pdpc_decisions_version_detail (view)
9 rows where "date" is on date 2016-04-21
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 232 | 232 | 1 | 952 | Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies. | [
"Consent",
"Purpose Limitation",
"Notification",
"Directions",
"Others"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Other Obligations by Universal Travel Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… | Directions | 5a0ff182bd0082f840e509fc39079487ae98fb3a | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 233 | 233 | 1 | 952 | A warning was issued to YesTuition Agency for disclosing tutors’ personal data on its website without consent. | [
"Consent",
"Warning",
"Education",
"YESTUITION",
"Tuition"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---yestuition-agency-(210416).pdf | Consent | Breach of Consent Obligation by YesTuition Agency | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-obligation-by-yestuition-agency | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1407-A028 YESTUITION AGENCY (UEN No. 53084839B) …Respondent Decision Citation: [2016] SGPDPC 5 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 16 July 2014, the Personal Data Protection Commission (“Commission”) received information that YESTUITION AGENCY (UEN 53084839B) (the “Respondent”) had disclosed on its website the NRIC numbers and images of certain individuals who had registered to be tutors with the Respondent and it was alleged that they had done so without the consent of the individuals concerned. 2. In light of the information received, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (No. 26 of 2012) (the “PDPA”) to ascertain whether there had been a breach by the Respondent of its obligations under the PDPA. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 3. The Respondent is a locally registered business providing home tuition matching services to individuals seeking tutors for primary to A-levels education. The Respondent renders its matching services via a website, which it operates at www.yestuition.sg (the “Site”). 4. The Site consists of various webpages that are accessible to the public and a tutors’ log-in portal which is accessible only by individuals who had registered with the Respondent to be a tutor. Disclosure of NRIC numbers and images by the Respondent 5. From the Commission’s examination of the Site, it was found that the Respondent had published images of its tutors on its Site. The tutors’ images were stored in a JPEG file format and named using the tutors’ respective NRIC particulars, for example, as 1234567A.jpg. As such, the Respondent had also disclosed the tutors’ respective NRIC numbers with the images. CONFIDENTIAL Page 1 of 5 6. The NRIC numbers and images were at the material time made publicly discoverable and accessible via a directory listing on one of the Site’s pages. Investigations by the Commission indica… | Warning | 20a97b6ebe97b71c317c4befaebf71b555f828dd | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 234 | 234 | 1 | 952 | A warning was issued to Challenger Technologies and its data intermediary, Xirlynx Innovations, for failing to make reasonable security arrangements to prevent unauthorised disclosure of Challenger members’ personal data while sending out emails to some 165,000 members. | [
"Protection",
"Warning",
"Wholesale and Retail Trade",
"Others",
"CHALLENGER",
"XIRLYNX"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---challenger-technologies-(210416).pdf | Protection | Breach of Protection Obligation by Challenger Technologies and Xirlynx Innovations | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-challenger-technologies-and-xirlynx-innovations | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A103 (1) (2) CHALLENGER TECHNOLOGIES LIMITED (U.E.N. 198400182K) XIRLYNX INNOVATIONS (U.E.N. 52942580K) …Respondents Decision Citation: [2016] SGPDPC 6 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. The Personal Data Protection Commission (the “Commission”) received a complaint from a member of the public on 15 September 2014 concerning an alleged data breach by Challenger Technologies Limited (“Challenger”). In brief, the complainant alleged that Challenger had sent email communications to members of its ValueClub programme, which contained the personal data of another ValueClub member. 2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Challenger of its obligations under the PDPA. 3. In the course of its investigation, the Commission found that the email communications in question (which were sent to Challenger’s ValueClub members) had been sent by Xirlynx Innovations (“Xirlynx”), a business engaged by Challenger to handle all its email communications to members of Challenger’s ValueClub programme. The Commission’s investigation therefore also examined whether there had been a breach by Xirlynx of its obligations under the PDPA. 4. The Commission’s findings are set out below. MATERIAL FACTS AND DOCUMENTS 5. Challenger is a retailer of information technology (“IT”) and other electronic products with several outlets around Singapore. As part of its customer relations efforts, Challenger established a customer membership programme known as ValueClub, which provides members with membership savings and discounts (amongst other benefits), and enables them to earn and accumulate ValueClub programme points which may be redeemed to offset the cost of purchases made at Challenger outlets. 1 6. Xirlynx is a third party IT vendor, which is registered and managed by its sole proprietor, [Redacted] (Replaced with Mr T). 7. Some … | Warning | cfdfd40c619176ddcb5c6ee791b4020b5ac902bc | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 235 | 235 | 1 | 952 | A warning was issued to Full House Communications for failing to make reasonable security arrangements to prevent unauthorised disclosure of personal data on its computers at a furniture fair, which collected the data for a lucky draw. | [
"Protection",
"Warning",
"Admin and Support Services",
"FULL HOUSE"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---full-house-communications-(210416).pdf | Protection | Breach of Protection Obligation by Full House Communications | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-full-house-communications | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1503-A368 FULL HOUSE COMMUNICATIONS PTE LTD [Reg. No. 199405394C] ... Respondent Decision Citation: [2016] SGPDPC 8 GROUNDS OF DECISION 20 April 2016 A. INTRODUCTION 1. The Complainant, [Redacted] (Replaced with Mr L), submitted a complaint to the Personal Data Protection Commission (the “Commission”) on 4 March 2015 in respect of the way that the Respondent had collected and protected1 personal data2 at a lucky draw redemption counter operated by the Respondent. The specific matters that were raised in his complaint were as follows: a. The auto-fill function was enabled for the forms on the Respondent’s laptops that a participant had to fill up to register for the lucky draw. This allowed a user to view from a drop-down box the historical entries containing the personal information of the previous registering participants. b. The Respondent’s laptop screens were in plain view of customers waiting in line behind the Complainant, which allowed them to view the personal information that was being entered into the laptop. c. The page containing the form was accessed through an unsecured Mozilla Firefox browser at the site: http://localhost/coupon/finish.php. d. The Respondent’s staff did not appear to be adequately trained to ensure the protection of personal data collected at the redemption counter. B. MATERIAL FACTS AND DOCUMENTS 2. The lucky draw that the Respondent had organised was for a Furniture Fair that took place from 28 February 2015 to 8 March 2015 at the Singapore Expo Hall 7. On 1 March 2015, the Complainant and his mother had attended the Furniture Fair and had purchased items which entitled the Complainant to CONFIDENTIAL Page 1 of 5 participate in the Respondent’s lucky draw. To participate in the lucky draw, a participant was required to register his or her personal details in the laptops provided by the Respondent at the redemption counter, including the individual’s name, identity card number, occupation, contac… | Warning | c855c0d45a390605ad222378eaba45c50f51a246 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 236 | 236 | 1 | 952 | A financial penalty of $5,000 was imposed and directions issued to Fei Fah Medical Manufacturing for failing to implement proper and adequate protective measures to secure its website and server, resulting in unauthorised disclosure of the personal data of more than 900 customers. | [
"Protection",
"Financial Penalty",
"Directions",
"Healthcare",
"FEI FAH",
"MEDICAL",
"TCM"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fei-fah-medical-manufacturing-(210416).pdf | Protection | Breach of Protection Obligation by Fei Fah Medical Manufacturing | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-fei-fah-medical-manufacturing | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A145 FEI FAH MEDICAL MANUFACTURING PTE. LTD. (UEN No. 199800455H) …Respondent Decision Citation: [2016] SGPDPC 3 GROUNDS OF DECISION 20 April 2016 Background 1. Fei Fah Medical Manufacturing Pte. Ltd. (UEN 199800455H) (“Fei Fah Medical”) is a locally registered company specialising in the development and manufacture of healthcare and beauty products. The Ripple Website 2. Fei Fah Medical operates a website under the name Ripple Tea Company at www.ripple.com.sg (“Site”). 3. The Site consists of both publicly accessible pages, and a members’ portal (which is accessible only by individuals who had signed up with Fei Fah Medical under a membership scheme called Ripple Club, upon logging into the portal with their respective user identifications (“IDs”) and passwords). Data Leak Incident 4. On 29 September 2014, the Personal Data Protection Commission (“Commission”) was informed that information of users of the Site had been posted on http://pastebin.com (“Pastebin”), a website which allows members of the public to post and share text online publicly (the “Data Leak”). 5. The relevant information was ostensibly uploaded onto the Pastebin website by a Pastebin user with the username “KAMI_HAXOR”, in the form of a post in plain text that could be publicly viewed by any visitor to the Pastebin website. 6. The post was undated and captioned “Ripple Tea Company Singapore 900+ Users emails+passes+Names+mobile Numbers With Subscribers Emails Leaked By KaMi HaXor”. CONFIDENTIAL Page 1 of 7 7. 8. The post contained a list of data, which were numbered from 1 to 2,981, ostensibly to indicate that there were 2,981 entries in it. The data in the post appeared to be have been sorted into the following three categories: (a) Email addresses – there were 1114 entries of email addresses. The email addresses were unaccompanied by other data or identifiers. 219 of the entries contained “.sg” domain names; (b) User ID and encrypted passwords to R… | Financial Penalty, Directions | 5fcc9a763e0542a3c0b5b5064e7e18de2255f864 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 237 | 237 | 1 | 952 | Financial penalties of $50,000 and $10,000 were imposed on K Box Entertainment Group (K Box) and its data intermediary, Finantech Holdings, for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of 317,000 K Box members. K Box was also issued directions and penalised for the absence of a Data Protection Officer. | [
"Protection",
"Accountability",
"Financial Penalty",
"Financial Penalty",
"Arts, Entertainment and Recreation",
"Information and Communications",
"KBOX",
"FINANTECH"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---k-box-entertainment-(210416).pdf | Protection, Accountability | Breach of Protection and Openness Obligations by K Box Entertainment Group and Finantech Holdings | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-and-openness-obligations-by-k-box-entertainment-group-and-finantech-holdings | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A100 (1) (2) K BOX ENTERTAINMENT GROUP PTE. LTD. FINANTECH HOLDINGS PTE. LTD. …Respondents Decision Citation: [2016] SGPDPC 1 GROUNDS OF DECISION 20 April 2016 Background 1. K Box Entertainment Group Pte. Ltd. (“K Box”) operates a chain of karaoke outlets in Singapore. Finantech Holdings Pte. Ltd. (“Finantech”) is a third party IT vendor, which is owned and managed by its sole director, [Redacted] (Replaced with Mr G). 2. On 16 September 2014, the website “The Real Singapore” (“TRS”) published a post which indicated that a list containing personal data of about “317,000” K Box members (the “List”) had been disclosed online at http://pastebin.com/bnVhn3mp (“pastebin.com”). 3. The List contained personal data which all customers who sign up for a K Box membership, both before and after 2 July 2014, are required to provide, namely: (a) (b) (c) (d) (e) (f) (g) (h) (i) 4. Name (as per NRIC); NRIC / Passport / FIN number; Mailing Address (Singapore only); Contact number; Email address; Gender; Nationality; Profession; and Date of birth. After receiving complaints from members of the public regarding the data breach, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether 1 there had been a breach by K Box and/or Finantech of their respective obligations under the PDPA. Material Facts and Documents K Box’s relationship with Finantech 5. As at 16 September 2014, K Box had engaged Finantech through the “website revamp contract dated 2012” and the “webhosting and server management contract dated 2009” to develop K Box’s Content Management System (“CMS”) system from the ground up and to revamp, manage and host its website. What the parties referred to as “contracts” were actually quotations sent by Finantech to K Box for their confirmation and acceptance. K Box’s CMS stored and processed the personal data of its members. The CMS system also utilised FCKEditor – a s… | Financial Penalty, Financial Penalty | 0f17cc82606ea4b02faecc4e12ee601c188e3db7 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 238 | 238 | 1 | 952 | A financial penalty of $10,000 was imposed and directions issued to the Institution of Engineers, Singapore for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of more than 4,000 members. | [
"Protection",
"Financial Penalty",
"Directions",
"General (eg. Chamber of Commerce)",
"IES"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---institute-of-engineers-singapore-(210416).pdf | Protection | Breach of Protection Obligation by Institution of Engineers, Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-institution-of-engineers--singapore | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1411-A213 THE INSTITUTION OF ENGINEERS SINGAPORE …Respondent Decision Citation: [2016] SGPDPC 2 GROUNDS OF DECISION 20 April 2016 Background 1. The Institution of Engineers Singapore (UEN S66SS0041B) (“IES”) is a society registered with the Registry of Societies. IES was formally established on July 1966 as the national society of engineers in Singapore. Its functions include the accreditation of engineering academic programmes (through its Engineering Accreditation Board); the maintenance of professional registries; and the promotion of social, business, professional, and career development amongst engineers in Singapore. The IES Website 2. IES operates a website at www.ies.org.sg (“Site”), which consists of both publicly-accessible pages, and a members’ portal, accessible only by members of IES, upon logging into the portal with their respective user identifications (“IDs”) and passwords. The Site also allows members of the public, who are non-IES members, to create an account on the Site in order to login to access and post on the Site’s forums. 3. According to information provided by IES, the functions of the Site include: (a) enabling members to update their membership details such as addresses, emails and contact information; (b) applying for courses and events that are created by IES; (c) applying for email abc@ies.org.sg; (d) payment for membership and courses via PayPal; (e) accessing webmail; (f) allowing members to search for information about other members; addresses with CONFIDENTIAL ies.org.sg domain, e.g., Page 1 of 9 4. (g) publishing information on IES events, courses, seminars, job listings, and information on various registries (e.g., ABC Waters Professional Registry and others); (h) applying for IES membership; and (i) accessing IES forums. Members of IES who log in to the Site using their membership user IDs are able to access certain dedicated membership Site functions, including receipt of a… | Financial Penalty, Directions | 5e4c42b6a1aec075b5207d0eb67aa18523a6767e | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 239 | 239 | 1 | 952 | A warning was issued to Metro for failing to make reasonable security arrangements to prevent unauthorised access to personal data held in Metro’s IT systems. | [
"Protection",
"Warning",
"Wholesale and Retail Trade",
"METRO"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---metro-(210416).pdf | Protection | Breach of Protection Obligation by Metro | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-metro | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1504-A421 METRO PTE LTD [Reg. No. 195700030E] ... Respondent Decision Citation: [2016] SGPDPC 7 GROUNDS OF DECISION 20 April 2016 BACKGROUND 1. On 21 April 2015, the Complainant, [Redacted] (Replaced with Ms C), complained to the Personal Data Protection Commission (the “Commission”) that she had been receiving calls from unknown numbers, and that when she conducted a search on Google, she discovered that her personal data and those of her family members were posted online on http://siph0n.net (“Siph0n website”). The Complainant had attributed the posting on the Siphon website to a data “leak” on the Respondent’s part. A. MATERIAL FACTS AND DOCUMENTS 2. On account of the complaint made, the Commission undertook an investigation, and sought the Respondent’s response on the matter. The material facts of the case are as follows. 3. The Respondent had acknowledged that the personal data that was posted on the Siph0n website came from the database stored on its website, such data comprising personal data of individuals.1 4. The Respondent’s corporate website was developed and supported by Grey Digital Southeast Asia (also known as Yolk Pte Ltd) (“Grey Digital”). The website was hosted by Limebox Hosting Solutions. 5. The Respondent’s corporate website (http://www.metro.com.sg) was hacked into on 9 and 10 February 2014. Investigations were subsequently carried out by the Respondent’s IT (information technology) support partners, namely Grey Digital and Vodien Internet Solutions Pte Ltd (“Vodien”), into the hacking incidents. However, the investigations were unable to determine the cause of the February 2014 hacking incidents or the person(s) that had carried out the hacking(s). The Respondent produced to the Commission a report from Grey Digital in respect of the two hacking incidents (“Grey Digital’s report”). The Commission understands that the Respondent had taken steps to improve on its web security following the hacking incidents in Fe… | Warning | 5648d5fbfdd896cfce595bd0167287ff83fa5a2e | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 240 | 240 | 1 | 952 | A warning was issued to Singapore Computer Society for failing to put in place reasonable security measures to prevent the accidental disclosure of the personal data of 214 registrants of an event via email. | [
"Protection",
"Warning",
"General (eg. Chamber of Commerce)",
"SCS",
"COMPUTER",
"SOCIETY"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---singapore-computer-society-(210416).pdf | Protection | Breach of Protection Obligation by Singapore Computer Society | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-obligation-by-singapore-computer-society | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1504-A390 SINGAPORE COMPUTER SOCIETY (Reg. No. S67SS0039C) ... Respondent Decision Citation: [2016] SGPDPC 9 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. On 17 March 2015, the Respondent notified the Commission that it inadvertently disclosed certain personal data of individuals attending an event organised by the Respondent to other individuals and had received information about the disclosure from some of the individuals concerned. After being notified of the incident by the Respondent, the Commission undertook an investigation to determine whether there had been a breach of the Personal Data Protection Act 2012 (the “PDPA”). The material facts of the case are as follows. B. MATERIAL FACTS AND DOCUMENTS 2. In April 2015, the Respondent jointly organised and conducted an event with the Infocomm Development of Singapore (“IDA”) named “IDEAS on Security Analytics”. Prior to the event, on 16 March 2015, an employee of the Respondent, [Redacted] (Replaced with Ms L), sent out an email to all individuals who had registered to attend the event (“registrants”), which had attached a copy of the registration list for the event. The registration list contained personal data of about 214 registrants (individuals). 11 of the registrants subsequently raised concerns about the unauthorised disclosure of their personal data to the Respondent. The personal data which had been disclosed included information such as the registrants’ full names, NRIC numbers, contact numbers, email addresses, organisation and designation information. The Respondent confirmed that it was not acting on behalf of IDA in relation to the collection, use, disclosure or processing of the registrants’ personal data. 3. The Respondent acknowledged to the Commission that the registration list was not meant to be disclosed externally and had been inadvertently sent to registrants on 16 March 2015. The Respondent explained that Ms L’s supervisor (who was also an employee of the… | Warning | d6c9678309af2f8f67777e02000fcdddf237bd78 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;