pdpc_decisions_version_detail (view)
4 rows where "date" is on date 2018-05-14
This data as json, CSV (advanced)
Suggested facets: nature, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 186 | 186 | 1 | 952 | Credit Bureau (Singapore) was not found to be in breach of the PDPA in relation to the information contained in its Enhanced Consumer Credit Report. | [
"Not in Breach",
"Finance and Insurance"
] |
2018-05-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Credit_Bureau_Singapore_140518.pdf | No Breach of Accuracy and Retention Obligations by Credit Bureau Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/no-breach-of-accuracy-and-retention-obligations-by-credit-bureau-singapore | 2018-05-14 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1707-B0946 [2018] SGPDPC [14] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Credit Bureau (Singapore) Pte Ltd … Organisation DECISION Credit Bureau (Singapore) Pte Ltd [2018] SGPDPC [14] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0946 14 May 2018 Background 1 This complaint concerns the accuracy and retention of the Complainant’s personal data by Credit Bureau (Singapore) Pte Ltd (“the Organisation”). The Organisation is a consumer credit bureau. It aggregates credit-related information from its participating members. The risk profiles of individuals are presented in its Enhanced Consumer Credit Report (“ECCR”). 2 The complainant had a bankruptcy application taken out against him in June 2012. The bankruptcy application was withdrawn by the creditor in July 2012. The Complainant was given a “HX” risk grade in this ECCR. A “HX” risk grading meant that there could be a past or existing bankruptcy record associated with the Complainant. The Complainant felt that a “HX” risk grading was inaccurate as he thought that it implied that he had an outstanding bankruptcy record or was not creditworthy. He therefore requested the Organisation to amend his risk grading. 3 The Organisation informed the Complainant that it was its practice to display bankruptcy-related data for 5 years. The Complainant then lodged a complaint against the Organisation to the Personal Data Protection Commission Credit Bureau (Singapore) Pte Ltd [2018] SGPDPC 14 on 24 May 2017. The complaint was that the Organisation had retained his personal data when it was no longer necessary for legal or business purposes. Findings and Basis for Determination 4 This case concerns the accuracy and retention obligations under the Personal Data Protection Act (“PDPA”), with respect to the bankruptcy information in the ECCR. In particular, the issues are: a. Whether the Organisation had made a reasonable effort to ensure that the… | Not in Breach | 00dfc6779bc3e2fa6234e35d2fe5563a6e0d7bf6 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 187 | 187 | 1 | 952 | MyRepublic was found not in breach of the consent obligation with respect to the use of an individual’s personal data for debt recovery purposes. | [
"Not in Breach",
"Information and Communications"
] |
2018-05-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_MyRepublic_140518.pdf | No Breach of Consent Obligation by MyRepublic | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/no-breach-of-consent-obligation-by-myrepublic | 2018-05-14 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 13 Case No DP-1701-B0463 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And MyRepublic Limited … Organisation DECISION MyRepublic Limited [2018] SGPDPC 13 Yeong Zee Kin, Deputy Commissioner — Case No DP-1701-B0463 14 May 2018 Background 1 The Complaint concerns the use of a customer’s personal data by MyRepublic Limited’s (the “Organisation”) appointed debt collection company, Apex Credit Management Pte Ltd (“Apex Credit”), for the purpose of debt recovery. The Organisation is a telecommunications company which provides fibre broadband services in Singapore. 2 The Complainant terminated his account with the Organisation on 25 September 2016. He claimed that he did not have any outstanding debt with the Organisation. However, he was subsequently contacted by Apex Credit on two occasions. The purpose was to pursue payment of outstanding amounts purportedly owed to the Organisation. First was via letter sent to the Complainant on 3 October 2016. Second was via a phone call on 10 October 2016. The Organisation disclosed that its systems had identified the Complainant’s account for debt collection based on its debt aging status. MyRepublic Limited 3 [2018] SGPDPC 13 This case concerns section 131 of the Personal Data Protection Act 2012 (“PDPA”). In particular, the issues are: (a) Whether consent was given by the Complainant for his personal data to be used for debt collection purposes; and (b) whether it was reasonable for the Organisation to have deemed that the Complainant was in debt at the material time. (a) Whether consent was given by the Complainant for his personal data to be used for debt collection purposes? 4 When customers sign up for the Organisation’s services, their consent were obtained for the use of their personal data for debt management purposes. This was accomplished through the Organisation’s terms and conditions, which state: “By having the Services we provide activated i… | Not in Breach | 660bde1be84f105fe469f14ec38d8fcfc2ccc1f7 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 188 | 188 | 1 | 952 | A warning was issued to Watami Food Service Singapore for failing to make reasonable security arrangements to prevent unauthorised access of employees’ personal data stored online. | [
"Protection",
"Warning",
"Accommodation and F&B"
] |
2018-05-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Watami_Food_Service_Singapore_140518.pdf | Protection | Breach of the Protection Obligation by Watami Food Service Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-the-protection-obligation-by-watami-food-service-singapore | 2018-05-14 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [12] Case No DP-1711-B1312 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Watami Food Service Singapore Pte Ltd … Organisation DECISION Watami Food Service Singapore Pte Ltd Watami Food Service Singapore Pte Ltd [2018] SGPDPC [12] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1711-B1312 14 May 2018 1. Watami Food Service Singapore Pte Ltd (the “Organisation”) is in the restaurant business. On 10 November 2017, information was received the Organisation’s internal Staff Code Name List (the “List”) was accessible via its website. The List contained personal data of 405 employees of the Organisation, namely their full names and staff codes. 2. The List was to facilitate the entry of new employee staff codes into the Organisation’s point-of-sale system. This information is not current as it was dated between 2009 and 2013. The List was meant for internal use within the Organisation. 3. The Organisation did not know when or why the List was uploaded into the Organisation’s website server. As there was no restriction on access, the List was indexed by search engines and made publicly searchable online. The URL containing the List was subsequently removed by Fairwin International Limited (“Fairwin”), a vendor the Organisation engaged to maintain its website. 4. The Organisation was in possession and/or control of the personal data in the List. Section 241 of the Personal Data Protection Act (“PDPA”) required the Organisation to protect the personal data in the List. This included protection against risk of unauthorised access. 5. I rely on the common law concept of res ipsa loquitur in this case as the Organisation is unable to explain how the List which it maintained for internal use was uploaded onto its 1 Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security arrangements to prevent unauthorised access, collectio… | Warning | f45717d03de524b6fa179a72b9fc9f78d3267b40 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 189 | 189 | 1 | 952 | A warning was issued to Information Technology Management Association (Singapore) for failing to put in place reasonable security measures to prevent the accidental disclosure of the personal data of 28 individuals via email. | [
"Protection",
"Warning",
"Information and Communications"
] |
2018-05-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Information_Technology_Management_Association_Singapore_140518.pdf | Protection | Breach of the Protection Obligation by Information Technology Management Association Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-the-protection-obligation-by-information-technology-management-association-singapore | 2018-05-14 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 11 Case No DP-1708-B1019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Information Technology Management Association (Singapore) … Organisation DECISION Information Technology Management Association (Singapore) Information Technology Management Association (Singapore) [2018] SGPDPC 11 Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1708-B1019 14 May 2018 1. On 10 August 2017, the Organisation informed the Commission of its inadvertent disclosure of personal data. The facts disclose a straightforward breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). 2. The Organisation engaged a travel service provider to organise a study trip for 49 delegates. On 8 August 2017, the Organisation received an email with two attachments from the travel service provider. One attachment was a list containing full names, gender, nationality, dates of birth and passport numbers of 28 delegates (the “List”). 3. The Organisation forwarded the email to the 49 delegates on 10 August 2017. The List was inadvertently included in the email. This resulted in the inadvertent disclosure of the personal data in the List. 4. One delegate provided feedback to the Organisation on the List. Upon notification of the error, the Organisation promptly emailed an apology to the 28 delegates. It subsequently contacted all 49 recipients and requested that they delete the copy of the List that they had received. 5. The issues to be determined in this case are: a. Whether the Organisation breached section 24 of the PDPA to protect the personal data in the List; and b. Whether the Organisation breached section 12(a) of the PDPA to develop and implement policies and practices to comply with the Act. 2 Information Technology Management Association (Singapore) Did the Organisation breach section 24? 6. An organisation must protect personal data in its possession or under its control under section 24 of the PDPA (“Protect… | Warning | 1738f6c24182e6507b40b564d5a960c96b9d29d0 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;