_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,43,43,1,952,"A financial penalty of $14,000 was imposed on Nature Society (Singapore) for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its website database. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to comply with the PDPA.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Others""]",2022-01-14,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---NSS---03122021.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Nature Society (Singapore),https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-protection-and-accountability-obligations-by-nature-society,2022-01-14,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7351 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Nature Society (Singapore) SUMMARY OF THE DECISION 1. On 6 November 2020, the Personal Data Protection Commission (the “Commission”) received information of an online article reporting about hacked databases being made available for downloads on several hacking forums and Telegram channels. In the article, Nature Society (Singapore) (the ""Organisation"") was named as one of the affected Organisations (the “Incident”). 2. The personal data of 5,131 members and non-members who had created membership and user accounts on the Organisation’s website were affected in the Incident. 
The datasets affected comprised names, usernames, passwords (encrypted), email addresses, telephone numbers, types of membership, gender, mailing addresses, dates of birth, occupation, company and nationality. 1 3. Following the Incident, the Organisation engaged two IT professionals to carry out an investigation and analysis of the Organisation's website. The investigation and analysis revealed vulnerabilities in the Organisation's website and suspicious SQL injection activities prior to the Incident. The possible attack vector was identified as a SQL injection attack which led to personal data on the Organisation's website database being accessed and exfiltrated by unknown parties. 4. The Organisation took the following remedial measures after the Incident: (a) Edited the website to stop all online membership sign-ups/renewals and logins to the website; (b) Removed all members' and users' data from the website database; (c) Backed up the website database and kept all personal data offline; (d) Changed all login passwords; (e) Notified all affected individuals of the Incident via email; (f) Appointed a Data Protection Officer (""DPO""); (g) Developed and implemented a personal data policy; and (h) Engaging vendors to develop a new website to improve security. 5. In its representations to the Commission, the Organisation admitted to having breached the Accountability Obligation under sections 11(3) and 12(a) and the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (""PDPA""), and requested for the matter to be dealt with in accordance with the Commission’s Expedited Decision Procedure. 2 Breach of Section 11(3) of the PDPA 6. First, the Organisation admitted it did not designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that the Organisation complies with the PDPA. 
The responsibilities of a DPO include (a) ensuring compliance with the PDPA, (b) fostering a data protection culture, (c) handling and managing personal data queries and complaints, (d) alerting management to any risks with regard to personal data and (e) liaising with the Commission if necessary. From the foregoing, it is clear that the DPO plays a vital role in implementing and building a robust data protection framework to ensure an organisation’s compliance with its obligations under the PDPA. Breach of Section 12(a) of the PDPA 7. Second, the Organisation admitted it did not develop and implement any personal data protection policy prior to the Incident. In this regard, it is important to reiterate that at the very basic level, an overarching personal data protection policy has to be developed and implemented to ensure a consistent minimum data protection standard across an organisation's practices, procedures and activities. Breach of Section 24 of the PDPA 3 8. Third, the Organisation admitted that it did not make reasonable security arrangements to protect the personal data on its website database. After the Organisation's website was designed and developed by an external vendor in 2011, the Organisation did not have any contract/retainer agreement with the external vendor to maintain the website's security. As a result, the responsibility of protecting its website fell squarely on the Organisation. However, the Organisation failed to carry out any security measures, e.g. conducting necessary security updates, patches and penetration tests, thus leaving its website vulnerable to attacks. 9. In the circumstances, the Organisation is found to have breached sections 11(3), 12(a) and 24 of the PDPA. Commission’s Decision 10. 
After considering the factors listed at section 48J(6) of the PDPA and the circumstances of this case, including (i) the Organisation's upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; (ii) the fact that the Organisation is a non-profit, registered society and (iii) the Organisation's prompt remedial actions, the Organisation is given notice to pay a financial penalty of $14,000. 4 11. The Organisation must make payment of the financial penalty within 30 days from the date of the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 12. In view of the remedial actions taken by the Organisation, the Commission will not issue any directions under section 48I of the PDPA. The following are the provisions of the Personal Data Protection Act 2012 cited in the above summary: Compliance with Act 11(3). An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act. Policies and practices 12(a). An organisation shall develop and implement practices that are necessary for the organisation to meet the obligations of the organisation under this Act. Protection of personal data 24. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent – (a) unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. 
5 ",Financial Penalty,50aef1ea4a6b3252366a112e13092602d7c8bd3b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,59,59,1,952,"A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Information and Communications"", ""Ransomware"", ""IPMI"", ""Database servers"", ""No Written Policy""]",2021-06-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Webcada-Pte-Ltd-06052021.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligation by Webcada,https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-accountability-obligation-by-webcada,2021-06-10,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B6931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Webcada Pte Ltd SUMMARY OF THE DECISION 1. On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”). 2. The personal data of 522,722 individuals were affected in the Incident. The datasets affected comprised the individuals’ names, phone numbers, dates of birth, addresses and order histories. 3. Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures. 4. 
Investigations revealed that the ransomware had been uploaded onto the affected servers via the Intelligent Platform Management Interface (""IPMI""). The IPMI is a set of computer interface specifications used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups. 5. The Organisation took the following remedial measures after the Incident: (a) IPMI was permanently disabled for all servers; (b) The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses; (c) End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation; and (d) A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the ""PDPA""). 6. In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested for the matter to be dealt with in accordance with the PDPC’s Expedited Decision Procedure. Section 12 of the PDPA 7. First, the Organisation admitted it did not have a written data protection policy prior to the Incident. In this regard, it is important to reiterate that an organisation must document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation's obligations under the PDPA. This requirement has been emphasized multiple times in previous decisions1. Section 24 of the PDPA 8. Second, the Organisation admitted that it did not configure its IPMI access settings correctly prior to the Incident. It enabled access to the IPMI from the public Internet when this was not necessary. 
Furthermore, in the monthly vulnerability scans carried out by the Organisation, it had omitted to scan the IPMI. Hence, it was not able to detect vulnerabilities in its IPMI, which were exploited to gain access to and upload the ransomware on the servers. 9. In the circumstances, the Organisation is found to have breached sections 12 and 24 of the PDPA. 10. After considering the factors listed at section 48J(6) of the PDPA and the circumstances of this case, including (i) the Organisation's upfront voluntary admission of liability which significantly reduced the time and resources required for investigations; and (ii) the Organisation's prompt remedial actions, the Organisation is given notice to pay a financial penalty of $25,000. 1 See Re Aviva Ltd [2017] SGPDC 14 at [32]; Re Singapore Taekwondo Federation [2018] SGPDC 17 at [39] to [42]; Re AgcDesign Pte Ltd [2019] SGPDC 23 at [4] to [5]; Re (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd [2020] SGPDC 20 at [8] to [9] 11. The Organisation must make payment of the financial penalty within 30 days from the date of the notice accompanying this decision, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 12. In view of the remedial actions taken by the Organisation, the Commission will not issue any directions under section 48I of the PDPA. ",Financial Penalty,a8330d4666d7631b3e448330fd698843754474f4,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,81,81,1,952,"Directions, including a financial penalty of $7,500, were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. 
Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions"", ""Financial Penalty"", ""Others"", ""Consent"", ""No DPO"", ""No Policy""]",2020-11-24,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf,"Protection, Accountability",Breach of the Consent and Accountability Obligations by Majestic Debt Recovery,https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery,2020-11-24,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. 
The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 2 3 During its investigation, the Commission found other video recordings on the Facebook Page. These videos also captured images and voices of other individuals who appeared to be either individual debtors or representatives of corporate debtors of the Organisation’s clients. 4 By its own admission to the Commission, the Organisation did not have any knowledge of the Personal Data Protection Act 2012 (“PDPA”) prior to this incident and had not developed any data protection policies or practices. The Organisation also admitted that it did not have a data protection officer (“DPO”) prior to this incident. 5 Upon being notified by the Commission, the Organisation took the following remedial actions: (a) Removed the Recording and all other videos from the Facebook Page; (b) Designated an individual tasked with data protection matters (i.e. a DPO); and (c) Assured the Commission that it will ensure that it obtains consent in writing from individuals before recording and uploading their personal data onto its Facebook Page. 
Findings and Basis for Determination Whether the Organisation had breached section 13 of the PDPA 6 Broadly, section 13 of the PDPA prohibits organisations from collecting, using or disclosing personal data about an individual unless the individual’s consent is obtained (either actual or deemed) or such collection, use or disclosure is required or authorised under the PDPA or any written law. As stated at [2], the Organisation recorded the video using a tablet device. The incident took place at the Company’s premises, after the Representatives were met at the reception and brought into the office proper, which was not open to the public. The Organisation posted the Recording on its Facebook Page despite the Complainant’s protests. This disregard of the individual’s wishes is a breach of section 13 of the PDPA given that the collection, use and disclosure of the Recording was not required or authorised under the PDPA or other written law. 3 7 In relation to the Organisation’s assurance (noted at [5]) that it would in future obtain consent from individuals concerned, it seems unlikely or even inconceivable that an individual who owed a debt would willingly consent to be filmed by the debt collecting agency calling on him, and for such recordings to be posted on social media. If such consent were obtained ex ante by an organisation, for example at the time when the loan was first given, and the purpose for posting the recording on social media is to shame the debtor, there is a real risk that this purpose may not be one which a reasonable person would consider appropriate under section 18 of the PDPA; or that consent thus obtained is vitiated under section 14(3), as having been obtained through unfair, or deceptive or misleading practices. 8 However, this is not to say that the capturing of personal data through video will never be appropriate or in compliance with the PDPA. 
As an example, a security company may wish to equip its security officers with body worn cameras to ensure that its officers are exercising their duties in a responsible and lawful manner and their interactions with the public adhere to their code of conduct. Any organisation that wishes to implement such a practice has to be accountable and should ensure that it has sound legal basis to do so. Additionally, it will need to put clear guidelines and policies in place for its employees in relation to their conduct and the use of such cameras and the video footage captured. In developing such guidelines and policies, such organisations should ensure that the use of these recording devices is in compliance with the PDPA and have measures and controls in place to ensure that these guidelines and policies are adhered to. Whether the Organisation had breached sections 12 and 11(3) of the PDPA 9 Section 12 of the PDPA requires organisations to, inter alia, develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and section 11(3) of the PDPA requires organisations to designate one or more individuals (i.e. the DPO) to be responsible for ensuring the organisations’ compliance with the PDPA. 10 By nature of its business, the Organisation would be in possession and/or control of various personal data, including those of its employees and its clients’ debtors or the debtors’ employees. As stated at [3], the Organisation admitted that it did not have any knowledge of 4 the PDPA prior to being notified by the Commission over this incident, did not have any data protection policies or practices, and had not appointed a DPO. 11 In light of the foregoing, the Organisation was also in breach of sections 11(3) and 12 of the PDPA. Representations by the Organisation 12 In the course of settling this decision, the Organisation made representations regarding the findings as set out at [6]. 
The Organisation raised the following factors: (a) When the Representatives visited the Company to recover debts on various occasions prior to the Incident, they had made video recordings of those visits without any objections from the Company; and (b) According to the Organisation, it had “video proof” of the Complainant consenting to the Organisation posting video recordings of the Representative’s visits to the Company on its Facebook Page. 13 Having carefully considered the representations, I maintain the finding that the Organisation was in breach of Section 13 of the PDPA for the following reasons: (a) The Organisation was unable to provide any evidence to support its assertion that there had been consent by the Company on previous occasions to the Organisation video recording the Representatives’ visits to the Company’s premises. The Organisation was also unable to provide the “video proof” referred to at [12(b)]; (b) Even if consent had been obtained previously, section 16(1) of the PDPA provides that on giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. As mentioned at [2], the Complainant had expressly objected to the video recording and the subsequent posting of the video on the Facebook Page. In the circumstances, I find that even if consent was given previously as asserted by the Organisation at [12], it had been withdrawn by virtue of the Complainant’s express 5 objections at the material time. 
Accordingly, the Organisation did not have consent to post the Recording on its Facebook Page; and (c) Furthermore, even if consent had been obtained to post the video recording on social media to shame the debtor, I have grave doubts if the consent will stand up to scrutiny under section 14(2) of the PDPA, which vitiates consent obtained through unfair, and deceptive or misleading practices. For example, if consent to post video recordings made during debt recovery attempts was made a condition of obtaining the loan, it could possibly go beyond what is reasonable in order to provide the loan: see section 14(2)(a). Consent obtained through such unfair practice is vitiated by section 14(3). Neither would such a purpose be one which a reasonable person — on an objective standard — would likely consider to be appropriate under section 18 of the PDPA. The Deputy Commissioner’s Directions 14 In determining the directions to be imposed on the Organisation under section 29 of the PDPA, I took into account the following mitigating factors: (a) the Organisation was cooperative and forthcoming in the course of investigations; (b) the Organisation took prompt remedial action after being notified by the Commission; and (c) there was no evidence of any further unauthorised use of the personal data captured in the Recording. 15 Having carefully considered all the relevant factors of this case, I hereby direct the Organisation to: (a) pay a financial penalty of $7,500 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; 6 (b) develop and implement policies and practices which are necessary for its compliance with the PDPA; and (c) put in place a program of compulsory training for its employees on compliance with the PDPA. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION 7 ","Directions, Financial Penalty",735c56aebf1838696565bb02754125b665e3d968,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,104,104,1,952,Both MCST 3593 and New-E Security failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of a common property at Marina Bay Residences. MCST3593 also failed to appoint a data protection officer and put in place policies and practices necessary for the organisation to comply with the PDPA.,"[""Protection"", ""Accountability"", ""Financial Penalty"", ""Directions""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3593-and-Others---02032020.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by MCST 3593 and Breach of the Protection Obligation by New-E Security,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-3593-and-breach-of-the-protection-obligation-by-new-e-security,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 6 Case No DP-1903-B3554 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 3593 (2) Edmund Tie & Company Property Management Services Pte Ltd (3) New-E Security Pte Ltd … Organisations DECISION 1 Management Corporation Strata Title Plan No. 3593 & Others [2020] SGPDPC 6 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3554 2 March 2020 Introduction 1 On 19 March 2019, Edmund Tie & Company Property Management Services Pte Ltd (“ETCPM”) on behalf of Management Corporation Strata Title Plan No. 
3593 (“MCST 3593”) notified the Personal Data Protection Commission (the “Commission”) of unauthorised disclosure of closed-circuit television (“CCTV”) footage recorded at the premises of MCST 3593, known as Marina Bay Residences (the “Condominium”), by New-E Security Pte Ltd (“New-E”), a company providing security services at the Condominium, to an owner resident of a unit at the condominium (the “Incident”). Facts of the Case 2 MCST 3593 had appointed ETCPM as the managing agent of the Condominium since 2012. In November 2014, MCST 3593 had also engaged New-E to provide security services at the Condominium. ETCPM’s scope of work as managing agent included supervising New-E to ensure it carried out its duties properly. 3 On 1 February 2019, an owner resident of a unit at the Condominium (the “Resident”) approached the security supervisor on duty, who was an employee of New-E (the “Security Supervisor”), to request a copy of the CCTV footage of the Condominium’s lobby on 29 January 2019 between 9.00 pm and 9.30 pm (the “Requested CCTV Footage”). The Requested CCTV Footage had captured images of identifiable individuals who had passed through the common property during that period, and hence contained personal data of those individuals. The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Footage. The Security Supervisor then sent a copy of the Requested CCTV Footage which he had recorded on his mobile phone to the Resident using WhatsApp messenger. The Security Supervisor also sent a copy of the same footage to the residence manager of the Condominium, who was an employee of ETCPM (the “Residence 2 Manager”). Upon receiving the copy of the Requested CCTV Footage, the Residence Manager contacted the Security Supervisor who informed him of the Resident’s request. 
The Residence Manager instructed the Security Supervisor not to release the Requested CCTV Footage to the Resident and to await further instructions. At that time, the Security Supervisor did not inform the Residence Manager that he had already sent a copy of the Requested CCTV Footage to the Resident. 4 On 2 February 2019, ETCPM informed MCST 3593 of the Resident’s request. MCST 3593 decided not to disclose the Requested CCTV Footage to the Resident and the Residence Manager conveyed MCST 3593’s decision to the Security Supervisor. Both MCST 3593 and ETCPM remained unaware that the Security Supervisor had already sent a copy of the Requested CCTV Footage to the Resident. 5 On 9 February 2019, the Residence Manager was notified that the Resident’s Facebook page contained a post with a copy of the Requested CCTV Footage (the “Facebook Post”). On 11 February 2019, the Residence Manager contacted the operations director of New-E to inform him of the matter. On the same day, the Security Supervisor admitted to the Operation Director of New-E that he had sent a copy of the Requested CCTV Footage to the Resident on 1 February 2019. On 13 February 2019, ETCPM informed MCST 3593 of the unauthorised disclosure of the Requested CCTV Footage by the Security Supervisor to the Resident and the Facebook Post. 6 Since the discovery of the Incident, the following remedial actions have been taken: (a) MCST 3593 appointed a Data Protection Officer (“DPO”) and implemented its Personal Data Protection Policy and Standard Operating Procedure to comply with the Personal Data Protection Act 2012 (“PDPA”). MCST 3593 also informed the Commission that it will also be preparing and including additional data processing provisions in addendum(s) to the respective contracts with its managing agent and security company; and (b) New-E developed a personal data protection policy and operational procedure on personal data protection for all its employees. 
3 Findings and Basis for Determination 7 For the reasons set out below, I find MCST 3593 in breach of Sections 11(3), 12 and 24 of the PDPA and New-E in breach of section 24 of the PDPA. I find ETCPM not to be in breach of any of its obligations under the PDPA in relation to the Incident. Breach of Sections 11(3), 12 and 24 of the PDPA by MCST 3593 8 As an “organisation” under the PDPA, MCST 3593 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control. 1 It is not disputed that MCST 3593 had possession and/or control of the Requested CCTV Footage. To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, it should have in place a written agreement with clauses requiring them to comply with the data protection provisions under the PDPA, and carried these contractual obligations through into implementing practices like standard operating procedures.2 9 In the present case, MCST 3593 had engaged New-E to provide security services (including the management of CCTV footage) for the Condominium. In the course of providing security services, New-E was engaged to process personal data on behalf of MCST 3593, to wit, New-E had to process video footage captured by the CCTV network and system. In this case, the Security Supervisor retrieved CCTV footage, made a recording of an extract, and transmitted it. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 3593 and New-E is that of a data controller and data intermediary. However, the contract between MCST 3593 and New-E did not contain any clauses relating to the protection of personal data or any reference to the PDPA. 
There were no written instructions in the contract in relation to the management of CCTV footage, and MCST 3593 admitted to the Commission that it had not communicated any data protection requirements to ETCPM or New-E. In the circumstances, I find MCST 3593 in breach of Section 24 of the PDPA. 1 Section 24 of the PDPA See Re KBox Entertainment Group Pte. Ltd. [2016] SGPDPC 1 at [12] and 29(b)(ii); the Commission’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (20 July 2016) which provides sample data protection clauses that organisations may find helpful 2 4 10 In addition, during the course of investigations, MCST 3593 admitted that it had not appointed any DPO and it had not developed and put in place any data protection policies, as required under Sections 11(3) and 12 respectively of the PDPA. The importance of these requirements has been emphasized multiple times in previous decisions, 3 as well as the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. In the circumstances, MCST 3593 was also in breach of Sections 11(3) and 12 of the PDPA. Breach of Section 24 of the PDPA by New-E 11 As mentioned at [9], the security services provided by New-E included the management of CCTV footage. This amounted to “processing” of personal data as defined in section 2(1) of the PDPA. New-E was accordingly acting as a data intermediary of MCST 3593 with respect to the Requested CCTV Footage. 12 In my view, New-E failed to put in place reasonable security arrangements to protect the Requested CCTV Footage and was in breach of section 24 of the PDPA for the following reasons: (a) According to New-E, it had a practice of only releasing CCTV footage to representatives of ETCPM which was communicated verbally to New-E’s employees and ETCPM. 
However, New-E conceded that it did not have any written policies to instruct and guide its employees with respect to their obligations under the PDPA, in particular the usage of mobile phones to record CCTV footage. In the present case, the Security Supervisor did not adhere to New-E’s practice and this may be due, at least in part, to the lack of a written policy which clearly sets out the relevant procedures to be followed before CCTV footage is disclosed. (b) New-E did not provide data protection training for its employees. It is well-established that proper training is a key security arrangement in an organisation’s compliance with the protection obligation under section 24 of the PDPA [fn 4]. Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. [fn 3: See Re Aviva Ltd [2017] SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [5]] [fn 4: Re National University of Singapore [2017] SGPDPC 5 at [15] – [28]; Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]; Re SME Motor Pte Ltd [2019] SGPDPC 21 at [10] and Advisory Guidelines On Key Concepts in the Personal Data Protection Act (Revised 9 Oct 2019) at [17.5]] No Breach of the PDPA by ETCPM 13 ETCPM was a data intermediary of MCST 3593 in relation to the personal data it processed on their behalf when carrying out its duties as managing agent. As a data intermediary, ETCPM had an obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect such personal data which was in its possession or under its control. 14 However, the personal data which is the subject of the present case was not in the possession or under the control of ETCPM. 
In particular, the Requested CCTV Footage was in the possession and under the control of New-E and was within the scope of New-E’s responsibilities as MCST 3593’s security services provider, as mentioned at [11]. Accordingly, it was not ETCPM’s responsibility in the present case to put in place reasonable security arrangements to protect the Requested CCTV Footage. 15 For completeness, I note that pursuant to the written agreement between MCST 3593 and ETCPM, ETCPM’s scope of services as managing agent included supervising New-E and ensuring that it carried out its duties and responsibilities properly and efficiently. The Incident did not arise due to ETCPM’s lack of supervision over New-E. As mentioned at [3] and [4] above, the Residence Manager instructed the Security Supervisor not to disclose the CCTV Footage to the Resident without further instructions, and subsequently conveyed MCST 3593’s instructions to the Security Supervisor that the Requested CCTV Footage should not be disclosed. Unbeknown to the Residence Manager, his instructions came too late because the Security Supervisor had already disclosed a copy of the Requested CCTV Footage to the Resident before then. 16 In the circumstances, I find that ETCPM was not in breach of any of its obligations under the PDPA in relation to the Incident. Representations by MCST 3593 17 In the course of settling this decision, MCST 3593 made representations regarding the findings as set out at [8] to [10], and on the quantum of financial penalty. The Organisation raised the following factors: (a) MCST 3593 comprises subsidiary proprietors, and its council is elected annually at the annual general meeting to represent all subsidiary proprietors. All members of the council serve on a voluntary basis; (b) MCST 3593 appointed ETCPM to advise on its obligations and act on its behalf. MCST 3593’s management council relies on ETCPM to guide and help put in place measures to comply with the PDPA. 
According to MCST 3593, measures and safeguards had already been put in place to ensure that collection, use, disclosure of personal data, as well as protection and retention of personal data are in compliance with the PDPA; (c) The Security Supervisor disclosed the Requested CCTV Footage against the Resident Manager’s instructions and usual standard operating procedures. The Resident Manager’s instructions to the Security Supervisor were for and on behalf of the MCST 3593. No measures or safeguards could have prevented such wilful acts by the Security Supervisor; and (d) MCST 3593 took immediate remedial actions to address the matter, including voluntarily informing the Commission of the Incident. 18 Having carefully considered the representations, I have decided to maintain the quantum of financial penalty set out at [19(a)] for the following reasons: (a) In relation to MCST 3593’s representations on its constitution and the voluntary nature of the members of MCST 3593’s council, it is not disputed that MCST 3593 is an “organisation” as defined in section 2(1) of the PDPA and is therefore required to comply with the data protection provisions. The fact that the members of MCST 3593’s council are volunteers does not lower the standard expected of MCST 3593 in complying with its obligations under the PDPA. (b) It is not disputed that one of the roles that ETCPM had to perform as managing agent was the supervision of New-E. However, the gravamen of the breach lies in the fact that when MCST 3593 appointed New-E, there was nothing in the contract between them, or any written instructions thereafter, that dealt with the protection of personal data in the management of CCTV footage. New-E is a data intermediary to MCST 3593 insofar as it was managing personal data captured and stored in the CCTV system. As such, the contract between MCST 3593 and New-E has to deal with the protection and retention limitation obligations under the PDPA over this set of personal data. 
This ought to be followed through in their standard operating procedures, which in this case could either be supplied by ETCPM in its capacity as managing agent and supervisor of New-E or put in place between MCST 3593 and New-E. A review of the contract between MCST 3593 and New-E discloses this omission; and no written policies concerning the management of personal data stored in CCTV footage have been produced during investigations. On the contrary, New-E has admitted that there was nothing written up and they relied on verbal instructions of practices: at [12(a)]; and MCST 3593 admitted that it has not given any data protection instructions to either ETCPM or New-E: at [9]. (c) As for MCST 3593’s representations on the Resident Manager’s instructions to the Security Supervisor and the Security Supervisor’s wilful conduct, this does not absolve MCST 3593 from the requirement of having data protection clauses in its respective contracts with ETCPM and New-E and implementing standard operating procedures. The lack of these is sufficient reason to find a contravention of section 24 of the PDPA by MCST 3593. (d) MCST 3593’s prompt remedial actions and voluntary notification to the Commission of the Incident had already been taken into consideration in my determination of the quantum of financial penalty. 
The Deputy Commissioner’s Directions 19 Having considered all the relevant factors in this case, I hereby direct: (a) MCST 3593 to pay a financial penalty of $5,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; and (b) New-E to: (i) put in place a data protection policy and internal guidelines, including procedures for proper management and access control in respect of CCTV footage within 30 days from the date of this direction; and (ii) inform the Commission of the completion of the above within 7 days of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ","Financial Penalty, Directions",eeb49dfd4acb4b4db0e54f38d3c03d45e12085b1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,105,105,1,952,Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. 
MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA.,"[""Protection"", ""Accountability"", ""Directions""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. 
SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of the CCTV footage showing the Accident (the “Relevant CCTV Footage”) and recorded it with his mobile phone. The SSS then sent the copy of the Relevant CCTV Footage which he had recorded on his mobile phone to a WhatsApp group chat consisting of the SSS, the Security Executive from ABSM (the “SE”) who was also on duty at the time of the Accident, and MCST 4375’s Property Officer. The SSS also sent a copy of the same footage to ABSM’s Operations Manager in a separate WhatsApp message. Subsequently, the SE forwarded a copy of the Relevant CCTV Footage to the cleaning supervisor (engaged by MCST 4375) on duty at the time of the Accident (the “Cleaning Supervisor”). The SE also told the Cleaning Supervisor to inform the cleaners not to enter the barricaded area (where the Accident occurred) when carrying out their cleaning duties. 4 On 25 February 2019, a member of the management council of MCST 4375 (the “Management Council Member”) requested a copy of the Relevant CCTV Footage from the SSS for purposes relating to an emergency meeting of MCST 4375’s management council. The SSS sent the Management Council Member a copy of the Relevant CCTV Footage. 
The Management Council Member then forwarded the Relevant CCTV Footage via WhatsApp to the other members of MCST 4375’s management council for their information. 5 On or around 26 February 2019, a copy of the Relevant CCTV Footage was posted onto the video-sharing website YouTube. The YouTube video containing a copy of the Relevant CCTV Footage was subsequently made available through various websites on the Internet. 6 Since the discovery of the Incident, MCST 4375 took the following remedial actions: (a) MCST 4375 replaced SPMS with a new managing agent with effect from 18 March 2019; and (b) An internal memorandum was issued to all MCST 4375 employees specifying that there shall be no distribution of any documents or media materials from the management office of MCST 4375, without prior approval from MCST 4375’s management council. Findings and Basis for Determination 7 For the reasons set out below, I find MCST 4375 in breach of Sections 12 and 24 of the PDPA and ABSM in breach of section 24 of the PDPA. I find SPMS not to be in breach of any of its obligations under the PDPA in relation to the Incident. Breach of Sections 12 and 24 of the PDPA by MCST 4375 8 Under section 24 of the PDPA, MCST 4375 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control. It is not disputed that MCST 4375 had possession and/or control of the Relevant CCTV Footage. To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, it should have in place a written agreement with clauses requiring them to comply with the relevant data protection provisions under the PDPA [fn 1]. 
9 In the present case, MCST 4375 had engaged ABSM to provide security services which included management of CCTV footage recorded via the Mall’s CCTV system. In the course of providing security services, ABSM was engaged to process personal data on behalf of MCST 4375, to wit, ABSM had to process video footages captured by the Mall’s CCTV network and system. In this case, the SSS retrieved CCTV footage recorded by the Mall’s CCTV system, made a recording of an extract (i.e. the Relevant CCTV Footage) and transmitted it to various parties. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 4375 and ABSM is that of a data controller and data intermediary. 10 The Commission’s investigations revealed that MCST 4375 had security arrangements in place to restrict access to the Fire Control Centre (which was the only place where CCTV footage could be viewed). However, MCST 4375 did not provide any instructions to ABSM or SPMS in relation to requests for access to personal data, as well as the management of CCTV footage in general. Given its duties (which included processing CCTV footage on behalf of MCST 4375), MCST 4375 should have had written instructions clearly setting out the relevant procedures to be followed by ABSM and SPMS if they received a request for access to, or disclosure of, any CCTV footage recorded at the Mall. In the circumstances, I find MCST 4375 in breach of Section 24 of the PDPA. [fn 1: See Re KBox Entertainment Group Pte. Ltd. [2016] SGPDPC 1 at [12] and 29(b)(ii); the Commission’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (20 July 2016) which provides sample data protection clauses that organisations may find helpful]
11 In addition, under section 12 of the PDPA, organisations are required to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. The importance of data protection policies has been emphasized multiple times in previous decisions [fn 2], as well as in the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. 12 It emerged during the course of the Commission’s investigations that MCST 4375 had not developed or put in place any data protection policies. According to MCST 4375, it expected its managing agent (i.e. SPMS) to put in place the necessary policies and practices for MCST 4375 to comply with the PDPA. However, the contract between MCST 4375 and SPMS did not contain any requirements or clauses to this effect. MCST 4375 also conceded that it had not given any instructions to SPMS in this regard. In the circumstances, I also find MCST 4375 in breach of Section 12 of the PDPA. Breach of Section 24 of the PDPA by ABSM 13 As mentioned at [9], the security services provided by ABSM included the management of CCTV footage. This amounted to “processing” of personal data as defined in section 2(1) of the PDPA. ABSM was accordingly acting as a data intermediary of MCST 4375 in respect of the Relevant CCTV Footage. 14 At the material time, ABSM had a Personal Data Protection Policy, which specifically provided that ABSM would not disclose personal data to third parties without MCST 4375’s consent. ABSM also had Standard Operating Procedures (“SOP”) outlining the standards of conduct expected of its employees. [fn 2: See Re Aviva Ltd [2017] SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [5]] 
However, the SOP did not include provisions in relation to the recording, retrieving or disclosure of CCTV footage recorded at the Mall or the personal data captured therein. In addition, ABSM had a Crisis Report Flow Chart for the reporting of incidents (such as the Accident) which also did not contain any provisions relating to the handling of personal data. 15 Although the Relevant CCTV Footage contained personal data that was publicly available and consent for disclosure is not required, section 18(a) of the PDPA overlays the requirement that disclosure must nevertheless be for a reasonably appropriate purpose in the circumstances. In my view, the disclosure of the Relevant CCTV Footage by the SSS to MCST 4375’s Property Officer, ABSM’s Operation Manager, the SE and the Management Council Member was for a reasonably appropriate purpose. Pursuant to the Crisis Report Flow Chart, the SSS had to inform representatives of MCST 4375 and his supervisor (i.e. the ABSM Operation Manager) of the Accident. The SE was on duty at the time of the Accident and would have been working with the SSS to manage the situation post-Accident. As for the disclosure to the Management Council Member, members of the Management Council are representatives of an MCST and disclosure to them was akin to disclosure to MCST 4375. 16 However, the disclosure of the Relevant CCTV Footage by the SE to the Cleaning Supervisor was unauthorised and in direct contravention of both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart. Given that the Relevant CCTV Footage contained personal data that was recorded in the Mall, ABSM’s Personal Data Protection Policy required the SE to obtain MCST 4375’s approval before sending a copy of the Relevant CCTV Footage to the Cleaning Supervisor. The SE’s failure to do so may be due, at least in
part, to the lack of any provisions in the SOP setting out the procedures to be followed before CCTV footage is disclosed. 17 It is well-established that proper training is a key security arrangement in an organisation’s compliance with the protection obligation under section 24 of the PDPA [fn 3]. Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. According to ABSM, both the SSS and SE were briefed on the PDPA in August 2018 when they were assigned to work at the Mall. However, the SE’s conduct evidenced a lack of knowledge or understanding of ABSM’s internal policies and procedures. 18 In my view, ABSM failed to properly train and communicate its internal policies and procedures in relation to the protection of personal data to its employees. In particular, ABSM should have had a written policy setting out the procedures to be followed in relation to the disclosure of CCTV footage and the personal data therein. In the circumstances, I find ABSM in breach of Section 24 of the PDPA. No Breach of the PDPA by SPMS 19 SPMS was also a data intermediary of MCST 4375 in relation to the personal data it processed on their behalf when carrying out its duties as managing agent. As a data intermediary, SPMS had an obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect such personal data which was in its possession or under its control. [fn 3: Re National University of Singapore [2017] SGPDPC 5 at [15] – [28]; Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]; Re SME Motor Pte Ltd [2019] SGPDPC 21 at [10] and Advisory Guidelines On Key Concepts in the Personal Data Protection Act (Revised 9 Oct 2019) at [17.5]] 
20 Notably, the personal data which is the subject of the present case was not in the possession or under the control of SPMS. In particular, the Relevant CCTV Footage was in the possession and under the control of ABSM and was within the scope of ABSM’s responsibilities as MCST 4375’s security services provider. Accordingly, it was not SPMS’ responsibility to put in place reasonable security arrangements to protect the Relevant CCTV Footage. 21 While SPMS’ duty as managing agent was to exercise a supervisory role over ABSM, the Commission’s investigations revealed that this was limited to exercising broad oversight over the attendance and performance of duties by ABSM’s employees. In both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart, SPMS did not have a role with respect to the management or approval of requests for access or disclosure of personal data. In particular, there was no requirement for ABSM’s employees to consult or seek approval from SPMS in relation to the disclosure of CCTV footage. The Incident accordingly did not arise due to SPMS’ lack of supervision over ABSM. 22 In the circumstances, I find that SPMS was not in breach of any of its obligations under the PDPA in relation to the Incident.
The Deputy Commissioner’s Directions 23 Having considered all the relevant factors in this case, I hereby direct: (a) MCST 4375 to: (i) Develop and implement policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 12 of the PDPA within 60 days from the date of this decision; (ii) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; (iii) As part of the security arrangements to be put in place, conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data within 60 days from date of decision; and (iv) Inform the Commission of the implementation of each of the above within 1 week of implementation; and (b) ABSM to: (i) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; and (ii) Inform the Commission of the implementation of the above within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,c9534d20c08d9b7217ff8dd7e875c02139ab7e2a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,106,106,1,952,"Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. 
Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions""]",2020-02-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association,https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association,2020-02-11,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. 
The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also found that the Organisation had not appointed a person to be responsible for ensuring its compliance with the Personal Data Protection Act 2012 (the “PDPA”). Further, the Organisation had not developed and implemented any policies and practices necessary for it to meet its obligations under the PDPA. 7. The Organisation had taken the Website offline after the Incident on 15 March 2019. On 14 November 2019, the Organisation had put online a new website that no longer allowed online access to the database of the Organisation’s members. The new website also included a data protection notice. 8. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of sections 11(3), 12 and 24 of the PDPA. In determining the directions, the Deputy Commissioner took into consideration that the Organisation was a volunteer organisation made up primarily of parents. 
The Organisation is directed to, within 60 days, (i) appoint one or more individuals to be responsible for ensuring that it complies with the PDPA, (ii) develop and implement internal data protection and training policies, and (iii) to put all volunteers handling personal data through data protection training. ",Directions,79c294efa7335db9a6489bfae8e1c1eedccbf23b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,115,115,1,952,"Directions, including a financial penalty of $20,000, were imposed on Society of Tourist Guides for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions"", ""Financial Penalty""]",2020-01-09,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Society-of-Tourist-Guides-Singapore-261219.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Society of Tourist Guides,https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-accountability-obligations-by-society-of-tourist-guides,2020-01-09,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 48 Case No. DP-1903-B3445 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Society of Tourist Guides (Singapore) … Organisation DECISION Society of Tourist Guides (Singapore) [2019] SGPDPC 48 Tan Kiat How, Commissioner — Case No. 
DP-1903-B3445 26 December 2019 Introduction 1 On 3 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of individuals had apparently been exposed to unauthorised access and disclosure through links on the Society of Tourist Guides (Singapore)’s (the “Organisation”) website. Facts of the Case 2 The Organisation is a non-profit organisation that works with the Singapore Tourism Board (“STB”) to promote the professionalism of tourist guides as tourism ambassadors of Singapore. Tourist guides registered with STB may sign up as members of the Organisation (“Members”). In May 2018, the Organisation engaged a Vietnam-based IT company (the “Vendor”) to develop its website https://societyoftouristguides.org.sg (the “Website”). 3 One of the Organisation’s purposes for the Website was to collect personal data from its Members. Personal data was collected from Members through their respective user accounts on the Website and included their names, photographs, contact numbers, e-mail addresses and a write-up of themselves (for example, with the type of services they provided) (“Profile Data”). Members could also upload images of their identification documents (e.g. NRIC, employment pass, driving and vocational licences) which contained various personal data (“ID Data”). 4 Members’ Profile Data were published on their respective public profile pages on the Website. This enabled members of the public to find and engage a Member with the necessary experience and expertise to provide services that he or she required. 5 As regards the ID Data, these were used by the Organisation for a few purposes. These included (i) applying for SkillsFuture grants for training programmes conducted for Members; (ii) facilitating arrangements for Members to gain access to secure locations when required (e.g. 
transit areas in airports); and (iii) verifying that the Members were qualified to provide transport services based on his or her driving and vocational licences. 6 The Organisation did not specify any requirements to its Vendor with respect to the storage and protection of Members’ personal data collected through the Website. The Website was launched on 1 October 2018. Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to ad-hoc technical assistance. 7 On 3 March 2019, the Commission received a complaint that there had been disclosure without consent of sensitive information of individuals, such as Singapore National Registration Identity Card (“NRIC”), Driving Licence and photographs, through links on the Website (the “Incident”). The Commission’s investigations revealed that a total of 111 unique Members were affected by the Incident (the “Affected Members”)[1]. In this regard, the publicly accessible directories on the Website (“Web Directories”) were found to store images of identification documents set out below which contained ID Data of the Affected Members (the “Disclosed Data”):
S/N. | Type of Identification Document | Type of Personal Data in the Identification Document | Number of Members Affected
1. | Singapore National Registration Identity Card (“NRIC”) | Name, NRIC number, photograph, thumbprint, address, date of birth, country of birth, race, gender and date of issue. | 97
2. | Singapore Armed Forces Identity Card | Name, NRIC number/colour, photograph, address, date of birth, country of birth, race, gender, blood group, service status and military rank status. | 1
3. | Vietnamese Identity Card | Name, card number, photograph, date of birth, place of birth, place of residence, fingerprints, ethnic group, religion and date of issue. | 1
4. | Singapore Employment Pass | Name, photograph, occupation, Foreign Identification Number, date of application, date of issue, date of expiry and employer. | 1
5. | Singapore Driving Licence | Name, licence number (same as NRIC number), photograph, date of birth, classes of vehicles the individual is licensed to drive and each pass date and date of issue. | 47
6. | Singapore Vocational Licence | Name, licence number (same as NRIC number), photograph, date of issue and type and description of each vocational licence held, and their respective dates of issue. | 16
[1] A Member could have uploaded images of more than one type of identification document on the Website.
8 It also emerged in the course of the Commission’s investigations that the Organisation had not appointed any data protection officer (“DPO”), and had not developed and put in place any data protection policies that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (the “PDPA”). 9 Following the Incident, the Organisation took the following remedial actions: (a) Appointed two DPOs; (b) With the assistance of its Vendor, disabled public access to the Web Directories and contacted Google to remove all cached images of the Disclosed Data; and (c) Developed a data protection policy. Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 10 As a preliminary point, the Organisation owned and managed the Website, and had possession and control over the Disclosed Data at all material times. While the Vendor had been engaged to develop the Website and subsequently provided technical assistance on an ad-hoc basis, the Vendor had not processed any personal data collected via the Website on the Organisation’s behalf. The Vendor was therefore not a data intermediary of the Organisation, and the Organisation was solely responsible for the protection of the Disclosed Data under the PDPA. 
11 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 12 In this regard, the Commissioner found that the Organisation had failed to put in place reasonable security arrangements to protect the Disclosed Data for the following reasons. First, as mentioned at [6], the Organisation did not specify any requirements to its Vendor with respect to the storage and protection of personal data (including the ID Data) which was collected from Members through the Website. The Organisation had intended for the Website to have public profile pages on which Members’ Profile Data were displayed for public access, but at the same time ID Data was collected and to be used for administrative purposes like applying for training grants, facilitating access to secure locations and verifying driving qualifications. Clear requirements could and should have been communicated to its Vendor that ID Data collected through the Website was not meant to be publicly accessible. This can be done by the Organisation from the perspective of the business owner of the Website, while relying on the Vendor to propose the technical implementation that will meet this business requirement. 13 The Commission’s investigations also revealed that security testing had never been conducted since the launch of the Website in October 2018. In this regard, the Organisation admitted that it failed to take into consideration the security arrangements of the Website due to its lack of experience. As observed in WTS Automotive Services Pte Ltd [2018] SGPDPC 26 at [24], while an organisation may not have the requisite level of technical expertise, a responsible organisation would have made genuine attempts to give proper instructions to its service providers. 
The gravamen in the present case was the Organisation’s failure to do so. 14 The Commission’s Guide on Building Websites for SMEs (revised 10 July 2018) provides guidance on what is expected from organisations contracting professional services to build their corporate websites or other online portals. In particular, organisations that engage IT vendors to develop and/or maintain their websites should emphasize the need for personal data protection to their IT vendors, by making it part of their contractual terms.[2] 15 Secondly, and as observed in Re Tutor City [2019] SGPDPC 5 at [21] to [23], where documents containing personal data have to reside on web servers, folder or directory permissions are common and direct methods of controlling access and preventing unauthorised access by public users and web crawlers. Depending on its business needs and circumstances, the Organisation could have instructed the Vendor to implement any of the following reasonable technical security measures to protect the Disclosed ID Images: (a) place documents containing the Disclosed ID Images in a non-public folder/directory. (b) place documents containing the Disclosed ID Images in a non-public folder or directory, with access to these documents controlled through web applications on the server. (c) place documents containing the Disclosed ID Images in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). [2] Guide on Building Websites for SMEs (revised 10 July 2018) at [4.2.1]. 16 In view of the above, the Commissioner found that the Organisation had contravened section 24 of the PDPA. 
Whether the Organisation was in breach of sections 11(3) and 12 of the PDPA 17 In relation to the Organisation’s failure to appoint a DPO and develop and implement any data protection policy, these are required under sections 11(3) and 12 respectively of the PDPA. In particular, section 11(3) requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. Section 12 of the PDPA requires organisations to (among other things): (a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA; and (b) communicate information about such policies to its staff. 18 The importance of these requirements has been emphasised multiple times in previous decisions. For example, it is important for an organisation to document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation’s obligations under the PDPA (Re Aviva Ltd [2017] SGPDPC 14 at [32]). Similarly, appointing a DPO is important in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA (see e.g. Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]). 19 In the circumstances, the Organisation was clearly in breach of sections 11(3) and 12 of the PDPA. While it has since appointed DPOs, it has not yet developed written policies and practices necessary to ensure its compliance with the PDPA. Representations by the Organisation 20 In the course of settling this decision, the Organisation made representations on the amount of financial penalty which the Commissioner intended to impose, and requested that the financial penalty be paid in instalments. 
The Organisation raised the following factors for the Commissioner’s consideration: (a) The Organisation had limited funds in its bank account and does not have any tangible assets which may be sold to raise funds to pay the financial penalty; (b) The Organisation had been making losses in the preceding 3 months; and (c) The Organisation has been seeking funding assistance from the Singapore Tourism Board. 21 Having carefully considered the representations, the Commissioner has decided to maintain the financial penalty set out in [23(a)]. The matters raised by the Organisation in [20] are not additional mitigating factors that justify a reduction in the financial penalty. However, the Commissioner is agreeable to the Organisation’s request that the financial penalty be paid in instalments. The Commissioner’s Directions 22 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) The Organisation was cooperative in the investigations and provided information promptly; (b) Upon being notified of the Incident, the Organisation took action to disable public access to the Web Directories, and notified its Members of the Incident; and (c) There was limited unauthorised access and disclosure of the Disclosed ID Images as the Web Directories had only been accessed a total of 6 times. 
23 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to: (a) Pay a financial penalty of $20,000 in 8 instalments by the due dates as set out below, failing which, the full outstanding amount shall become due and payable immediately and interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full: (i) 1st instalment of $2,500 on 1 February 2020; (ii) 2nd instalment of $2,500 on 1 March 2020; (iii) 3rd instalment of $2,500 on 1 April 2020; (iv) 4th instalment of $2,500 on 1 May 2020; (v) 5th instalment of $2,500 on 1 June 2020; (vi) 6th instalment of $2,500 on 1 July 2020; (vii) 7th instalment of $2,500 on 1 August 2020; and (viii) 8th instalment of $2,500 on 1 September 2020. (b) Complete the following within 60 days from the date of this direction: (i) Review the security of the Website and implement appropriate security arrangements to protect the personal data in its possession or control; (ii) Put in place written internal policies and practices as required under section 12 of the PDPA; (iii) Develop and implement a training policy for employees of the Organisation handling personal data to be trained to be aware of, and to comply with the requirements of, the PDPA when handling personal data; and (iv) Require all existing employees to attend such training. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 9 ","Directions, Financial Penalty",00f2b94a482f683c070998c51833856ca9a1a01a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,122,122,1,952,"Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training.","[""Protection"", ""Accountability"", ""Directions""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Global Outsource Solutions,https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions,2019-12-05,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). 
The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of personal data for the purposes of registering products through the Website. This failure to develop and implement such internal data protection policies is a breach of section 12 of the PDPA. 5. The Organisation has since removed the warranty registration section on its website and is in the process of revamping its Website to incorporate the necessary security arrangements. 
The Organisation is directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through data protection training. ",Directions,ab0971aeb10525bfdeea3bf683966ddd8fc40f11,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,124,124,1,952,"A financial penalty of $12,000 was imposed on The Travel Corporation (2011) for breaches of the PDPA. The Organisation failed to appoint a data protection officer and did not put in place reasonable security arrangements to protect its customers’ personal data stored in portable storage devices.","[""Protection"", ""Accountability"", ""Financial Penalty""]",2019-12-05,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---The-Travel-Corporation-2011-Pte-Ltd.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by The Travel Corporation (2011),https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-the-travel-corporation-(2011),2019-12-05,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 42 Case No. DP-1810-B2821 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Travel Corporation (2011) Pte. Ltd. … Organisation DECISION The Travel Corporation (2011) Pte. Ltd. [2019] SGPDPC 42 Tan Kiat How, Commissioner — Case No. DP-1810-B2821 19 November 2019 Introduction and Material Facts 1 The Travel Corporation (2011) Pte. Ltd. (the “Organisation”) offers travel packages both directly to Singapore customers and via third party travel agencies. 
On 1 October 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) regarding the loss of a portable hard disk (the “Hard Disk”) which contained unencrypted files with the personal data of the Organisation’s customers, employees and suppliers (the “Incident”). The facts and circumstances of the Incident are as follows. 2 On 25 July 2018, a new employee of the Organisation left the office with her laptop and the Hard Disk; and misplaced both these devices on her way home. She initially only informed the Organisation about the loss of the laptop and a police report was made on 31 July 2018. The misplaced laptop did not contain any personal data. She eventually informed the Organisation about the loss of the Hard Disk on 21 September 2018 and the Organisation made another police report that day. 3 The table below summarises the number of affected individuals and their corresponding types of personal data contained in the Hard Disk:
S/N. | Category | Types of Personal Data in the Hard Disk | Number of Individuals Affected
1. | Customers | Name, Email Address, Phone Number, Date of Birth and Postal Address | 5,437
2. | Customers | Same as item 1 plus Passport Number | 21
3. | Customers | Same as item 1 plus NRIC Number | 242
4. | Prospective Customers | Same as item 1 | 11,000
5. | Employees | Name, Office Email Address and Office Phone Number | 30
6. | Suppliers | Names, Company Address, Email Address, Mobile Number, Office Number | 1,900
Total number of individuals | 18,630
4 It also emerged in the course of the Commission’s investigations that the Organisation had not appointed any data protection officer (“DPO”) prior to the data breach incident on 25 July 2018. Remedial actions by the Organisation 5 The Organisation subsequently took the following remedial measures: (a) The Organisation ceased the use of portable storage devices and implemented the use of cloud-based storage for personal data in its possession; and (b) The Organisation appointed a DPO on 22 October 2018. 
Findings and Basis for Determination Whether the Organisation had breached its obligation to protect personal data under section 24 of the PDPA 6 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements. A review of the evidence disclosed that business contact information of the Organisation’s own employees and its suppliers comprised about 10% of the total number of affected individuals. Pursuant to section 4(5) of the PDPA, section 24 of the PDPA did not apply to such personal data. However, the personal data of the Organisation’s customers and prospective customers (the “Customers’ Personal Data”) have to be protected under the PDPA. 7 The Organisation failed to protect its Customers’ Personal Data as it failed to implement appropriate internal policies governing the use of portable storage devices containing personal data. While the Organisation has a Portable Computer and Storage Devices Policy that stipulated that ‘portable computing and storage devices used for business purposes must have designated custodians’, the Organisation did not have any operational frameworks or procedures in place that effectively implemented this policy in its individual business units. The Organisation only relied on verbal instructions to instruct its employees not to bring any portable storage devices out from the office premises. Further, the Organisation did not implement any password protection policies or data encryption policies for its portable storage devices, including the Hard Disk, although it had clear guidelines in its Acceptable User Policy and Information Sensitivity Policy to do so. 8 In the circumstances, the Commissioner found that the Organisation had not made reasonable security arrangements to protect its Customers’ Personal Data. The Organisation is accordingly in breach of section 24 of the PDPA. 
Whether the Organisation was in breach of section 11(3) of the PDPA 9 Section 11(3) of the PDPA requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. Appointing a DPO is important in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA: see e.g. Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]. 10 As the Organisation failed to appoint a DPO prior to the data breach incident, the Commissioner found the Organisation in breach of section 11(3) of the PDPA. The Commissioner’s Directions 11 In view of the above findings, the Commissioner directs the Organisation to pay a financial penalty of $12,000 within 30 days from the date of this direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. 12 In coming to this finding, the following mitigating factors were taken into account: (a) the Organisation notified the Commission of the Incident and fully co-operated with the Commission’s investigations; (b) the Organisation promptly implemented remedial measures, as set out at paragraph 5, to address the breach; (c) the Organisation is actively addressing system security related recommendations provided by an external auditor; and (d) the Commission had not received any complaints as a result of the Incident. 13 In view of the remedial measures taken by the Organisation, the Commissioner decided not to impose any other directions. The Organisation’s Representations 14 After the preliminary decision was issued to the Organisation, it made representations for a warning to be issued instead of an imposition of a financial penalty. 
The Organisation did not dispute the finding that it had breached section 24 of the PDPA. 15 In support of its request for a warning instead of the imposition of a financial penalty, the Organisation represented that it had taken the following rectification and remediation measures: (a) conducting a PDPA impact and gap analysis; (b) developing and enhancing internal PDPA policies and procedures; (c) improving current back-up systems and disaster recovery plans across the business promptly following the Incident; (d) notifying the affected individuals as soon as possible after the Incident; (e) filing a police report in case of potential misuse, ransom and/or other criminal activity; (f) arranging for PDPA training for employees; (g) publishing a privacy notice / statement on its website; (h) demonstrating proper coordination and practices in place; and (i) appointing a DPO. 16 The majority of the matters raised in mitigation are essentially remediation measures following from the gap analysis that the Organisation had performed. Due consideration had already been given to the prompt action that the Organisation took when the quantum of financial penalty was initially determined. None of the measures warrants an adjustment to the quantum of the financial penalty. Hence, the Organisation did not provide sufficient justification for the financial penalty to be replaced with a warning. 17 In its representations, the Organisation had provided an explanation for its failure to appoint a DPO. It had sent 2 employees to attend a data protection certification course. The Organisation explained that it did not appoint a DPO at the material time as its employees who attended the Certified Information Privacy Manager (“CIPM”) course had failed to pass the CIPM exams despite multiple attempts and the Organisation was under the impression that they could not be appointed as DPOs without passing the relevant exams. 
18 This misapprehension conflates the obligation to appoint a DPO and what is a reasonable way to go about it. The obligation for organisations to designate a DPO to ensure compliance with the PDPA under section 11(3) of the PDPA is a mandatory requirement under law. In the ideal case, the person appointed would be qualified to perform the role and undertake the responsibilities of a DPO at the time of appointment. The PDPA does not specify what these qualifications are. Furthermore, the pool of qualified DPOs, while growing, is small. There will be many instances where organisations will not be able to identify a member of staff or management who is already qualified. It is, therefore, perfectly acceptable to appoint a DPO and then send her for the necessary courses. In these situations, the Organisation should monitor the DPO’s progress to ensure that there is no tardiness in completing the courses and achieving the requisite qualification. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,673e8e9d7c2079f8018401c7ea6189c7ee37e666,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,132,132,1,952,"Directions, including a financial penalty of $15,000, were imposed on EU Holidays for breaches of the PDPA. 
The organisation failed to put in place reasonable measures to protect its customers’ personal data and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Protection"", ""Accountability"", ""Directions"", ""Financial Penalty""]",2019-11-04,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---EU-Holidays-Pte-Ltd.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by EU Holidays,https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-and-accountability-obligations-by-eu-holidays,2019-11-04,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 38 Case No DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And EU Holidays Pte. Ltd. … Organisation DECISION 1 EU Holidays Pte. Ltd. [2019] SGPDPC 38 Tan Kiat How, Commissioner — Case No DP-1901-B3254 4 October 2019 Introduction 1 On 14 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of EU Holidays Pte. Ltd.’s (the “Organisation”) customers was accessible through its website (the “Incident”). Facts of the Case 2 Pursuant to a Quotation of Services dated 16 May 2017 (“Contract”), the Organisation engaged an IT vendor (the “Vendor”) to develop a new website with e-commerce capabilities (the “Website”). One of the purposes of the Website was to allow the Organisation’s customers (“Customers”) to make online reservations for tour packages either directly or through the Organisation’s partner agents. Information relating to travel reservations received from Customers were stored in 2 web directories. For reservations made directly by Customers on the Website, the tax invoice generated would be stored in a web directory (“Web Directory 1”). 
As for reservations made through the Organisation’s partner agents on the Website, the tax invoice generated would be stored in another web directory (“Web Directory 2”). 3 The scope of work in the Contract did not specify any requirements with respect to the storage and protection of Customers’ personal data which was collected through the Website. The Website was launched on 9 December 2017. Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to maintenance and technical troubleshooting. 4 On or around 5 January 2019, a member of the public (“Complainant”) discovered copies of tax invoices containing Customers’ personal information while browsing for tour packages on the Website. The Complainant notified the Commission of the Incident on 14 January 2019. 5 Based on the Organisation’s internal records, from 9 December 2017 to 14 January 2019, tax invoices containing information of 1,077 Customers were exposed to unauthorised access and disclosure through links to Web Directory 1 and Web Directory 2.[1] The information contained in the invoices includes the following personal data (collectively, the “Disclosed Personal Data”): (a) Name; (b) Email address; (c) Address; (d) Contact number; (e) Booking date; (f) Travel destination; (g) Departure date; (h) Gender; (i) Date of birth; (j) Passport details (including number, date of issue and expiry); (k) Rooming arrangement (i.e. whether travellers are adults / children and the type of beds required); and (l) Amount payable. 6 Upon being notified of the Incident, the Organisation promptly carried out the following remedial actions: (a) Deleted all tax invoices stored on Web Directory 1; and (b) Disabled public access to Web Directory 2. [1] Specifically, the information of 336 Customers were stored in Directory 1 and the information of 741 Customers were stored in Directory 2. 
7 Separately, the Commission’s investigations revealed that the Organisation had not developed or implemented any internal data protection policies that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (the “PDPA”). Findings and Basis for Determination Whether the Organisation had contravened section 24 of the PDPA 8 As a preliminary point, the Organisation owned and managed the Website and had possession and control over the Disclosed Personal Data at all material times. While the Vendor had been engaged to develop the Website and subsequently provided maintenance and technical troubleshooting services, the Vendor had not processed the Disclosed Personal Data on the Organisation’s behalf. The Vendor was therefore not a data intermediary of the Organisation, and the Organisation was solely responsible for the protection of the Disclosed Personal Data under the PDPA. 9 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. In the Commissioner’s view, the Organisation failed to put in place reasonable security arrangements to protect the Disclosed Personal Data as explained below. 10 First, the Organisation failed to assess the risks to the Disclosed Personal Data collected through its Website and stored in Web Directory 1 and Web Directory 2. The investigations revealed that the Organisation had left it to the Vendor to put in place the appropriate security arrangements to protect the Disclosed Personal Data. Consequently, as mentioned at [3], the scope of work in the Contract did not include any requirements with respect to how the Disclosed Personal Data was to be stored or protected. 
The Organisation also did not review the standard of security of the Website and left it completely to the Vendor. In particular: (a) In relation to Web Directory 1, prior to the Incident, since the Organisation did not provide any instructions to the Vendor on the storage of tax invoices generated from direct reservations on its Website, it was unaware that such tax invoices were stored in Web Directory 1 which was publicly accessible. In this regard, the Organisation’s assertion was that it had intended for these tax invoices to be stored in a backend Content Management System which only authorised staff could log into and access. Its intention was not translated into action. (b) In relation to Web Directory 2, the Organisation intended for tax invoices generated from reservations through its partner agents to be stored in Web Directory 2, and accessed by partner agents using their respective email addresses and password. The Organisation asserted that it did not intend for Web Directory 2 to be publicly accessible. However, since the Organisation did not provide any instructions to the Vendor in relation to access controls for Web Directory 2, none was implemented.

11 What is expected from organisations contracting professional services to build their corporate websites or other online portals is explained in the Commission’s Guide on Building Websites for SMEs (revised 10 July 2018). In particular, organisations that engage IT vendors to develop and/or maintain their websites should emphasize the need for personal data protection to their IT vendors, by making it part of their contractual terms.[2] Given that the development of the Website was for the purposes of e-commerce (including the collection of Customers’ Disclosed Personal Data in relation to reservations for tour packages), the Organisation’s failure to specify clear requirements with respect to the protection of personal data is particularly glaring in this case.
12 Secondly, and as observed in Re Tutor City [2019] SGPDPC 5 at [21] to [23], where documents containing personal data have to reside on web servers, folder or directory permissions are common and direct methods of controlling access and preventing unauthorised access by public users and web crawlers. Depending on its business needs and circumstances, the Organisation could have instructed the Vendor to implement any of the following reasonable technical security measures to protect the Disclosed Personal Data: (a) place documents containing the Disclosed Personal Data in a non-public folder/directory. (b) place documents containing the Disclosed Personal Data in a non-public folder or directory, with access to these documents controlled through web applications on the server. (c) place documents containing the Disclosed Personal Data in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction).

13 In view of the above, the Commissioner found that the Organisation had contravened section 24 of the PDPA.

Whether the Organisation had contravened section 12 of the PDPA

14 Section 12 of the PDPA requires organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA and communicate information about such policies to its staff.

15 By the nature of its business as a travel agency, the Organisation regularly collects personal data of customers to fulfil reservations for tour packages. Notwithstanding this, the Organisation did not have any internal data protection policies to provide guidance to its employees on the handling of such personal data.

[2] Guide on Building Websites for SMEs (revised 10 July 2018) at [4.2.1]
16 In the circumstances, the Commissioner found that the Organisation had contravened section 12 of the PDPA.

The Commissioner’s Directions

17 In determining the directions, if any, to be imposed on the Organisation under section 29 of the PDPA, the Commissioner took into account the following mitigating factors: (a) the Organisation took prompt remedial actions following the Incident; (b) the Organisation was cooperative during the investigations; and (c) although the Disclosed Personal Data of 1,077 Customers was at risk of unauthorised access and disclosure, actual disclosure was only to the Complainant in respect of Customers’ Disclosed Personal Data in 20 invoices, albeit for a period of more than 1 year.

18 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to: (a) Pay a financial penalty of $15,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; (b) Complete the following within 60 days from the date of this direction: (i) Review the security of the Website and implement appropriate security arrangements to protect personal data in its possession and/or under its control; (ii) Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; and (iii) Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training.

YEONG ZEE KIN
DEPUTY COMMISSIONER
FOR COMMISSIONER FOR PERSONAL DATA PROTECTION
","Directions, Financial 
Penalty",e42f8ca451f258f74f2ef56d5d97b02110634815,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,138,138,1,952,"A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors and for not developing and implementing data protection policies and practices necessary to ensure its compliance with PDPA.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Education"", ""Tuition""]",2019-10-10,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Advance-Home-Tutors.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by Advance Home Tutors,https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-and-accountability-obligations-by-advance-home-tutors,2019-10-10,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 35 Case No DP-1806-B2218 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Advance Home Tutors … Organisation DECISION Advance Home Tutors [2019] SGPDPC 35 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2218 12 September 2019 Facts of the Case 1 On 7 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of many individuals had apparently been disclosed without authorisation on the Organisation’s website, www.advancetutors.com.sg (the “Website”). Upon investigation, the Commission found the following facts leading to this apparent unauthorised disclosure of personal data. 2 The Organisation is a sole proprietor who provides “matching services” through the Website between freelance tutors and prospective clients seeking tuition services. 
3 In January 2017, the Organisation engaged a freelance web developer based in the Philippines (the “Developer”) to provide the following services: (a) to design and develop the Website; and (b) to migrate the existing databases and files of the Organisation’s old website to the Website.

4 At that point in time, 834 freelance tutors had signed up with the Organisation and some of these tutors had chosen to upload their educational certificates to the Website’s server (the “Server”) via the Website. These certificates would be used by the Organisation to evaluate the suitability of the tutors for prospective jobs. In addition, copies of a tutor’s certificates were to be disclosed on the tutor’s public profile on the Website if the tutor consented to such disclosure. Out of the tutors who had uploaded educational certificates, a total of 152 tutors (the “Affected Individuals”) had not consented to disclosure of their educational certificates on their public profile.

5 The Developer subsequently migrated the educational certificates of the tutors who had uploaded them to the Website and stored them in an image subdirectory of a public directory found on the Server (the “Image Directory”). These directories were not secured with any form of access controls and were accessible by the public via the Internet if the path to the relevant directory was typed into a web browser. Furthermore, no measures were taken to prevent automatic indexing of the Image Directory by Internet search engines. This resulted in the contents of the Image Directory, including the educational certificates of the Affected Individuals, showing up in search results on Google after the Website went live on 17 October 2017.

6 On 6 April 2018, the Organisation informed the Developer to make certain changes to the Website in order to disclose the education certificates of consenting tutors on their public profile pages on the Website.
The Organisation provided written instructions to the Developer to “migrate all existing tutor profiles from the [old website] to the [Website]”, and to “impose all pre-existing conditions in the [old website] to the [Website] when migrating the tutors”. According to the Organisation, one of the pre-existing conditions of the old website was to only disclose educational certificates of tutors who had consent.

7 The Organisation also represented that it had provided the following verbal instructions to the Developer: (a) to “hide the educational certificates of tutors who did not give consent”; (b) to “respect and protect the privacy and confidentiality of all the data that is present in AHT website”; (c) it “should not disclose or share any of the personal data or AHT Admin user account details with a third party”; and (d) to “ensure users’ data is protected as AHT had entrusted them for the purpose of IT services”.

8 Acting on the Organisation’s instructions, the Developer wrote a coding script to enable the retrieval and display of the educational certificates from the Image Directory. However, the coding script lacked a validation condition to ensure that only educational certificates of tutors who had consented to disclosure were disclosed on the tutors’ profile pages on the Website. This resulted in all of the educational certificates found in the Image Directory, including those of the Affected Individuals, being retrieved and publicly disclosed on the Website through the tutors’ respective profile pages.

9 The disclosure of the Affected Individuals’ educational certificates (described at [5] and [8] above) resulted in the unauthorised disclosure of their personal data which was found on their respective educational certificates (the “Incident”).
The disclosed personal data included data such as the individual’s name and NRIC number, educational institutions attended and grades attained for each subject (the “Disclosed Data”).

10 Separately, during the Commission’s investigations, the Organisation admitted that it had not developed or implemented any data protection policies relating to its compliance with the Personal Data Protection Act 2012 (the “PDPA”).

Remedial measures taken by the Organisation

11 After being notified of the Incident, the Organisation took the following steps to mitigate the effects of the breach and to prevent its reoccurrence: (a) deleted all the educational certificates that were stored in the Image Directory; (b) ceased retention of any educational certificates received from the tutors; (c) requested Google to remove any cached copies of the educational certificates from the Image Directory; (d) conducted a penetration test to discover and address any gaps in respect of its security arrangements in respect of the Website and its server; (e) removed all front-end access to the “Search Tutor” and “Tutor Profile” pages of the Website; (f) engaged an external system analyst to check the work which may be performed by the Developer in future; and (g) developed a data protection policy.

Findings and Basis for Determination

Whether the Organisation had breached section 24 of the PDPA

12 Although the Organisation had engaged the Developer to provide various services, the Organisation retained possession and control over the Disclosed Data at all material times. It was responsible for the security arrangements to be implemented on the Website and its back-end system, as well as to protect the Disclosed Data.
13 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal and similar risks.

14 To determine whether the Organisation was in breach of section 24, the relevant question is whether it had put in place reasonable security arrangements to safeguard the Disclosed Data hosted on the Website and its Server. As the Disclosed Data included the NRIC numbers of the tutors concerned, it should be borne in mind that NRIC numbers are of special concern as they are “a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual”.[1] Further, the Commission’s Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers (issued 31 August 2018) at [2.4], albeit not effective at the time of the breach, points to the risks and potential impact of any unauthorised use or disclosure of personal data associated with an individual’s NRIC; and the expectation that organisations are to provide a greater level of security to protect NRIC numbers in their possession or control.

15 As the Organisation had engaged the Developer to develop the Website, the onus is on the Organisation to ensure that its security requirements for the Website and Server will be and have been met by the Developer.

[1] Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 at [19]
As part of this, the Organisation could have done the following:[2] (a) emphasised the need for personal data protection to the Developer by making it part of the written contract; (b) when discussing the Developer’s scope of work, required that any changes the Developer made to the Website did not contain vulnerabilities that could expose the personal data, and discussed whether the Developer had the necessary technical and non-technical processes in place to prevent the personal data from being exposed, accidentally or otherwise; and (c) tested the Website before any new changes went live to ensure that the Organisation’s instructions to the Developer were properly implemented and that the Website was sufficiently robust and comprehensive to guard against a possible cyberattack.

16 The Organisation admitted to the Commission that “there was a lack of technical expertise within Advance Home Tutor to protect personal data”, including the lack of expertise “on how to make the technical assessment and ensure that the assessment is robust enough for adequate protection for personal data”. This is also evident from the fact that the Organisation had required the Developer to migrate the information of its then-existing tutors from the old website to the Website “with the exact same conditions imposed” on the old website, without having any idea of how its old website had been configured.

[2] Further information on the steps that the Organisation should have taken when outsourcing the development of its Website may be found in the Commission’s Guide to Building Websites for SMEs.
17 Similar to Re Tutor City [2019] SGPDPC 5 (“Tutor City”), the Organisation also did not: (a) communicate any specific security requirements to the Developer to protect the personal data stored on the Server; (b) make reasonable effort to find out and understand the security measures implemented by the Developer for the Website; (c) attempt to verify that the security measures implemented had indeed “respect[ed] and protect[ed] the privacy and confidentiality of all the data that is present on the Website” to the extent expected by the Organisation; and (d) conduct any reasonable security testing (e.g. penetration tests).

18 To be clear, the lack of knowledge on the PDPA or expertise in the area of IT security is not a defence against the failure to take sufficient steps to comply with section 24 of the PDPA. There were resources, including the guides published by the Commission, and skilled personnel available that the Organisation could have relied on to increase its knowledge in the relevant areas or to assist it in complying with its obligations under the PDPA.

19 Related to the above, I note that the Organisation’s purported instruction to the Developer to “respect and protect the privacy and confidentiality of all the data that is present on the Website” does not constitute a security measure. The Organisation should have reviewed the security standard implemented on the Website and provided its Developer the intended use cases and identified foreseeable risks.[3]

20 More generally, although the Organisation asserted that it had provided verbal instructions to the Developer (see [7] above), these have not been substantiated by any evidence. According to the document entitled “Project Scope” entered into between the Organisation and the Developer, there was no specification relating to the security arrangements that the Developer was required to design into the Website and its back-end system.
The Organisation ought to have entered into a written agreement with the Developer that clearly stated the standard of compliance that the Organisation expected its Website and Server to have with the PDPA, and the Developer’s responsibilities in this regard.

21 As regards security testing, while the Organisation had conducted some testing of the Website from the functionality perspective, i.e., to verify that certificates of consenting tutors were disclosed on their profile pages, it did not check the profile pages of non-consenting tutors to ensure their certificates were not disclosed. It also did not check if the Website contained any other vulnerabilities that posed a risk to the personal data hosted on the Server. Had the Organisation done a proper security test, the lack of access controls for the certificates hosted on the Image Directory and the unauthorised disclosure of the certificates of non-consenting tutors on their profiles would have been apparent. It would then have been able to take the necessary steps to rectify these security issues. That said, I understand that the Organisation has, since the Incident, procured the Developer to conduct a penetration test and resolve the high risk issues identified by it.

22 As regards the lack of access controls, it has been observed in Tutor City (at [21] to [23]) that technical measures are available that prevent indexing of images by web crawlers, viz: (a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. (b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. (c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder.

[3] Re Tutor City [2019] SGPDPC 5 at [18]
This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction).

23 In view of the above, I find the Organisation in breach of section 24 of the PDPA.

Role of the Developer

24 The Developer’s role in data migration constitutes “processing” within the meaning of the PDPA. One of the causes for the breach of the protection obligation may be traced to the migration of educational certificates to the Image Directory which was publicly accessible and could be indexed by search engines: see discussion at [4] above. As the Developer is in, and supplied the Services from, the Philippines, I intend to refer this aspect of the case to the Philippines National Privacy Commission.

Whether the Organisation had breached section 12 of the PDPA

25 Section 12 of the PDPA requires an organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA. Although the Organisation is a sole proprietorship with no employees, it collects a significant amount of personal data from the tutors and clients seeking tuition services via the Website. As such, it is required to have an external data protection policy which sets out its practices relating to such personal data and the purposes for which the tutors’ and students’ personal data are collected, used and disclosed by the Organisation.

26 In view of the Organisation’s admission that it had not developed and implemented any such policies, I also find the Organisation in breach of section 12 of the PDPA.

Representations by the Organisation

27 In the course of settling this decision, the Organisation made representations to waive the imposition of the financial penalty for the following reasons: (a) The Organisation is a small home business which does not generate much revenue.
If the proposed financial penalty is imposed, the Organisation would take 5 to 6 years to recover the financial penalty amount based on its annual revenue; (b) As a sole proprietor, the Organisation’s director neglected operational duties of the business in order to assist the Commission with the investigations into the Incident. This resulted in a significant drop in the Organisation’s annual revenue in 2018 and its revenue has yet to recover; (c) The Organisation incurred significant costs in undertaking remedial and preventive actions following the Incident; (d) This is the first time a data breach involving the Organisation has occurred; and (e) The Organisation compared the present case to Tutor City with similar facts where only a warning had been issued taking into account the number of affected individuals, the type of and duration for which personal data was at risk, and the remedial actions taken.

28 While accepting full responsibility for its breach of Section 12, the Organisation also asserted in its representations that based on the grounds of decision of Tutor City, it “…implicitly understood that [Tutor City] also had no policies and practices meeting the PDPA obligations set in place. However, they were not found in breach of the Section 12”.

29 With respect to the Organisation’s representations comparing the present case to Tutor City, I would like to emphasize that my decision is based on the unique facts of each case. While the facts may appear similar in 2 cases, my decision in each case takes into consideration the specific facts of the case and the totality of the circumstances so as to ensure that the decision and direction(s) are fair and appropriate for that particular organisation.
In this regard, I would highlight that Section 12 of the PDPA was never an issue of concern in Tutor City as the organisation in question did, in fact, have the requisite policies and processes. Accordingly, this is not a point that would need to be reflected in Tutor City. Unlike Tutor City, I have decided that a financial penalty is warranted in this case because the Organisation has been found in breach of Sections 12 and 24 of the PDPA, and there was a larger number of individuals’ personal data at risk in the present case. I have also taken into consideration the fact that the duration for which personal data was at risk in the present case is significantly shorter than in Tutor City.

30 Having carefully considered the representations, I have decided to reduce the financial penalty to $1,000. The quantum of financial penalty has been calibrated after due consideration of the Organisation’s financial circumstances and to avoid imposing a crushing burden on the Organisation. Although a lower financial penalty has been imposed in this case, the quantum of financial penalty should be treated as exceptional and should not be taken as setting any precedent for future cases.

Outcome

31 In assessing the breaches and determining the directions to be imposed on the Organisation in this case, I also took into account the following mitigating factors: (a) the Organisation fully cooperated with the Commission’s investigations; and (b) the Organisation took prompt action to mitigate the effects of the breaches and prevent reoccurrence of similar breaches.
32 In consideration of the relevant facts and circumstances of the present case, I hereby direct the Organisation: (a) to put in place a data protection policy to comply with section 12 of the PDPA within 60 days of this direction; (b) to inform the Commission within 7 days of implementing the above; and (c) to pay a financial penalty of $1,000 within 30 days from the date of this direction failing which, interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full.

YEONG ZEE KIN
DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION
",Financial Penalty,6d5126ad62fbafa12fb94c50aff6b767e9edb84c,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,181,181,1,952,"Directions were issued to Singapore Cricket Association for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its website, and for failing to put in place data protection policies.","[""Protection"", ""Accountability"", ""Directions"", ""Arts, Entertainment and Recreation""]",2018-08-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Cricket_Association_and_Ors_210818.pdf,"Protection, Accountability",Breach of Protection Obligation by Singapore Cricket Association,https://www.pdpc.gov.sg/all-commissions-decisions/2018/08/breach-of-protection-obligation-by-singapore-cricket-association,2018-08-21,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [19] Case No DP-1704-B0707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Singapore Cricket Association (UEN No. S65SS0010H) (2) Massive Infinity Pte Ltd (UEN No. 
201131950M) … Organisations

DECISION

Singapore Cricket Association & Ors. [2018] SGPDPC [19] Yeong Zee Kin, Deputy Commissioner — Case No DP-1704-B0707 21 August 2018

1 This case concerns the unauthorised disclosure of the personal data of cricket players on the Singapore Cricket Association’s (“SCA”) websites (the “Incident”). On 20 April 2017, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised disclosure of personal data on the player profile pages on the SCA’s websites and commenced its investigations thereafter. The Deputy Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below.

2 The SCA is the official governing body of the sport of cricket in Singapore. It administers various cricket leagues in Singapore with more than 100 cricket clubs participating across several league divisions. The SCA owns the rights to the domain name www.singaporecricket.org (the “First Domain”), which has served as the SCA’s official website since August 2007 (“Website”). The SCA also owns the rights to the domain name, www.cricketsingapore.com (“Second Domain”). Both domains were accessible to the public and the hosting of both domains was set up and managed by the SCA or on its instructions.

3 All clubs and their players are required to register with the SCA in order to participate in any of the SCA leagues. To register new players, clubs are required to submit the following player personal data through the registration form on the SCA’s Website:[1] (a) Player name; (b) Player photograph; (c) NRIC/FIN number; (d) Date of birth; (e) Email address; and (f) Mobile number.

[1] Clubs were also required to provide information such as the season, league, division and club the player will be playing in as well as the player’s category, role, bowling style and batting style.
4 Player profile pages which showed the registered player’s name, photograph, player code (a unique identifier assigned to players upon registration) as well as player statistics (“Player Profile Information”) have been made available on the SCA’s Website since it was launched in August 2007. Player Profile Information was disclosed on the SCA’s Website to identify players participating in the leagues and to promote interest in the sport by providing the public information on the league players in the same way that some soccer and tennis players have public profiles.[2]

5 In February 2016, SCA engaged Massive Infinity Pte Ltd (“MI”), a Singapore-based web design and development company, to revamp its Website and design and develop a new custom web portal for SCA (“Revamped Website”) in accordance with the website development specifications provided to MI.[3] However, as the SCA’s website development specifications were set out in very general terms and did not specify the contents of the Revamped Website, details of the exact contents of the Revamped Website were communicated to MI in meetings, and through phone calls and Whatsapp text messages.

6 During the development and testing of the Revamped Website, the Second Domain was used as a trial or user acceptance testing site.[4] In the course of conducting user acceptance tests, the SCA requested the inclusion of some additional pages to the Revamped Website, such as the player profile pages. These additional pages were not part of the original design and were therefore not included in the design documents. Neither party was able to produce any evidence of instructions from the SCA on the type of player information that was to be shown on the new player profile pages. While the SCA represented that its intention was for the Revamped Website to show the same Player Profile Information that was on its original Website, it conceded that it did not expressly highlight the type of player information that was to be included on the player profile pages on the Revamped Website.

7 In the absence of any specific instructions on the required fields for the new player profile pages, MI created the new player profile pages based on the information collected from the SCA’s player registration page on the Website. Consequently, in addition to the Player Profile Information that had previously been disclosed on the Website, the new player profile pages included fields for personal data such as the player’s NRIC/FIN number, date of birth, email address and mobile number (the “Additional Player Personal Data”).

8 During the investigations, the parties gave conflicting accounts as to when the SCA was first shown the new player profile pages.

[2] Given the SCA’s long-standing practice of publishing Player Profile Information on its Website, players were deemed to have consented to the disclosure of the Player Profile Information when they registered to participate in the league through their respective clubs.

[3] Together with the Website revamp, the SCA also switched the web hosting company for the First Domain from an India-based web hosting company to one in Singapore. However, MI was only engaged to provide the user interface design and web development of a new custom web portal and did not provide web hosting services.

[4] The Second Domain was removed by the SCA on 17 April 2017 after the First Domain had stabilised. MI had set up a staging environment (scastg.azurewebsites.net domain) (“Testing Domain”) for development and testing purposes. The Testing Domain was the only web hosting setup maintained by MI for development purposes and was closed soon after the code was pushed to the SCA’s testing environment, i.e. the Second Domain, on 17 November 2016. The Testing Domain was not accessible by search engines.
MI represented that before the new player profile pages with actual player data were pushed to the Second Domain, mock-up player profile pages created using “dummy data” were sent to the SCA for its review. The Revamped Website, including the new player profile pages with actual player data from the database of registered players’ data that the SCA had provided to MI (“Registered Players Database”),5 was pushed to the Second Domain for the SCA’s review and approval on 17 November 2016. The SCA, however, represented that it had only discovered that contrary to its intention, the Additional Player Personal Data was disclosed after MI uploaded the new player profile pages on the Second Domain and subsequently on the First Domain. 9 The SCA and MI held a meeting on 28 November 2016 to review the changes that MI had made to the Revamped Website. However, the SCA claimed that at the time of the meeting, the new player profile pages were missing from the Revamped Website. MI, in turn, stated that as the SCA did not raise any issues with the new player profile pages at the meeting, MI assumed that the SCA had approved the content of the new player profile pages and they were to proceed to production as created. 10 The Additional Player Personal Data was made available on the First Domain on or around 9 January 2017 after the system was migrated from the staging server (i.e. the Second Domain). Upon discovering that the Additional Player Personal Data was disclosed on the new player profile pages, the SCA took steps to remove them from the player profile pages leaving only the Player Profile Information. 
5 The SCA received the database of the registered players’ personal data from their previous vendor based in India. 
11 The Additional Player Personal Data was disclosed on the respective player profile pages and therefore publicly accessible for the following periods: (a) from the Second Domain, from 17 November 2016 until its removal on 6 February 2017; (b) from the First Domain, from around 9 January 2017 until its removal on 6 February 2017; and (c) cached versions of the Revamped Website continued to be listed among the search results on major online search engines until the SCA submitted a request for their removal in May 2017. 12 The parties were unable to determine conclusively the exact number of players whose personal data had been disclosed on the Revamped Website on the First and Second Domains. However, based on the number of pages cached by the search engines, the SCA estimated that as many as 100 players were affected. Findings and Basis for Determination 13 The main issues for determination are: (a) whether MI breached section 24 of the PDPA; (b) whether the SCA complied with its obligations under section 12(a) of the PDPA; and (c) whether the SCA breached section 24 of the PDPA. 14 It was not disputed that the Player Profile Information and Additional Player Personal Data disclosed on the new player profile pages were “personal data” as defined in section 2(1) of the PDPA. Whether MI breached section 24 of the PDPA 15 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. MI was engaged by the SCA to revamp the Website and was subsequently instructed to create new player profile pages on the Revamped Website. The SCA gave MI a copy of the SCA’s Registered Players Database in order for MI to upload the players’ personal data to the new player profile pages. 
Accordingly, the Deputy Commissioner is satisfied that the personal data in the Registered Players Database was in MI’s possession or under its control at all material times and MI was required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 16 However, MI intentionally disclosed the Additional Player Personal Data on the new player profile pages because it was under the impression that the SCA had intended for the Additional Player Personal Data to be disclosed on the new player profile pages. In this regard, seeing as MI relied on the SCA for directions as to the personal data that was to be disclosed on the player profile pages and there was no evidence that MI should have known what personal data was to be disclosed from the SCA’s instructions or from the circumstances, the Deputy Commissioner finds that MI did not act in breach of its Protection Obligation under section 24 of the PDPA when it disclosed the Additional Player Personal Data. Whether the SCA complied with section 12(a) of the PDPA 17 Section 12(a) of the PDPA imposes an obligation on organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA. 
The SCA represented, in a witness statement dated 12 June 2017 provided by a representative authorised by SCA, that it did not have any internal guidelines and/or policies for the protection of personal data at the time of the Incident and that it was in the process of reviewing this and coming up with a data protection policy and guidelines.6 18 It bears repeating that the development and implementation of data protection policies is a fundamental and crucial starting point for organisations to meet their obligations under the PDPA.7 As the Deputy Commissioner highlighted in Re Aviva Ltd [2017] SGPDPC 14 (at [32]) on the role of general data protection policies: Data protection policies and practices developed and implemented by an organisation in accordance with its obligations under section 12 of the PDPA are generally meant to increase awareness and ensure accountability of the organisation’s obligations under the PDPA. 19 In this regard, the Deputy Commissioner agrees with the observations in the Joint Guidance Note issued by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia that employees will be able to better protect personal data when they are able to first recognise when a matter involves data protection:8 Training and general education on privacy are very important. Our Offices have seen instances where issues were not identified as privacy issues when they should have been. As a result, appropriate steps were not taken to prevent or address privacy breaches. In other cases, we have seen a lack of awareness or appreciation for privacy risks on the part of employees result in the development of products or services that were not compliant with applicable privacy law. 
In Alberta, human error is the most common cause of reported breaches resulting in a real risk of significant harm to an individual. Examples include: misdirected faxes and mail, e-mail addresses viewable in mass e-mails, inappropriate disposal of documents, and disclosure of passwords. Employees will be able to better protect privacy when they are able to recognize a matter as one that involves personal information protection. [Emphasis added.] 20 Therefore, by the SCA’s own admission, it failed to meet its obligations under section 12(a) of the PDPA. Whether the SCA complied with section 24 of the PDPA 21 The SCA obtained the Registered Players Database, which contained the personal data of all its registered players, from its previous vendor based in India. A copy of the Registered Players Database was handed over to MI “for a week” for MI to upload the players’ data onto the new player profile pages. The SCA alone had the right to determine whether and how many of the players’ personal data would be held and presented in the Revamped Website. Hence, the Deputy Commissioner is satisfied that the personal data in the Registered Players Database remained under the SCA’s control at all material times. 
6 The SCA had a data protection officer but its data protection officer had not undergone any training on data protection matters. 7 Re M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (at [25]). 8 Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia, Getting Accountability Right with a Privacy Management Program at p 13. 
22 Having considered the matter, the Deputy Commissioner finds that the SCA failed to put in place reasonable security arrangements to protect the personal data in its control and therefore acted in breach of its Protection Obligation under section 24 of the PDPA. 23 Player profile pages were in the SCA’s original Website and the SCA’s eventual actions disclose its intention to retain player profile pages as a function of the Revamped Website. As stated in paragraph 5 above, the SCA did not provide sufficiently detailed requirements to MI. The omission of the player profile pages was eventually discovered during user acceptance testing. The SCA then requested that player profile pages be retained in the Revamped Website. Again, the SCA did not provide detailed requirements specifications and MI was left to devise player profile pages based on the information provided by players via the online registration form. Needless to say, this disclosed too much personal data. 24 Despite the fact that the inclusion of player profile pages had been made during the final stages of the project, the SCA failed to follow up to check that this function of the Revamped Website had been properly implemented. Such an omission is particularly egregious given its context and chronology. A flaw in the Revamped Website had been identified by the SCA and certain directions had been given to MI. One would expect that the natural behaviour of the owner of a website would be to ensure that identified flaws are properly fixed. The omission of the player profile pages and how this has been resolved by MI ought to have been in the SCA’s consciousness. This betrays the SCA’s lackadaisical attitude towards protection of the personal data of registered players and sets the context for the severity of its negligence which is examined below. 25 First, the SCA provided a database of all existing players in its Registered Players Database to MI. 
It should have clarified whether its intention was for all the personal data in the Registered Players Database to be displayed in the new player profile pages. The SCA simply assumed that MI would replicate the same fields in the previous player profile pages. As owner of the Revamped Website, the onus is on the SCA to give clear instructions to MI. As a result of the SCA’s failure to state in clear terms the required fields to be created in the new player profile pages, the Additional Player Personal Data of as many as 100 registered players were disclosed on the First and Second Domains. 26 Second, considering that the registered players’ personal data would be disclosed in the new player profile pages, the SCA ought, at the very least, to have reviewed the new player profile pages before MI uploaded it to the First and Second Domains. Had the SCA done so, the disclosure of the Additional Player Personal Data could have been avoided. It bears repeating that this omission is especially egregious given the fact that the SCA had identified a flaw, which would have meant that this omission should have been in its consciousness, but it failed to follow up with ensuring that it had been properly addressed. 27 Simply assuming that MI would replicate the same fields in the previous player profile pages is a clear derogation of its protection obligation. The provision of proper and clear instructions to the designer and developer of a website that holds personal data can and should form part of the protection obligations of the organisation that owns it. In failing to do so, the SCA is in breach of the protection obligation. Further, as mentioned above, the Deputy Commissioner found that the SCA’s website development specifications lacked website content details. 
As a result, instructions and details of the SCA’s requirements were conveyed to MI piecemeal in meetings and through phone calls and WhatsApp text messages, which appears to have led to confusion and miscommunication between the parties as to the exact requirements for the Revamped Website. 28 Regardless of whether the SCA was shown the new player profile pages at the 28 November 2016 meeting or earlier, the Deputy Commissioner finds that at least between 28 November 2016 and 6 February 2017,9 the SCA could have and ought to have, but failed to, discover and prevent the unauthorised disclosure of the Additional Player Personal Data on the new player profile pages. However, the SCA was unable to explain why it had failed to pick up on the unintended disclosure of the Additional Player Personal Data earlier or provide sufficient information on what arrangements or measures (if any) were implemented to review the changes made to the Website. 9 As mentioned above, the SCA removed the Additional Player Personal Data from the First and Second Domains on 6 February 2017. 29 At this juncture, the Deputy Commissioner reiterates that organisations that engage service providers to process personal data on their behalf should clarify and properly document the nature and extent of service provided. 30 This was highlighted in Re Smiling Orchid (S) Pte Ltd and Ors. [2016] SGPDPC 19 (at [51]) where the Commissioner emphasised the need for a clear meeting of minds as to the services the service provider has agreed to undertake: It is unclear whether T2’s actions would have been different had it been engaged to do more than enhancing the design of the site. Data controllers that engaged outsourced service providers have to be clear about the nature and extent of services that the service provider is to provide. There must be a clear meeting of minds as to the services that the service provider has agreed to undertake, and this should be properly documented. 
Data controllers should follow through with the procedures to check that the outsourced provider is indeed delivering the services. In the absence of such clarity of intent and procedures, it is risky to hold that the outsourced service provider is a data intermediary. In any case, the Commission has found that T2 is not a data intermediary for the reasons set out at paragraphs 35 to 38 above. [Emphasis added.] 31 Also, as highlighted in the Guide on Building Websites for SMEs (at [4.2.1]), organisations that engage IT vendors to develop and/or maintain their websites should ensure that their IT vendors are aware of the need for personal data protection: Organisations should emphasise the need for personal data protection to their IT vendors, by making it part of their contractual terms. The contract should also state clearly the responsibilities of the IT vendor with respect to the PDPA. When discussing the scope of the outsourced work, organisations should consider whether the IT vendor’s scope of work will include any of the following: • Requiring that IT vendors consider how the personal data should be handled as part of the design and layout of the website. • Planning and developing the website in a way that ensures that it does not contain any web application vulnerabilities that could expose the personal data of individuals collected, stored or accessed via the website through the internet. • Requiring that IT vendors who provide hosting for the website should ensure that the servers and networks are securely configured and adequately protected against unauthorised access. 
• When engaging IT vendors to provide maintenance and/or administrative support for the website, requiring that any changes they make to the website do not contain vulnerabilities that could expose the personal data. Additionally, discussing whether they have technical and/or non-technical processes in place to prevent the personal data from being exposed accidentally or otherwise. [Emphasis added.] 32 Therefore, in light of the above, the Deputy Commissioner finds that the Organisation failed to make reasonable security arrangements to prevent unauthorised disclosure of the Additional Player Personal Data and is therefore in breach of section 24 of the PDPA. Directions 33 Having found that the SCA is in breach of sections 12(a) and 24 of the PDPA, the Deputy Commissioner is empowered under section 29 of the PDPA to give the SCA such directions as it deems fit to ensure compliance with the PDPA. 34 The Deputy Commissioner took into account the following factors in assessing the breach and determining the directions to be imposed: Aggravating factors (a) the personal data disclosed included the registered players’ NRIC/FIN numbers; Mitigating factors (b) the SCA took prompt action to mitigate the impact of the breach by removing the Additional Player Personal Data from the player profile pages on the First and Second Domains soon after it discovered the Incident; and (c) the SCA cooperated fully in the investigation. 35 
Having considered all the relevant factors of this case, the Deputy Commissioner hereby directs the SCA: (a) to develop and implement policies and practices that are necessary for the SCA to meet its obligations under the PDPA within 90 days from the date of this direction; (b) to conduct personal data protection training for its employees to ensure that they are aware of, and will comply with the requirements of the PDPA when handling personal data within 90 days from the date of this direction; and (c) to inform the office of the Commissioner of the completion of the above directions within 7 days of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION ",Directions,25d5268ed669c201d4b55ce4d00b7442bfa8671e,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,183,183,1,952,"A financial penalty of $30,000 was imposed on Singapore Taekwondo Federation for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ NRIC numbers on its website. 
Directions were also issued to the organisation to appoint a data protection officer and to put in place data protection policy.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Directions"", ""Arts, Entertainment and Recreation""]",2018-06-22,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Taekwondo_Federation_220618.pdf,"Protection, Accountability",Breach of Protection Obligation by Singapore Taekwondo Federation,https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-singapore-taekwondo-federation,2018-06-22,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 17 Case No DP-1705-B0810 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Taekwondo Federation … Organisation DECISION Singapore Taekwondo Federation [2018] SGPDPC 17 Tan Kiat How, Commissioner — Case No DP-1705-B0810 22 June 2018 Background 1 This matter involves the Singapore Taekwondo Federation (the “Organisation”), a society registered with the Registry of Societies that is responsible for promoting, supporting, and developing taekwondo-related programmes and activities in Singapore. 2 Since 2015, the Organisation has been posting, on an annual basis, PDF documents which contain the names and schools of students who are participants of the Annual Inter-School Taekwondo Championships (“Championships”) on the Organisation’s website which is accessible to the general public. It was represented by the Organisation that the purpose of uploading the PDF documents on its website was to enable students to verify their participation in the Championships. 3 On 30 May 2017, a complaint was lodged by a member of the public (“Complainant”) with the Personal Data Protection Commission (“Commission”), alleging that there was an unauthorised disclosure of the NRIC numbers of 782 students who were participants of the 2017 Championships. 
Whilst the NRIC numbers, within the PDF documents, were set out in columns that were minimised, and, hence, not immediately visible, there was an unauthorised disclosure of these NRIC numbers when the Complainant subsequently copied and pasted the contents of the PDF documents on to another document. 4 The Commissioner sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 5 On 19 May 2017, the Complainant chanced upon the PDF documents on the Organisation’s website, which contained the names and schools of students who were participants of the 2017 Championships. 6 The NRIC numbers of the students were not immediately visible to the Complainant in the PDF documents, as the NRIC numbers were set out in columns which were minimised. Nevertheless, when the Complainant copied and subsequently pasted the contents of the PDF documents on to another document, he was able to view the NRIC numbers of the students. The Complainant proceeded to inform the Organisation of this unauthorised disclosure of the students’ NRIC numbers via email on 19 May 2017. 7 As the Complainant did not receive any response from the Organisation, he proceeded to lodge a complaint with the Commission on 30 May 2017. Upon receiving the complaint, the Commission commenced an investigation into this matter. 8 On 31 May 2017, after the Organisation was notified by the Commission of the unauthorised disclosure of the students’ NRIC numbers, the Organisation removed the PDF documents from its website. The Organisation represented that it had also taken steps to contact Google to remove the cache, as well as instructed its staff to delete the relevant information in question before uploading any documents on to the Organisation’s website. 
9 During the course of the Commission’s investigation, the Organisation made the following representations in relation to its process of handling the personal data of the students intending to participate in the Championships. Firstly, it would receive an encrypted Excel spreadsheet containing the personal data of students intending to participate in the Championships, including their names, NRIC numbers, dates of birth, gender, school, class, taekwondo grade, names of taekwondo instructors and clubs, from the Physical Education Sport Education Board of the Ministry of Education (“MOE”). 10 After receiving the encrypted Excel spreadsheet, the Organisation’s Head of the Tournament Department (“Tournament Head”) would typically proceed to rearrange the students’ personal data into programme lists and bout sheets using Microsoft Excel. The Tournament Head asserted that in relation to the Excel spreadsheets containing the students’ personal data, he would “hide” their NRIC numbers, before converting the Excel spreadsheets into PDF documents. 11 The Tournament Head describes the process as follows: “I will copy and paste the names, NRIC numbers, and schools into a new excel spreadsheet. I will then hide the NRIC numbers and then add in the programmes into the new excel spreadsheet. I have been doing this since 2015. Thereafter, I will send the new excel spreadsheet with the names, schools, programme list and hidden NRIC numbers to [redacted] who will then convert it into a PDF list for uploading onto STF’s website. She also has been doing this since 2015 but she does not know that I simply hide the NRIC numbers”. [Emphasis added.] 12 The investigation carried out by the Commission sought to verify the assertion made by the Tournament Head. 
A check on the internet, including the website of Adobe Systems Incorporated, the proprietor of the Adobe PDF software, did not reveal the reappearance of “hidden” contents when copied to a separate Microsoft Word or Excel document (“Alleged Bug”) to be a known issue or function. 13 In addition, officers of the Commission had conducted tests to replicate the result of the Alleged Bug. The officers of the Commission first copied the PDF documents in question found on the Organisation’s website to a newly created Microsoft Word document and found that the columns which were not visible on the PDF documents appeared when copied to the Microsoft Word document. This verified the Complainant’s assertion. However, when the officers of the Commission created a new Excel spreadsheet with properly hidden columns, this Alleged Bug did not occur. Subsequently, the officers of the Commission discovered that this issue would only occur if the columns were minimised instead. In other words, if the columns in an Excel spreadsheet were minimised instead of hidden, and the Excel spreadsheet were to be converted into PDF format, then the contents of the minimised columns would reappear when the PDF document was copied onto a Microsoft Word or Excel document. 14 Based on the foregoing, the Commissioner finds that the columns in the Excel spreadsheet prepared by the Tournament Head were not hidden but merely minimised. 15 In relation to the reason for purportedly hiding (but actually minimizing) the column with NRIC numbers in the Excel spreadsheet, the Organisation represented that this was for the sake of convenience in submitting the results of the Championships to participating schools. 
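The Taekwondo finding at paragraphs 12 to 14 (a column that was narrowed rather than removed survives into the text layer of the PDF) and the SCA finding at paragraphs 7 and 25 to 27 (a public page built from every field the registration form collected) are the same engineering defect seen twice: the published artefact carries more than the author believes it shows. The Python below is an added example, not part of either decision and not the code of any vendor named in them; it shows the two controls a practitioner would put in place. First, an allowlist projection for the public profile, so that a registration field is never published unless it is named. Second, a pre-publication scan of a document's extracted text for checksum-valid NRIC/FIN numbers. The registration record, the extracted PDF text and the NRIC values are constructed samples; the checksum weights and letter tables are the publicly documented algorithm for the S/T and F/G series, and the newer M-series prefix is not handled.

```python
import re

# Checksum weights and letter tables for Singapore NRIC/FIN numbers in the
# S/T and F/G series (publicly documented algorithm). The newer M-series
# prefix is deliberately not handled here.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {
    'S': 'JZIHGFEDCBA', 'T': 'JZIHGFEDCBA',
    'F': 'XWUTRQPNMLK', 'G': 'XWUTRQPNMLK',
}
_NRIC_RE = re.compile(r'\b([STFG])(\d{7})([A-Z])\b')


def is_valid_nric(value: str) -> bool:
    '''True if value is an S/T/F/G-series number with a correct check letter.'''
    m = _NRIC_RE.fullmatch(value.strip().upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    if prefix in ('T', 'G'):
        total += 4
    return _CHECK_LETTERS[prefix][total % 11] == check


def find_nrics(text: str) -> list:
    '''Return the distinct checksum-valid NRIC/FIN numbers present in text.

    Pattern-only matching would flag look-alike strings; the checksum filter
    keeps the report to values that are structurally real identifiers.
    '''
    found = []
    for m in _NRIC_RE.finditer(text.upper()):
        candidate = ''.join(m.groups())
        if is_valid_nric(candidate) and candidate not in found:
            found.append(candidate)
    return found


def mask(nric: str) -> str:
    '''Keep the prefix and last four characters so a report does not re-leak the value.'''
    return nric[0] + '*' * 4 + nric[-4:]


# Everything the registration form collected (constructed sample; the NRIC is
# a fictitious but checksum-valid value).
REGISTRATION_RECORD = {
    'name': 'A. Player',
    'player_code': 'SCA-0042',
    'photo_url': '/photos/0042.jpg',
    'matches': 12,
    'runs': 340,
    'nric': 'S1234567D',
    'date_of_birth': '1990-01-01',
    'email': 'player@example.org',
    'mobile': '91234567',
}

# Fields approved for the public profile page. A field added to the
# registration form later is not rendered until someone adds it here.
PUBLIC_PROFILE_FIELDS = ('name', 'player_code', 'photo_url', 'matches', 'runs')


def render_all_fields(record: dict) -> str:
    '''Profile page built from the whole registration record (the defect).'''
    return '\n'.join(f'{k}: {v}' for k, v in record.items())


def render_public_profile(record: dict) -> str:
    '''Profile page built from the allowlist only (the fix).'''
    return '\n'.join(f'{k}: {record[k]}' for k in PUBLIC_PROFILE_FIELDS if k in record)


# Text as a PDF extractor returns it when the NRIC column was narrowed instead
# of deleted before export (constructed sample). The third row carries a
# look-alike with a wrong check letter, which the scanner must ignore.
EXTRACTED_PDF_TEXT = '''Name School Programme
Tan A. Example Secondary S1234567D Poomsae U13
Lim B. Example Secondary S1234568B Kyorugi U15
Ong C. Example Secondary S9999999X Poomsae U13
'''


def check_before_publishing(text: str) -> dict:
    '''Publication gate: block any artefact whose text layer contains a valid NRIC.'''
    hits = find_nrics(text)
    return {'publishable': not hits, 'masked_hits': [mask(h) for h in hits]}


if __name__ == '__main__':
    print(check_before_publishing(render_all_fields(REGISTRATION_RECORD)))
    print(check_before_publishing(render_public_profile(REGISTRATION_RECORD)))
    print(check_before_publishing(EXTRACTED_PDF_TEXT))
```

Run the gate on the text extracted from the file that will actually be uploaded (the output of a PDF text extractor such as pdftotext), not on the spreadsheet it came from: the Commission's officers found the leak only by copying out of the PDF, which is exactly what the text layer exposes, and their tests showed that properly hidden Excel columns are not exported while narrowed ones are. The allowlist projection is the complementary control for the SCA case, where the question was not how the data was exported but which fields were ever selected for display.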
Following the conclusion of the Championships, participating schools would typically request for the name lists of the medalists and the results of the Championships, which would have to contain the students’ NRIC numbers, so as to allow the schools to verify and present colour awards to their students. 16 The Organisation conceded that it was not aware that there were columns which had been minimised in the PDF documents, such that the NRIC numbers in these columns appeared when the contents of the PDF documents were copied and pasted to another document. 17 In addition, the Organisation admitted during the course of the investigation that it was not aware of the Personal Data Protection Act 2012 (“PDPA”). Consequently, the Organisation did not appoint a data protection officer (“DPO”), nor did it implement any policies or practices necessary for it to meet its obligations under the PDPA. Findings and Basis for Determination 18 The issues for determination are as follows: (a) whether the Organisation had complied with its obligation under section 11 of the PDPA to designate one or more persons to be responsible for ensuring that the Organisation complies with the PDPA; (b) whether the Organisation had complied with its obligation under section 12 of the PDPA to develop and implement policies and practices that are necessary for the Organisation to meet its obligations under the PDPA; and (c) whether the Organisation had complied with its obligation under section 24 of the PDPA to implement reasonable security arrangements to protect personal data in the Organisation’s possession or under the Organisation’s control. 
19 At the outset, although the Tournament Head represented during the investigation that the Organisation is managed mostly by a team of volunteers, pursuant to section 53(1) of the PDPA, the Organisation would be responsible for its employees’ (which includes volunteers1) actions which are engaged in the course of their employment2. 20 In addition, the NRIC numbers that were disclosed constitute personal data as defined in section 2(1) of the PDPA, as every single student in the PDF documents could be identified from the NRIC numbers disclosed. Accordingly, the Organisation would be subject to the data protection obligations under Parts III to VI of the PDPA. Nature of personal data 21 As a preliminary issue, the Commissioner first considered the nature of the personal data in this matter. 22 The personal data disclosed were NRIC numbers which, according to the Commission’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act3 (“Key Concepts Guidelines”) and the Guide to Basic Data Anonymisation Techniques4 (“Anonymisation Guide”), constitute a data attribute that is assigned to an individual for the purposes of identifying the individual and, on its own, identifies an individual.5 The Commission’s Advisory Guidelines on the PDPA for Selected Topics6 (“Selected Topics Guidelines”) also recognise that “NRIC numbers are of special concern to individuals as they are unique to each individual” (emphasis added).7 23 In addition, the NRIC numbers that were disclosed were the NRIC numbers of students, minors who were less than 21 years of age. 
1 Section 2(1) of the PDPA. 2 Section 53 of the PDPA read with section 4(1)(b) of the PDPA. 3 Revised on 27 July 2017. 4 Published on 25 January 2018. 
The Selected Topics Guidelines recognise that certain considerations may arise in this regard, including that “there is generally greater sensitivity surrounding the treatment of minors” (emphasis added).8 Therefore, good practices in protecting minors’ personal data include, amongst other things, placing “additional safeguards against [the] unauthorised disclosure of, or unauthorised access to, [the] personal data of minors” (emphasis added).9 24 A similar approach in respect of minors’ personal data has been adopted in several other jurisdictions. In Canada, the Office of the Privacy Commissioner of Canada (“OPC”) has expressed that it “has consistently viewed personal information relating to youth and children as being particularly sensitive and must be handled accordingly” (emphasis added).10 25 In the United Kingdom, the Information Commissioner’s Office (“ICO”) has taken the view that “children need particular protection when [an organisation is] collecting and processing their personal data” (emphasis added) and if an organisation processes children’s personal data, the organisation “should think about the need to protect them from the outset, and design [the organisation’s] systems and processes with this in mind”.11 The ICO has also expressed that there are “important additional considerations that need to [be taken] into account when [an organisation’s] data subject is a child” (emphasis added).12 26 In Hong Kong, the Office of the Privacy Commissioner for Personal Data (“PCPD”) has taken the view that “children are identified as a vulnerable group who may have special needs in privacy protection” (emphasis added).13 27 Against this backdrop, it is evident that minors’ personal data would typically be of a more sensitive nature, especially when it concerns unique identifiers such as NRIC numbers. Accordingly, when it comes to the protection of “sensitive” personal data, organisations are required to take extra precautions and ensure higher standards of protection under the PDPA. 
5 Anonymisation Guide at [3.1] and Key Concept Guidelines at [5.9]. 6 Revised on 28 March 2017. 7 Selected Topics Guidelines at [6.1]. 8 Selected Topics Guidelines at [8.12]. 9 Selected Topics Guidelines at [8.12]. 10 OPC, Guidance for businesses that collect kids’ information. 11 ICO, Guide to the General Data Protection Regulation (22 March 2018) at p. 155. 12 ICO, Consultation: Children and the GDPR Guidance (21 December 2017) at p. 19. 13 Hong Kong, PCPD, 2015 Study Report on Online Collection of Children’s Personal Data (December 2015). 
Whether the Organisation had complied with its obligations under section 11 of the PDPA 28 At the outset, during the investigation, the Organisation admitted that it had “no idea of the PDPA”, and consequently, was not aware of its data protection obligations under Parts III to VI of the PDPA. 
29 Notably, the Organisation’s lack of awareness of its data protection obligations is not a legitimate defence to a breach under the PDPA, as set out in Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (“M Stars Movers”) at [16]: “[i]t is a trite principle of law that ignorance of the law is no excuse. Thus, the Organisation’s lack of awareness of its obligations under the PDPA cannot excuse its breach of the PDPA. The data protection provisions of the PDPA took effect on 2 July 2014 after a “sunrise” period of more than a year from 2 January 2013. Since then, organisations have had ample opportunities to develop and implement appropriate policies and practices to comply with the PDPA. In any event, an organisation’s lack of awareness of its data protection obligations is not a legitimate defence to a breach.”
30 Section 11(3) of the PDPA requires the Organisation to designate one or more individuals, i.e. the DPO, to be responsible for ensuring the Organisation’s compliance with the PDPA.
31 The Organisation confirmed that there was “no person appointed for the role of Data Protection Officer”.
32 By the Organisation’s own admission, the Commissioner finds that the Organisation has failed to meet its obligations under section 11(3) of the PDPA. The Commissioner repeats the comments at paragraph 29 above that a lack of awareness of the obligations imposed by the PDPA does not amount to a legitimate defence against a breach by the Organisation.
33 The Commissioner takes this opportunity to reiterate the importance of the role of a DPO as set out in M Stars Movers at [33]: “[t]he DPO plays an important role in ensuring that the organisation fulfils its obligations under the PDPA.
Recognition of the importance of data protection and the central role performed by a DPO has to come from the very top of an organisation and ought to be part of enterprise risk management frameworks…The DPO ought to be appointed from the ranks of senior management and be amply empowered to perform the tasks that are assigned to him/her… The DPO need not – and ought not – be the sole person responsible for data protection within the organisation…Every member of staff has a part to play...”
34 Generally, the responsibilities of a DPO include, but are not limited to:14
(a) ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data;
(b) fostering a data protection culture in an organisation and communicating personal data protection policies to stakeholders;
(c) handling and managing personal data protection related queries and complaints;
(d) alerting management to any risks that may arise with regard to personal data; and
(e) liaising with the Commission on data protection matters, if necessary.
14 PDPC, Data Protection Officers.
35 From the foregoing, it is clear that the DPO plays a vital role in implementing and building a robust data protection framework to ensure an organisation’s compliance with its obligations under the PDPA.
Whether the Organisation had complied with its obligations under section 12 of the PDPA
36 Section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA.
37 During the investigation, the Organisation confirmed that there was “no personal data policy” implemented and represented that the manner of handling the students’ personal data was an “unwritten SOP”.
38 By the Organisation’s own admission, the Commissioner finds that the Organisation has failed to meet its obligations under section 12(a) of the PDPA.
Similar to the above, the Commissioner repeats his comments at paragraph 29 that a lack of awareness of the obligations imposed by the PDPA does not amount to a legitimate defence against a breach by the Organisation.
39 The Commissioner takes this opportunity to reiterate the role of data protection policies, as set out in Re Aviva Ltd [2017] SGPDPC 14 at [32]: “…[d]ata protection policies and practices developed and implemented by an organisation in accordance with its obligations under section 12 of the PDPA are generally meant to increase awareness and ensure accountability of the organisation’s obligations under the PDPA…”
40 In addition, M Stars Movers highlights the importance of the need for organisations to develop and implement data protection policies and practices at [27] to [28]: “…[a]t the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA.
An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities...”
41 Finally, the Commissioner reiterates past observations on the benefits and importance of documenting an organisation’s data protection policies and practices in a written policy, as per Re Furnituremart.sg [2017] SGPDPC 7 at [14]: “[t]he lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.”
42 It is clear from the foregoing that the development and implementation of written data protection policies and procedures are important in ensuring an organisation’s compliance with its obligations under the PDPA.
Whether the Organisation had complied with its obligations under section 24 of the PDPA
43 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by implementing reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
44 The Commissioner’s assessment of whether the Organisation had complied with its obligations under section 24 of the PDPA would be confined to the NRIC numbers of students. As admitted by the Organisation during the course of the investigation, the NRIC numbers of students were not supposed to be contained and disclosed in the PDF documents.
45 Whilst the encrypted Excel spreadsheet containing the students’ personal data was provided by the MOE, the entire process of compiling the personal data into a separate Excel spreadsheet, converting the Excel spreadsheet into PDF documents and uploading the PDF documents were actions that were conducted solely by the Organisation, without any external interference from the MOE or the entity responsible for maintaining the Organisation’s website.
46 That said, the Organisation was unaware and unable to explain why the NRIC numbers were left in the minimised columns in the PDF documents.
47 In this regard, the Organisation’s mistake of not realising that the NRIC numbers were present in minimised columns in the PDF documents and could have been disclosed without authorisation, could be quite easily repeated. Any person could simply copy the contents of the PDF documents and paste them into another document, thereby resulting in further unauthorised disclosures of the students’ personal data. Such potential impact and harm cannot be ignored, especially when it involves the NRIC numbers of 782 students who were also minors, and whose personal data would thus be considered to be more sensitive in nature.
48 It is precisely the fact that the unauthorised disclosure could have reoccurred quite easily due to the same mistake, that focus is drawn to the issue of whether the Organisation had complied with its obligations under section 24 of the PDPA.
49 On this issue, the Commission found that the Organisation did not appear to have taken sufficient steps towards protecting the personal data in its possession, to prevent the unauthorised disclosure of the personal data.
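The copy-and-paste exposure described at paragraph 47 is detectable before a document is uploaded. The following is an added example and is not part of the decision or of the Organisation’s own process: a Python pre-publication check that scans the extracted text of a document for checksum-valid Singapore NRIC/FIN numbers and refuses to clear the document if any are found. The sample text, the participant names and the identifiers in it are constructed; the S/T/F/G check-letter tables are the widely used ones, and M-prefix numbers are not handled.

```python
import re
from typing import List, Tuple

# Shape of a Singapore NRIC/FIN: prefix letter, seven digits, check letter.
# M-prefix FINs use a different check table and are not handled here.
_NRIC_RE = re.compile(r'\b([STFG])(\d{7})([A-Z])\b')

_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS_ST = 'JZIHGFEDCBA'   # for S and T prefixes
_CHECK_LETTERS_FG = 'XWUTRQPNMLK'   # for F and G prefixes


def nric_check_letter(prefix: str, digits: str) -> str:
    # Weighted sum of the seven digits; T and G prefixes add 4 before reduction mod 11.
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    if prefix in 'TG':
        total += 4
    table = _CHECK_LETTERS_ST if prefix in 'ST' else _CHECK_LETTERS_FG
    return table[total % 11]


def is_valid_nric(value: str) -> bool:
    m = _NRIC_RE.fullmatch(value)
    if m is None:
        return False
    prefix, digits, check = m.groups()
    return nric_check_letter(prefix, digits) == check


def find_nric_numbers(text: str) -> List[str]:
    # Only checksum-valid candidates are reported, so order numbers, phone numbers
    # and random codes that happen to fit the shape do not produce noise.
    return [m.group(0) for m in _NRIC_RE.finditer(text) if is_valid_nric(m.group(0))]


def publication_check(document_text: str) -> Tuple[bool, List[Tuple[int, str]]]:
    # Gate to run on the text of a PDF before it is uploaded: returns whether the
    # document is clear to publish and, if not, the (line number, value) findings.
    findings = []
    for line_no, line in enumerate(document_text.splitlines(), start=1):
        for value in find_nric_numbers(line):
            findings.append((line_no, value))
    return (len(findings) == 0, findings)


# Constructed sample: what a reader gets by copying the text of a results PDF into
# another document. Columns that were only narrowed in the spreadsheet still carry
# their values, so the identifiers appear alongside the names. All values are made up.
SAMPLE_PDF_TEXT = '''Name Gender Age Category
Participant One M 12 Junior Poomsae S1234567D
Participant Two F 11 Junior Kyorugi T0123456G
Reference 97 is not an identifier, and S1234567A fails its checksum
'''


if __name__ == '__main__':
    ok, findings = publication_check(SAMPLE_PDF_TEXT)
    print('clear to publish:', ok)
    for line_no, value in findings:
        print(f'line {line_no}: {value}')
```

Run it over the text extracted from the PDF (any PDF-to-text tool will do) as the last step before the upload; values that were merely narrowed out of view in the spreadsheet survive conversion and are reported here. Treat a non-empty findings list as a hard stop for the upload rather than as a warning.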
50 An example of an administrative security arrangement which the Organisation could have made in respect of the personal data in its possession, was to “[c]onduct regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data”.15 The Organisation could have implemented staff training sessions to “[e]nsure that staff are trained and familiar with the software used to process…documents containing personal data. For example, staff using spreadsheets should be aware of how sorting the data incorrectly may lead to errors”.16 Similarly, the Organisation could have adopted any of the following measures to ensure that personnel using Microsoft Excel to process personal data were well apprised and updated on the functions of the software, in particular, the difference between columns that were “minimised” and “hidden” in an Excel spreadsheet:
(a) “[e]nsure that new and existing staff receive regular training so that they are well apprised and updated on the proper procedures for processing and sending personal data”;17
(b) “[train] staff to ensure only necessary personal data are extracted”;18
(c) “[k]eep ICT security awareness training for employees updated and conduct such training regularly”;19 and
(d) “[provide] the appropriate training to ensure proper usage of the software used.”20
15 Key Concepts Guidelines at [17.5].
16 PDPC, Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data (20 January 2017), at [2.1].
51 Given the nature of the personal data in question, the Organisation had not taken into consideration what extra precautions would be required to protect the sensitive personal data of the students, who are minors.
17 PDPC, Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data (20 January 2017), at [2.2].
18 PDPC, Guide to Data Protection Impact Assessment (1 November 2017), at [7.2].
19 PDPC, Guide to Securing Personal Data in Electronic Medium (revised on 20 January 2017), at [5.2].
20 PDPC, Guide to Securing Personal Data in Electronic Medium (revised on 20 January 2017), at [17.7].
52 The Key Concepts Guidelines express that an organisation should “implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”.21 As set out in the Commission’s Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data, “[d]ocuments or communications that contain sensitive personal data should be processed…with particular care” (emphasis added).22
53 The Key Concepts Guidelines go on to state that (at [8.12]): “…given that there is generally greater sensitivity surrounding the treatment of minors, it may be prudent for organisations to consider putting in place relevant precautions, if they are (or expect to be) collecting, using or disclosing personal data about minors. For example, organisations that provide services targeted at minors could state terms and conditions in language that is readily understandable by minors, or use pictures and other visual aids to make such terms and conditions easier to understand.
Other good practices could include placing additional safeguards against unauthorized disclosure of, or unauthorized access to, personal data of minors, or anonymising personal data of minors before disclosure, where feasible.”
54 In this regard, the Commissioner agrees with the OPC that, in the context of children’s personal data, safeguards that are implemented must be “commensurate with the amount and potential sensitivity of the information at risk” and if the appropriate safeguards are not implemented, this “could, in the wrong hands, put children at unnecessary risk of harm”.23 In that case, the OPC found that the personal data of approximately 316,000 Canadian children, in addition to approximately 237,000 Canadian adults, that were in the possession of a toy manufacturer had been compromised as the organisational and technological safeguards that were implemented at the time of the data breach incident were not commensurate with the amount and potential sensitivity of the personal data.
21 Key Concepts Guidelines at [17.3].
22 PDPC, Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data (20 January 2017), at [2.2].
23 PIPEDA Report of Findings #2018-001: Connected toy manufacturer improves safeguards to adequately protect children’s information (8 January 2018) at Overview.
55 When it comes to the protection of “sensitive” personal data, the Organisation had failed to take extra precautions to guard against and prevent unauthorised disclosures of personal data, and failed to ensure a relatively higher standard of protection of personal data under the PDPA.
At a minimum, the Organisation ought to have ensured that its staff in charge of creating, processing and converting the Excel spreadsheets were given proper and regular training to equip them with the knowledge to utilise the correct function to convert the Excel spreadsheets into PDF documents that were routinely published on the Organisation’s website.
56 Not only did the Organisation fail to develop and implement the appropriate security arrangements upon the PDPA coming into full force on 2 July 2014, this failure had carried on well after 2 July 2014. Considering how there were two other instances where the Organisation had uploaded the personal data of students in the same manner, specifically for the 2015 and 2016 Championships, the Organisation’s prolonged failure to develop and implement reasonable security measures (for instance, in the form of proper and regular staff training to equip staff with the knowledge to use the right Microsoft Excel feature) to protect the personal data is also taken into consideration in this decision.
57 Given the absence of any security arrangements to protect personal data in its possession against unauthorised disclosure, the Commissioner finds that the Organisation has contravened section 24 of the PDPA.
Directions
58 Having found that the Organisation is in breach of sections 11, 12 and 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA.
59 In assessing the breach and determining the directions to be imposed on the Organisation, the Commissioner took into account, as a mitigating factor, the Organisation’s prompt remedial actions to rectify and prevent the recurrence of the data breach.
60 The Commissioner also took into account the following aggravating factors:
(a) the personal data disclosed involved the NRIC numbers of minors, which constitute personal data of a sensitive nature, and the disclosure of which could cause substantial actual or potential harm to the students;
(b) the Organisation showed a lack of awareness of its obligations under the PDPA; and
(c) the Organisation caused quite some delays in the investigation process. Despite the approval of an extension of time for responding to the Commission’s Notice to Require Production of Documents and Information issued under the Ninth Schedule of the PDPA, the Organisation only responded after the Commission had sent subsequent reminders requesting for the Organisation’s response, and only after the President of the Organisation was copied in one of such email reminders.
61 The Commissioner has also reviewed the representations made by the Organisation seeking a reduction in the financial penalty imposed, a summary of which follows:
(a) The Organisation is a small registered charity with a thin budget;
(b) The Organisation did not appoint a Data Protection Officer and as such were unaware of the requirement to have a Data Protection Policy;
(c) The Organisation took immediate remedial action;
(d) The breach was due to inadvertence and ignorance that the NRIC data could be seen on its website;
(e) The Organisation acknowledged the unauthorized disclosure of 782 students but that there is no specific information to suggest that the data of the students involved in the 2015 and 2016 tournaments had been similarly disclosed;
(f) The delay was caused by their surprise at the lapse and their need to obtain external advice as well as the Organisation’s internal approval process to respond to the PDPC.
62 It should be noted that the Commissioner had already taken (c) above into consideration in determining the financial penalty quantum.
The Commissioner finds that the rest of the above representations do not justify a reduction in the financial penalty. The PDPA applies to all organisations and the mere fact that the Organisation is a small charity is not a mitigating factor. If the Organisation has cash flow issues, it is open to the Organisation to request that the penalty be paid in installments. Also, inadvertence and ignorance of the law are not mitigating factors.
63 On the point of delay, the Organisation took 2 months to respond to the first Notice to Produce issued to the Organisation. The initial deadline to respond to the Notice to Produce was on 23 June 2017, 2 weeks after the Notice to Produce was issued. PDPC granted the Organisation’s request for an extension of time to respond to the Notice to Produce by 31 July 2017. The Organisation failed to meet this extended deadline and did not respond even after a first reminder was sent on 2 August 2017. The Organisation only responded to the Notice to Produce after a second reminder was issued on 10 August 2017 and copied to the President of the Organisation. The Organisation had already been granted the requested 5-week extension of time to respond and failed to do so within that time, only responding after 2 reminders were issued. The Commissioner finds that the 7 weeks given to the Organisation to respond was more than sufficient to engage third party experts to assist the Organisation in its investigations and to obtain the necessary internal approval. The delay was therefore unacceptable.
64 In consideration of the relevant facts and circumstances of the present case, the Commissioner hereby directs the Organisation to:
(a) pay a financial penalty of S$30,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall be payable on the outstanding amount of such financial penalty;
(b) appoint a DPO within 30 days from the date of this direction;
(c) develop and implement policies and practices that are necessary for the Organisation to meet its obligations under the PDPA within 30 days from the date of this direction; and
(d) inform the Commission of the completion of each of the above directions in (b) and (c) within 1 week of implementation.
YEONG ZEE KIN
DEPUTY COMMISSIONER
FOR COMMISSIONER FOR PERSONAL DATA PROTECTION","Financial Penalty, Directions",94bdb127f92702f7e738acf0d5281fd6d086147b,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,226,226,1,952,"Financial penalties of $3,000 and $1,000 were imposed on Fu Kwee Kitchen Catering Services and its data intermediary, Pixart, respectively, for failing to implement proper and adequate protective measures to prevent unauthorised access of its customers’ personal data, whereby users could access other customers’ personal data by altering the URL of its order preview webpage.
Fu Kwee was also issued directions to send employees for training, appoint a Data Protection Officer and conduct a security audit of its website.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Directions"", ""Accommodation and F&B"", ""Information and Communications"", ""FU KWEE"", ""PIXART""]",2016-09-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fu-kwee-and-pixart-(210916).pdf,"Protection, Accountability",Breach of Data Protection and Other Obligations by Fu Kwee Kitchen Catering Services and Pixart,https://www.pdpc.gov.sg/all-commissions-decisions/2016/09/breach-of-data-protection-and-other-obligations-by-fu-kwee-kitchen-catering-services-and-pixart,2016-09-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION
Case Number: DP-1410-A163
(1) FU KWEE KITCHEN CATERING SERVICES (UEN No. 52824092K)
(2) PIXART PTE. LTD. (UEN No. 201011239D)
…Respondents
Decision Citation: [2016] SGPDPC 14
GROUNDS OF DECISION
21 September 2016
Background
1. On 30 September 2014, the Personal Data Protection Commission (“Commission”) received a complaint against Fu Kwee Kitchen Catering Services (“Fu Kwee”) regarding an alleged data breach by Fu Kwee involving unauthorised access of Fu Kwee’s customers’ personal data.
2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Fu Kwee and/or Pixart Pte. Ltd. (“Pixart”) (the Respondents in this investigation) of their respective obligations under the PDPA.
Material Facts and Documents
Fu Kwee’s relationship with Pixart
3. Fu Kwee provides food and beverage catering services in Singapore. It owned and managed the following website at the material time of the complaint: http://www.fukweecatering.sg, where different customer orders could be viewed at URLs of the form http://www.fukweecatering.sg/fixmenu1preview.aspx?pid=[number].
4.
Pixart is an IT vendor engaged by Fu Kwee in 2010 to (a) develop an online ordering system for Fu Kwee and Fu Kwee’s corporate website, and (b) host, support and maintain the website. The PDPA came fully into force on 2 July 2014, and as the contract between Fu Kwee and Pixart was only terminated sometime around April or May 2015, Pixart remained responsible for hosting, supporting and maintaining the website at the time of the alleged data breach incident in September 2014.
Data breach incident
5. The Complainant stated that she was a customer of Fu Kwee, and alleged that she could retrieve another customer’s order details and personal data (specifically the customer’s name, postal address and personal contact number) by changing the numerals at the end of the URL of Fu Kwee’s order preview webpage at http://www.fukweecatering.sg/fixmenu1preview.aspx?pid=102 from “102” to “97”1 (i.e. http://www.fukweecatering.sg/fixmenu1preview.aspx?pid=97).
6. At the material time, on 17 September 2014, while Fu Kwee had a default anti-virus programme for its server, it did not implement any measures to protect its customers’ personal data from unauthorised access through the type of vulnerability discovered by the Complainant (i.e. that the personal data of other customers could be viewed by altering the numerals at the end of the URL for Fu Kwee’s order preview webpage).
7. Fu Kwee appeared to be unaware of this vulnerability until the Commission issued its first Notice to Require Production of Documents and Information on 12 December 2014 (“First NTP”). Fu Kwee then instructed Pixart to address the vulnerability on 30 December 2014. No notifications were sent by either Fu Kwee or Pixart to the customers affected by the data breach.
8. Pixart confirmed, from its checks on the system, that the URL of each order preview webpage that was generated after a customer’s order did not expire.
Pixart also confirmed that the URL of the order preview webpage would include the customer’s order ID number, which was as short as three digits and generated sequentially via Fu Kwee’s website. This enabled anyone who had a pre-existing URL to access other customers’ orders and their personal data simply by altering the numerals at the end of the URL of Fu Kwee’s order preview webpage.
9. Pixart implemented a “one-time URL” solution on 30 December 2014. This technical solution incorporates a 20-minute exposure security feature that permits a customer to view his or her own order only once before the URL automatically expires after 20 minutes. The URL would also similarly expire if the webpage was closed or refreshed by the customer.
10. Investigations revealed that the scope of the contract between Fu Kwee and Pixart did not include the implementation of security measures on Fu Kwee’s website to protect customers’ personal data. Pixart had also not conducted any penetration tests on Fu Kwee’s website. Such penetration tests could have enabled Fu Kwee to discover the design flaw of its order preview webpages.
11. Additionally, in the course of the investigations, Fu Kwee was found not to have implemented any password policy to restrict or control staff access to its database of customers’ personal data. Fu Kwee also neither implemented personal data protection policies for the collection, use or disclosure of personal data nor appointed a data protection officer (“DPO”) to safeguard its customers’ personal data.
12. Having carefully considered the relevant facts and circumstances, including the statements and representations made by Fu Kwee and Pixart, the Commission sets out its findings and assessment herein.
THE COMMISSION’S FINDINGS AND ASSESSMENT
Issues for determination
13.
The issues to be determined in the present case are as follows:
(a) Whether Fu Kwee had breached the obligation under section 24 of the PDPA (the “Protection Obligation”);
(b) Whether Fu Kwee had breached the obligation under sections 11 and 12 of the PDPA (the “Openness Obligation”), specifically, sections 11(3) and 12(a), for failure to appoint a DPO and put in place privacy policies and practices, in contravention of those sections of the PDPA;
(c) Whether Pixart is a data intermediary of Fu Kwee; and
(d) Whether Pixart had breached the Protection Obligation.
Issue A: Whether Fu Kwee had breached the Protection Obligation
14. Section 24 of the PDPA states: “Protection of Personal Data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
15. Pursuant to section 24 of the PDPA, Fu Kwee, being an organisation which had its customers’ personal data under its possession and/or control, is required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The Protection Obligation applies equally to all personal data in the possession or under the control of the organisation, including personal data that the organisation may have collected before 2 July 2014, when the data protection provisions under Parts III to VI of the PDPA came into effect.
16. Following a careful assessment of the relevant facts and circumstances, the Commission is of the view that Fu Kwee had not reasonably discharged its obligation under section 24 of the PDPA until the fixes introduced on 30 December 2014.
In particular, the Commission has identified the following vulnerabilities in Fu Kwee’s security arrangements, which illustrate how Fu Kwee failed to make reasonable security arrangements to protect customers’ personal data:
(a) Fu Kwee’s website did not require password access, which could have reasonably restricted unauthorised access to customers’ personal data using the website.
(b) The order preview URLs that were generated by Fu Kwee’s website whenever a customer placed an order not only did not expire, but were also predictable. This enabled any customer to simply alter the last few digits of an order preview URL in order to access the order details and personal data of other customers.
(c) Fu Kwee acknowledged that it had not instructed Pixart to put in place security measures to protect its customers’ personal data even after 2 July 2014, when the data protection obligations in the PDPA came into force.
(d) The investigations also found that there were no access controls to Fu Kwee’s database of customers’ personal data. Accordingly, though Fu Kwee had sought to protect its server containing the database using a default Windows firewall, the database remained vulnerable to unauthorised access.
17. The vulnerabilities set out above demonstrate that Fu Kwee could have done more to protect its customers’ personal data that was in its possession or under its control. When viewed in totality, the Commission is of the view that Fu Kwee had failed to make reasonable security arrangements to protect its customers’ personal data because these vulnerabilities were preventable.
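Vulnerability (b) above, together with the one-time URL remedy described at paragraph 9, as an added example that is neither Fu Kwee’s nor Pixart’s code: a Python stand-in for the order preview handler that shows the original sequential-pid lookup beside a hardened lookup keyed by a random, single-use token that expires after 20 minutes. The class, method and field names, the starting order number and the sample orders are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lifetime of a preview link in the hardened handler: the 20-minute window
# described at paragraph 9 of the decision.
PREVIEW_TTL_SECONDS = 20 * 60


@dataclass
class Order:
    pid: int
    customer_name: str
    postal_address: str
    contact_number: str


@dataclass
class PreviewToken:
    pid: int
    issued_at: float
    used: bool = False


class OrderPreviewService:
    # Constructed stand-in for the order preview page. Order IDs are short,
    # sequential integers as on the original site; the starting value is an assumption.
    def __init__(self, first_pid: int = 97) -> None:
        self._orders: Dict[int, Order] = {}
        self._next_pid = first_pid
        self._tokens: Dict[str, PreviewToken] = {}

    def place_order(self, name: str, address: str, phone: str) -> Order:
        order = Order(self._next_pid, name, address, phone)
        self._orders[order.pid] = order
        self._next_pid += 1
        return order

    # --- vulnerable handler: fixmenu1preview.aspx?pid=<n> ---------------------
    def preview_by_pid(self, pid: int) -> Optional[Order]:
        # The pid in the URL is the only input. Nothing ties it to the requesting
        # customer and nothing expires it, so changing 102 to 97 returns another
        # customer's order: the insecure direct object reference the complainant found.
        return self._orders.get(pid)

    # --- hardened handler: one-time, expiring preview URL ---------------------
    def issue_preview_token(self, pid: int, now: float) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a 3-digit counter.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = PreviewToken(pid=pid, issued_at=now)
        return token

    def preview_by_token(self, token: str, now: float) -> Optional[Order]:
        entry = self._tokens.get(token)
        if entry is None:
            return None
        expired = now - entry.issued_at > PREVIEW_TTL_SECONDS
        if entry.used or expired:
            # Reuse or expiry invalidates the link; drop it so it cannot be retried.
            del self._tokens[token]
            return None
        entry.used = True          # single view, as with the page-close/refresh expiry
        return self._orders.get(entry.pid)


def enumerate_by_pid(service: OrderPreviewService, start: int, stop: int) -> List[str]:
    # What an attacker gets by walking the pid space against the vulnerable handler.
    found = []
    for pid in range(start, stop):
        order = service.preview_by_pid(pid)
        if order is not None:
            found.append(order.customer_name)
    return found


def enumerate_by_token_guess(service: OrderPreviewService, start: int, stop: int, now: float) -> List[str]:
    # The same walk against the hardened handler: numeric guesses are not valid tokens.
    found = []
    for pid in range(start, stop):
        order = service.preview_by_token(str(pid), now)
        if order is not None:
            found.append(order.customer_name)
    return found


if __name__ == '__main__':
    svc = OrderPreviewService()
    svc.place_order('Customer A', '1 Sample Road', '91234567')   # constructed data
    svc.place_order('Customer B', '2 Sample Road', '98765432')
    print('vulnerable handler leaks:', enumerate_by_pid(svc, 90, 110))
    print('hardened handler leaks:', enumerate_by_token_guess(svc, 90, 110, now=0.0))
```

The hardened path removes the guessable identifier from the URL and bounds the exposure window, which is what the remedy at paragraph 9 does. It still does not check who is asking; in a production system the preview would additionally be tied to the customer’s authenticated session, so that a link leaked within the 20-minute window cannot be replayed by someone else.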
Although Fu Kwee had outsourced the hosting, support and maintenance of its online ordering system and corporate website to Pixart (which the Commission has determined to be a data intermediary of Fu Kwee for the reasons set out below), Fu Kwee was ultimately responsible for the security of the website and customers’ personal data as if the personal data was processed by Fu Kwee itself (per section 4(3) of the PDPA).
19. In light of the foregoing, the Commission finds that Fu Kwee had breached the Protection Obligation at the material time.
Issue B: Whether Fu Kwee had breached the Openness Obligation
20. Sections 11 and 12 of the PDPA together constitute the Openness Obligation under the PDPA, which provides that an organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA, and shall make information about its policies and procedures publicly available. In particular, section 11(3) of the PDPA provides that an organisation shall designate one or more individuals as a DPO to be responsible for ensuring that the organisation complies with the PDPA. In the same vein, section 12(a) of the PDPA requires organisations to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisations under the PDPA.
21. Fu Kwee confirmed that between 2 July 2014 and 12 December 2014, Fu Kwee neither implemented any personal data protection policies for the collection, use or disclosure of personal data, nor appointed a DPO.
22. In light of the foregoing lapses, the Commission finds that Fu Kwee had breached the Openness Obligation.
Issue C: Whether Pixart is a data intermediary of Fu Kwee
23. Under section 2(1) of the PDPA, a “data intermediary” is an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.
The term “processing” in relation to personal data means the carrying out of any operation or set of operations in relation to the personal data and includes, but is not limited to, any of the following: recording; holding; organisation, adaptation or alteration; retrieval; combination; transmission; erasure or destruction. Section 4(2) of the PDPA imposes on a data intermediary the obligation to protect personal data under section 24 of the PDPA and the obligation to cease to retain personal data under section 25 of the PDPA in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing. Save for the aforementioned obligations, Parts III to VI of the PDPA do not impose any other obligations on the data intermediary, in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced and made in writing. 24. Based on the facts and representations by Fu Kwee and Pixart, the Commission notes that Pixart was contractually engaged by Fu Kwee in 2010 to (a) develop an online ordering system for Fu Kwee and Fu Kwee’s corporate website, and (b) host, support and maintain Fu Kwee’s website. As the contract was only terminated sometime in April/May 2015, Pixart was still responsible for hosting, supporting and maintaining Fu Kwee’s corporate website and ordering system at the material time of the data breach incident in September 2014. 25. The Commission is of the view that Pixart had processed personal data of Fu Kwee’s customers, pursuant to the contract between Fu Kwee and Pixart in relation to the hosting, support and maintenance of the online ordering system and Fu Kwee’s corporate website, and Pixart had done so on behalf of and for the purposes of Fu Kwee. 26. 
In this regard, the Commission finds that Pixart was acting as a data intermediary of Fu Kwee with respect to the relevant websites at the URLs set out above in connection with the data breach incident, as Pixart essentially processed Fu Kwee’s customers’ personal data on behalf of and for the purposes of Fu Kwee in hosting, supporting and maintaining the online ordering system and Fu Kwee’s website. Issue D: Whether Pixart had breached the Protection Obligation 27. Section 24 read with section 4(2) of the PDPA imposes a Protection Obligation on data intermediaries in that a data intermediary is obliged to make “reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”. In view of the Commission’s finding that Pixart was a data intermediary of Fu Kwee at the material time of the data breach incident, Pixart was required to comply with the Protection Obligation under section 24 of the PDPA to protect the personal data it was processing on behalf of and for the purposes of Fu Kwee. 28. In the Commission’s view, as a data intermediary, Pixart had an obligation to protect the personal data of Fu Kwee’s customers using the ordering system on Fu Kwee’s website. Pixart has clearly not discharged the Protection Obligation imposed on it under the PDPA, as it did not have in place reasonable measures to protect the personal data that it was processing for and on behalf of Fu Kwee when it developed, hosted, maintained and provided support in relation to the online ordering system and Fu Kwee’s website. 29. In this connection, the Commission notes that if Pixart had advised Fu Kwee on its obligations to protect personal data, but Fu Kwee had rejected Pixart’s advice, this could have been taken into account by the Commission as a mitigating factor.
However, there is presently no evidence before the Commission suggesting that Pixart had actually advised Fu Kwee on the need to have in place adequate security measures to protect the personal data of Fu Kwee’s customers in Fu Kwee’s database. 30. In light of the above, the Commission finds that there had been a breach of the Protection Obligation under section 24 of the PDPA by Pixart. THE COMMISSION’S DIRECTIONS 31. In assessing the breach and the remedial directions to be imposed, the Commission took into consideration various factors relating to the case, including the mitigating and aggravating factors set out below. Fu Kwee’s breach of the Protection Obligation and the Openness Obligation 32. In relation to Fu Kwee’s breach of the Protection Obligation and Openness Obligation, the Commission took into account the following factors: (a) Although Fu Kwee had ample opportunity to put in place reasonable security measures from 2 January 2013 to 2 July 2014, or even after 2 July 2014, when the data protection provisions of the PDPA came into force, it did not do so; (b) Fu Kwee’s disregard for its obligations under the PDPA is also apparent as it had failed to appoint a DPO or put in place policies and practices to comply with the PDPA as at June 2015 (when it appointed a new vendor), even after being notified about the data breach incident in December 2014 by the Commission; (c) Fu Kwee was not forthcoming in providing information during the investigation, and only provided bare facts in its responses during the investigations; and (d) Notwithstanding that the Commission did not receive any other complaints regarding the relevant websites at the URLs described above, the lapses by Fu Kwee meant that anyone who had the exact URL or who had correctly guessed the parameters could potentially access all the personal data of Fu Kwee’s customers who had placed orders online at Fu Kwee’s website. Pixart’s breach of the Protection Obligation 33.
In relation to Pixart’s breach of the Protection Obligation, the following factors were taken into consideration: (a) Pixart was not forthcoming in providing information during the investigation, and did not respond to the Second Notice to Require Production of Documents and Information dated 10 March 2015, which was addressed to Pixart; and (b) Pixart took active steps to fix the vulnerability in about two weeks after the Commission informed Fu Kwee about the data breach. Based on the Commission’s assessment, the remedial actions taken were acceptable. 34. Having completed its investigation and assessment of this matter, the Commission is satisfied that Fu Kwee had been in breach of the Protection Obligation under Section 24 of the PDPA, and the Openness Obligation under sections 11(3) and 12(a) of the PDPA for the reasons cited above. Pursuant to section 29 of the PDPA, the Commission hereby directs Fu Kwee to do as follows: (a) Pay a financial penalty of $3,000 within 30 days from the date of the Commission’s direction; (b) For all employees of Fu Kwee handling personal data to attend a training course on the obligations under the PDPA and the organisation’s data protection policies and practices within 6 months from the date of the Commission’s direction; (c) Conduct a security audit of the website at http://fukweecatering.com.sg/ to be performed by duly qualified competent contractors or staff.
Fu Kwee is to furnish to the Commission, within 30 days from the date of the Commission’s direction, a schedule stating the scope of the risks to be assessed and the time within which a full report of the audit can be provided to the Commission, and to confirm in the said report that Fu Kwee no longer stores any personal data of its customers on its website; and (d) To take steps to appoint a DPO and to develop and implement policies and practices that are necessary for Fu Kwee to comply fully with its obligations under the PDPA, and to provide the Commission with a compliance status update within 30 days from the date of the Commission’s direction. 35. The Commission is also satisfied that Pixart has not complied with the Protection Obligation under section 24 of the PDPA for the reasons cited above. Pursuant to Section 29(2) of the PDPA, the Commission hereby directs that a financial penalty of S$1,000 be meted out against Pixart. 36. The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA and with the Commission’s directions. The Commission will not hesitate to take the appropriate enforcement action against the organisation(s) accordingly. LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION 1 The URL had been taken down shortly after the data breach incident. ","Financial Penalty, Directions",db94a5779e9ecd6a07c41892161ed40d87b027f0,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,237,237,1,952,"Financial penalties of $50,000 and $10,000 were imposed on K Box Entertainment Group (K Box) and its data intermediary, Finantech Holdings, for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of 317,000 K Box members.
K Box was also issued directions and penalised for the absence of a Data Protection Officer.","[""Protection"", ""Accountability"", ""Financial Penalty"", ""Financial Penalty"", ""Arts, Entertainment and Recreation"", ""Information and Communications"", ""KBOX"", ""FINANTECH""]",2016-04-21,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---k-box-entertainment-(210416).pdf,"Protection, Accountability",Breach of Protection and Openness Obligations by K Box Entertainment Group and Finantech Holdings,https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-and-openness-obligations-by-k-box-entertainment-group-and-finantech-holdings,2016-04-21,"DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A100 (1) K BOX ENTERTAINMENT GROUP PTE. LTD. (2) FINANTECH HOLDINGS PTE. LTD. …Respondents Decision Citation: [2016] SGPDPC 1 GROUNDS OF DECISION 20 April 2016 Background 1. K Box Entertainment Group Pte. Ltd. (“K Box”) operates a chain of karaoke outlets in Singapore. Finantech Holdings Pte. Ltd. (“Finantech”) is a third party IT vendor, which is owned and managed by its sole director, [Redacted] (Replaced with Mr G). 2. On 16 September 2014, the website “The Real Singapore” (“TRS”) published a post which indicated that a list containing personal data of about “317,000” K Box members (the “List”) had been disclosed online at http://pastebin.com/bnVhn3mp (“pastebin.com”). 3. The List contained personal data which all customers who sign up for a K Box membership, both before and after 2 July 2014, are required to provide, namely: (a) Name (as per NRIC); (b) NRIC / Passport / FIN number; (c) Mailing Address (Singapore only); (d) Contact number; (e) Email address; (f) Gender; (g) Nationality; (h) Profession; and (i) Date of birth.
4. After receiving complaints from members of the public regarding the data breach, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by K Box and/or Finantech of their respective obligations under the PDPA. Material Facts and Documents K Box’s relationship with Finantech 5. As at 16 September 2014, K Box had engaged Finantech through the “website revamp contract dated 2012” and the “webhosting and server management contract dated 2009” to develop K Box’s Content Management System (“CMS”) system from the ground up and to revamp, manage and host its website. What the parties referred to as “contracts” were actually quotations sent by Finantech to K Box for their confirmation and acceptance. K Box’s CMS stored and processed the personal data of its members. The CMS system also utilised FCKEditor – a software library component which allowed the user to input formatted text. 6. Mr G of Finantech was the only one who had direct and full access to all the K Box members’ personal data as the sole administrator of K Box’s CMS system. In the past, a former project manager of Finantech, [Redacted] (Replaced with Mrs G), whose role was to help Mr G in managing K Box’s customer data, also had access through the administrative account in the CMS system, i.e. the ‘admin’ account with the password “admin”.1 Mrs G left Finantech on or around 2013. Apart from that, no one else, not even K Box’s IT manager [Redacted] (Replaced with Mr C) or K Box’s Chief Operation Officer, [Redacted] (Replaced with Ms N), had direct access to the database. 7. K Box employees with the title “Captain” and above2 (of which there were about 75 people with such a title) had restricted access to a function that allowed viewing of members’ personal data such as name, package, booking date and time, contact number, members’ number and visit date and time to check and confirm members’ booking.
However, they could only view the details of each member one at a time, and not extract the entire members’ list. As such, whenever K Box required members’ personal data with selected criteria for marketing and promotional purposes, they would have to inform Mr G of the data required and he would perform the relevant queries on the database, export the information to an MS Excel document and email the document (unencrypted) via Gmail to K Box’s IT manager, Mr C, who would in turn email the document to K Box’s marketing department via Gmail. During investigations, it was discovered that Finantech had once sent K Box over 90,000 members’ personal data via unencrypted email via Gmail. By its own admission, K Box had never instructed Finantech to password-protect or encrypt emails containing a large volume of personal data prior to 16 September 2014. K Box’s Protection Measures 8. According to K Box, measures that were reasonable and appropriate taking into account “the nature of the K Box’s business (i.e. value for money, family-orientated, karaoke entertainment for everyone) and the fact that the data are non-financial in nature” were adopted with regard to the security of its members’ data. 9. K Box represented that secure server practices such as access controls and data protection policies that were established and observed in the organisation whether before 2 July 2014 or between 2 July 2014 and 16 September 2014 had been put in place since the implementation of its current website to protect individuals’ personal data. In addition, K Box represented that before 16 September 2014, employees were required to set alphanumeric passwords consisting of eight alphabets/numbers, one capital and one special case in accordance with K Box’s password policy.
However, Mr C admitted that K Box did not “conduct audit on whether the staff really use eight numbers/letters alphanumeric, one capital and one special case password (sic.)” and Mr G had noted a receptionist using a one-letter password in the past. A software system “to force employees to adopt passwords that adhered to the KBox’s password policy (sic.)” was only implemented in November 2014. 10. Although K Box had outsourced its website maintenance, which includes maintenance of its backend CMS, and web hosting of its website to Finantech (“Services”), K Box represented that Finantech agreed and undertook that it would keep K Box’s data confidential as it was a term in their agreements. K Box had also held regular meetings with Mr G/Finantech on all aspects of the Services including any IT security concerns and Finantech would not conduct any major works or modification to the Services without first consulting K Box. K Box had “no reason to doubt” the competence or integrity of Finantech or that Finantech would not comply with the security measures and undertaking. However, by Finantech’s own admission, Finantech did not do any system monitoring in terms of IT security, security testing or regular IT security audits at the time of the breach and prior to 17 September 2014. 11. K Box had also represented that it did not have a Data Protection Officer (“DPO”) from 2 July 2014 to 20 April 2015 and conceded that its privacy policy prior to 16 September 2014 was not comprehensive. While each employee’s employment contract contains a term to keep all information relating to the operations of K Box confidential, there was no policy and physical or online security system in place to monitor whether a staff removed personal data from its premises. 12.
In this connection, the “contracts” between K Box and Finantech did not include any contractual clauses that required Finantech to comply with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards. According to Finantech’s representations, K Box had also never emphasised the need for data protection and their obligation towards K Box under the PDPA or informed Finantech of its data protection obligation after September 2014. Mr G had also represented that while he was aware of the existence of the PDPA, he was not aware of the specifics of it. The List 13. On 16 September 2014, the same day that TRS published the post mentioned at paragraph 2 above, K Box’s management realised, via the “Social Media, employees and The Real Singapore website”, that K Box members’ personal data had been uploaded on pastebin.com. Mr C had also received a call on his mobile phone from an unknown person to inform him that TRS had “posted information of K Box members” and to ask him to verify whether the information belonged to its members. Mr G investigated the breach by matching the disclosed personal data in the List with the information of K Box’s members from its database and confirmed that the List matched the one in K Box’s database. Thereafter, K Box notified its members of the data breach by way of a letter dated 16 September 2014 that was published online on the K Box homepage. 14. The next day, 17 September 2014, Mr C “deleted all the accounts of the staff who left (sic.)” and the unauthorised ‘admin’ account with the weak password “admin” was “deactivated”, “disabled” and the “password to the account was changed”. The CMS user activity log showed that Mr C had removed 36 accounts on 17 September 2014. No Conclusive Evidence that Data Breach Occurred Before 2 July 2014 15. Although the List was uploaded on pastebin.com on 16 September 2014, the List only contained members’ data up to 23 April 2014. 
There is no evidence available to conclusively ascertain when the List was obtained. 16. Based on Finantech’s initial investigation on the day the List was published, Finantech deduced that the List containing the personal data of K Box members could have been obtained by the cyber-attacker on or around 23 April 2014 for the following reasons: (a) The List stopped at the member record that was created on 23 April 2014 at 5.43am; (b) The CMS’s “user activity 2014.csv” (“User Activity Log File”) recorded that someone had logged in using the ‘admin’ account on 23 April 2014 at 9.59am; (c) A new member record was created on 23 April 2014 at 12.17pm but this was not included in the List; and (d) Subsequent member records created after 23 April 2014 were also not included in the List. 17. The User Activity Log File recorded that the user of the ‘admin’ account had logged in on 23 April 2014. The ‘admin’ user account was the account used by Finantech’s former employee, Mrs G. However, given that Mrs G had already left Finantech on or around 2013 and there was no evidence to suggest that she had been remotely accessing the ‘admin’ account, any use of this account after Mrs G had left Finantech would likely have been unauthorised and could be taken to be done by the cyber-attacker. 18. While it is possible that the data breach occurred on or around 23 April 2014, as there was evidence of unauthorised access to K Box’s CMS system in April 2014 or even earlier in 2013, the Commission is of the view that further data breaches could also have occurred in the following months until the new CMS was put in place in November 2014 for the following reasons: (a) The message “Remote session from client name a exceeded the maximum allowed failed logon attempts (sic.). The session was forcibly terminated”, indicating that more than 240 attempts were made in a single day, appeared frequently in the operating system log (“System Log”).
The frequency of these messages may indicate unsuccessful attempts to hack into the operating system. The messages started appearing as early as October 2012 and continued until the latest parts of the log file in September 2014; and (b) Finantech itself noted that the System Log showed that the “[unauthorised user of the ‘admin’ account] was used to login a number of times after the breach. However, there was no indication that he had modified any user data.” The Commission has reviewed the System Log and the unauthorised user of the ‘admin’ account had performed about 83 logins in the period from 25 February 2014 to 16 September 2014, and about 15 logins in the entire calendar year 2013. Probable Cause of Breach 19. While the List only contains members’ data up to 23 April 2014, given the number of times the unauthorised user of the ‘admin’ account had logged in to K Box’s CMS system, it is possible that the cyber-attacker had accessed K Box’s CMS system after 2 July 2014 when the data protection provisions in the PDPA came into effect, but chose to publish the List reflecting the members’ list as at 23 April 2014. 20. Finantech had hypothesised that someone hacked into K Box’s CMS using the ‘admin’ user account with ‘admin’ password and planted a malware control and command centre to retrieve and export the members’ data. K Box similarly represented that Mr G had informed Mr C that the breach occurred because “he suspected someone used admin user account with the password also admin to login (sic.)” and “[Redacted] (Mr G) told me there was a Trojan in the hosting server and he suspected that was how the leak occurred (sic.)”. 21. While the System Log showed unauthorised usage of the ‘admin’ user account in 2014 and files detected as malware were found in the CMS folder, the Commission has not been able to conclusively verify Finantech’s hypothesis even after analysing the User Activity Log File and System Log.
Nonetheless, the Commission considers that the ‘admin’ user account, which had a weak password “admin”, was one of the possible ways that the data breach could have occurred. 22. Having reviewed the relevant facts and circumstances, including the statements and representations made by K Box and Finantech, the Commission has completed its investigation into the matter, and sets out its findings and assessment herein. THE COMMISSION’S FINDINGS AND ASSESSMENT Issues for Determination 23. The issues to be determined in the present case are as follows: (A) Whether K Box had breached its obligation under section 24 of the PDPA (the “Protection Obligation”); (B) Whether K Box had breached its obligation under sections 11 and 12 of the PDPA (the “Openness Obligation”), specifically, sections 11(3) and 12(a), for failure to appoint a DPO and put in place privacy policies and practices in contravention of those sections of the PDPA; (C) Whether Finantech is a data intermediary of K Box; and (D) Whether Finantech had breached the Protection Obligation. Issue A: Whether K Box had breached the Protection Obligation 24. Section 24 of the PDPA states: “Protection of personal data 24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.” 25. Pursuant to section 24 of the PDPA, K Box, being an organisation which had its members’ personal data under its possession and/or control, is required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risk.
The Protection Obligation applies equally to all personal data in the possession or under the control of the organisation, including personal data that the organisation may have collected before 2 July 2014, when the data protection provisions under Parts III to VI of the PDPA came into effect. 26. Following a careful assessment of the relevant facts and circumstances, the Commission is of the view that K Box had not discharged the Protection Obligation under section 24 of the PDPA. There are sufficient grounds (whether each on its own or altogether) to show that K Box failed to make reasonable security arrangements to protect the personal data in its possession or under its control from 2 July 2014 to November 2014. In particular, the Commission has identified the following vulnerabilities in K Box’s security arrangements which show how K Box failed to make reasonable security arrangements to protect the members’ personal data: (a) K Box could have, but failed to enforce its password policy, at least between 2 July 2014 and November 2014, thereby permitting the use of weak passwords: (i) As noted at paragraph 9 above, K Box did not “conduct audit on whether the staff really use eight numbers/letters alphanumeric, one capital and one special case password (sic.)”; and (ii) Even though it is a common industry practice to implement an organisation’s password policy in its system, K Box had not done so earlier and the feature where the system would enforce the password policy by rejecting passwords that did not meet the password policy was only built into the CMS system in November 2014. (b) K Box had weak control over unused accounts, specifically, unused accounts were not removed: (i) As stated at paragraph 14 above, as many as 36 accounts were removed from the CMS system on 17 September 2014, which suggests that K Box may not have had the practice of deleting the accounts of staff that had left the company until it conducted the review on 17 September 2014.
This is despite the fact that K Box was able to remove the unused accounts within a day after the List had been disclosed online which shows that K Box could have easily removed the unused CMS accounts earlier but it had failed to do so; (ii) As a result of K Box and/or Finantech’s failure to promptly remove unused accounts from the CMS system, the unused administrative CMS account with the user name ‘admin’ and a weak password of ‘admin’ remained in the CMS for about one year after Mrs G had left Finantech. This had put the personal data of K Box’s members at risk because as noted at paragraph 20 above, Finantech itself had hypothesised that someone could have hacked into K Box’s CMS using this ‘admin’ user account and planted a malware control and command centre to retrieve and export the members’ data; and (iii) Further, as noted at paragraph 18 above, there was evidence of multiple unauthorised accesses to the CMS system through this ‘admin’ user account in 2013 and between 25 February 2014 and 16 September 2014. As such, it is possible that K Box members’ personal data could have been further compromised through this ‘admin’ user account between 2 July 2014 and 16 September 2014 as a result of the failure to remove the unused administrative account. (c) K Box failed to utilise newer versions of the software library and/or to conduct audits of the security of its database and system: (i) K Box’s CMS system utilised an older version of the FCKEditor which according to security vulnerability website CVE, had at least 9 known vulnerabilities which would have allowed cyber-attackers to install remote shells and execute malicious codes and to execute such codes to extract the full member list from the database.
Even though this vulnerability could have been prevented by utilising newer versions of the software library or by patching, Finantech, whose role was to manage the CMS system, had failed to do either; and (ii) K Box had also failed to conduct audits to supervise the security of its database and system. As noted at paragraph 10 above, Finantech admitted that it did not carry out any system monitoring in terms of IT security, security testing or regular IT security audits at the time of the breach and prior to 17 September 2014. 27. K Box’s weak enforcement of their password policy and weak control of unused accounts and passwords alone could have enabled an attacker to gain access to substantial personal data simply through the CMS system. Furthermore, K Box’s use of vulnerable software could have allowed the attacker to gain access to the system beyond the CMS limitations and to perform direct access to all data from K Box’s database and potentially misuse the personal data. 28. The vulnerabilities set out above demonstrate that K Box could have done more to protect the members’ personal data that was in its possession or under its control. When viewed in totality, the Commission is of the view that K Box had failed to make reasonable security arrangements to protect the members’ personal data because these vulnerabilities were preventable and were likely the main reasons for the data breach and subsequent disclosure of the List on 16 September 2014. In this regard, while K Box had outsourced the developing, hosting and managing of its CMS system to Finantech, it was still the data controller and was ultimately responsible for the security of the CMS system. 29. Apart from the system-related shortcomings highlighted above, investigations disclosed that there were also poor practices.
(a) Emails containing large volumes of personal data were sent via Gmail without any password-protection or encryption: (i) Even though the unauthorised access to the personal data of about “317,000” K Box members was not caused by a breach that was the result of the use of unencrypted emails, as noted at paragraph 7 above, Finantech had previously sent K Box over 90,000 members’ personal data via unencrypted email via Gmail. The practice of sending large volumes of members’ personal data via unencrypted email is a vulnerability and an example of how K Box had not sufficiently protected the members’ personal data. The better practice would have been for Finantech to encrypt or to ensure that the MS Excel document containing the list of members’ personal data was password protected before sending it to K Box.3 (b) K Box failed to effectively manage its vendor (Finantech) to ensure that they undertook adequate measures to protect members’ personal data: (i) For the reasons stated at paragraphs 33 and 34 below, the Commission finds that Finantech is a data intermediary of K Box and pursuant to section 4(3) of the PDPA, K Box has the same obligations in respect of the personal data processed on its behalf and for its purpose by Finantech as if the personal data were processed by K Box itself. As highlighted in the Commission’s Advisory Guidelines on Key Concepts in the PDPA issued on 23 September 2013 (at paragraph 6.21): “… it is very important that an organisation is clear as to its rights and obligations when dealing with another organisation and, where appropriate, include provisions in their written contracts to clearly set out each organisation’s responsibilities and liabilities in relation to the personal data in question including whether one organisation is to process personal data on behalf of and for the purposes of the other organisation.” [Emphasis added.]; and (ii)
However, as noted at paragraph 12 above, K Box failed to ensure that its data intermediary, Finantech, complied with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards through its agreements and in its interactions with Finantech. 30. On the facts of the case and the assessment conducted, the Commission finds that both K Box and Finantech did not put in place adequate IT security arrangements between 2 July 2014 and November 2014, prior to the implementation of the new CMS system in November 2014. Issue B: Whether K Box had breached the Openness Obligation 31. Sections 11 and 12 of the PDPA together constitute the Openness Obligation under the PDPA, which provides that an organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. In particular, section 11(3) of the PDPA provides that an organisation shall designate one or more individuals, a DPO, to be responsible for ensuring that the organisation complies with the PDPA. In the same vein, section 12(a) of the PDPA requires organisations to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisations under the PDPA. 32. Based on investigations and representations made by K Box, the Commission is not satisfied that K Box has complied with the Openness Obligation under sections 11(3) and 12(a) of the PDPA. To begin with, as noted at paragraph 11 above, K Box conceded in its representations that it did not have a comprehensive privacy policy prior to 16 September 2014. By K Box’s own admission, as there was no policy and physical or online security system in place to monitor whether a staff removed personal data from its premises, a K Box staff could have simply copied the member’s list it received from Finantech and abused that list.
In addition, K Box had also represented that it did not have a DPO. In fact, to date, it is unclear whether K Box has appointed a DPO because Mr C represented that K Box was in the midst of appointing a DPO even as late as 20 April 2015 when he gave his statement to the Commission. In light of the foregoing lapses, the Commission finds that K Box has been in breach of the Openness Obligation. Issue C: Whether Finantech is a data intermediary of K Box 33. Under section 2(1) of the PDPA, a “data intermediary” is an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. The term “processing” in relation to personal data means the carrying out of any operation or set of operations in relation to the personal data and includes, but is not limited to, any of the following: recording; holding; organisation, adaptation or alteration; retrieval; combination; transmission; erasure or destruction.4 Section 4(2) of the PDPA confers on a data intermediary the obligation to protect personal data under section 24 of the PDPA and the obligation to cease to retain personal data under section 25 of the PDPA. Save for the aforementioned obligations, Parts III to VI of the PDPA do not impose any other obligations on the data intermediary. 34. Having considered the facts and the representations made by K Box and Finantech, the Commission is satisfied that Finantech is a data intermediary of K Box. The fact that (i) K Box employees, including K Box’s IT manager and the Chief Operating Officer, only had restricted access to the information of members, and (ii) K Box relied on Mr G to extract and send them members’ personal data with selected criteria from the database clearly shows that in practice, Finantech processed (by having access to, storing and retrieving) all personal data of K Box’s customers pursuant to the arrangement between Finantech and K Box. 35. 
Notwithstanding that the “contracts”, which were in fact quotations sent by Finantech to K Box for their confirmation and acceptance, pre-date the commencement of the data protection provisions of the PDPA and do not identify Finantech as a data intermediary of K Box, in light of the above practices which continued after the commencement of the data protection provisions, the Commission finds that Finantech is a data intermediary of K Box for the purposes of the PDPA. Issue D: Whether Finantech had breached the Protection Obligation 36. Section 24 read with section 4(2) of the PDPA confers an obligation on the data intermediary to “[make] reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”. In view of the Commission’s finding that Finantech is a data intermediary of K Box, Finantech is required to comply with the obligation under section 24 of the PDPA to protect the personal data that it was processing on behalf of K Box. 37. In this regard, on the facts and circumstances, the Commission is of the view that Finantech had failed to put in place the required security measures that K Box needed in order to provide adequate protection for the personal data in K Box’s database and system. In particular, the Commission notes that Finantech had been involved in the setting up and day-to-day processing of K Box’s personal databases from 2007. By dint of its role and function, Finantech is expected to uphold a certain basic professional standard and the vulnerabilities identified at paragraphs 26 to 29 above show that Finantech had not undertaken due diligence in executing its role. Finantech’s failures had led to multiple unauthorised accesses and Finantech had put the personal data of K Box’s members at risk. 38. 
If Finantech had advised K Box on its obligations but K Box had rejected their advice, the Commission could have taken this into account in its assessment of Finantech’s culpability. However, investigations did not disclose any evidence to suggest that Finantech had actually advised K Box of the need to have in place adequate security measures to protect the personal data in K Box’s database. In fact, as stated at paragraph 12 above, Mr G admitted that he was only aware of the existence of the PDPA but not the specifics. 39. In view of all the relevant facts and circumstances, the Commission is not satisfied that Finantech has complied with the Protection Obligation under section 24 of the PDPA. THE COMMISSION’S DIRECTIONS 40. Under section 29(1) of the PDPA, the Commission may, “if it is satisfied that an organisation is not complying with any provision in Parts III to VI of the Act, give the organisation such directions as the Commission thinks fit in the circumstances to ensure compliance with that provision.” Section 29(2) of the PDPA also empowers the Commission to make all or any of the following directions: (a) To stop collecting, using or disclosing personal data in contravention of this Act; (b) To destroy personal data collected in contravention of this Act; (c) To comply with any direction of the Commission under section 28(2) of the Act; and (d) To pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit. Other Factors Considered 41. In assessing the breach and the remedial directions to be imposed, the Commission took into consideration various factors relating to the case, including the mitigating and aggravating factors set out below. K Box’s Breach of the Protection Obligation and the Openness Obligation 42. 
In relation to K Box’s breach of the Protection Obligation and the Openness Obligation, the Commission took into account the following factors: (a) The remedial actions undertaken by K Box were fair and prompt when they discovered the data breach in September 2014; (b) Most of the remedial actions were taken either in September or November 2014; (c) The Commission found no evidence to suggest that the data breach was due to actions taken by K Box staff, through the CMS system; (d) A fairly large amount of personal data (approximately “317,000” K Box members or more) had been disclosed as a result of the lack of security. The personal data comprising their full names, contact numbers, email addresses, residential addresses, contact numbers, gender, profession, date of birth, and member number were sensitive data because it could have led to identity theft; (e) K Box (as the primary data owner) had disregarded its obligations under the PDPA. K Box had ample opportunities to put in place reasonable security measures from 2 January 2013 to 2 July 2014 but it did not do so. K Box had also failed to appoint a DPO or put in place privacy policies or practices as late as April 2015. K Box had also failed to put in place data protection terms and conditions in its contract with Finantech, and instructed it (as the main data processor of K Box members’ personal data) to protect personal data; and (f) K Box was not forthcoming in providing information during the investigation. They had only provided bare facts in their responses during the investigations, which did not facilitate the Commission’s investigations. Finantech’s breach of the Protection Obligation 43. 
In relation to Finantech’s breach of the Protection Obligation, the following factors were taken into consideration: (a) The remedial actions undertaken by Finantech were fair and prompt when they discovered the data breach in September 2014; (b) Most of the remedial actions were taken either in September or November 2014; (c) A fairly large amount of personal data (approximately “317,000” K Box members or more) had been put at risk as a result of the lack of security. The personal data comprising their full names, contact numbers, email addresses, residential addresses, contact numbers, gender, profession, date of birth, and member number were sensitive data because it could have led to identity theft; (d) Finantech as the data intermediary had disregarded its obligations under the PDPA. Finantech had ample opportunities to put in place reasonable security measures from 2 January 2013 to 2 July 2014 but it did not. There was no evidence to show that Finantech had advised K Box on the reasonable security measures that the owner of an online system ought to implement in order to protect personal data held by the system; and (e) Finantech appeared not to be forthcoming in providing information during the investigation. Although the Notices to Require Production of Documents and Information under the Ninth Schedule of the PDPA (“NTPs”) were sent to Finantech as early as October 2014, Finantech’s responses to these NTPs were only provided in April 2015 – almost seven months after the NTPs were first issued. This delayed the investigation process. 44. Having completed its investigation and assessment of this matter, the Commission is satisfied that K Box has been in breach of the Protection Obligation under section 24 of the PDPA and the Openness Obligation under sections 11(3) and 12(a) of the PDPA for the reasons cited in paragraphs 26 to 28 and paragraph 31 above. 45. 
Pursuant to section 29(2) of the PDPA, the Commission hereby directs K Box to do as follows: (a) Pay a financial penalty of $50,000 within 30 days from the date of the Commission’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall be payable on the outstanding amount of such financial penalty; and (b) Appoint a DPO within 30 days from the date of the Commission’s direction (if it has not already done so). 46. The Commission is also satisfied that Finantech has not complied with the Protection Obligation under section 24 of the Act for the reasons cited in paragraphs 33, 34, 36 and 37 above. Pursuant to section 29(2) of the PDPA, the Commission hereby directs Finantech to do as follows: (a) Pay a financial penalty of $10,000 within 30 days from the date of the Commission’s direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall be payable on the outstanding amount of such financial penalty. The Commission emphasises that it takes a very serious view of any instance of non-compliance under the PDPA and with the Commission’s directions. LEONG KENG THAI CHAIRMAN PERSONAL DATA PROTECTION COMMISSION 1 Mr G was the only employee at the material time of Finantech. Mrs G was the only person assisting Mr G in the past. 2 Captain is the supervisor of the service crews and his or her role is to access the customers’ information to check their booking. 3 See paragraph 14.3 of the PDPC’s Guide to Securing Personal Data in Electronic Medium issued on 8 May 2015. 4 See section 2(1) of the PDPA. ","Financial Penalty, Financial Penalty",0f17cc82606ea4b02faecc4e12ee601c188e3db7,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"