pdpc_decisions_version_detail (view)

5 rows where "date" is on date 2020-11-24


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 77 77 1 952 A financial penalty of $4,000 was imposed on Novelship for failing to put in place reasonable security arrangements to protect the personal data collected from its sellers from unauthorised access on its website.
[
    "Protection",
    "Financial Penalty",
    "Wholesale and Retail Trade",
    "Public access",
    "URL manipulation",
    "No Security Arrangements"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Novelship-Pte-Ltd---22072020.pdf Protection Breach of the Protection Obligation by Novelship https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-obligation-by-novelship 2020-11-24 PERSONAL DATA PROTECTION COMMISSION Case No. DP-1905-B3820 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Novelship Pte. Ltd. SUMMARY OF THE DECISION 1. Novelship Pte. Ltd. (the “Organisation”) operates an e-commerce website for individuals to sell or buy luxury brands of streetwear (the “Website”). To create a buyer or seller account on the Website, individuals would have to provide their personal data to the Organisation. The Organisation does not, in usual course, reveal the personal data it had collected to any buyer or seller transacting on the Website. Instead, the Organisation, together with an external payment processor, facilitates transaction payments on behalf of the parties. 2. On 1 May 2019, the Personal Data Protection Commission (the “Commission”) received information that a registered seller (“User”) was able to gain unauthorised access to the personal data of other sellers by employing software tools and manipulating the public URLs of active listings (the “Incident”). 3. The User had accessed the personal data of six unique sellers who had active listings at the time of the Incident. The personal data concerned included: (i) first and last names; (ii) email addresses; (iii) shipping addresses; (iv) hashed account passwords; and (v) the name of bank and bank account numbers (“Personal Data Sets”). No buyer data was accessed in the Incident. 4. Investigations revealed that the Organisation had not conducted adequate security testing before the launch of the Website. 
The testing it had conducted was limited to design and functionality issues, such as verifying the password hashing and password requirement functions. Critically, the Organisation should have—but had not—conducted vulnerability scanning. Vulnerability scanning that is reasonably and competently conducted should include scanning for OWASP Top Ten, i.e. the top 10 security vulnerabilities listed by the Open Web Application Security Project (“OWASP”). The vulnerability of URLs … Financial Penalty e78daf1170808149ba7ab6af446c1836acb0e555
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 78 78 1 952 A financial penalty of $5,000 was imposed on Worksmartly for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its client’s employees. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes.
[
    "Protection",
    "Retention Limitation",
    "Financial Penalty",
    "Admin and Support Services",
    "Database",
    "Public access",
    "Retention"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Worksmartly-Pte-Ltd---17092020.pdf Protection, Retention Limitation Breach of the Protection and Retention Limitation Obligations by Worksmartly https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-worksmartly 2020-11-24 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6162 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Worksmartly Pte. Ltd. SUMMARY OF THE DECISION 1. On 2 April 2020, Roche Singapore Pte Ltd (“Roche”) informed the Personal Data Protection Commission (the “Commission”) of a data security incident involving its former vendor, Worksmartly Pte. Ltd. (the “Organisation”). Roche had detected an unauthorised disclosure of their employees’ data on GitHub repository (“GitHub”) on 3 March 2020 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of sections 24 and 25 of the Personal Data Protection Act (the “PDPA”). Background 3. The Organisation was engaged by Roche in 2017 to provide finance and payroll processing services. In order for the Organisation to provide the said services, Roche handed over its employees’ personal data to the Organisation. The contract between the parties was subsequently terminated, and the Organisation’s last day of service was 31 December 2018. The Incident 4. On or around 28 February 2020, one of the Organisation’s employees uploaded a file on the Organisation’s GitHub account (the “File”). 
When doing so, the employee changed the setting of the GitHub account from “private” to “public” under the mistaken belief that the File would only be accessible to other members of the Organisation. In fact, the change in setting had resulted in the File being accessible to the public. 5. The File contained the personal data of 308 individuals, which comprised Roche’s current and former employees (the “Employees”), and their dependents (the “Dependents”). The personal data included: a. For the Employees: name, NRIC/FIN/Passport number, address, date of birth, race, citizenship, employee I… Financial Penalty 583ab7758251c5c2e5fe07f3e5f542c582089f9d
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 79 79 1 952 A financial penalty of $20,000 was imposed on Times Software, a data intermediary, for: (i) failing to make reasonable security arrangements to prevent the unauthorised disclosure of personal data belonging to the employees of its clients; and (ii) retaining personal data which was no longer necessary for legal or business purposes. Separately, Dentons and TMF were each issued a warning for failing to put in place reasonable security arrangements with Times Software to prevent unauthorised disclosure of the personal data belonging to their employees.
[
    "Protection",
    "Retention Limitation",
    "Financial Penalty",
    "Legal",
    "Data Intermediary",
    "Functionality",
    "Software"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Times-and-Others---18062020.pdf Protection, Retention Limitation Breach of the Protection and Retention Limitation Obligations by Times Software, Breach of the Protection Obligation by Dentons and TMF https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-times-software-breach-of-the-protection-obligation-by-dentons-and-tmf 2020-11-24 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 18 Case Nos.: DP-1802-B1719, DP-1802-B1744, DP-1803-B1834, DP-1804-B1942, DP-1804-B1943 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Times Software Pte Ltd (2) Dentons Rodyk & Davidson LLP (3) Liberty Specialty Markets Singapore Pte Limited (4) Red Hat Asia Pacific Pte Ltd (5) TMF Singapore H Pte Ltd … Organisations DECISION Times Software Pte Ltd & Ors [2020] SGPDPC 18 Tan Kiat How, Commissioner — Case Nos. DP-1802-B1719, DP-1802-B1744, DP-1803-B1834, DP-1804-B1942, DP-1804-B1943 18 June 2020 Introduction 1 Times Software Pte Ltd (“Times”) is an information technology services vendor that provides various services to its clients. Between January and February 2018, three organisations which directly or indirectly used Times’ services became aware that the personal data of some of their current and former employees (the “Employee Data”) had been exposed online from Times’ servers and could be found using the Google search engine (the “Incident”). These three organisations were Dentons Rodyk & Davidson LLP (“Dentons”), Red Hat Asia Pacific Pte Ltd (“Red Hat”) and Liberty Specialty Markets Singapore Pte Limited (“LIU”). Each of these organisations submitted a data breach notification to the Personal Data Protection Commission (the “Commission”) after the Incident. 
The Facts The Relationship between the Parties and how Times had obtained the Employee Data 2 Dentons had, since 2001, engaged Times to use a payroll software application developed by Times (the “Payroll Software”). The Payroll Software was hosted internally on Dentons’ servers. In or around November 2015, Dentons commissioned the development of a new functionality of the Payroll Software which would enable Dentons to create customised employee reports. Dentons provided their Employee Data to Times to test this functionality. 3 In December 2015 and February 2016, Red Hat and LIU respective… Financial Penalty 976a574a38eb0225fbf7a43d418a4b5c6717efc8
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 80 80 1 952 A financial penalty of $120,000 was imposed on Secur Solutions Group for failing to put in place reasonable security arrangements to protect a database containing the personal data of blood donors from being publicly accessible online.
[
    "Protection",
    "Financial Penalty",
    "Professional",
    "Scientific and Technical",
    "Database",
    "Gaps",
    "Public access"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Secur-Solutions-Group-Pte-Ltd---30032020.pdf Protection Breach of the Protection Obligation by Secur Solutions Group https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-obligation-by-secur-solutions-group 2020-11-24 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 8 Case No DP-1903-B3501 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Secur Solutions Group Pte Ltd … Organisation DECISION Secur Solutions Group Pte Ltd [2020] SGPDPC 8 Tan Kiat How, Commissioner — Case No DP-1903-B3501 30 March 2020 Introduction 1 This case relates to an incident where one of Secur Solutions Group Pte Ltd’s (the “Organisation”) servers, which stored a database (the “Database”) containing personal data of blood donors, was discovered to be accessible from the internet (the “Incident”). 2 The Personal Data Protection Commission (the “Commission”) received a formal request from the Organisation requesting for this matter to be handled under the Commission’s Expedited Breach Decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts as set out in this Decision and that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”). Facts of the Case 3 The Organisation has been engaged by the Health Sciences Authority (“HSA”) since 2013 to develop and maintain various IT systems. One of the projects for which the Organisation was engaged was the development, maintenance and enhancement of its queue management system (“QMS”) for blood donors (the “QMS Engagement”). 
Pursuant to the QMS Engagement, HSA provided the Organisation with files containing copies (in part or otherwise) of the Database (“Files”) for the purposes of testing and developing the QMS. HSA would also provide the Organisation with copies or updates of the Database (“Updates”) from time to time during the period of the QMS Engagement (hereinafter, the use of the phrase “Files” will include “Updates”, unless the context specifies otherwise). 4 The Organisation stored the Files in a storage server that was designated for the purposes of testing a… Financial Penalty aa05055fb8dd4b8379487aa1343e9e005c42257d
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 81 81 1 952 Directions, including a financial penalty of $7,500 were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Protection",
    "Accountability",
    "Directions",
    "Financial Penalty",
    "Others",
    "Consent",
    "No DPO",
    "No Policy"
]
2020-11-24 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf Protection, Accountability Breach of the Consent and Accountability Obligations by Majestic Debt Recovery https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery 2020-11-24 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. 
The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 3 During its investigation, the Commission found other… Directions, Financial Penalty 735c56aebf1838696565bb02754125b665e3d968
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
Powered by Datasette · About: choco-up/sg-law-archive-data