pdpc_decisions_version_detail (view)

7 rows where "date" is on date 2019-12-05


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 120 120 1 952 Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA.
[
    "Accountability",
    "Directions"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf Accountability Breach of the Accountability Obligation by Saturday Club https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. Directions d047195a60d37294c9b55687dc7b54978590b389
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 121 121 1 952 A financial penalty of $8,000 was imposed on Honestbee for failing to put in place reasonable security arrangements to protect the personal data of individuals. The data of about 8,000 individuals was stored in the cloud without access restrictions.
[
    "Protection",
    "Financial Penalty",
    "Wholesale and Retail Trade"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Honestbee.pdf Protection Breach of the Protection Obligation by Honestbee https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-honestbee 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1905-B3827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Honestbee Pte Ltd SUMMARY OF THE DECISION 1. Honestbee Pte Ltd (the “Organisation”) is an online food and grocery delivery service. Third party merchants, which either engaged or were planning to engage the Organisation for delivery services, provided it with personal data of their customers in order to test its logistics service delivery platform. The Organisation stored this personal data in its Amazon Web Services (“AWS”) file repository. The personal data (the “Personal Data”) included names, email addresses, residential addresses and mobile numbers. 2. The Personal Data Protection Commission (the “Commission”) was informed on 2 May 2019 that the Personal Data was accessible to the public. The number of individuals whose personal data was accessible was about 8,000. The Organisation admitted that it had mistakenly placed the Personal Data in a ‘bucket’ (which is similar to a file folder) without access restrictions. This allowed anyone with knowledge of AWS’s command line to gain access to the Personal Data. 3. The Commission found that the Organisation omitted to put in place the most rudimentary security measures necessary to protect the Personal Data. For example, the Organisation could have implemented a requirement to conduct checks to confirm that any personal data used in testing was stored in a ‘bucket’ with the appropriate access restrictions. 
In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the Personal Data and is therefore in breach of section 24 of the Personal Data Protection Act 2012. 4. The Organisation has since blocked public access to the Personal Data by modifying the relevant access settings and circulated a report to its engineering team to ensure that similar mistakes would not be repeated in code reviews. The Organisation is also in discussions with cybersecurity com… Financial Penalty e5c308da0f082ff90e6a4873039b1d55f4c3f94f
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 122 122 1 952 Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training.
[
    "Protection",
    "Accountability",
    "Directions"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by Global Outsource Solutions https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions 2019-12-05 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. 
Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of perso… Directions ab0971aeb10525bfdeea3bf683966ddd8fc40f11
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 123 123 1 952 Directions, including a financial penalty of $8,000, were imposed on Chizzle for failing to put in place reasonable security arrangements to protect the personal data of users of its mobile application in Re Chizzle Pte Ltd [2019] SGPDPC 44. The organisation was also directed to develop an IT security policy, review and revise its developmental processes in order to adopt a data protection by design approach for future enhancements to its mobile application. An application for reconsideration was filed against the decision in Re Chizzle Pte Ltd [2019] SGPDPC 44. Upon review and careful consideration of the application, the Commissioner has decided to affirm the finding of breach of section 24 of the PDPA as set out in the decision and the direction, in the Reconsideration Decision.
[
    "Protection",
    "Directions",
    "Financial Penalty"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Chizzle-Pte-Ltd.pdf Protection Breach of the Protection Obligation by Chizzle https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-chizzle 2019-12-05 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 44 Case No. DP-1807-B2495 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chizzle Pte. Ltd. … Organisation DECISION Chizzle Pte. Ltd. [2019] SGPDPC 44 Tan Kiat How, Commissioner — Case No. DP-1807-B2495 26 November 2019 Introduction 1 Chizzle Pte. Ltd. (the “Organisation”) provides a mobile application (the “Mobile App”) designed to connect learners and teachers in Singapore, Australia and India. On 31 July 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) of a cyberattack (the “Incident”) which had compromised the personal data of about 2,213 users of the Mobile App, including some users in Singapore (the “Affected Individuals”). Material Facts 2 On 30 July 2018, the Organisation noticed that the Mobile App had stopped responding. It was found that an unauthorised party had deleted its database containing the personal data of the Affected Individuals (the “Chizzle Database”) and left a ransom demand in text. The personal data in question included the names, dates of birth, genders, email addresses and some mobile numbers and residential addresses of the Affected Individuals (the “Compromised Personal Data”). Before this, on 9 July 2018, the Organisation had changed the Chizzle Database from Amazon’s Relational Database Service to the MySQL relational database. 3 Since 2016, the Organisation had a “L.A.M.P.” stack (i.e. Linux operating system, Apache HTTP server, MySQL server and PHP) (collectively with the Mobile App, the “System”) as part of its IT infrastructure. 
“phpMyAdmin”, a MySQL database administration tool, was installed with the L.A.M.P. stack. The tool was configured to allow remote access to it from the Internet. The Organisation believed that the unauthorised party gained entry into the Chizzle Database through the phpMyAdmin tool by a brute force attack. However, it did not have the logs to prove that a br… Directions, Financial Penalty d2f01a3d69daa429f27a8ad071d760e7006d4489
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 124 124 1 952 A financial penalty of $12,000 was imposed on The Travel Corporation (2011) for breaches of the PDPA. The Organisation failed to appoint a data protection officer and did not put in place reasonable security arrangements to protect its customers’ personal data stored in portable storage devices.
[
    "Protection",
    "Accountability",
    "Financial Penalty"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---The-Travel-Corporation-2011-Pte-Ltd.pdf Protection, Accountability Breach of the Protection and Accountability Obligations by The Travel Corporation (2011) https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-the-travel-corporation-(2011) 2019-12-05 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 42 Case No. DP-1810-B2821 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Travel Corporation (2011) Pte. Ltd. … Organisation DECISION The Travel Corporation (2011) Pte. Ltd. [2019] SGPDPC 42 Tan Kiat How, Commissioner — Case No. DP-1810-B2821 19 November 2019 Introduction and Material Facts 1 The Travel Corporation (2011) Pte. Ltd. (the “Organisation”) offers travel packages both directly to Singapore customers and via third party travel agencies. On 1 October 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) regarding the loss of a portable hard disk (the “Hard Disk”) which contained unencrypted files with the personal data of the Organisation’s customers, employees and suppliers (the “Incident”). The facts and circumstances of the Incident are as follows. 2 On 25 July 2018, a new employee of the Organisation left the office with her laptop and the Hard Disk; and misplaced both these devices on her way home. She initially only informed the Organisation about the loss of the laptop and a police report was made on 31 July 2018. The misplaced laptop did not contain any personal data. She eventually informed the Organisation about the loss of the Hard Disk on 21 September 2018 and the Organisation made another police report that day. 3 The table below summarises the number of affected individuals and their corresponding types of personal data contained in the Hard Disk: S/N. 
Category Types of Personal Data in the Hard Disk 1. Name, Email Address, Phone Number, Date of Birth and Postal Address Customers Number of Individuals Affected 5,437 2. Same as item 1 plus Passport Number 21 3. Same as item 1 plus NRIC Number 242 4. Prospective Customers Same as item 1 11,000 5. Employees Name, Office Email Address and Office Phone Number 30 6. Suppliers Names, Company Address, Email Address, Mobile Number, Office Number 1,900 Total number of … Financial Penalty 673e8e9d7c2079f8018401c7ea6189c7ee37e666
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 125 125 1 952 A financial penalty of $6,000 was imposed on i-vic International (i-vic) for failing to put in place reasonable security arrangements to protect the personal data of individuals which it had processed on another organisation’s behalf. i-vic as the data intermediary did not put in place diligent and properly scoped testing of software which led to the disclosure of personal data of individuals via email.
[
    "Protection",
    "Financial Penalty",
    "Employment"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---i-vic-International.pdf Protection Breach of the Protection Obligation by i-vic International https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-i-vic-international 2019-12-05 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 41 Case No. DP-1804-B1991 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And i-vic International Pte. Ltd. … Organisation DECISION i-vic International Pte. Ltd. [2019] SGPDPC 41 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1804-B1991 12 November 2019. Introduction 1 The Employment and Employability Institute Ltd (“e2i”) administers a work trial programme on behalf of a public agency, Workforce Singapore (“WSG”). e2i engaged i-vic International Pte Ltd (the “Organisation”) to process claims and queries from members of the public relating to the work trial programme (the “Engagement”). 2 On 16 April 2018, e2i reported to the Personal Data Protection Commission (the “Commission”) that documents containing personal data of three individuals (the “Affected Individuals”) involved in the work trial programme were inadvertently attached to emails sent out by the Organisation to 9 individuals (the “Incident”). Material Facts 3 As part of the Engagement, the Organisation was required to manage e2i’s mailbox which received emails from members of the public with their claims and queries. It was also required to develop and/or maintain the IT infrastructure and customer relationship management (“CRM”) software (collectively, the “System”) used to operate and manage e2i’s mailbox. As part of this, the Organisation was required to either reply to the emails from members of the public (providing the appropriate responses) or escalate the queries in the emails to the relevant e2i representatives. 
Where an email query needed to be escalated, an employee of the Organisation would submit an escalation request in the System. The System would then automatically generate two emails for the Organisation’s employee to send (the “Automated Email Generation Process”). The first was a holding reply email to the person who had sent the email query to e2i’s mailbox and the second was an email to escalate the query to the rel… Financial Penalty e47bddcc5f36c79ec219edf1cb404ced43a0874d
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 126 126 1 952 A financial penalty of $60,000 was imposed on Learnaholic for failing to put in place reasonable measures to protect the personal data of students, students’ parents and staff of various schools.
[
    "Protection",
    "Financial Penalty",
    "Education"
]
2019-12-05 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Learnaholic.pdf Protection Breach of the Protection Obligation by Learnaholic https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-learnaholic 2019-12-05 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 31 Case No DP-1703-B0567 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Learnaholic Pte. Ltd. … Organisation DECISION [This is a redacted version of the Decision which omits certain confidential details] Learnaholic Pte. Ltd. [2019] SGPDPC 31 Tan Kiat How, Commissioner — Case No DP-1703-B0567 26 August 2019. Background 1 The Organisation is an IT vendor that was providing attendance-taking and e-learning systems to schools pursuant to a contract with the Ministry of Education (“MOE”). The central issue to this case, in so far as it is related to the Personal Data Protection Act 2012 (“PDPA”), is whether the Organisation had made reasonable security arrangements to protect the personal data of approximately 47,802 students, students’ parents and staff of various schools that it had in its possession and control at the material time. Material Facts 2 The Organisation was responsible for the maintenance and installation of the attendance-taking system installed in [redacted] (“the School”). The School’s attendance-taking system was designed such that the attendance records would be updated each time a student “taps in” with his or her student pass at any one of the card readers located around the School. This attendance-taking system consisted of an attendance server (the “Attendance Server”) connected to clusters of attendance controllers linked to card readers. One such cluster was located at the guard post of the School (the “Guard Post Cluster”). 
3 In or around March 2016, the School informed the Organisation of an intermittent problem with the Guard Post Cluster: students’ names were not being displayed despite them tapping in at the Guard Post Cluster. In order to investigate into the issues reported by the School, the Organisation decided to troubleshoot the problem remotely as this was more convenient than sending someone down to the School. In order to d… Financial Penalty 4688b3584b68394e1105d7f6245cbffdd9d23107
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]


CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
About: choco-up/sg-law-archive-data