows the provisions of other written law to prevail over data protection obligations where they are inconsistent with the provisions of that other written law (“the subordination provision”). 11. The first issue is therefore whether the Organisations have complied with the Consent and Notification Obligations, or whether they can avail themselves of any exceptions under the PDPA. 12. For this issue, we will examine what the Commission considers is the crux of the matter: (a) whether, by reason of the subordination provision, the requirements for Organisations to notify and obtain consent to disclose the voter lists and minutes of meeting containing personal data are superseded by the Building Maintenance and Strata Management Act (Cap. 30C) (Rev. Ed. 2008) (“BMSMA”) requirements for such voter lists and minutes of meeting to be disclosed; and/or (b) whether the public availability exception applies. 1 Pursuant to Sections 13 to 15 and 17 of the PDPA. 2 Pursuant to Section 20 of the PDPA. 13. The second issue is whether, even if the disclosure was permissible in respect of the first issue above, the Organisations had disclosed more personal data than what was permitted in the voter lists and minutes of meeting. 14. 
The final two issues are: (i) whether MCST 2956 and Strata Land had disclosed the personal data for a longer duration than necessary, and (ii) whether Strata Land was permitted to disclose the voter lists on multiple notice boards located in the condominium. Issue (a): Whether the Organisations had obtained consent or provided notification when they disclosed the personal data of the residents 15. As part of the Consent Obligation, section 13 of the PDPA requires that prior consent be obtained by an organisation in order to collect, use or disclose personal data about an individual. 16. This is concomitant with the Notification Obligation, which requires, under section 20 of the PDPA, that notification be provided to the individual of the purposes for the collection, use or disclosure of personal data before consent is obtained. However, the need to obtain consent or to provide the related notification is dispensed with where an exception to section 13 of the PDPA (ie the Consent Obligation) applies. 17. Based on the Organisations’ representations to the Commission, none of the Organisations had notified their respective residents of the purpose of the disclosure of the voter lists or minutes of meeting, nor did any Organisation obtain the residents’ consent to disclose their personal data. 18. Accordingly, the next question is whether the Organisations could avail themselves of an exception to section 13 of the PDPA (ie the Consent Obligation). Issue (b): Whether the disclosure may be made without consent Sub-issue (1): Whether the disclosure was required or authorised under other written law 19. Section 13(b) of the PDPA provides for an exception to the need for consent to be obtained – it states that an organisation shall not disclose personal data unless the disclosure without the consent of the individual is required or authorised under the PDPA or any other written law. 
Simply put, insofar as there is another written law which requires or authorises the disclosure of personal data, an organisation which does so pursuant to that law will be able to avail itself of the exception under section 13(b) of the PDPA. In the present case, the other written law in question is the BMSMA. 20. Under Paragraph 7 of the First Schedule to the BMSMA, management corporations are statutorily required to display a list of voters entitled to vote at the general meeting on the notice board maintained on the common property. Paragraph 7 of the First Schedule to the BMSMA reads as follows: “List of names of persons entitled to vote 7. The secretary of the management corporation or (as the case may be) subsidiary management corporation shall put up a list of the names of the persons who are entitled to vote at a general meeting on the notice board maintained on the common property at least 48 hours before the general meeting.” [Emphasis added.] 21. The BMSMA therefore requires that the names of the persons entitled to vote at the general meeting be put up on the notice board. It does not, however, state that other information, namely, the unit numbers or voting shares, may also be disclosed in the voter list. This would be an issue which we will address further below at paragraphs 30 to 39. 22. Similarly, management corporations are required under Paragraph 3 of the Second Schedule to the BMSMA to keep the minutes of any meeting of the council or executive committee of the management corporation, and display those minutes on the notice board. Paragraph 3 of the Second Schedule to the BMSMA reads as follows: “Keeping of records 3.—(1) The council or executive committee shall keep minutes of its proceedings and shall cause minutes of general meetings to be kept. 
(2) If the management corporation or subsidiary management corporation is required by its by-laws to maintain a notice board, its council or executive committee, as the case may be, shall —
(a) cause a copy of the minutes of a meeting of the council or executive committee, as the case may be, to be displayed on the notice board within 7 days after the meeting; and
(b) cause a copy of a minute of any resolution thereof, or of the management corporation or subsidiary management corporation, as the case may be, passed in accordance with this Act to be displayed on the notice board after it is passed.
(3) A copy of any minutes referred to in sub-paragraph (2) shall be kept displayed on the notice board for a period of not less than 14 days.
(4) If there is no notice board, the council or executive committee concerned shall give each resident a copy of the minutes referred to in sub-paragraph (2)(a) or (b) within the period specified in that sub-paragraph.
(5) The council or executive committee shall —
(a) cause proper books of account to be kept in respect of all sums of money received and expended by it, specifying the matters in relation to which the receipts and expenditure take place; and
(b) on the application of a resident or mortgagee of a lot (or any person authorised in writing by him), make the books of account available for inspection at all reasonable times.” [Emphasis added.]

23. While Paragraph 3 of the Second Schedule to the BMSMA does not expressly state the information that ought to be included (or omitted) in the minutes of meeting that are displayed on the notice board, in the Commission’s view, the function and purpose of minutes of meetings, at least in the context of the BMSMA, is to fully and accurately record what was discussed and what happened at the meeting. This includes recording the declarations made under section 60(7) of the BMSMA,[3] and the resolutions and/or motions that were passed.
Such minutes serve a variety of purposes, including being a record of discussions for future reference and capturing the rationale behind the decisions made. It is therefore implicit in the definition and understanding of “minutes of meetings” that they can contain the personal data of individuals as part of this full and accurate recording of the meeting: eg attendance, participation in discussions and views expressed, or as the subject of matters discussed in the meeting agenda.

[3] Section 60(7) of the BMSMA states: “The secretary of the council shall record every declaration under this section in the minutes of the meeting at which it was made.”
[4] Office of the Information and Privacy Commissioner of British Columbia, Privacy Guidelines for Strata Corporations and Strata Agents (June 2015), online: OIPC at page 19.

24. In this regard, the Commission agrees with the position taken by the Office of the Information and Privacy Commissioner of British Columbia (“OIPC”):[4]

“[A] strata council should ensure that every statement in the strata council minutes is accurate, objective and verifiable and that the minutes contain the minimum amount of personal information necessary.”

25. The OIPC also provided some guidance on the personal information that may be recorded in the strata council minutes:[5]

“If a strata council member or a guest attends a strata council meeting, they have provided implied consent to have their name recorded in the strata council minutes. Similarly, the names of any authorised people in attendance at the meeting, such as the strata manager, can be noted in the minutes. The name, strata lot number and/or unit number of each strata council member, who is not attending the meeting, should also be recorded. … Minutes of strata council meetings should record all decisions made by the strata council, but need not include the exact discussions leading up to any votes.
It is important that the strata council minutes clearly document how resolutions are amended and what the outcome of any votes was. Strata councils should ensure that only the minimal amount of personal information required to provide an accurate and objective account of its decisions is recorded in the meeting minutes.”

[5] Office of the Information and Privacy Commissioner of British Columbia, Privacy Guidelines for Strata Corporations and Strata Agents (June 2015), online: OIPC at page 17.

26. In the Exceltec case, the draft minutes of the 1st council meeting disclosed the names and unit numbers of the residents. In the Commission’s view, the names of the residents would reasonably form part of the minutes of the council meeting, as there is a need to identify and record the persons in attendance (or absent), including the council office bearers and the residents who sit in on the meeting as observers. Given that Paragraph 3 of the Second Schedule to the BMSMA provides for an organisation (specifically, the MCST or managing agent) to disclose the full and accurate minutes of the council meeting on the notice board, it must be taken that the personal data (ie the names) are to be disclosed as part of the overall publication of the minutes of meetings. When read together with section 13(b) of the PDPA, Exceltec is allowed to disclose the names of the residents in the minutes of meeting without obtaining the residents’ consent.

27. In respect of the unit numbers found in the minutes of meeting, it should first be noted that a unit number in and of itself is not personal data. The association of the unit number with the person attending the meeting renders the pair personal data.
Having considered the matter, the Commission is of the view that if the purpose of including the name of the person attending the council meeting is to identify him, then the inclusion of the unit number in the minutes of meeting is reasonable because it serves to establish the basis for his attendance (ie he is the subsidiary proprietor, or represents the subsidiary proprietor, of that unit). In any event, as will be dealt with below, the publicly available exception would apply to the disclosure of such personal data.

28. In light of the foregoing, the Commission makes the following findings:
a. In respect of the disclosures that were made by the Organisations of the residents’ names in the voter lists, these were in compliance with the Consent Obligation and Notification Obligation, pursuant to Paragraph 7 of the First Schedule of the BMSMA read with section 13(b) of the PDPA.
b. In respect of the disclosures of the residents’ (i) names and (ii) unit numbers that were made by Exceltec in the minutes of meetings, these were in compliance with the Consent Obligation and Notification Obligation, pursuant to Paragraph 3 of the Second Schedule of the BMSMA read with section 13(b) of the PDPA.

29. This leaves open the question of whether the (i) unit numbers and (ii) voting shares of residents in the voter lists are also permitted to be disclosed under the PDPA. These two issues will now be addressed in the paragraphs below.

Sub-issue (2): Whether the disclosure fell under the public availability exception

30. The Commission also found that the public availability exception[6] is applicable in this case. Public availability (of the personal data) is an exception to the Consent Obligation and Notification Obligation, and allows for personal data to be disclosed without obtaining consent, as provided for in section 17(3) of the PDPA read with Paragraph 1(d) of the Fourth Schedule of the PDPA.

31.
Public availability, in relation to personal data about an individual, is defined in section 2(1) of the PDPA as personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or event (a) at which the individual appears, and (b) that is open to the public.

[6] Paragraph 1(d) of the Fourth Schedule of the PDPA.

32. In its Advisory Guidelines on Key Concepts in the PDPA, the Commission has stated at paragraph 12.58 that personal data will be generally available to the public as long as “any member of the public could obtain or access the data with few or no restrictions” (emphasis added).

33. In the present case, the disclosures that were made by the Organisations, on the whole, were of the (i) names, (ii) unit numbers and, in the cases of Exceltec and Strata Land, (iii) the voting shares of residents. The Commission is of the view that all three types of personal data were generally available to the public for the following reasons.

34. First, the information can be found in the strata roll, which is generally available to the public. Under section 47(1)(b) of the BMSMA, any resident or mortgagee, prospective purchaser or mortgagee, or even a person authorised in writing by the resident or mortgagee, may make an application to the management corporation for the property’s strata roll. All management corporations are required to prepare and maintain a strata roll which contains, among other things, the (i) names and (ii) addresses (including the apartment unit number) of residents and mortgagees of the lots, and the (iii) respective share value of the lots.[7] Since access to these strata rolls extends to “prospective” purchasers or mortgagees as well, in practical terms this allows almost any member of the public who claims to be a “prospective” purchaser to gain access to the information in the strata roll.

35.
Second, there are few restrictions under the BMSMA on a person gaining access to the strata roll. In order for a person to inspect the strata roll (amongst other information that the MCST has to make available under section 47(1)(b) of the BMSMA, ie minutes of general meetings of the MCST and council, or any other record in the custody or control of the MCST), the person only needs to do two things: (a) make an application to the MCST and (b) pay the prescribed fee in order to obtain the strata roll. There are generally no other pre-requisites or qualifications to be fulfilled in order to obtain the strata roll. Even though section 47 of the BMSMA states that the strata roll shall only be made available to a defined group (ie residents, mortgagees or purchasers), “prospective” mortgagees or purchasers as well as persons authorised by residents or mortgagees are included in the group. The expansion of the defined group renders it very difficult to enforce checks to ensure that the applicant for the information falls within the class. The practical reality is that there is a very low barrier to cross for a person to access the strata roll, beyond simply making the online application and paying the prescribed fee.

[7] Pursuant to section 46 of the BMSMA.

36. Third, some of this information may already be found on the Singapore Land Authority Registry (“SLA”), to which the public would generally have access. In this regard, anyone can purchase property title information, property ownership information and land information, which include the name, unit number and share value of the lot, for a prescribed fee. Similar to the strata roll, the SLA imposes no or few restrictions on the purchase.

37. Accordingly, the Commission takes the view that the names, unit numbers, and voting shares of the residents (which are, for all intents and purposes, the same as the share value of the apartment) are publicly available information under the PDPA.

38.
As the information was publicly available, pursuant to section 17(3) of the PDPA and Paragraph 1(d) of the Fourth Schedule of the PDPA there was no need for the Organisations to obtain consent from the residents or to provide prior notification to the residents before the Organisations disclosed the names, unit numbers, and voting shares of the residents found in the strata rolls.

39. In light of the above, the Commission is of the view that the above exceptions are applicable, and that the Organisations are in breach of neither the Consent Obligation nor the Notification Obligation in respect of the residents’ personal data.

Issue (c): Whether the Organisations had disclosed more personal data than necessary in the voter lists and minutes of meeting

40. In considering the applicability of the exceptions to the PDPA, the Commission also looked at whether the Organisations had disclosed more personal data than they were required or authorised to in the voter lists and minutes of meeting.

(i) Voter lists

41. It was already determined above that the Organisations are permitted to disclose the names of residents in the voter list on the notice board, without obtaining consent or providing notification, pursuant to Paragraph 7 of the First Schedule of the BMSMA and section 13(b) of the PDPA.

42. However, based on the express wording of Paragraph 7 of the First Schedule to the BMSMA, this does not appear to extend to the disclosure of unit numbers and voting shares of the residents. The exception under section 13(b) of the PDPA therefore does not apply to the disclosure of such personal data on the notice board.

43. Nonetheless, as mentioned above, the residents’ unit numbers and voting shares were publicly available information, and therefore could be disclosed without notifying the residents of the purpose for disclosure or obtaining their prior consent before disclosure.

(ii) Minutes of meeting

44.
Turning to the minutes of meeting, the Commission also considered whether Exceltec was specifically required to record the personal data of the residents, ie their names and unit numbers, in the draft minutes of the 1st council meeting.

45. It has already been mentioned above at paragraphs 26 to 28 that personal data found in the minutes of meetings may be disclosed pursuant to Paragraph 3 of the Second Schedule of the BMSMA read with section 13(b) of the PDPA.

46. However, this position should not be construed to mean that MCSTs and managing agents may include personal data of their residents without any restriction. The Commission cautions that any personal data recorded in the minutes should be relevant to the proceedings and necessary to ensure a full and accurate record of the conduct of the meeting. In a case where personal data is disclosed without being in any way relevant to the agenda of the meeting, the Commission may take the appropriate enforcement action.

Issue (d): Whether the Organisations had disclosed personal data for longer than necessary

47. Keeping the voter lists posted on the notice boards for a period of time may be seen as a continuous disclosure of the personal data in the voter lists. In the case of Strata Land, the disclosure was for approximately a 2-month period, whereas in the case of MCST 2956, the disclosure was for a 2-day period.

48. The Commission is of the view that MCSTs and managing agents should generally keep voter lists and minutes of meetings that contain personal data on the notice board only for a reasonable period of time. Good data protection practices dictate that the extent and duration of exposure of personal data should be minimised as far as possible, even if the disclosure is, in and of itself, permitted under the PDPA. By keeping personal data longer than necessary, an organisation runs the risk of falling afoul of the Retention Obligation under section 25 of the PDPA.

49.
In the case of MCST 2956, displaying the voter list on the notice board for 2 days cannot be said to be unduly protracted. In the case of Strata Land, the period was 2 months. Considering that the voter list is intended to establish both the persons who are entitled to attend and vote at the meeting and also the share value or voting rights of each of such persons, it stands to reason that the voter list may be displayed on the notice board for as long a duration as the minutes of meeting. This provides the conscientious reader of the minutes of meeting with the means to verify the accuracy of the minutes, insofar as they concern the identity of the voters and the calculation of votes. The Commission bore in mind that the minutes of meeting must be displayed for at least 14 days: see Paragraph 3 of the Second Schedule to the BMSMA, reproduced in paragraph 22 above.

50. Taking this minimum period of display as the basis for comparison, it is the Commission’s view that keeping the voter list posted on the notice board for 2 months is not an unduly protracted period. Admittedly, assessments of reasonableness are not an exact science, and there can be a range of validly held views as to what a reasonable period ought to be. In cases such as these, where the reasonableness of a course of action is called into question, the Commission restricts its role to determining whether the action is so clearly unreasonable that sanctions under the PDPA are warranted. For the present case, it is not necessary to express any view as to when a period crosses the threshold and becomes unreasonably protracted. It is sufficient for this decision that a period of 2 months is not so unreasonably long that it ought to attract a sanction under the PDPA.

51. In this case, for the reasons above, the Commission finds that MCST 2956 and Strata Land are not in breach of the PDPA in respect of the duration of the disclosures that were made.
Issue (e): Whether the disclosure of personal data may be made on multiple notice boards

52. The last issue, raised by the 3rd Complainant, is whether there was a requirement that the disclosure of the voter lists had to be made on all the notice boards of the condominium, or whether it was only necessary for the disclosure to be made on one.

53. Since the disclosure of personal data in the voter list is permissible under the PDPA for the reasons above, there are no restrictions under the PDPA on the voter list being disclosed on multiple notice boards. Moreover, the BMSMA does not distinguish between disclosure on one notice board and disclosure on multiple notice boards.

54. Accordingly, Strata Land is not in breach of the PDPA for disclosing the voter list on multiple notice boards.

D. CONCLUSION

55. For the foregoing reasons, the Commission concludes that the Organisations have not breached the Consent and Notification Obligations under the PDPA in relation to the disclosure of personal data in the voter lists and minutes of meeting, and has decided to take no further action in respect of the complaints made.
YEONG ZEE KIN
DEPUTY COMMISSIONER
PERSONAL DATA PROTECTION COMMISSION",Not in Breach,2ce165e02e9bb75e1c3bd17b406722924d367851,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,216,216,1,952,A warning was issued to Executive Coach International for failing to notify and obtain consent from an ex-employee for the disclosure of her personal data.,"[""Consent"", ""Notification"", ""Warning"", ""Education""]",2017-03-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---executive-coach-international---210317.pdf,"Consent, Notification",Breach of Consent and Notification Obligations by Executive Coach International,https://www.pdpc.gov.sg/all-commissions-decisions/2017/03/breach-of-consent-and-notification-obligations-by-executive-coach-international,2017-03-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION
Case Number: DP-1504-A426
In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 (the “PDPA”)
And
Executive Coach International Pte. Ltd. [UEN 200414184R] ... Organisation
Decision Citation: [2017] SGPDPC 3
GROUNDS OF DECISION
21 March 2017

BACKGROUND

1. On 20 April 2015, the Complainant complained to the Personal Data Protection Commission (the “Commission”) that the Organisation had disclosed her past personal history in a WhatsApp group chat comprising the Complainant and the Organisation’s other staff and volunteer trainees (“WhatsApp Group”) without her consent and without notifying her of the purposes for the disclosure.

2. On account of the complaint made, the Commission commenced an investigation under Section 50 of the Personal Data Protection Act 2012 (the “PDPA”) to ascertain whether the Organisation had breached its obligations under the PDPA. The material facts of the case are as follows.

MATERIAL FACTS AND DOCUMENTS

3.
The Organisation is an organisation which provides life and executive coaching services to individual and corporate clients. The Complainant is a former employee of the Organisation. She was the personal assistant to [Redacted] (replaced with Mr L), a director of the Organisation. The Complainant has since left the employment of the Organisation on unamicable terms.

4. The WhatsApp Group, comprising the Organisation’s employees and volunteers, was created on 22 August 2013. The Complainant and Mr L were both participants in this WhatsApp Group. At the material time on 7 April 2015, there were a number of other participants in this WhatsApp Group.[1]

5. On 7 April 2015, Mr L disclosed highly sensitive information about the Complainant’s personal history, namely her past drug problem and an issue of infidelity in her amorous relationship (“Personal Data”), to the participants in the WhatsApp Group. The Organisation has not disputed that the personal history of the Complainant is personal data. The disclosure of the Personal Data was made by Mr L following allegations that she was undermining the Organisation’s authority by persuading the employees and volunteers of the Organisation to leave the Organisation.

6. The Complainant claims that the Personal Data was disclosed by her to Mr L in the context of Mr L being the Complainant’s employer, teacher and coach.

7. On 11 May 2015, the Commission notified the Organisation of the complaint and requested the Organisation to cooperate and assist in investigations. In the course of the investigations, the Organisation represented to the Commission that: (a) Mr L disclosed the Personal Data in his personal capacity and not as an employee of the Organisation; and (b) the Personal Data was only known to Mr L and not the Organisation, and the Organisation did not authorise Mr L to disclose the Personal Data.

COMMISSION’S FINDINGS AND BASIS FOR DETERMINATION

Issues to be determined

8.
The issues to be determined in the present case are as follows:
(a) Whether the Organisation is responsible for Mr L’s disclosure of the Personal Data.
(b) If the Organisation is liable for Mr L’s disclosure, whether the Organisation is in breach of Sections 13 and 20 of the PDPA for the said disclosure.

[1] The Complainant and the Organisation disagreed on the exact number of participants in the WhatsApp Group on 7 April 2015. The Complainant claimed that the WhatsApp Group contained 117 participants. The Organisation claimed that there were only 58 participants and that a group could only accommodate a maximum of 100 participants. The Commission does not have sufficient evidence to decide on the exact number of participants. However, the exact number of participants is immaterial in this case and the Commission will accept that there were at least 58 participants in the WhatsApp Group on 7 April 2015.

Whether the Organisation is responsible for Mr L’s disclosure of the Personal Data

9. The Personal Data disclosed involved sensitive data of the Complainant’s personal history, and in this instance there is no question, and it is not disputed, that such information falls within the definition of “personal data” under the PDPA. The nature of the Personal Data, including the fact that the Complainant was identified in the WhatsApp Group, puts it beyond doubt that the information was information “about an individual who can be identified from that data”.

10. Under Section 53(1) of the PDPA, any act done or conduct engaged in by an employee in the course of his employment shall be treated for the purposes of the PDPA as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.

11.
Based on the facts described in paragraphs 3 to 7 above, the Commission notes that the disclosure of the Personal Data was made in the context of an ongoing dispute arising from the unamicable departure of the Complainant from the Organisation’s employment. The Organisation’s director, Mr L, had expressed his disappointment and views about the Complainant in the WhatsApp Group chat following her resignation from the Organisation, and claimed that the Complainant had subsequently sought to undermine his authority and to persuade the Organisation’s employees and volunteers to leave the Organisation. The Complainant, on the other hand, had expressed her own disappointment with Mr L’s conduct (personally, and as an employer, teacher and coach) and raised issues that she had with the Organisation during her time of employment. Against this background, the disclosure of the Personal Data in the WhatsApp Group was not made by the parties in a personal sense, but was made vis-à-vis an ongoing dispute between an employer and its ex-employee, with the intent to discredit the ex-employee. Accordingly, the Commission is of the view that Mr L was acting in the course of his employment as a director of the Organisation when he disclosed the Complainant’s Personal Data in the WhatsApp Group chat, and that the Personal Data was not, as the Organisation claims, disclosed by Mr L acting in his individual capacity.

12. The Organisation claims that it did not know of or approve Mr L’s collection and disclosure of the Personal Data. Even if this is true, the Organisation’s knowledge or approval is immaterial under Section 53(1) of the PDPA. It is noted that Mr L was at all material times a senior member of the Organisation.

13. Accordingly, pursuant to Section 53(1) of the PDPA, because Mr L’s disclosure of the Personal Data was made in the course of employment, the disclosure is treated as a disclosure by the Organisation, for which the Organisation is responsible.
Whether the Organisation is in breach of Sections 13 and 20 of the PDPA for the said disclosure

14. Section 13 of the PDPA prohibits organisations from collecting, using or disclosing personal data about an individual unless:
(a) the individual gives, or is deemed to have given, consent under the PDPA to such collection, use or disclosure; or
(b) the collection, use or disclosure of the personal data without the individual’s consent is required or authorised under the PDPA or any written law.

15. Section 20 of the PDPA requires, amongst other things, that an organisation inform an individual of:
(a) the purposes for the collection, use or disclosure of personal data, on or before collecting the personal data; and
(b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a) above, before the use or disclosure of the personal data for that purpose.

16. In the present case, there is no dispute that neither Mr L nor the Organisation obtained the Complainant’s consent or informed the Complainant of the purposes of the disclosure before disclosing the Personal Data. The Organisation has not referred to any of the exceptions in the Fourth Schedule of the PDPA in its response, and the Commission also takes the view that none of the exceptions apply in the present case.

17. Accordingly, the Commission finds the Organisation in breach of Sections 13 and 20 of the PDPA.

ACTIONS TAKEN BY THE COMMISSION

18. Given the Commission’s findings that the Organisation is in breach of its obligations under Sections 13 and 20 of the PDPA, the Commission is empowered under Section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million.

19.
The Commission notes that the disclosure was deliberately made, and under circumstances to discredit the Complainant. The personal data that was disclosed was also highly sensitive. However, the Commission is also mindful of the fact that the disclosure was made in the context of a dispute between an employer and ex-employee, and made in what was essentially the Organisation’s chat group for work (and not to the public at large). On balance, therefore, even though the Commission has found the Organisation to be in breach of Sections 13 and 20 of the PDPA, the Commission is of the view that the enforcement action to be taken in this case should be calibrated based on the circumstances of the case.

20. Accordingly, the Commission has decided not to issue any direction to the Organisation to take remedial action or to pay a financial penalty. Instead, it has decided to issue a Warning to the Organisation for the breach of its obligations under Sections 13 and 20 of the PDPA.

YEONG ZEE KIN
DEPUTY COMMISSIONER
PERSONAL DATA PROTECTION COMMISSION",Warning,4606cb34276907f06cf0c6913f89d949fec92bb7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,220,220,1,952,A warning was issued to Jump Rope (Singapore) for disclosing the personal data of two former employees without consent and notification.,"[""Consent"", ""Notification"", ""Warning"", ""Arts, Entertainment and Recreation""]",2016-11-24,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---jump-rope---241116.pdf,"Consent, Notification",Breach of Consent and Notification Obligations by Jump Rope (Singapore),https://www.pdpc.gov.sg/all-commissions-decisions/2016/11/breach-of-consent-and-notification-obligations-by-jump-rope-(singapore),2016-11-24,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION
Case Number: DP-1411-A265
JUMP
ROPE (SINGAPORE) (UEN No. T13SS0090E) … Respondent
Decision Citation: [2016] SGPDPC 21
GROUNDS OF DECISION
24 November 2016

A. BACKGROUND

1. On 1 December 2014, the Personal Data Protection Commission (“Commission”) received a complaint against Jump Rope (Singapore) (the “Respondent”) from a complainant (the “Complainant”) alleging that his personal data had been disclosed in an email sent to various Singapore government schools.

2. The Commission commenced an investigation under Section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA.

B. MATERIAL FACTS AND DOCUMENTS

3. The Respondent is a non-profit society registered with the Registry of Societies that promotes and manages the sport of rope skipping, and provides training to students in Singapore schools. The Respondent was set up by the President of the Respondent, [redacted], who is also the owner and director of Emotion Learning Pte. Ltd. (“Emotion”) and Eltitude Pte. Ltd. (“Eltitude”). Emotion and Eltitude are companies in the business of providing enrichment and CCA education, and enrichment and sports coaching services to schools, respectively.

4. Based on the Respondent’s response to the Commission during the investigation, the Commission understands that the Complainant was a former employee of Emotion and Eltitude, who held the designation of Part Time Instructor. The Complainant went through an in-house training program conducted by Emotion, and obtained a certificate in rope skipping coaching, which was issued by the Respondent.

5. The Respondent alleged that the Complainant had breached his contract of employment with his employers and had engaged in some unethical activities during the course of his employment. As a result, the Respondent blacklisted the Complainant and revoked his certification.

6.
The President of the Respondent then decided to send an email to various government schools involved in the sport of jump rope to notify them of the blacklisting of the Complainant and the revocation of his certification. In this regard, an email dated 28 November 2014 originating from the email address admin@jumpropesingapore.com was sent to around 30 government schools (the “Email”). The Email stated, among other things, that disciplinary action had been taken against the Complainant, and that he was on the Respondent’s blacklist. The Email set out the Complainant’s name and NRIC number (and the name and NRIC number of another individual), and stated that persons on the blacklist are not suitable for instructing and coaching duties in schools. The Respondent advised all schools not to engage the named persons, to avoid the teaching of wrong values to their pupils.

7. In addition, the Respondent stated that as a non-profit rope skipping society with the mission to monitor and protect the interests of the sport and the children, the Respondent considered it necessary to inform the schools involved in rope skipping, so that the schools could take precautions. The Email was sent to around 30 government schools involved in rope skipping, and it was solely meant to inform the schools of the situation. The Respondent’s stated intention in sending the Email was to provide schools with information which may be important to their decisions when engaging rope skipping instructors, so that the schools could better decide on engaging the appropriate people to teach, instruct and coach their students. The Respondent reiterated that the disclosure of the personal data of the Complainant was meant solely to help schools in decision-making when engaging rope skipping instructors.

8.
Having carefully considered the relevant facts and circumstances, including the statements and representations made by the Respondent, the Commission has completed its investigation into the matter, and sets out its findings and assessment herein. C. THE COMMISSION’S FINDINGS AND ASSESSMENT 9. The nub of the Respondent’s claim is that it had good intentions when it informed the various government schools involved in the sport of jump rope of the blacklisting of the Complainant and the revocation of his certification. In particular, the following points were noted: (a) The Respondent claimed that it had advised all schools not to engage the named persons so as to avoid the teaching of wrong values to their pupils; and (b) The Respondent claimed that it had decided to send out the Email to the various government schools to notify them of the blacklisting of the Complainant and the revocation of his certification so that the schools “can better decide on engaging the right people to teach, instruct and coach [their students]”, and to take precautions against engaging the wrong rope skipping instructors. 10. It is clear that consent for disclosure of the Complainant’s personal data in an email communicating that he had been blacklisted was not obtained. This is not a case where consent was obtained earlier in time when he was first employed; and there is no evidence to show that the Complainant was notified or gave consent for disclosure, before or after the Complainant had been disciplined and dismissed. In a suitable case, there can be valid business or legal reasons for the blacklisting to be disclosed in order to warn the Respondent’s clients, notwithstanding that it may contain some personal data about the Complainant. It may not be desirable to expect organisations to obtain consent from the person(s) who are the subject of the disciplinary action, dismissal and blacklisting, as consent is unlikely to be forthcoming in all cases. 
However, the organisation should still comply with the neighbouring obligations of consent, namely, the notification obligation and the purpose limitation obligation. This means disclosing the blacklist containing the former employee’s personal data only for purposes that a reasonable person would consider appropriate in the circumstances, and notifying the former employee about the disclosure to be made. 11. In a suitable case, disclosure of personal data that is relevant to the matter, by an organisation without consent or notification, may be made if it is reasonable to do so. This is because the standard of “reasonableness” underpins the PDPA, as specifically provided for under Section 11(1) of the PDPA. Section 11(1) of the PDPA provides that “[i]n meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances”. In this regard, an organisation can inform its clients that Person A (name and former designation) has left its employment on a specific date. Further, the Commission considers that it is conceivable that there can be circumstances where an organisation may be acting reasonably in disclosing personal data in respect of a blacklisting to warn others, without consent, and apart from the scheduled exceptions; but these are limited, and very much depend on the context and circumstances in which the disclosure was made. For example, if there was credible evidence of fraudulent conduct, such as a former member of staff misrepresenting his status of employment and association with his former employer, it may be reasonable for the former employer to write to existing customers informing them of the facts. The former employer should, however, also inform the former member of staff of the communication to be made to the existing customers, so that the disclosure of personal data is made transparent to the member of staff concerned. 12. 
In this case, not only has the Respondent failed to obtain consent from the Complainant for the disclosure made, as required under Sections 13 to 15 of the PDPA, the Respondent’s actions have also gone beyond what is reasonable in the circumstances. The Commission has not found any business or legal reasons that justify the Respondent’s actions in writing to its clients to inform them of the blacklisting. It is not uncommon for employees to leave for various reasons, including for poor performance and breaches of codes of conduct. In the absence of evidence that the Complainant’s post-employment conduct had put the Respondent’s trade reputation or potential clients at risk, the Respondent’s measure of writing to name and shame the Complainant is not an appropriate or reasonable step to take. 13. Given the potential adverse effect or consequence on the Complainant from the disclosure of such information to third parties, in particular, the impact on future engagements of the Complainant’s services for jump rope activities, the Respondent ought to have taken extra care and precautions in relation to the protection and disclosure of the personal data of the Complainant. But based on the assessment above, it did not appear to the Commission that the Respondent had afforded the appropriate care, protection and sensitivity to the data that it was disclosing. The Respondent’s actions in the circumstances were unreasonable. 14. For completeness, the Commission considered whether Section 20(4) of the PDPA, which provides that an organisation must inform the individual of the purpose of disclosure where the collection, use or disclosure was made for the purpose of managing or terminating the employment relationship between the organisation and the individual, is applicable in the present case. 
In the Commission’s view, Section 20(4) of the PDPA is not relevant as it deals with collection, use or disclosure for the purpose of either managing an ongoing employment relationship or for the purpose of terminating an employment relationship. In the present case, the employment relationship between the Complainant and the Respondent had already been terminated by the time the disclosure through the Email took place. 15. On account of the above, the Respondent is in breach of Sections 11, 13, and 20 of the PDPA. D. ENFORCEMENT ACTION BY THE COMMISSION 16. Given the Commission’s findings that the Respondent is in breach of Sections 11, 13 and 20 of the PDPA, the Commission is empowered under Section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 17. In considering whether a direction should be given to the Respondent in this case, the Commission considered the following: (a) the disclosures were made to a limited number of government schools; (b) the personal data that was disclosed was limited, and was in relation to limited individuals; and (c) the Respondent had been cooperative with the Commission and forthcoming in its responses to the Commission during the Commission’s investigation. 18. In view of the factors set out above, and having regard to the overall circumstances of the matter, the Commission has decided not to issue any direction to the Respondent to take remedial action or to pay a financial penalty. Instead, the Commission has decided to issue a Warning to the Respondent for breach of its obligations under Sections 11, 13 and 20 of the PDPA. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Warning,fe526eedfbd39c4afe655dd5a1fe2bb66ec6b1a7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"