_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,185,185,1,952,Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International.,"[""Consent"", ""Purpose Limitation"", ""Notification"", ""Directions"", ""Education""]",2018-05-24,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf,"Consent, Purpose Limitation, Notification",Breach of Consent and Purpose Limitation Obligations by Spring College International,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international,2018-05-24,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. 
The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport number; date of birth; application result for Supplementary Admissions Exercise for International Students (“AEIS”); primary school assigned to; level of study; and the length of Individual A’s study period in SCI. 5 The Complainant subsequently discovered that Post A had been indexed by Google’s search engine, and would be publicly displayed as a search result on Google if Individual A’s name was used as the search term. The summary on Google’s search results page displayed part of the information contained in Post A, including Individual A’s name, partially masked passport number and date of birth. 6 The Complainant informed the Organisation of her objection to the publication of her son’s details on its Facebook page, following which the Organisation took down Post A and took steps to render Post A non-indexable by online search engines. 
The Complainant also submitted a complaint to PDPC, in which the Complainant alleged that the Organisation had not obtained consent to publish her son’s personal data on its Facebook page. 7 In the course of the investigation, three other posts containing student data on the Organisation’s Facebook page were uncovered, dated on or around 25 April 2016: (a) Post B: data set of an individual student (“Individual B”), containing full name; partially masked FIN number; partially masked passport number; date of birth; photograph of Individual B standing under the Organisation’s wall logos, next to another individual; application result for AEIS; primary school assigned to; level of study; and the length of Individual B’s study period in SCI; (b) Post C: data set of an individual student (“Individual C”), containing full name; partially masked FIN number (without passport number); date of birth; photograph of Individual C standing, in between two other individuals, and under the Organisation’s wall logos; application result for AEIS; primary school assigned to; level of study; and the length of Individual C’s study period in SCI; and (c) Post D: titled “Top students of the preparatory course for AEIS”, containing information on multiple individual SCI students comprising full names; mugshots of these individuals; course duration; schools assigned to; and the level of study. 8 The Organisation did not dispute that the various Facebook posts contained the personal data of its students. The Organisation also did not deny responsibility for publishing the various Facebook posts. According to the Organisation, the various Facebook posts were made in order to share the activities and courses of SCI, for the purpose of creating brand awareness and attracting more students to register with SCI. 
Findings and Basis for Determination 9 The issues for determination are: (a) whether the Organisation had complied with its obligation under section 13 of the PDPA to obtain valid consent before disclosing the personal data of its students; and (b) whether the Organisation had complied with its obligation under section 18 of the PDPA to only use and disclose personal data for purposes (i) that a reasonable person would consider appropriate in the circumstances; and (ii) that its students have been informed of. The Consent and Notification Obligations 10 Under the PDPA, the concepts of notification of purpose and consent are closely intertwined. The PDPA adopts a consent-first regime. Unless an exception to consent applies, the individual’s consent has to be sought: see section 13 of the PDPA, which imposes on an organisation the obligation to obtain the consent of an individual before collecting, using or disclosing that individual’s personal data (“Consent Obligation”). Consent must, of course, be obtained from the individual with reference to the intended purpose of collection, use or disclosure of that individual’s personal data; section 20 of the PDPA requires an organisation to notify an individual of such intended purpose (“Notification Obligation”). Personal Data Relating to Minors 11 At this juncture, it is relevant to note that this case involved the personal data of minors. Individual A was 9 years old at the time Post A was made; Individual B was 8 years old at the time Post B was made; and Individual C was 11 years old at the time Post C was made. Post D contained the personal data of numerous individuals who were also minors at the time the post was made. 
12 As discussed in the PDPC’s Advisory Guidelines on the Personal Data Protection Act for Selected Topics (“Selected Topics Guidelines”), certain considerations may arise when dealing with the personal data of minors.1 In particular, where the personal data of a minor is involved, the issue of whether the minor is able to effectively give consent on his own behalf may arise. In this regard, organisations should take appropriate steps to ensure that the minor can effectively give consent on his own behalf, or if not, the organisation should obtain consent from an individual who is legally able to provide consent on the minor’s behalf, such as the minor’s parent or guardian.2 13 As stated in the Selected Topics Guidelines:3 8.1 The PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. In general, whether a minor can give such consent would depend on other legislation and the common law… 1 PDPC, Advisory Guidelines on the Personal Data Protection Act for Selected Topics (revised 28 March 2017) at [8.1] to [8.13]. 2 Selected Topics Guidelines at [8.7] to [8.9]. 3 Selected Topics Guidelines at [8.1], [8.3], [8.5] to [8.6]. … 8.3 For situations where there is no legislation that affects whether a minor may give consent, the issue would be governed by the common law. In this regard, the Commission notes that there is no international norm on when minors may exercise their own rights under data protection laws… some countries have enacted legislation to specifically protect minors below a certain age. For example, in the United States, the Children’s Online Privacy Protection Act (“COPPA”) requires certain organisations to obtain verifiable parental consent to collect personal data from children under 13 years of age. 
… 8.5 The Commission notes that the age threshold of 13 years appears to be a significant one in relation to according protection to minors… 8.6 The Commission is of the view that organisations should generally consider whether a minor has sufficient understanding of the nature and consequences of giving consent, in determining if he can effectively provide consent on his own behalf for purposes of the PDPA… the Commission will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his own behalf. However, where, for example, an organisation has reason to believe or it can be shown that a minor does not have sufficient understanding of the nature and consequences of giving consent, the organisation should obtain consent from an individual, such as the minor’s parent or guardian, who is legally able to provide consent on the minor’s behalf. [Emphasis added.] 14 While there was no allegation in this case that the Organisation had purported to obtain consent from individuals who lacked sufficient legal capacity to give such consent, it is nevertheless worth highlighting that it would be prudent for organisations to take additional precautions and/or safeguards when collecting, using or disclosing the personal data of minors, bearing in mind that there is “generally greater sensitivity surrounding the treatment of minors”.4 There is no magic in the age of 13 years as selected by the PDPC. The key determinant is whether the minor or young person is capable of understanding the nature and consequences of giving consent. The onus is on the organisation to determine whether consent may be obtained from a young person above the age of 13 years or whether, despite being above 13 years of age, it is more prudent to obtain consent from the young person’s parent or guardian. 4 Selected Topics Guidelines at [8.12]. 
Restricting my analysis only to the circumstances of this case, I would have thought that the use of minors’ personal data to publicise and market the Organisation’s services is one of those purposes that an organisation ought to have conducted itself with a greater degree of prudence and should have sought consent from the young person’s parent or guardian, even if the young person had been older than 13 years. I probably would have come to a different conclusion if, for example, the young person was participating in a school activity and a photograph had been taken during the event and used by the organisation in its regular newsletter, college annual or blog that reports on its activities and sporting achievements. In any event, the minors in this case were all below 13 years and thus, even by the rule of thumb adopted in the Selected Topics Guidelines, consent ought to have been obtained from the minors’ parents or guardians. Whether the Organisation Complied with its Obligation to Obtain Consent for the Disclosure of its Students’ Personal Data 15 In its responses to the PDPC, the Organisation stated that, when registering with SCI, students (or their parents, as the case may be) would be required to sign an enrolment form which contained a term stipulating that they would adhere to SCI’s student handbook. The relevant term in the enrolment form is stated as follows: By signing the form, I acknowledge that I was informed that the course is on-going. I confirm that all documents provided by me are true. I have received and will adhere to the student handbook issued by SCI. 
16 Clause 15.1 of SCI’s student handbook, entitled “Data Protection Notice & Consent”, states: 15.1 The information provided in Application Form is to enable to SCI to: (a) Administering and/or managing the application(s) for Admission and Enrolment; (b) Applicant’s Managing the Applicant’s relationship with SCI (including the announcement of statements or notices of the Applicant, sending the Applicant marketing, advertising and promotional information, including materials and information on courses in SCI, general student-related activities within SCI, as well as related talks, seminars and/or events via postal mail, electronic mail, SMS or MMS, fax and/or voice calls; and); (c) Processing the Applicant’s application(s) for scholarships and/or financial aid, and if successful, administering and/or managing the Applicant’s scholarship and/or financial aid programmes, which may include use of personal data for direct marketing purposes for event invitations, surveys and/or publicity of SCI’ financial aid programmes; (d) Responding to requests for information from public agencies, ministries, statutory boards or other similar authorities (e) Allow the compilation and analysis of statistics for marketing purpose [Emphasis added.] 17 Clauses 15.1(a) to (d) of the student handbook are concerned with matters that can best be described as administrative in nature. These clauses are not relevant to the disclosure of students’ personal data on the Organisation’s Facebook page in the present case. 18 In its responses to the PDPC, the Organisation sought to rely on clause 15.1(e) of its student handbook, in order to assert that it had obtained consent for the disclosure of its students’ personal data in its various Facebook posts. However, I do not think that clause 15.1(e) of the student handbook adequately covers the disclosure of personal data in the various Facebook posts by the Organisation in this case. 
Clause 15.1(e) contains a general reference to the “compilation and analysis of statistics”. The intent and purpose of statistical analysis is very different from the use in this case. Statistical analysis goes towards identifying how the Organisation may be more effective in delivering its services, in this case, educational services. This is an acceptable use of personal data, whether in an anonymised form, aggregated (or compiled) or even in personally identifiable form (with consent or in reliance on the research exceptions in the PDPA). Organisations ought to, and are encouraged to do so, in order that they understand their customers better and can fine tune their products or services to better cater to their customers’ needs and preferences. Of course, one of the ends is to enable the organisation to design its marketing strategy more effectively. The point to note is that the use of the data is indirect and goes towards a business function, in this case the Organisation’s marketing strategy. 19 The use of data directly in marketing is also a valid business purpose. But the intent and purpose is markedly different from statistical research. Marketing is intended to promote the organisation’s products or services to new or existing customers. While I am no expert in marketing practices, what I do know is that the profiling of positive examples and the association of an organisation’s products or services with success stories is not an uncommon practice. Its effectiveness is a question that each organisation that chooses to adopt such a practice needs to be satisfied with, and is not within the domain of personal data protection laws. What is within the domain of personal data protection laws is whether the individual whose image and other personal data will be used has consented to such use, or whether there is some other lawful justification that an organisation may rely upon. 
In this regard, the various Facebook posts published by the Organisation clearly identified students individually, and showed their details on an individual basis. It is clear that the Organisation’s aim of profiling these individuals was for marketing purposes with the intent to promote its services to new (or even existing) customers. In the premises, I do not think that the purpose for which such personal data was disclosed can reasonably be said to fall within a “compilation” or “analysis of statistics” for marketing purposes. On the contrary, the personal data was used directly as part of the Organisation’s marketing campaign by featuring success stories. Parenthetically, I had intimated in my earlier decision in Re My Digital Lock Pte. Ltd. [2018] SGPDPC 3 that this is an area where there is overlapping coverage between personal data protection law and the laws protecting privacy, specifically personality rights that may be protected under defamation law. In the present case, I have confined my analysis to breaches of the Consent and Notification Obligations under the PDPA. 20 The student handbook also contained the following Clause 15.5: 15.5 By attending school activities & event, you consent to the use of your photograph, voice, likeness, and image in any broadcasts of this event and in subsequent productions drawn from video or audio recordings of this event. The photographs and recordings may be published or broadcasted in the official SCI and affiliates’ publications and in publicity materials, including the SCI and affiliates’ websites and social media… 21 As Clause 15.5 of the student handbook refers to “photographs” and “publicity materials”, the Organisation could arguably rely on this clause of the student handbook for consent to post photographs of students on its Facebook page for publicity purposes, if such photographs were taken at events organised by the Organisation. 
The purposes that are notified by Clause 15.5 relate to how the Organisation may use video footage and photographs of its activities for publicity purposes. For such purposes, the primary focus is on the activities of the Organisation and the involvement of the individual students is secondary (although it may not be incidental or minor). The intent is to create favourable impressions of the Organisation by featuring its activities and perhaps even its students’ achievements in sporting and other activities. This purpose is markedly different from profiling selected students and associating their academic achievements with the Organisation. In this type of use, the student becomes the subject and the focus. Where the student becomes the subject and the purpose is to associate his or her academic achievement with the commercial objectives of the Organisation, specific consent ought to be obtained, and this ought to be obtained from his or her parent or guardian, as the purpose of use has probably crossed into commercial use. Moreover, this clause of the student handbook would not cover the disclosure of other personal data on the Organisation’s Facebook page, such as students’ names, date of birth, school assigned to and level of study. 22 In light of the above, it follows that the Organisation has not complied with its Notification Obligation under section 20 of the PDPA, to inform the parents or guardians of its students, who are minors, of the purpose(s) for which the Organisation disclosed its students’ personal data on its Facebook page, in respect of Posts A, B, C and D minimally. The Organisation has, therefore, breached its Consent Obligation under section 13 of the PDPA to obtain consent from such minors’ parents or guardians for the same. 
23 Further, given the finding that the Organisation has not complied with its Notification Obligation under section 20 of the PDPA, the Organisation is also in breach of section 18 of the PDPA. The Organisation’s Follow-Up Remedial Actions 24 As mentioned above, the Organisation took steps to remove Post A from its Facebook page and to make the post non-indexable by online search engines. Sometime after the aforementioned breaches had occurred, the Organisation represented that it had “created” a “Marketing Consent and Release Form” (“MRF”), which the Organisation then instructed its staff to use in order to obtain consent for using students’ personal data for marketing purposes. 25 An extract from the MRF reads: I, ____________________ (name), __________________(NRIC) irrevocably authorize the school, its employees, and its agents, to use my / my child’s name, information, picture, and likeness as recorded by the school for any purpose that the school deems appropriate, including promotional or advertising efforts. I specifically authorize the school, its employees, and its agents, to use, reproduce, exhibit, or distribute my / my child’s name & information and likeness for such purpose in any communications medium currently existing or later created, including without limitation print media, television, and the Internet. [Emphasis added.] 26 The MRF purports to give the Organisation a very broad discretion to use students’ information, by using the catch-all phrase “for any purpose that the school deems appropriate”. In this respect, apart from the accompanying words “including promotional or advertising efforts”, the MRF does not provide individuals with any greater specificity or details as to the purposes for which the Organisation may use their personal data. 
27 It falls on me to highlight the following passage from the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, which would be pertinent in this instance:5 … if an organisation’s Data Protection Policy sets out its purposes in very general terms (and perhaps for a wide variety of services), it may need to provide a more specific description of its purposes to a particular individual who will be providing his personal data in a particular situation (such as when subscribing for a particular service), to provide clarity to the individual on how his personal data would be collected, used or disclosed. [Emphasis added.] 28 In my view, the language used in the MRF is so broad such that it cannot reasonably be said to provide adequate clarity to individuals on the purposes for which their personal data would be used, and does not fulfill the requirements of section 20 of the PDPA. 29 Additionally, I note from the extract of the MRF as set out in paragraph 25 above, that the MRF purports to “irrevocably authorize” the Organisation to use students’ personal data for “any purpose that the school deems appropriate”. Needless to say, an overly-broad consent clause like this is unlikely to stand up to scrutiny and will probably not be effective in notifying purpose and thus any consent obtained in reliance on it rests on weak foundations. 5 PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) at [14.13]. 
Furthermore, this provision in the MRF is potentially contrary to the requirements of section 16 of the PDPA: (a) section 16(1) of the PDPA provides that individuals may at any time withdraw any consent given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose; and (b) section 16(3) of the PDPA further provides that an organisation must not prohibit an individual from withdrawing such consent.6 30 In my view, the provision in the MRF that the Organisation be “irrevocably” authorised to use students’ personal data effectively seeks to prohibit such individuals from withdrawing their consent to the use of their personal data. Supposing that the MRF had been obtained by the Organisation from the students’ parents or guardians in this case, I may not have hesitated to find that it is ineffective as being contrary to the requirements under section 16 of the PDPA. However, I am also mindful of other circumstances where an irrevocable promise may be permissible, for example, in a professional modelling agreement an individual executes an irrevocable release in return for modelling fees from an advertisement agency for a specific client’s marketing campaign, in which case the bargain that is struck ought to be respected. The analysis would involve a detailed discussion of the interaction of the consent provisions of the PDPA and contractual principles. But this is not an analysis for this case, nor do I need to reach such a conclusion in these grounds. 6 Section 16(3) of the PDPA further provides that this section does not affect the legal consequences arising from such withdrawal. 
31 In the final analysis, I do not think that the MRF validly notifies the parents or guardians of the minors of the specific marketing use of their child or ward’s personal data, nor is it acceptable in its current form for use in the context of the present pedagogical relationship between the Organisation and its students, as it purports to provide for an irrevocable waiver of the students’ right to withdraw their consent, which is contrary to section 16 of the PDPA. Directions 32 Having found that the Organisation is in breach of sections 13 and 18 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 33 In assessing the breach and determining the directions to be imposed on the Organisation, I took into account the following factors in its mitigation: (a) there was no complaint or allegation received to the effect that there was any loss or damage accruing to individuals as a result of the Organisation’s breach; (b) the Organisation demonstrated a willingness to take remedial actions upon being informed of the breach by the Complainant; and (c) the Organisation was generally cooperative throughout the investigation process and did not seek to obfuscate its role or the facts in this matter. 
34 In consideration of the relevant facts and circumstances of the present case, I hereby direct the Organisation to: (a) remove Posts B, C and D, and any other posts of a similar nature for which consent had not been obtained from the relevant individuals for their personal data to be used and disclosed on the Organisation’s Facebook page; (b) revise the MRF and all other documents used by the Organisation for obtaining consent from its students for the collection, use and disclosure of its students’ personal data, taking care: (i) to provide sufficient clarity and avoid the use of “catch-all” phrases in the articulation of the purposes for which personal data would be collected, used and disclosed; (ii) in particular, where the Organisation collects, uses or discloses personal data for purposes that involve marketing and profiling, to ensure that consent be obtained specifically for those purposes; and (iii) to clarify that individuals are not prohibited from withdrawing their consent; and (c) take all other steps and make such other arrangements as would reasonably be required to meet (a) and (b) above. 
YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Directions,ab610ebd87a5e51bcfa08294b0f5948e87401467,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,193,193,1,952,"A financial penalty of $12,500 was imposed on Aventis for using the personal data of individuals beyond the notified purposes, and for failure to give effect to the withdrawal of consent within a reasonable time.","[""Consent"", ""Purpose Limitation"", ""Notification"", ""Financial Penalty"", ""Directions"", ""Education""]",2018-04-30,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Aventis_300418.pdf,"Consent, Purpose Limitation, Notification",Breach of Notification and Consent Obligations by Aventis,https://www.pdpc.gov.sg/all-commissions-decisions/2018/04/breach-of-notification-and-consent-obligations-by-aventis,2018-04-30,"PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0766 [2018] SGPDPC [7] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Aventis School of Management Pte. Ltd. … Organisation DECISION Aventis School of Management Pte. Ltd. [2018] SGPDPC [7] Tan Kiat How, Commissioner — Case No DP-1705-B0766 30 April 2018 Background 1 The present matter concerns an individual (the “Complainant”) who had signed up to receive a free brochure for a specific programme organised by the Organisation, but ended up also receiving numerous marketing emails from the Organisation that were unrelated to the programme which the individual was interested in. The question raised is whether the Organisation’s “use” of the Complainant’s personal data to send him the marketing emails without his consent is a breach of the Personal Data Protection Act 2012 (“PDPA”). In the Commissioner’s findings, the answer is in the affirmative. 
2 The Commissioner also found that the Organisation had failed to carry out the Complainant’s request to remove his email address from the Organisation’s mailing list in a timely manner, which led to further marketing emails being sent to the Complainant after the withdrawal request was made. 3 The Commissioner’s findings and grounds of decision of the matter are now set out below. Aventis School of Management Pte. Ltd. [2018] SGPDPC 7 Material Facts 4 The Organisation is an educational institution that collaborates with overseas universities to offer degrees, courses, and programmes to students across various disciplines such as Finance, Marketing, and Business. 5 The Complainant was interested in one of the programmes offered by the Organisation, and submitted his name, email address, and contact number through a web form on the Organisation’s website, titled “Take Action Today – Download Free Brochure”, at http://asm.edu.sg/california-state-university on 12 January 2017. 6 After signing up for this free brochure, the Complainant started receiving marketing emails from the Organisation promoting various courses and programmes. For example, one of the marketing emails was titled “3 Psychological Discoveries on How to Convert Difficult People into Cooperative Comrades”. Another title was “How to Lead and Motivate Multi-Generational Teams through ‘Yin’ and ‘Yang’”. The email addresses of the senders were often different for each marketing email, such as “noreply@training-event.net” or “noreply@singapore-event.net”. The email addresses did not display a visible association to the Organisation’s domain name (as set out in the preceding paragraph). 7 The Complainant then lodged a complaint with the Personal Data Protection Commission (“PDPC”) on 15 May 2017, and subsequently provided 2 Aventis School of Management Pte. Ltd. 
the PDPC with screenshots or actual samples of 15 such emails (“the Marketing Emails”) he had received from the Organisation. (Footnote 1: These 15 Marketing Emails comprised emails from the Organisation that were sent on 5 May 2017; 7 May 2017; another on 7 May 2017; 8 May 2017; 15 May 2017; 18 May 2017; 23 May 2017; another on 23 May 2017; 10 June 2017; 14 June 2017; 15 June 2017; 16 June 2017; 17 June 2017; 18 June 2017; and 19 June 2017.) 8 According to the Complainant, he had attempted to unsubscribe from the Marketing Emails by clicking on the “unsubscribe” hyperlink found in the Marketing Emails. Additionally, the Complainant had also sent messages to two email addresses, namely “success@aventisglobal.edu.sg” and “shirley@aventisglobal.edu.sg”, which were found within the Marketing Emails, with a request to be removed from the Organisation’s mailing list. Between 19 April 2017 and 24 May 2017, the Complainant made a total of 5 unsubscribe requests, but to no avail. 9 According to the Organisation, it had only received the Complainant’s request on 15 May 2017 because the two email addresses that the Complainant had sent his request to were no longer in use by the Organisation, as the email addresses were assigned to a staff member who had left the Organisation. 10 Following the Complainant’s complaint of the matter to the PDPC, the PDPC had also informed the Organisation to remove the Complainant’s email address from the mailing list. At that point in time, the Organisation was undergoing a system upgrade and transitioning from its existing customer relationship management (“CRM”) system to a new one. Due to a technical and administrative glitch in the process of porting over customer data to the new CRM system, the Complainant’s email address was still included in the Organisation’s mailing list, causing the Complainant to continue to receive the Marketing Emails. 
The Organisation finally corrected this issue in June 2017, and provided confirmation to the PDPC that it had fulfilled the Complainant’s request on 21 June 2017. 11 Based on the Commissioner’s investigations, the Organisation had used the same web form to collect the personal data of 6,109 individuals, and had sent marketing emails to 719 other individuals. Findings and Basis for Determination Issues in this case 12 At the heart of the matter lies the issue of whether the Complainant consented to receive the Marketing Emails when he submitted his personal details to the Organisation. 13 Section 13 of the PDPA requires that organisations collect, use or disclose personal data about an individual only if consent is obtained, unless an exception to consent applies. Section 14(1)(a) of the PDPA requires that such consent must be given for purposes that have been notified to the individual. 14 Further, section 18 of the PDPA allows organisations to collect, use and disclose personal data only for purposes which a reasonable person would consider appropriate in the circumstances and of which the affected individual has been notified. 15 Given the above, if an organisation were to collect, use or disclose personal data for a purpose different from what an individual has been notified of, or has consented to, then the organisation would be in breach of the consent obligation under section 13 of the PDPA and the purpose limitation obligation under section 18 of the PDPA. 16 The Commissioner also considered whether, even if the Organisation had complied with its obligations under sections 13 and 18 of the PDPA, the Organisation would nevertheless be in breach of section 16(4) of the PDPA. Section 16(4) requires organisations to give effect to the withdrawal of an individual’s consent for the collection, use or disclosure of his personal data. 
This issue arises due to the Organisation’s delay in removing the Complainant’s email address from its mailing list, which consequently led to the Organisation’s continued use of the Complainant’s personal data to send him additional Marketing Emails. The Organisation did not have valid consent to use the Complainant’s personal data to send him the Marketing Emails 17 According to the Complainant, he had provided his personal data on the web form only for the purposes of receiving a copy of the free brochure from the Organisation to find out more about the specific programme which he was interested in. This consent did not extend to the Organisation being able to use the personal data that was collected to send the Complainant the Marketing Emails which were unrelated to the programme he was interested in. By this reasoning, the Organisation had not complied with section 13 of the PDPA because the Organisation had used his name and email address for a different purpose (ie to send him Marketing Emails) from that which the Complainant had agreed to when submitting his information. 18 The Organisation disagreed with this, and provided the PDPC with its website’s Terms of Use and Privacy Policy, claiming that the Complainant was sufficiently notified of, and had consented to, the Organisation using his personal data to send him the Marketing Emails. Having reviewed the Organisation’s website (including the web form), Terms of Use and Privacy Policy, the Commissioner did not accept the Organisation’s explanation for the following reasons. 
The web form did not indicate that the Organisation would use the personal data keyed into the form by individuals to send out the Marketing Emails 19 The pertinent presentation and content of the web form is as follows: (a) The title of the web form states “Take Action Today – Download Free Brochure”. (b) This is followed by a line beneath the title which reads: “Kindly fill in the simple form and download a FREE brochure”. (c) Below this line, there are 5 input boxes, comprising of three boxes for a user to input his name, email address, contact number, and two drop-down boxes labelled “Program Interested” and “Specialization”. (d) Right below the last input box, there is a text which reads: “[s]ubmitting this form meant your consent for our representative to contact you”. (e) The last item in the web form is a button labelled “Submit Now” for the user to click to submit the form. 20 To an ordinary user of this web form (“user”), these elements convey that upon submitting the form, the user would have agreed to the Organisation collecting the user’s personal data for the purposes (a) of the Organisation providing a free brochure to the interested user, and (b) for a representative of the Organisation to contact the user with regard to the programme which the user was interested in. There is nothing in the web form that suggests that the Organisation intends to use the name, email address or contact number to send out marketing emails to the user, in particular marketing emails on a subject matter that did not relate to the programme that the user was interested in. In the present case, the information provided did not sufficiently notify the Complainant of these additional purposes and the Complainant cannot be said to have consented to the Organisation using his personal data for the purpose of sending him the Marketing Emails. 
The Organisation’s Privacy Policy allowed the Organisation to use the personal data of the Complainant only for the purposes of providing the Complainant with the brochure of the specific programme he requested and to contact the Complainant in respect of the said programme 21 The Organisation claims that besides the web form, its website’s Terms of Use and Privacy Policy also provided valid notification of the purposes for the use of the personal data collected through the web form and thereby had obtained consent for the purposes of sending Marketing Emails to the Complainant. The Commissioner did not find this explanation satisfactory. 22 The portion of the Privacy Policy found on the Organisation’s website pertinent to the collection of the Complainant’s personal data through the web form states the following under the section “Information Collected by E-mail and Online Transactions”: “If you send us an e-mail, we will collect your email address and the contents of your message. We will use your email address and the information included in your message to respond to you, to address the issues you identify, and to improve this web site. We may also use your email address to notify you about updates, services, special events or activities offered by us and our partners. If you would prefer not to receive e-mail or other communications from us, contact us at info@aventisglobal.edu.sg. If you complete a transaction such as an online application or an information request form, we will collect the information, including personal information that you volunteered in completing the transaction. We will use this information only for purposes for which the transaction was intended. We may redirect your email message or information you provided through an online transaction to our office other than the one which originally received the message or information in order to better respond to you.” [Emphasis added.] 
23 The references to “an online application or an information request form” include the web form completed by the Complainant as the web form was essentially a request for further information on a specific programme and would, therefore, be considered a “transaction” for the purposes of the Privacy Policy. 24 Looking at the pertinent portion of the Privacy Policy, the Organisation has conveyed that it will only use personal data collected as a result of a transaction “for purposes for which the transaction was intended”. In this case, the intention in respect of the transaction in question – the provision of personal data in the web form to obtain a brochure on a specific programme – was for the purposes as set out above in paragraph 20. In the circumstances, the consent obtained by the Organisation from the Complainant was for the Organisation to provide a brochure to the Complainant on the specific programme in which he was interested and for a representative of the Organisation to contact the Complainant with regard to the said programme, and not for the purposes of sending Marketing Emails to the Complainant. The Organisation’s Terms of Use does not apply in respect of personal data collected through the web form 25 While the Organisation’s Terms of Use is referred to in the Privacy Policy, the Commissioner is of the view that the Terms of Use does not provide the Organisation with the consent to use the Complainant’s personal data for the purposes of sending out Marketing Emails. The reference to the Terms of Use in the Privacy Policy reads as follows: “By using the Site, you consent to the collection, use and processing of your personally identifiable information by us in the manner and for the uses described in this Privacy Policy and our Terms of Use. We reserve the right to make changes to these policies as appropriate, and will alert you to any changes made” [emphasis added.] 
26 Certain portions of the Terms of Use only apply to specific groups of people, i.e. “Students”, “Employees/Staff”, and the “General Public”. In the present case, the Complainant is neither a student nor employee or staff of the Organisation. As such, the Commissioner has focused on the following portion of the Terms of Use applicable to the “General Public” in determining whether consent had been obtained from the Complainant to allow the Organisation to send Marketing Emails to him: Purpose for the Collection, Use & Disclosure of Personal Data Depending on your relationship with us, the personal data which we collect from you may be used and/or disclosed for the following purpose: For General Public AVENTIS as an educational institution often organise a myriad of training, upgrading and career related activities in which general public are invited to participate. While it is impossible to list all the events in which we hope the public will participate, some events that you as a member of the public can look forward to include corporate outreach programmes, seminars, workshops, talks, exhibitions, etc. Naturally, in encouraging a vibrant interaction with the public, there will be opportunity, and often a need, to collect, use and/or disclose personal data from members of the public. The key reasons are as follows:
- For verification purposes for Events
- To keep you updated of future Aventis Events/products which we feel may interest you
- For administrative purposes for certain Events
- For marketing/publicity purposes
- For any other purpose arising in respect of the environment within which an institution of higher learning such as AVENTIS operates which is reasonable given your relationship with AVENTIS
In almost all of the above situations, it will be up to you as to whether, and to what extent, you wish to provide us with your personal data. 
Typical data collected include participant’s name, email and phone numbers. Based on the information provided, the general public may be contacted by various channels including through social media, Whatsapp, emails, phone calls, postal mail, electronic mail, SMS and/or voice calls; … [Emphasis added.] 27 While the Organisation’s Terms of Use as set out above do refer to the use of personal data for the purposes of keeping users updated of future events and products as well as for marketing and publicity purposes, the Terms of Use, unlike the Privacy Policy, does not mention the collection of personal data online, either through any online application, information request form, or web forms. Applying the legal maxim generalia specialibus non derogant (ie where a contract contains general terms and specific terms, the specific terms are to be given greater weight than the general terms if there is a conflict between the two; see Sir Kim Lewison, The Interpretation of Contracts, 6th ed. (London: Sweet & Maxwell, 2015) at [7.05]), the Commissioner finds that greater weight should be given to the Privacy Policy which specifically deals with the purposes for which personal data collected through the web form would be used. The provisions in the Terms of Use would be inconsistent with the Privacy Policy if the Terms of Use are generally applicable to personal data collected through the web form. 28 Accordingly, in the Commissioner’s findings, the Organisation did not provide notification of the purposes for which the marketing emails were sent out, and consequently, the Complainant also did not provide consent to his personal data being used for such purposes. The observations made above are equally applicable in respect of the Organisation’s failure to limit the use of the Complainant’s personal data to the notified purposes. In the circumstances, the Organisation is in breach of sections 13 and 18 of the PDPA. 
Even if the Organisation had obtained consent to the sending of the Marketing Emails, it failed to give effect to the Complainant’s withdrawal of consent 29 In the case at hand, even if the Organisation had obtained the requisite consent and provided the relevant notification, the Organisation would have nevertheless failed to comply with section 16(4) of the PDPA as it did not give effect to the Complainant’s withdrawal of consent within a reasonable time. 30 In this regard, the unsubscribe requests and the emails from the Complainant requesting to be removed from the Organisation’s mailing list (as set out in paragraph 8 above) as well as the same request made through the PDPC (as set out in paragraph 10 above) would have all, individually, triggered the Organisation’s obligation to give effect to the Complainant’s withdrawal of consent. These requests were sent between 19 April 2017 and 24 May 2017. However, the Organisation only fulfilled the Complainant’s request in June 2017; with the PDPC receiving confirmation of this from the Organisation on 21 June 2017. The Organisation admitted to receiving the Complainant’s emails at least by 15 May 2017. It took the Organisation about a month to effect the Complainant’s request to be removed from the Organisation’s mailing list from the time it admitted to receiving the Complainant’s request. 31 This runs afoul of the obligation under section 16(4) of the PDPA which requires organisations to put in place accessible means for data subjects to be able to withdraw consent to the collection, use and disclosure of their personal data. 
32 As stated in the PDPC’s Advisory Guidelines on Key Concepts in the PDPA, as a general rule of thumb, organisations should give effect to a withdrawal notice within ten (10) business days (see PDPC, Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) at [12.42]). Should the organisation require more time to give effect to a withdrawal notice, it is good practice for the organisation to inform the individual of the time frame by which the withdrawal of consent will take place. 33 Accordingly, given that the Organisation has taken such a long time to give effect to the withdrawal of consent to use the Complainant’s personal data to send the Marketing Emails, the Commissioner is also of the view that the Organisation has, in the alternative, failed to comply with section 16(4) of the PDPA. 34 Before leaving the discussion on the Organisation’s section 16 obligation, the Commissioner notes that the unsubscribe facility provided for in the Organisation’s Marketing Emails was included to comply with section 11 of the Spam Control Act (Cap. 311A) (“Spam Control Act”) which states that: 
“Any person who sends, causes to be sent or authorises the sending of unsolicited commercial electronic messages in bulk shall comply with the requirements in the Second Schedule.” 35 The Second Schedule provides that every unsolicited commercial electronic message (such as marketing emails sent in bulk without having obtained the consent of the individual recipients) shall contain a method for the recipients to unsubscribe from receiving such electronic messages in the future (paragraph 2(1) of the Second Schedule of the Spam Control Act). The sender is not allowed to send any further unsolicited commercial electronic messages to recipients who have unsubscribed after the expiration of 10 business days after the day on which the unsubscribe request was submitted (paragraph 2(7) of the Second Schedule of the Spam Control Act). 36 The Commissioner is of the view that any recipient of a marketing email who submits an unsubscribe request using the unsubscribe facility provided by the sender of the marketing email (as required by the Spam Control Act) provides notice to the sending organisation, for the purposes of the PDPA, of the recipient’s withdrawal of consent in respect of the use of the recipient’s personal data for the purposes of sending the recipient marketing emails. 37 Organisations should therefore be aware that the unsubscribe facility serves a twofold purpose – (a) compliance with section 11 of the Spam Control Act, and (b) as a way for an individual recipient of marketing emails to provide notice to the sending organisation of his withdrawal of consent to the use or disclosure of his personal data for the purposes of sending him marketing emails, in accordance with section 16 of the PDPA. A failure to give effect to an unsubscribe request may lead to a breach of section 11 of the Spam Control Act and, as in this case, a breach of section 16(4) of the PDPA. 
38 For the avoidance of doubt, the Commissioner is not making any determination in respect of the Organisation’s compliance with its obligations under section 11 of the Spam Control Act as such disputes are within the jurisdiction of the courts. Enforcement Action by the Commissioner 39 Given the Commissioner’s findings that the Organisation is in breach of its obligations under the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 40 In assessing the breach and determining the directions to be made, the Commissioner considered, as an aggravating factor, the fact that the Organisation had failed to take timely or reasonable steps to resolve or remediate the matter, despite receiving multiple requests from both the Complainant and the PDPC. Another aggravating factor the Commissioner took into account was the high number of affected individuals; the Organisation had used the same web form to collect the personal data of 6,109 individuals, out of which 719 individuals had received similar marketing emails not specific to the programmes that these individuals were interested in from the Organisation. 41 The Commissioner also considered, as a mitigating factor, the fact that the Organisation has been generally cooperative with the investigation and provided its responses to the PDPC’s questions promptly. 42 The Commissioner hereby directs the Organisation to pay a financial penalty of S$12,500 within 30 days from the date of the Commissioner’s direction. 
Additionally, the Organisation is directed to carry out the following within 30 days: (a) cease the use of personal data about individuals for purposes of which the individuals have not been notified; and (b) review its procedures and processes for the withdrawal of consent by individuals to ensure that such withdrawals are effected upon the receipt of reasonable notice. Representations by the Organisation 43 The Organisation submitted its representations by way of a letter dated 5 April 2018 from its solicitors. The Organisation indicated that the Commissioner should consider its track record of acting in accordance with unsubscribe requests, that it acted quickly to improve its administration of unsubscribe requests by on-boarding a new platform to deal with such unsubscribe requests and that the delay in responding to the Complainant’s unsubscribe request was due to its migration to the new platform which is a one-off occurrence. The Organisation also indicated that it had not received the initial unsubscribe requests of the Complainant. 44 The Commissioner is of the view that the above representations do not warrant a reduction in the penalty imposed for the following reasons: (a) The Organisation has not adduced any evidence to show that it has a track record of acting in accordance with unsubscribe requests. In any event, even if it was able to show the same, the main finding here is that there was a breach of the consent obligation. Complying with the wishes of individuals to be unsubscribed from mailing lists does not address the main finding that the Organisation collected and used personal data for purposes for which the Complainant did not consent to in the first place. At most, it is a remediation of its initial breach. 
(b) While the Organisation may have on-boarded a new platform to better comply with its obligations to give effect to a withdrawal of consent, the Organisation took about a month to give effect to the Complainant’s wishes to be removed from its mailing list. While the Organisation has attempted to explain this by claiming that this delay was caused by the on-boarding of the new platform, the Organisation should have put in place measures in the interim to ensure that the Complainant did not receive any further marketing material from the Organisation. (c) The Commissioner had already given the Organisation the benefit of the doubt with respect to the date on which it became aware of the unsubscribe requests and based his findings and the determination of the penalty quantum on the Organisation’s agreement that it at least became aware of the Complainant’s unsubscribe request on 15 May 2017. 45 The Organisation also sought to compare the penalty imposed against them with previous cases. The Commissioner highlights that the penalty imposed in each case is based on the facts in each case and is only arrived at after a detailed consideration of the facts in each case and a comparison with past cases which are broadly similar. In this case, given the aggravating and mitigating factors present as set out at paragraphs 40 and 41 above, the Commissioner decided that a penalty of $12,500 was warranted. 
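As an added illustration (example code written for this page, not the Organisation’s system or anything described in the decision) of what the ‘measures in the interim’ of paragraph 44(b) and the ten-business-day rule of thumb of paragraph 32 look like in practice: withdrawals of consent are recorded in a ledger that lives outside the CRM, every bulk send passes through a gate that consults that ledger, and a CRM migration re-applies the ledger instead of copying the contact table as-is. The contact records, addresses and dates below are constructed; the business-day count ignores public holidays, which is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# PDPC Advisory Guidelines rule of thumb (paragraph 32 of the decision): give effect
# to a withdrawal of consent within ten business days of receiving notice of it.
BUSINESS_DAY_LIMIT = 10


def add_business_days(start: date, n: int) -> date:
    '''Return the date n Mon-Fri business days after start. Public holidays are
    ignored here (assumption); a production ledger would load a holiday calendar.'''
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass(frozen=True)
class Withdrawal:
    email: str
    received: date
    channel: str  # e.g. 'unsubscribe_link', 'email_request', 'regulator'


class SuppressionLedger:
    '''Withdrawals of consent, stored separately from the CRM so that a CRM
    migration (the failure mode in paragraphs 10 and 44(b)) cannot reactivate
    an address. Every channel that can carry a withdrawal writes here.'''

    def __init__(self) -> None:
        self._entries: dict[str, Withdrawal] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def record(self, w: Withdrawal) -> None:
        key = self._key(w.email)
        # Keep the earliest notice: the clock starts at first receipt, whatever the channel.
        if key not in self._entries or w.received < self._entries[key].received:
            self._entries[key] = w

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self._entries

    def deadline(self, email: str) -> date:
        return add_business_days(self._entries[self._key(email)].received, BUSINESS_DAY_LIMIT)

    def overdue(self, email: str, today: date) -> bool:
        '''True once the rule-of-thumb window has passed; the caller knows whether
        the address is in fact still receiving mail.'''
        return today > self.deadline(email)


def filter_recipients(recipients: list[str], ledger: SuppressionLedger) -> list[str]:
    '''Send-time gate: the last check before a bulk send, applied regardless of
    what the CRM export says about the contact.'''
    return [r for r in recipients if not ledger.is_suppressed(r)]


def migrate_contacts(old_contacts: list[dict], ledger: SuppressionLedger) -> list[dict]:
    '''Port CRM contacts to a new platform, re-applying the ledger so that a
    withdrawn address is never imported as an active subscriber.'''
    return [c for c in old_contacts if not ledger.is_suppressed(c['email'])]


def run_demo() -> dict:
    '''Constructed scenario on the decision timeline: a request received on
    15 May 2017, a CRM migration that copies the whole contact table, and a
    check on 21 June 2017. Names and addresses are made up.'''
    old_crm = [
        {'email': 'alice@example.com', 'source': 'brochure_form'},
        {'email': 'Bob@Example.com', 'source': 'brochure_form'},
        {'email': 'carol@example.com', 'source': 'event_signup'},
    ]
    ledger = SuppressionLedger()
    ledger.record(Withdrawal('BOB@example.com', date(2017, 5, 15), 'email_request'))

    # Naive migration: copy every contact row as-is (what went wrong in the case).
    naive_new_crm = list(old_crm)
    # Ledger-aware migration: withdrawn addresses do not cross over.
    safe_new_crm = migrate_contacts(old_crm, ledger)

    today = date(2017, 6, 21)
    return {
        'naive_migration_recipients': [c['email'] for c in naive_new_crm],
        'safe_migration_recipients': [c['email'] for c in safe_new_crm],
        # Even after the naive migration the send-time gate still drops Bob.
        'gated_send': filter_recipients([c['email'] for c in naive_new_crm], ledger),
        'deadline': ledger.deadline('bob@example.com').isoformat(),
        'overdue_on_21_june': ledger.overdue('bob@example.com', today),
    }


if __name__ == '__main__':
    for k, v in run_demo().items():
        print(k, v)
```

The ledger is deliberately keyed on the normalised address and kept append-only: the unsubscribe link, a request mailed to a former employee’s address and a notice relayed by the regulator all land in the same place, and the deadline is computed from the earliest of them. Because the send-time gate reads the ledger rather than the CRM, the interim protection the Commissioner expected in paragraph 44(b) holds even while the CRM itself is being replaced.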
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ","Financial Penalty, Directions",ee94ae697675c228c71fd7f5fba9305226984d44,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,232,232,1,952,"Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies.","[""Consent"", ""Purpose Limitation"", ""Notification"", ""Directions"", ""Others""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf,"Consent, Purpose Limitation, Notification",Breach of Consent and Other Obligations by Universal Travel Corporation,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. 
Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when the list was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the Respondent’s response to the Commission during the investigation, the Respondent confirmed to the Commission that it did not obtain consent from the 37 passengers to disclose their personal data to other parties. It also mentioned that none of the passengers had authorised the release of their personal data to third parties. The Respondent confirmed to the Commission that it also did not have any personal data policy in place at the material time. C. COMMISSION FINDINGS AND BASIS FOR DETERMINATION 7. The issues in this case to be determined are as follows: i. Has the Respondent complied with sections 13 and 20 of the Personal Data Protection Act 2012 (“PDPA”) in disclosing the personal data to the customers of the Balkans Tour? ii. 
Was the disclosure of the personal data made in accordance with section 18 of the PDPA, ie for purposes that a reasonable person would consider appropriate in the circumstances? iii. Has the Respondent complied with section 12(a) of the PDPA in developing and implementing policies and practices necessary to meet its obligations under the PDPA? Contraventions by the Respondent under sections 13 and 20 of the PDPA 8. The Commission notes that the Respondent intentionally sent the passenger list to the four individuals who had requested confirmation of the flight cancellation. 9. However, the Respondent had not sought or obtained any of the 37 passengers’ consent to disclosing the information contained in the passenger list to the other individual(s) who were requesting the formal confirmation from the Respondent. In this regard, the Respondent did not have the requisite consent from the 37 passengers to disclose their personal data to other individual(s) under section 14 of the PDPA. 10. In relation to whether the 37 passengers could be deemed to have consented to the disclosure of the personal data under section 15 of the PDPA, the Commission finds that no such deemed consent can be imputed on the facts. The Commission notes that when the 37 passengers voluntarily provided their personal data to the Respondent, the purposes for providing their personal data did not include the purpose of allowing another passenger(s) to process his/her insurance claim. This is fortified by the Respondent’s confirmation that none of the passengers had agreed or authorised the release of their personal data to a third party. The Commission notes that each individual only required his or her flight details and confirmation of the flight delay in order to process his or her insurance claim. 11. 
In its submissions to the Commission, the Respondent claimed that the exception provided for in paragraph 1(a) of the Fourth Schedule of the PDPA (the “exception”) applied to the case and hence it was not required to seek the consent of the individuals concerned for the disclosure of the 37 passengers’ personal data. 12. Having considered the context and circumstances of the case, the Commission concludes that the aforesaid exception does not apply for the following reasons: i. “Interests of the individual” under Paragraph 1(a) of the Fourth Schedule should refer to the interests of the data subject. Disclosing the personal data of other passengers to a fellow passenger for the purpose of enabling that passenger to make a claim against his travel insurance policy for himself cannot be said to be in the interest of any one or all of the other passengers. ii. It does not appear obvious to the Commission that in order to make an insurance claim, details of all other affected passengers on the Balkans Tour had to be disclosed. For one, the Respondent could have provided the confirmation with only the details of the individual making the insurance claim. Alternatively, the other passengers’ details could have been removed or redacted from the list when it was forwarded to the recipients. There is no suggestion that these actions could not be carried out. iii. There is nothing to suggest that consent for disclosure could not be secured from the passengers in the list in a timely manner, or that there was urgency in the matter which warranted the consent from the other passengers being dispensed with. 13. In the circumstances, by disclosing the passenger list containing the personal data of the 37 passengers without obtaining their prior consent, the Respondent had contravened section 13 of the PDPA. Additionally, since the Respondent had also not informed the passengers of the purposes for which it was disclosing their personal data, it is also in breach of section 20 of the PDPA. 
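The two alternatives the Commission names in paragraph 12(ii), as an added example (code written for this page, not anything the Respondent used): build each claimant’s confirmation from the airline manifest so that only that claimant’s own row leaves the organisation, fall back to a redacted copy if the airline letter must be forwarded whole, and run a pre-send check that refuses any outgoing document containing a row for a data subject who has not consented to the other recipients seeing it. The manifest, names, passport numbers and PNRs are constructed (three passengers instead of 37); matching rows on passenger name is an assumption made for the example.

```python
from dataclasses import dataclass

# Fields the decision records as disclosed for all 37 passengers (paragraph 5).
PERSONAL_FIELDS = ('name', 'nationality', 'dob', 'passport', 'passport_expiry', 'pnr')
REDACTED = '[redacted]'


@dataclass(frozen=True)
class Passenger:
    name: str
    nationality: str
    dob: str
    passport: str
    passport_expiry: str
    pnr: str


def _norm(name: str) -> str:
    return name.strip().lower()


def confirmation_for(manifest, flight, cancellation_note, requester_name):
    '''Per-claimant document: the flight facts plus only the requester's own row.
    Matching on name is an assumption for the example; a real system would key
    on the booking reference the customer already holds.'''
    own = [p for p in manifest if _norm(p.name) == _norm(requester_name)]
    if len(own) != 1:
        raise LookupError(f'expected one manifest row for {requester_name!r}, found {len(own)}')
    return {'flight': flight, 'cancellation': cancellation_note, 'passenger': own[0]}


def redacted_manifest(manifest, recipient_names):
    '''Fallback when the airline letter has to be forwarded whole: every row that
    does not belong to a recipient is replaced by an all-REDACTED placeholder, so
    the row count survives but no personal data does.'''
    keep = {_norm(n) for n in recipient_names}
    blank = Passenger(*([REDACTED] * len(PERSONAL_FIELDS)))
    return [p if _norm(p.name) in keep else blank for p in manifest]


def audit_disclosure(rows, recipients, consents):
    '''Pre-send gate. For each data subject whose row is in the outgoing document,
    every recipient other than the subject must appear in consents[subject].
    Returns the subjects that block the send; an empty list means it may go out.'''
    recip = {_norm(r) for r in recipients}
    allowed = {_norm(s): {_norm(r) for r in rs} for s, rs in consents.items()}
    blocking = []
    for p in rows:
        if p.name == REDACTED:
            continue
        subj = _norm(p.name)
        others = recip - {subj}
        if not others <= allowed.get(subj, set()):
            blocking.append(p.name)
    return blocking


def run_demo():
    '''Constructed manifest and recipients; all details are made up.'''
    manifest = [
        Passenger('Ann Lee', 'SG', '1980-01-02', 'E1234567A', '2020-01-01', 'PNR001'),
        Passenger('Ben Tan', 'SG', '1975-03-04', 'E7654321B', '2021-06-30', 'PNR001'),
        Passenger('Cara Ng', 'MY', '1990-05-06', 'A1122334', '2019-12-31', 'PNR002'),
    ]
    flight = 'TK1027/18FEB15 ISTANBUL-SOFIA'
    note = 'Flight cancelled on 18 February 2015 (constructed wording).'
    no_consent = {}  # nobody agreed to disclosure to fellow passengers (paragraph 6)

    # What was actually sent: the whole manifest to the claimants.
    whole = audit_disclosure(manifest, ['Ann Lee', 'Ben Tan'], no_consent)
    # Paragraph 12(ii), first option: one document per claimant, own row only.
    ann = confirmation_for(manifest, flight, note, 'Ann Lee')
    own_only = audit_disclosure([ann['passenger']], ['Ann Lee'], no_consent)
    # Second option: forward the letter to Ann with the other rows redacted.
    red = redacted_manifest(manifest, ['Ann Lee'])
    redacted = audit_disclosure(red, ['Ann Lee'], no_consent)
    # Where a co-traveller on the same booking has consented, his row may go to Ann.
    ben_ok = {'Ben Tan': {'Ann Lee'}}
    with_consent = audit_disclosure(manifest[:2], ['Ann Lee'], ben_ok)
    return {
        'whole_manifest_blocked_by': whole,
        'own_row_blocked_by': own_only,
        'redacted_blocked_by': redacted,
        'redacted_rows': [p.name for p in red],
        'with_consent_blocked_by': with_consent,
    }


if __name__ == '__main__':
    for k, v in run_demo().items():
        print(k, v)
```

The gate is strict in the direction the decision takes: a single email to two claimants discloses each one’s row to the other, so even a two-recipient send of the unredacted rows is refused unless the consent record covers it, and the clean path is one document per claimant. The consent map is the hook for paragraph 12(iii), where the Commission notes that consent could have been sought in time.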
Disclosure of personal data was not for purposes reasonable or appropriate in the circumstances or for purposes that the individual has been informed of under section 20 14. In view that the disclosure of the entire passenger list goes beyond supporting an individual customer’s insurance claim (as set out in paragraphs 12i and 12ii above), the disclosure could not be for purposes that a reasonable person would consider appropriate in the circumstances. 15. In addition, since the Respondent had not been informed of the purposes for which it was disclosing the passengers’ personal data, it was also not in compliance with section 20 of the PDPA. 16. In this regard, the Respondent was also in breach of section 18 of the PDPA. Failure to develop and implement policies and practices necessary to meet obligations under the PDPA 17. Given that the Respondent had not put in place data protection policies to ensure compliance with the PDPA at the material time when the data breach transpired, as confirmed by the Respondent in its response to the Commission’s request for information and documents on 13 August 2015, the Respondent was in breach of section 12(a) of the PDPA. 18. The Commission notes from the Respondent’s response of 24 August 2015 that the Respondent is taking steps to set up guidelines with regard to the use and disclosure of customers’ personal data to comply with section 12(a) of the PDPA. D. ENFORCEMENT ACTION TAKEN BY THE COMMISSION 19. Given the Commission’s findings that the Respondent is in breach of its obligations under sections 12(a), 13, 18 and 20 of the PDPA, the Commission is empowered under section 29 of the PDPA to give the Respondent such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Respondent to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. 20. 
In exercise of the power conferred upon the Commission pursuant to section 29 of the PDPA, the Commission directs the Respondent to take the following steps: i. To put in place within 3 months a data protection policy and internal guidelines to comply with the provisions of the PDPA and, in particular, to prevent future recurrences of the breaches that has occurred in this matter; ii. To inform within 2 weeks the individuals who received the passenger list not to disclose the list to other third parties; iii. For all employees of the Respondent handling personal data to attend a training course on the obligations under the PDPA and the organisation’s data protection policies within 6 months from the date of this decision; and iv. To inform the Commission of the completion of each of the above within 1 week. 21. On a balance, the Commission has decided not to impose a financial penalty on the Respondent in view of the overall circumstances of the matter, namely: i. that the disclosures were made to a limited number of persons and to their personal email addresses; ii. that the personal data that was disclosed was in relation to limited individuals; iii. that the disclosures were not due to a systemic issue that could result in further disclosures to be made or further harm to be caused; iv. that the disclosures appear to be caused by the lack of awareness on the Respondent’s employees’ part of data protection obligations; and v. that the disclosures were bona fide mistakes made by the Respondent’s employees who were seeking to assist the passengers with their insurance claims, and not one where there was a wilful disregard for the provisions in the PDPA. 22. The Commission emphasises that it takes a very serious view of any instance of non-compliance with the PDPA, and it urges organisations to take the necessary action to ensure that they comply with their obligations under the PDPA. 
The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. YEONG ZEE KIN COMMISSION MEMBER PERSONAL DATA PROTECTION COMMISSION 1 Section 13 of the PDPA prohibits an organisation from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data. This provision is also to be read with Section 14, 15 and Section 20 of the PDPA. 2 Section 20 of the PDPA requires, amongst other things, that an organisation informs an individual of (a) the purposes for the collection, use or disclosure of personal data, on or before collecting the personal data; and (b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a) above before the use or disclosure of the personal data for that purpose. 3 Section 18 of the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes (a) that a reasonable person would consider appropriate in the circumstances; and (b) that the individual has been informed of under section 20, if applicable. 4 Section 12(a) of the PDPA provides that an organisation shall develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation. 5 Paragraph 1(a) of the Fourth Schedule of the PDPA states that an organisation may disclose personal data about an individual without the consent of the individual if the disclosure is necessary for any purpose which is clearly in the interests of the individual and if consent for its disclosure cannot be obtained in a timely way. ",Directions,5a0ff182bd0082f840e509fc39079487ae98fb3a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"