pdpc_decisions_version_detail (view)

8 rows where "date" is on date 2019-11-04

_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 127 127 1 952 A warning was issued to CampVision for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of individuals. As a result, the personal data of 106 individuals were compromised through a data breach from an online survey platform. Click here to learn more.
[
    "Protection",
    "Warning",
    "Education"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---CampVision.pdf Protection Breach of the Protection Obligation by CampVision https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-campvision 2019-11-04 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1808-B2508 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CampVision Ltd. SUMMARY OF THE DECISION 1. CampVision Ltd (the “Organisation”) engaged SHINE Children and Youth Services (“SHINE”) to collect evaluation feedback from youths participating in its programmes. For this purpose, SHINE collected information from the youths on the Organisation’s behalf, including their names, NRIC numbers, email addresses and schools (the “Personal Data”). SHINE did this using a platform provided by Typeform S.L. (“Typeform”), a company based in Spain, which provides online survey services. In June 2018, Typeform discovered that an unknown third party had gained access to its server and downloaded information provided by many Typeform users, including Personal Data collected by SHINE on behalf of the Organisation (the “Incident”). 2. The Personal Data Protection Commission (the “Commission”) found that Personal Data of 106 individuals collected by SHINE on behalf of the Organisation had been exposed to the risk of unauthorised access and disclosure in the Incident. The Commission’s investigations revealed that there was no written contract between the Organisation and SHINE setting out SHINE’s obligations with respect to the processing and protection of Personal Data, which it collected on the Organisation’s behalf. The Organisation also admitted that it had not conveyed any instructions to SHINE with respect to protection of the Personal Data. 
In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. Warning 54437433b71aa75c2e22ffde6236759e61fc677f
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 128 128 1 952 A warning was issued to Tan Tock Seng Hospital for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its patients. 85 Notification letters to patients to reschedule appointments were sent to wrong addresses.
[
    "Protection",
    "Warning",
    "Healthcare"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---TTSH.pdf Protection Breach of the Protection Obligation by Tan Tock Seng Hospital https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-tan-tock-seng-hospital 2019-11-04 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1902-B3372 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tan Tock Seng Hospital Pte. Ltd. SUMMARY OF THE DECISION 1. Tan Tock Seng Hospital Pte Ltd (the “Organisation”) voluntarily informed the Personal Data Protection Commission (the “Commission”) on 14 February 2019 that it had discovered on 12 February 2019 that letters sent to 85 patients (the “Affected Individuals”) to reschedule their appointments with the Organisation (the “Letters”) had been sent to the wrong addresses (the “Incident”). These Letters contained the names, NRIC numbers and appointment of the Affected Individuals (the “Personal Data”). Such letters were usually generated automatically. However, on 12 February the Letters were generated manually using the mail merge function in Microsoft Word to extract the Personal Data from a spreadsheet (the “Spreadsheet”) and insert the data in the letters. However, the staff that had been tasked to generate these letters only selected and sorted the address field in the Spreadsheet. As a result, the addresses in the Spreadsheet no longer corresponded to the correct patient information and when the staff ran the mail merge function, the incorrect addresses were inserted in the letters. 2. The Commission found that the Organisation did not conduct any checks on the generation and printing of the letters. A simple random sampling of the letters would have likely averted the Incident or greatly reduced the number of individuals affected. 
In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and decided to give a warning to the Organisation. No directions are required as the Organisation has implemented corrective measures that addressed the gap in its security arrangements. Warning 9ac644185c04bc82207d036718c6b813da4a98e0
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 129 129 1 952 A financial penalty of $7,000 was imposed on SearchAsia Consulting for failing to put in place reasonable security arrangements to protect jobseekers’ resumes from unauthorised disclosure via its online website.
[
    "Protection",
    "Financial Penalty"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---SearchAsia-Consulting-Pte-Ltd.pdf Protection Breach of the Protection Obligation by SearchAsia Consulting https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-searchasia-consulting 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 40 Case No DP-1809-B2790 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SearchAsia Consulting Pte. Ltd. … Organisation DECISION SearchAsia Consulting Pte. Ltd. [2019] SGPDPC 40 SearchAsia Consulting Pte. Ltd. [2019] SGPDPC 40 Yeong Zee Kin, Deputy Commissioner — Case No DP-1809-B2790 24 October 2019 Introduction and Material Facts 1. SearchAsia Consulting Pte. Ltd. (the “Organisation”) is a recruitment company established in Singapore which matches job seekers with organisations that are looking to recruit employees for a specific role. On 26 September 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) of a data breach incident involving the inadvertent disclosure of résumés (the “Incident”) which were uploaded by individual job seekers to the Organisation’s website, www.searchasia.com.sg (the “Website”). Specifically, when a search was conducted on the names or email addresses of affected individuals using an Internet search engine, the search results would include links to the affected individuals’ résumés which had been uploaded to the Website. These résumés were accessible by clicking on the listed links. 2. The Organisation provided job seekers with the ability to upload their résumés on the Website so that the Organisation could assess their suitability for roles which the Organisation has been engaged to fill. 
The résumés would generally include personal data such as the name, phone numbers, employment history, educational qualifications, achievements and skillset of the job seekers. In one instance, it was discovered that a job seeker included additional information such as nationality, date of birth, marital status and current salary. (The personal data on the affected individuals’ résumés is collectively referred to as the “Personal Data”.) 1 SearchAsia Consulting Pte. Ltd. 3. [2019] SGPDPC 40 The résumés uploaded to the Website were intende… Financial Penalty b892605e222afd2a3621ecbe08ca82ac7ebccbac
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 130 130 1 952 Directions, including a financial penalty of $90,000, were imposed on Ninja Logistics for failing to put in place reasonable security arrangements to protect customers’ data in relation to the Tracking Function Page on the Ninja Logistics website. This resulted in customers’ data on the website to be accessible by the public. Click here to learn more.
[
    "Protection",
    "Directions",
    "Financial Penalty",
    "Wholesale and Retail Trade"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Ninja-Logistics-Pte-Ltd.pdf Protection Breach of the Protection Obligation by Ninja Logistics https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-ninja-logistics 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 39 Case No DP-1804-B2020 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Ninja Logistics Pte Ltd … Organisation DECISION 1 Ninja Logistics Pte Ltd [2019] SGPDPC 39 Tan Kiat How, Commissioner — Case No DP-1804-B2020 14 October 2019 Introduction 1 Ninja Logistics Pte Ltd (the “Organisation”) is a logistics company providing packaging, delivery and tracking services on behalf of retailers (“Retailers”) to the Retailers’ customers (“Customers”). This case concerns the disclosure of personal data via a delivery order tracking function on the Organisation’s website (the “Tracking Function Page”). 2 On 23 April 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that the Tracking Function Page could potentially be used to harvest personal data of the Customers. By changing a few digits of a Tracking ID, the complainant could access personal data of another Customer (the “Incident”). Facts of the Case 3 The Organisation first set up the Tracking Function Page in December 2014 to allow Customers to (i) enquire on the delivery status of their parcels; and (ii) confirm the identity of individuals who collect parcels on their behalf (where applicable). Generally, for a delivery, only a Retailer and the relevant Customers of the Retailer would be provided with a Tracking ID for parcels sent by the Retailer that were to be delivered by the Organisation to the Customer. 4 There were 2 types of Tracking IDs used by the Organisation, namely sequential and non-sequential Tracking IDs. 
According to the Organisation, the reason for having sequential numbers in some of the Tracking IDs was for recording and business analytics purposes. Since the launch of the Tracking Function Page, the Organisation was aware that Tracking IDs could potentially be manipulated by changing the last few digits of the Tracking ID. While Tracking IDs with non-sequential numbers may have a lower risk of ma… Directions, Financial Penalty 15f399417f152a9a341caa9715008baacdbf0985
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 131 131 1 952 iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training.
[
    "Accountability",
    "Directions",
    "Information and Communications"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf Accountability Breach of the Accountability Obligation by iClick Media https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media 2019-11-04 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. Directions bf9f246a0db6172bb647c44e87dcaa6e5793dce4
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 132 132 1 952 Directions, including a financial penalty of $15,000, were imposed on EU Holidays for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect its customers’ personal data and did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---EU-Holidays-Pte-Ltd.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by EU Holidays https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-and-accountability-obligations-by-eu-holidays 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 38 Case No DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And EU Holidays Pte. Ltd. … Organisation DECISION 1 EU Holidays Pte. Ltd. [2019] SGPDPC 38 Tan Kiat How, Commissioner — Case No DP-1901-B3254 4 October 2019 Introduction 1 On 14 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of EU Holidays Pte. Ltd.’s (the “Organisation”) customers was accessible through its website (the “Incident”). Facts of the Case 2 Pursuant to a Quotation of Services dated 16 May 2017 (“Contract”), the Organisation engaged an IT vendor (the “Vendor”) to develop a new website with e-commerce capabilities (the “Website”). One of the purposes of the Website was to allow the Organisation’s customers (“Customers”) to make online reservations for tour packages either directly or through the Organisation’s partner agents. Information relating to travel reservations received from Customers were stored in 2 web directories. For reservations made directly by Customers on the Website, the tax invoice generated would be stored in a web directory (“Web Directory 1”). As for reservations made through the Organisation’s partner agents on the Website, the tax invoice generated would be stored in another web directory (“Web Directory 2”). 3 The scope of work in the Contract did not specify any requirements with respect to the storage and protection of Customers’ personal data which was collected through the Website. The Website was launched on 9 December 2017. 
Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to maintenance and technical troubleshooting. 4 On or around 5 January 2019, a member of the public (“Complainant”) discovered copies of tax invoices containing Customers’ personal information while browsing for tour packages on the Website. The Complainant notified the Commission of the Incident on 14 Janua… Directions, Financial Penalty e42f8ca451f258f74f2ef56d5d97b02110634815
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 133 133 1 952 A financial penalty of $25,000 was imposed on Singtel for failing to put in place reasonable security arrangements to protect the personal data of users on its My Singtel mobile application.
[
    "Protection",
    "Financial Penalty"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Singapore-Telecommunications-Limited.pdf Protection Breach of the Protection Obligation by Singtel https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-singtel 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 36 Case No DP-1705-B0781 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Telecommunications Limited … Organisation DECISION 1 Singapore Telecommunications Limited [2019] SGPDPC 36 Tan Kiat How, Commissioner — Case No DP-1705-B0781 12 September 2019 Background 1 This case concerns a design issue in a previous version of Singapore Telecommunications Limited’s (the “Organisation”) “My Singtel” mobile app (the “Mobile App”), which resulted in the unauthorised disclosure of the personal data of the Organisation’s customers. The current version of the Organisation’s Mobile App does not have this design issue as it has been fixed. 2 On 17 May 2017, the Personal Data Protection Commission (the “Commission”) received information from an anonymous informant alleging that there was a vulnerability in the Organisation’s Mobile App, which allowed the informant to access the account details of other customers (the “Data Breach”). Following an investigation into the matter, the Commissioner found the Organisation to be in breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). The Commissioner sets out below his findings and grounds of decision. 1 Singapore Telecommunications Limited [2019] SGPDPC 36 Material Facts and Documents 3 The Organisation is a telecommunications company in Singapore. The Mobile App was developed by the Organisation’s IT team to enable its customers to track their account information and manage add-on services. 
Communications between the Mobile App and the Organisation’s servers are conducted via Application Programming Interfaces (“API”). 4 The Organisation’s customers can login to the Mobile App via the following methods: (a) Mobile Station International Subscriber Directory Number (“MSISDN”) login: where a customer’s mobile phone is connected to the Organisation’s mobile data network (3G/4G), the Organisation’s servers will verify that the MSISDN and … Financial Penalty 1cfca0515da19cdcbdfd450d34bfa1d3c2583b97
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 134 134 1 952 A financial penalty of $40,000 was imposed on Marshall Cavendish Education for failing to put in place reasonable measures to protect the personal data of users of its learning management system.
[
    "Protection",
    "Financial Penalty"
]
2019-11-04 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Marshall-Cavendish-Education-Pte-Ltd.pdf Protection Breach of the Protection Obligation by Marshall Cavendish Education https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-obligation-by-marshall-cavendish-education 2019-11-04 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC [34] Case No DP-1704-B0699 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Marshall Cavendish Education Pte. Ltd. …Organisation(s) DECISION Re Marshall Cavendish Education Pte. Ltd. [2019] SGPDPC [34] Tan Kiat How, Commissioner – Case No DP-1704-B0699 30 August 2019 1. With the increasing prevalence of ransomware attacks online, this case gives occasion to restate the importance of making adequate security arrangements to protect personal data and to limit unnecessary exposure of an organisation’s computer systems to such potential threats on the internet. Background 2. Marshall Cavendish Education Pte Ltd (“MCE”) provided a learning management system (“LMS”) at www.mconline.com.sg (“Website”) to the Ministry of Education (“MOE”) schools. This was pursuant to a contract between MCE and MOE. 3. On 1 February 2017, ransomware affected a substantial portion of MCE’s network (“Incident”). On 3 February 2017, MCE informed MOE of the Incident. The relevant government agencies were notified of the Incident accordingly, including the Personal Data Protection Commission (“PDPC”). The ransomware had encrypted the files found on MCE’s servers, including files containing personal data of individuals stored in the LMS, and made them inaccessible until a payment was paid to decrypt them. 4. Investigations revealed that the ransomware was an executable file on 1 server. However, it affected data on 11 servers and network storage devices in MCE’s network. 
These 11 affected servers and network storage devices mostly held teaching material. However, the server in question and a network storage device Re Marshall Cavendish Education Pte. Ltd. [2019] SGPDPC 34 each held copies of the database of 206,240 active and 44,688 inactive users. The database held the following personal data of its users, which were mandatory fields that every user who signed up for accounts on the Website had to provide: a. Login ID com… Financial Penalty 08a8fe2b2bb4c3daaa4126990a15b41870870f01
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
Powered by Datasette · About: choco-up/sg-law-archive-data