_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,14,14,1,952,"RedMart had failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents. However, the Commission had subsequently assessed that RedMart had met the requirements for reliance on the Legitimate Interests Exception and complied with the proposed direction. As such, no direction was issued to RedMart.","[""Consent"", ""Notification"", ""Purpose Limitation"", ""No Further Action"", ""Wholesale and Retail Trade""]",2023-02-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---RedMart-Limited---18012023.pdf,"Consent, Notification, Purpose Limitation","Breach of the Consent, Notification and Purpose Limitation Obligations by RedMart","https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-consent,-notification-and-purpose-limitation-obligations-by-redmart",2023-02-10,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2105-B8405 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And RedMart Limited … Organisation DECISION Page 1 of 11 RedMart Limited [2023] SGPDPC 1 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2105-B8405 18 January 2023 Introduction 1 On 31 May 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that RedMart Limited (the “Organisation”) was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses (the “Incident”), and that this practice did not appear to be in compliance with the Personal Data Protection Act 2012 (“PDPA”). 
Facts of the Case 2 Investigations revealed that the Organisation operated two warehouses at 47 Jalan Buroh, CWT Distripark, Singapore 619491 (“Warehouses”) which were used to store goods and produce sold by the Organisation. The Warehouses were regularly visited by suppliers delivering goods and produce (“Visitors”), and the Organisation implemented measures to regulate such Visitors’ access to the Warehouses. Security checkpoints at the Warehouses used an Organisation-issued tablet computer (“Tablet”) to take photographs of Visitors’ NRIC or other identification documents (“ID Photographs”). The Organisation said it collected ID Photographs from Visitors seeking access to areas where food safety risks had to be managed. The Organisation explained that these measures are intended to deter acts that could compromise food safety and facilitate investigations of food safety incidents. 3 Prior to the Incident, there were no notices at the Warehouses’ security checkpoints informing Visitors of the purpose for collection of ID Photographs. After being notified by the Commission of the Incident, the Organisation put up notices at the Warehouses’ security checkpoints to inform Visitors of the purpose of collection of ID Photographs. Findings and Basis for Determination 4 Considering that the Tablets remained in the possession of the Organisation’s security team at all times, and that there was no evidence of misuse of the ID Photographs collected, the impact of the Incident was limited. Having collected the ID Photographs, the Organisation is obliged to protect these and associated personal data to a standard commensurate to the risks that unauthorised access, use or disclosure might pose to respective individuals. The nub of the issue in this case is the legal basis upon which these ID Photographs were collected. The Organisation could have relied on two possible grounds. 
5 First, Visitors may have volunteered their IDs to be photographed on request. However, the Organisation’s failure to inform Visitors of the purpose for collecting the ID Photographs was contrary to sections 14(1)(a) and 18(b) of the PDPA read with section 20. Further, the collection of a photographic image of their IDs was a condition for entry. Visitors enter the Warehouses to make deliveries as part of their employment or business. It is not a product or service that they chose to access, as contemplated by section 14(2)(a) of the PDPA. Hence, even if the requirement of notification of purpose had been met, this is not a situation where persons making deliveries as part of their employment or business could be said to have consented to allowing a photographic image of the IDs to be taken as a condition for a product or service provided by the Organisation which such persons wanted access to. Consent is not the most appropriate basis for collection and use of the ID Photographs. Accordingly, the Organisation did not obtain valid consent from the Visitors for collecting the ID Photographs, and would have breached section 13 of the PDPA if this ground was relied on. 6 There was an alternate ground available to the Organisation. The purpose of public food hygiene and safety, cited by the Organisation in the present case, is a legitimate interest of the Organisation, and also of its business partners and ultimately, consumers. Ensuring good public hygiene and safety benefits all downstream food and beverage businesses, supermarkets and diners who eventually consume food that was stored in the Warehouses. The Organisation may therefore rely on the exception at Paragraph 1, Part 3 of the First Schedule of the PDPA (“Legitimate Interests Exception”) to collect the ID Photographs without Visitors’ consent. 
The Legitimate Interests Exception was introduced in the PDPA effective 1 February 2021, and could have been invoked by the Organisation any time after this date. 7 To rely on the Legitimate Interests Exception, prior to collecting the ID Photographs, the Organisation would have had to conduct and document an assessment determining whether the Organisation’s interests in collecting the ID Photographs outweighed the adverse effect to Visitors. For any adverse effects identified, the Organisation would have had to implement reasonable measures to eliminate, mitigate or reduce the likelihood of occurrence. The Organisation would also have had to provide Visitors with reasonable access to information about the Organisation’s collection of the ID Photographs, which could have been done by way of disclosure in the Organisation’s public data protection policy. 8 The Commission accepts that the Organisation implemented access controls to regulate how the ID Photographs were collected and stored, which in turn reduced the risk of misuse of the ID Photographs. Notwithstanding, based on the reasons provided by the Organisation, the collection had been solely or primarily to deter acts that could compromise food safety and facilitate investigations into food safety incidents. The collected ID Photographs contained full NRIC / ID numbers together with other personal information that, in combination, had identified Visitors to a high degree of fidelity. The Commission noted that the collection of ID Photographs or full NRIC numbers had not been required by law in this case, and it is incumbent on the Organisation to justify why the collection of ID Photographs had been a reasonable practice in these circumstances. 
The Commission’s Preliminary Decision 9 In view of the above, bearing in mind that the Organisation had taken some steps to remediate the Incident, the Commission’s preliminary decision was to give the following directions to the Organisation: (a) To within 60 days of this decision, conduct and document an assessment to: (i) evaluate whether the collection of ID Photographs from Visitors is reasonably necessary for the Organisation’s interests in deterring and investigating security incidents at the Warehouses. (ii) If the Organisation intends to rely on the Legitimate Interests Exception for such collection, to: (A) identify whether the Organisation’s collection of ID Photographs (or other personal data) from Visitors is likely to have an adverse effect on Visitors; (B) identify reasonable measures that could be implemented to eliminate, mitigate, or reduce the likelihood of such adverse effects occurring; and (C) determine whether the Organisation’s interest in collecting the ID Photographs (or other personal data) outweighs the adverse effect to Visitors (if any) after the above measures are implemented. (iii) If the Organisation does not intend to rely on the Legitimate Interests Exception, to identify the basis under which the Organisation intends to collect the ID Photos (or other personal data) from Visitors, and to implement the necessary policies and processes for such collection to be in compliance with the PDPA. (b) To provide the Commission with a copy of the Organisation’s above assessment within 14 days of its completion. The Organisation’s Representations 10 The Commission’s preliminary decision was communicated to the Organisation on 8 July 2022. On 22 July 2022, the Commission received representations from the Organisation in respect of the preliminary decision. 
The Organisation claimed that it had complied with the PDPA when collecting ID Photographs from Visitors, on the following bases: (a) It was in the national interest to collect ID Photographs in order to establish the identities of Visitors to a high fidelity and deter potential food security incidents at the Warehouses, an exception to the obligation to obtain consent pursuant to Paragraph 2, Part 2 of First Schedule to the PDPA (“National Interest Exception”); (b) The collection of ID Photographs was necessary to facilitate investigations into food security incidents at the Warehouses, an exception to the obligation to obtain consent pursuant to Paragraph 3, Part 3 of First Schedule to the PDPA (“Investigations Exception”); and/or (c) There was deemed consent from Visitors for collection of the ID Photographs, as these were volunteered, and collected for the reasonable purposes as part of efforts to ensure food security (pursuant to section 15 of the PDPA). 11 The Organisation’s representations are not accepted: (a) The National Interest Exception does not apply. The Organisation’s food security concerns, while valid, are limited to its own Warehouses and are not at the level of the “national defence” or “national security” concerns contemplated by the definition of “national interest” at section 2 of the PDPA. (b) The Investigations Exception does not apply. In order to rely on the Investigations Exception, the collection of personal data must be for the purpose of an ongoing investigation and cannot be for a hypothetical future investigation. (c) There was no deemed consent from Visitors for the Organisation’s collection of the ID Photographs. Visitors were not given a choice in the matter and cannot be said to have voluntarily provided their IDs as contemplated under section 15(1) of the PDPA. Further, it would not have been obvious to Visitors that photographic images of IDs would be taken and then stored. 
12 Insofar as collection and use of ID Photographs from Visitors prior to 8 July 2022 had been on the bases cited by the Organisation above, the Commission finds that the Organisation had not been in compliance with the PDPA. Reliance on Legitimate Interests Exception 13 However, the Organisation also informed the Commission of its intention to rely on the Legitimate Interests Exception as the basis for such collection going forward. Together with its representations, the Organisation provided the Commission with a copy of an internal assessment it had carried out on 22 July 2022 for its reliance on the Legitimate Interests Exception going forward (“LIE Assessment”). 14 In the LIE Assessment, the Organisation identified that there was a need to establish and/or verify the identities of Visitors to the Warehouses to a high degree of fidelity, when they were entering areas of the Warehouses containing dry food and fresh produce that were susceptible to contamination and tampering. Collection of ID Photographs served the legitimate interests of deterring and investigating potential food security incidents, which could cause harm to the public and damage to the Organisation’s reputation. 15 The Organisation identified that its collection of the ID Photographs exposed Visitors to the risks of unauthorised use and disclosure of their personal data, and detailed the measures it had implemented to eliminate or mitigate these adverse effects. 
These included: (a) limiting collection of ID Photographs to only Visitors accessing areas of the Warehouses with higher risk of food security incidents; (b) restricting access to the Tablets; (c) restricting the application used to collect ID Photographs on the Tablets to only work when connected to a dedicated Wi-Fi network at the Warehouses; (d) immediately uploading the collected ID Photographs to the Organisation’s backend server (and not storing them locally on the Tablets); (e) limiting access to the ID Photographs (on the backend server) to the Organisation’s DevOps team, and only when such access was on-site at the Organisation’s offices and connected to its internal network; and (f) retaining the ID Photographs for a maximum of one year. 16 The Organisation assessed the benefit in collecting the ID Photographs to be “significant” considering the potential harm that could be caused to the public by a food contamination incident. The Organisation also assessed that its implementation of the above measures rendered the “adverse impact from users” to be “low”. The Organisation confirmed that it would notify Visitors of its reliance on the Legitimate Interests Exception by way of notices posted at the relevant security posts. 17 The Commission accepts that the Organisation’s interest in deterring food security incidents at the Warehouses is legitimate. The Commission also accepts that there may be a legitimate interest served in implementing enhanced identification requirements to regulate access to high risk areas, and that the collection of ID Photographs promotes this interest. Most importantly, the Commission recognises that the risks of unauthorised access, use and/or disclosure of the ID Photographs have been significantly lowered on account of the enhanced access controls implemented by the Organisation to protect the ID Photographs. 
The Commission’s Decision 18 For the above reasons, the Commission is satisfied that the Organisation has met the requirements for reliance on the Legitimate Interests Exception in this case. As the Organisation has already complied with the proposed direction (contemplated at [9] above) by carrying out the LIE Assessment to the Commission’s satisfaction, it is no longer necessary for the direction to be issued. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION Page 11 of 11 ",No further action,4eaff99c5b7557a88a0ca128e03e4b18ea52c953,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-12-14T14:54:52+00:00,0e20feac9c1e16c30580baa727a897e3bfcf8791,483,243,1,958,Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate.,"[""Consent"", ""Notification"", ""Purpose Limitation"", ""Directions"", ""Others""]",14 Dec 2023,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf,"Consent, Notification, Purpose Limitation",Breach of the Purpose Limitation Obligation by Tipros,https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros,2023-12-14,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Page 1 of 8 Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. 
On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was ascertained that the Organisation’s place of business was vacant and its registered office was occupied by another business which was not related to the Organisation. 
Thus, a Notice to Produce Documents and Information for Investigation (“NTP”) was delivered by hand on 25 October 2022 to the residential address belonging to the Organisation’s sole proprietress, one Er Lee Cheng @ Angela Er Wei Leng (“Angela”). The Organisation failed to respond by the stated deadline. 7. Thereafter, the Commission issued three further notices to Angela to attend interviews, which were delivered by hand to Angela’s residential address on 8 November 2022, 15 December 2022, and 10 January 2023. 8. Following these notices, an individual claiming to be Angela contacted the Commission through an unlisted number on various occasions, namely 11 November 2022, 17 November 2022, and 27 December 2022, and declined our request to attend an interview, or to schedule any other alternative dates for an interview. 9. The Commission is satisfied that the Organisation had received due notice of our investigative proceedings. Given the Organisation’s refusal to respond to our NTP and our notices to attend an interview, the Commission proceeded with its investigations based on the evidence available to it. 10. The Commission is satisfied on a balance of probabilities that the Organisation’s responses which disclosed the complainant’s personal data had been posted by the Organisation for the following reasons: first, the Google reviews page reflects the name of the Organisation; and second, the Organisation has a direct and material interest in the reviews given by the complainant and other individuals on the Organisation’s Google reviews page. Findings and Basis for Determination 11. Based on the circumstances disclosed above, the Commission’s investigations centered on whether the Organisation had breached the Purpose Limitation Obligation under section 18 of the PDPA. The Purpose Limitation Obligation under section 18 of the PDPA 12. 
Under section 18(a) of the PDPA, organisations may collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and — under section 18(b) — that the individual had been informed prior to the intended collection, use or disclosure (the “Purpose Limitation Obligation”). 13. I had previously discussed the ambit of when it would be acceptable for an organisation to disclose personal data when responding to public comments in M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and in Big Bubble Centre [2018] SGPDPC 25. In Re M Stars Movers, I stated at [18] and [19] as follows: “The Deputy Commissioner advises caution in disclosing personal data when responding to public comments. An organisation should not be prevented or hampered from responding to comments about it using the same mode of communications that its interlocutor has selected. In some situations, it may be reasonable or even necessary to disclose personal data in order to advance an explanation. … An individual who makes false or exaggerated allegations against an organisation in a public forum may not be able to rely on the PDPA to prevent the organisation from using material and relevant personal data of the individual to explain the organisation’s position on the allegations through the same public forum. The following observations may be made in this context about the approach that the Commission adopts. First, the Commission will not engage in weighing allegations and responses on golden scales in order to establish proportionality. The better approach is to act against disclosures that are clearly disproportionate on an objective standard before the Commission intervenes in what is essentially a private dispute…” 14. When an individual chooses a public platform to pass comments about an organisation, the organisation is fully entitled to respond on the same platform in a proportionate and reasonable manner. 
In such circumstances, the individual had initiated the communication and selected the public platform. The nature of the individual’s comments will determine whether a response from the organisation is necessary. Where the nature of the individual’s comments invites a response for the purpose of advancing an explanation, such a purpose is considered reasonable in the circumstances under section 18(a). In advancing an explanation, it may be necessary to use or disclose relevant facts in order for the explanation to be effective. Such disclosure is reasonable in the circumstances provided that the extent of disclosure is proportionate. 15. Further, the requirement under section 18(b) read with section 20(1)(b) that the individual be informed of the purpose prior to use or disclosure is also met in these circumstances. The raison d’être for this requirement is to keep the individual informed of the purposes for which his or her personal data is to be used or disclosed, unless such use or disclosure is for purposes that are authorised by law. In cases such as the present, the individual initiated the communication and the nature of his or her comments shapes the organisation’s response. As long as the organisation’s response is for a reasonable purpose that is a natural consequence of the individual’s comments, the individual is deemed to have been informed of such purpose. Thus, where an individual makes a complaint on a public platform in relation to an interaction with the organisation, it is natural that the organisation responds on the same platform for the purpose of providing an explanation. And if use or disclosure of personal data is necessary for such a purpose, the individual is deemed to have been informed prior to such use or disclosure since it is the individual’s earlier actions that had elicited the response. 16. 
In the present case, I am of the view that the Organisation’s disclosure of the complainant’s personal data was unreasonable and disproportionate. The complaint related to the poor standard of service that the Organisation delivered. 17. The complainant alleged that two weeks after the Organisation repaired his or her refrigerator, the refrigerator stopped working. The complainant was aggrieved that the Organisation sought a payment of $80 ($20 transport fees and $60 checking fees) to check on the refrigerator two weeks after the Organisation fixed the refrigerator, and that the Organisation’s technician was supposedly not available over the weekend when the complainant had only engaged the Organisation because the Organisation had supposedly advertised itself as providing round-the-clock service. Given the grievances flagged in the complainant’s review, there was no issue about the location for delivery of the service. Thus, it was unnecessary for the Organisation to disclose the complainant’s residential address. In the same vein, I do not see how disclosure of the complainant’s mobile number was necessary to advance an explanation in response to the complaint. The Commission’s Decision 18. Based on the facts established, the Commission finds the Organisation in breach of its obligation under section 18(a) of the PDPA. The Organisation’s failure to respond to NTP and refusal to attend for an interview are duly considered as aggravating factors. As the Organisation had not taken any action to remove or amend its response to the complaint, there are no mitigating factors to speak of. 19. 
In the circumstances, I hereby direct the Organisation to: (a) Remove the disclosure of the complainant’s residential address and mobile number in its response to the complainant’s comments on the Organisation’s Google reviews page; and (b) Review the 13 other responses on the Organisation’s Google reviews page where it had also disclosed personal data of other customers in response to their reviews, and to remove disclosure of personal data if such disclosure is not reasonable or proportionate in order for the Organisation to respond to the Google reviews. The Organisation is given 30 days to comply with these directions. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION Page 8 of 8 ",Directions,acd36e3274c5e29fe0627b24b99136461cdd6c47,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"