pdpc_decisions_version_detail (view)
8 rows where "date" is on date 2020-08-03
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 95 | 95 | 1 | 952 | A financial penalty of $5,000 was imposed on Singapore Accountancy Commission for failing to put in place reasonable security arrangements to prevent the unauthorised access of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates’ personal data. | [ "Protection", "Financial Penalty", "Professional", "Scientific and Technical", "Unintended recipient", "Email attachments" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Accountancy-Commission---22062020.pdf | Protection | Breach of the Protection Obligation by Singapore Accountancy Commission | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-singapore-accountancy-commission | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5296 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Accountancy Commission SUMMARY OF THE DECISION 1. On 18 November 2019, Singapore Accountancy Commission (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates was mistakenly enclosed in emails sent to 41 unintended recipients between 12 June 2019 and 22 October 2019. The folder comprised information such as names, National Registration Identification Card numbers, dates of birth, contact details, education and employment information and Singapore Chartered Accountant Qualification examination results. Following the incident, 41 unintended recipients confirmed deletion of the email and folder they each received. 2. The Organisation admitted to a lack of robust processes to protect personal data when sending emails. The staff involved in the sending of the emails were not informed of the Organisation’s personal data policies as part of their induction training. The Organisation’s data protection policies and procedures were not translated into security arrangements for protection of personal data. There were, for example, no second-tier or supervisory checks or technical measures to reduce the risk of sending content with personal data to unintended parties at the time of the incident. 3. Following the incident, the Organisation undertook remediation. 
This included training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures on handling of personal data. 4. In the circumstances, the Deputy Commissioner for Personal Data Protection found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against unauthorised access. The Organisation was in breach of the Pro… | Financial Penalty | 3a8e7894f9d69623906f336fc824af00e156f58e | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 96 | 96 | 1 | 952 | A warning was issued to Zero1 and IP Tribe respectively for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of 118 individuals’ personal data contained in invoices which were sent to incorrect recipients. | [ "Protection", "Warning", "Information and Communications", "Unintended recipient", "Duplication of batch ID", "Inadequate scoping of testing" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Zero1-and-IP-Tribe---07042020.pdf | Protection | Breach of the Protection Obligation by Zero1 and IP Tribe | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-zero1-and-ip-tribe | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case Nos. DP-1903-B3630, DP-1908-B4431 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Zero1 Pte. Ltd. 2. IP Tribe Pte Ltd SUMMARY OF THE DECISION 1. On 22 March 2019, Zero1 Pte Ltd (the “Organisation”) voluntarily informed the Personal Data Protection Commission (the “Commission”) that invoices containing the personal data of their subscribers had been emailed to unintended recipients (the “Incident”). Each invoice contained the name, address, subscriber ID, mobile number, mobile charges, and the call details of any international calls made by a subscriber (the “Personal Data”). Each email contained a subscriber’s invoice which was unintendedly sent to another subscriber instead. 2. The Organisation was a licensed Mobile Virtual Network Operation that provided mobile services. It partnered Singtel Mobile Singapore Pte. Ltd. (“Singtel”), which appointed IP Tribe Pte Ltd (“IPT”) to develop and deploy a Mobile Virtual Network Enabler (the “1st Platform”) to manage subscriber accounts. 3. IPT ran the 1st Platform for the Organisation, including generating and sending monthly emails to subscribers. IPT then subcontracted the provision of the billing system within the 1st Platform to Openet Telecom Sales Limited (“Openet”). The 1st Platform was deployed in August 2018. 4. A replacement platform (the “New Platform”) was deployed in 2019. Openet subcontracted 6D Technologies (“6D”) to migrate subscriber data from the 1st Platform to the New Platform. In February 2019, 6D migrated the data of 12,000 to 15,000 subscribers. 5. 
The Incident was caused by Batch ID duplication. The Batch ID was a unique number that tagged each subscriber to his name and email address. The migration was staggered and some errors made it necessary to delete data migrated earlier. However, due to a coding error, not all previously migrated data had been deleted. The New Platform failed to recognise the Batch IDs that were not deleted and re-iss… | Warning | 9289b77ccf9c91c7e895f86b99071f8723ce5faf | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 97 | 97 | 1 | 952 | A warning was issued to Actstitude for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of individuals' personal data. Over 160 individuals uploaded their resumes to Actstitude's website and their personal data were accessible over the Internet. | [ "Protection", "Warning", "Information and Communications", "URL manipulation", "Vulnerability", "Access control", "Security" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Actstitude-Pte-Ltd---20032020.pdf | Protection | Breach of the Protection Obligation by Actstitude | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-actstitude | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1910-B5129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Actstitude Pte Ltd SUMMARY OF THE DECISION 1. Actstitude Pte Ltd (the “Organisation”) is a social media platform marketing agency. It has a webpage allowing individuals interested in joining the Organisation to upload their resumes. For each resume uploaded, a file was created with a Uniform Resource Locator (“URL”) and stored in a database. Between August 2018 to October 2019, over 160 individuals uploaded their resumes. 2. The Organisation, however, admitted that it did not put in place controls to restrict access to the resume files. The URLs generated by the Organisation could also be manipulated to access resume files uploaded by different individuals. 3. When the webpage was created on 5 July 2018, the Organisation did not conduct vulnerability scanning as part of pre-launch testing; neither did the Organisation conduct periodic security reviews. Such scans offer a reasonable chance of detecting both the lack of access controls and the vulnerability of the URLs to manipulation. 4. The result of this failure to put in place access controls or to conduct security testing was that Google indexed and disclosed the URLs when a search was made of the names in the uploaded resumes. The URLs could then be manipulated to access the resumes of other individuals. This led to a complaint to the Personal Data Protection Commission on 25 October 2019. 5. 
The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised disclosure. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. Upon consideration of the facts, a warning was issued to the Organisation. No directions are required as the Organisation had taken action to address the gaps in i… | Warning | f67b98aac5af051e0230fe4d74d422bae5c57230 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 98 | 98 | 1 | 952 | A warning was issued to Jean Yip Salon for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its employees. As a result, the personal data of 28 individuals were accessible over the Internet. | [ "Protection", "Warning", "Wholesale and Retail Trade", "Password", "Public access" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Jean-Yip-Salon-Pte-Ltd--13032020.pdf | Protection | Breach of the Protection Obligation by Jean Yip Salon | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by--jean-yip-salon | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4281 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Jean Yip Salon Pte Ltd SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received a complaint on 16 July 2019 about an employee system (the “System”) maintained by Jean Yip Salon Pte Ltd (the “Organisation”) that was publicly accessible via the internet. The personal data of 28 individuals disclosed via the System included their name, NRIC number, residence status, date of birth, nationality, gender, mobile number and job designation. 2. The Commission found that the Organisation did not adopt reasonable measures to protect personal data in its possession against risk of unauthorised access. First, the Organisation opened public access to a server without ascertaining what it hosted. As a result, while enabling public access to the Customer Online Appointment Booking System, it inadvertently also allowed access to the System (meant only for internal use), which was also hosted on the same server. Second, there were no processes in place to remove or deactivate unnecessary user accounts of the System. Finally, the Organisation did not enforce a password policy for the user accounts of the System. As such, the complainant was able to gain access to the System by simply using a well-known and weak default username and password pair. 3. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012 and issued a warning to the Organisation. 
No directions were required as the Organisation had implemented corrective measures that addressed the gaps in its security arrangements. | Warning | ebdd2c957a9673f4bcab7ed28d18a885209a8e04 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 99 | 99 | 1 | 952 | A warning was issued to FWD Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of 71 individuals’ personal data contained in payment advice letters which were sent to incorrect recipients. | [ "Protection", "Warning", "Finance and Insurance", "Letters", "Logic error", "Code review" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/FWD-Singapore-Pte-Ltd---Summary-of-Decision---13032020.pdf | Protection | Breach of the Protection Obligation by FWD Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-fwd-singapore | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1907-B4352 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And FWD Singapore Pte Ltd SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) was notified on 26 July 2019 by FWD Singapore Pte Ltd (the “Organisation”) of the unintended disclosure of 71 individuals’ (the “Affected Individuals”) personal data contained in 42 payment advice letters sent to incorrect recipients between 20 June 2019 and 17 July 2019 (the “Incident”). 2. The Incident arose from the Organisation’s attempt to fix a logic error in the system that it used to generate payment advice letters. The error was introduced when a fix for an earlier logic error was deployed. The Commission found that the second logic error could have been detected if manual code review and unit testing had been conducted to a reasonable standard. 3. The second logic error caused the extraction of incorrect mailing addresses for payment advice letters in some circumstances. This resulted in the Affected Individuals’ names and identification numbers in payment advice letters being sent to incorrect addresses. The Organisation should have taken care in conducting its manual code review and unit testing to avoid another logic error. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 4. The Deputy Commissioner took into account the following factors in deciding to issue a warning to the Organisation: a. 
The Organisation had managed to retrieve letters containing the personal data of 67 out of the 71 Affected Individuals. b. The Organisation voluntarily notified the Commission of the Incident. c. The second logic error resulted in the extraction of incorrect mailing addresses only in limited circumstances. 5. No directions are required as the Organisation took steps to improve it… | Warning | bb248e5764c08e64f81212ce9f5a5c65012fd88c | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 100 | 100 | 1 | 952 | A financial penalty of $32,000 was imposed on CDP for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. Mail sent by CDP were addressed to incorrect recipients. | [ "Protection", "Financial Penalty", "Finance and Insurance", "Mail", "Unintended recipient" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---The-Central-Depository-(Pte)-Limited-30032020.pdf | Protection | Breach of the Protection Obligation by CDP | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-cdp | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 12 Case No DP-1905-B3847 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Central Depository (Pte) Limited … Organisation DECISION 1 The Central Depository (Pte) Limited [2020] SGPDPC 12 Tan Kiat How, Commissioner — Case No DP-1905-B3847 30 March 2020 Introduction 1 The Central Depository (Pte) Limited (the “Organisation”) provides integrated clearing, settlement and depository facilities for its account holders (“CDP Account Holders”) in the Singapore securities market. On 3 May 2019, the Organisation notified the Personal Data Protection Commission (the “Commission”) that dividend cheques of some CDP Account Holders had been mailed to outdated addresses, resulting in the disclosure of their personal data to other individuals. Facts of the Case 2 Prior to 10 December 2018, the Organisation used a software known as the Post Trade System (“PTS”) for the purposes of post trade processing. The Organisation developed and customised additional modules that interfaced with PTS, including a module for the printing of dividend cheques (“Dividend Cheque Module”). The Dividend Cheque Module was used to automate the generation of dividend cheque mailers (i.e. mailers enclosing dividend cheques to be posted to CDP Account Holders). 3 Subsequently, the Organisation purchased another software, the New Post Trade System (“NPTS”) to replace the PTS. In comparison to the PTS, the NPTS facilitated record keeping that was more comprehensive. 
The PTS only recorded a CDP Account Holder’s latest address, while the NPTS kept records of the CDP Account Holder’s updated address as well as historical addresses.1 Arising from the new feature of the NPTS that kept records of CDP Account Holders’ updated addresses and historical addresses, the Organisation updated the programming logic of the Dividend Cheque Module (and all other modules that required retrieving of addresses) to extract the CDP Account Holders’ updated addresse… | Financial Penalty | c533793aa9a8e3bfcebfd59e65b4ee2051754090 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 101 | 101 | 1 | 952 | A financial penalty of $10,000 was imposed on MDIS Corporation for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. These individuals had provided their personal data to MDIS Corporation for registration purposes to attend its courses. | [ "Protection", "Financial Penalty", "Education", "Public access", "Database" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MDIS-Corporation-Pte-Ltd---17032020.pdf | Protection | Breach of the Protection Obligation by MDIS Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-mdis-corporation | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 11 Case No DP-1905-B3832 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And MDIS Corporation Pte Ltd. … Organisation DECISION MDIS Corporation Pte Ltd [2020] SGPDPC 11 Tan Kiat How, Commissioner — Case No DP-1905-B3832 17 March 2020 Introduction 1 On 2 May and 17 June 2019, the Personal Data Protection Commission (the “Commission”) received two complaints from an individual (the “Complainant”) in relation to a Microsoft Excel spreadsheet (the “Spreadsheet”) containing personal data of individuals who had signed up for courses with MDIS Corporation Pte Ltd (the “Organisation”). The Complainant was able to access the Spreadsheet through a Google search of her NRIC number on 2 May and 17 June 2019 (the “First Incident” and “Second Incident” respectively). Facts of the Case 2 The Organisation is a not-for-profit, professional institute for lifelong learning. The Organisation’s server and webpage were maintained by a web development vendor (the “Vendor”). In October 2017, the Organisation engaged the Vendor to develop its website (the “Website”) to include a content management system (“CMS”) for the Organisation to manage training and courses provided, and an online registration form (the “Form”) for course participants to provide their personal data. The purpose of the Form was for the Organisation to use the personal data collected to identify course attendees, create certificates for individuals who had completed their courses and verify their details for the purposes of claiming SkillsFuture credits. 
The Vendor subsequently engaged a freelance developer based in India (the “Developer”) to assist in developing the Website. 3 There were no written contracts between (i) the Organisation and the Vendor; and (ii) the Vendor and the Developer setting out the parties’ respective scope of work and responsibilities with respect to the development of the Website. During development of the Website, the Organisation … | Financial Penalty | 25ed2dfd0034231d7bc91c9c8c2ca09ccadc268f | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 102 | 102 | 1 | 952 | A warning was issued to MCST 3400 for failing to put in place reasonable security arrangements to prevent the unauthorised access of 562 individuals’ personal data stored in an internal directory. | [ "Protection", "Warning", "Real Estate", "MCST", "Directory", "Security", "Public access" ] |
2020-08-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3400-17032020.pdf | Protection | Breach of the Protection Obligation by MCST 3400 | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-mcst-3400 | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 10 Case No. DP-1909-B4797 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Management Corporation Strata Title Plan No. 3400 … Organisation DECISION Management Corporation Strata Title Plan No. 3400 [2020] SGPDPC 10 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1909-B4797 17 March 2020 Introduction 1 On 2 September 2019, the Personal Data Protection Commission (the “Commission”) was notified that a directory containing personal data belonging to Management Corporation Strata Title Plan No. 3400 (the “Directory”) was accessible on the Internet by any member of the public (the “Incident”). Facts of the Case 2 In April 2012, Management Corporation Strata Title Plan No. 3400 (the “Organisation”) purchased a Network Attached Storage Device (the “NAS”) for the purposes of internal file sharing among its administrative staff over a local network. The Directory was one of the files stored on the NAS. The Organisation did not intend for the NAS to be connected to the Internet. Prior to the Incident, the Organisation was unaware that the Directory could be accessed via an Internet Protocol address without the need for any login credentials. 3 The Directory contained personal data of 562 individuals collected for the purposes of complying with the Building Maintenance and Strata Management Act, the Building Maintenance (Strata Management) Regulations 2005, as well as to contact subsidiary proprietors of the Organisation. 
4 The following types of personal data of the Affected Individuals were exposed to the risk of unauthorised disclosure (collectively, the “Disclosed Data”): (a) 12 council members of the Organisation: Name; NRIC / Passport Number; Contact number; Email address; and (b) 550 subsidiary proprietors of the Organisation: Name; Email address; Contac… | Warning | 315029b0a5e1ce7489dea7f836f1f9a64435e6bc | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
CREATE VIEW pdpc_decisions_version_detail AS select commits.commit_at as _commit_at, commits.hash as _commit_hash, pdpc_decisions_version.*, ( select json_group_array(name) from columns where id in ( select column from pdpc_decisions_changed where item_version = pdpc_decisions_version._id ) ) as _changed_columns from pdpc_decisions_version join commits on commits.id = pdpc_decisions_version._commit;