pdpc_decisions_version_detail (view)
33 rows where decision = "Directions"
This data as json, CSV (advanced)
Suggested facets: _commit_at, _commit_hash, _commit, tags, date, nature, timestamp, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 6 | 6 | 1 | 952 | Directions were issued to Kingsforce Management Services to ensure the implementation of regular patching, updates and upgrades for all software and firmware supporting its website(s) and application through which personal data in its possession may be accessed. | [
"Protection",
"Directions",
"Employment",
"Protection",
"Patching"
] |
2023-05-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_KingsforceManagementServicesPteLtd_100323.pdf | Protection | Breach of the Protection Obligation by Kingsforce Management Services | https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-kingsforce-management-services | 2023-05-11 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPCS1 Case No. DP-2202-B9480 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Kingsforce Management Services Pte Ltd SUMMARY OF THE DECISION 1. On 31 January 2022, the Personal Data Protection Commission (the “Commission”) was notified by Kingsforce Management Services Pte Ltd (the “Organisation”) of the sale on RaidForums, on or about 27 December 2021, of data from its jobseeker database (the “Incident”). 2. The affected database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification and other data related to job searches. 3. External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident. 4. The Commission accepted the Organisation’s request for handling under the Commission’s expedited breach decision procedure. The Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision, and to breach of section 24 of the Personal Data Protection Act (“the PDPA”). 5. The Organisation admitted work had not been completed on the website at launch owing to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load. 6. In breach of the Protection Obligation, the Organisation failed to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data. In Re Civil Service Club, the Commission had pointed out that organisations that engage IT vendors can provide clarity and emphasize the need for personal data protection to their IT vendors by a) making it part of their contractual terms, and b) revi… | Directions | 55f101a661c1696120dbd78b07f569b7bba4c9db | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 8 | 8 | 1 | 952 | Directions were issued to The Law Society of Singapore to conduct a security audit of its technical and administrative arrangements for accounts with administrative privileges that can access directly and/or create access to personal data, and to rectify any gaps identified. This is pursuant to a data breach incident where The Law Society’s servers were subjected to a ransomware attack. | [
"Protection",
"Directions",
"Professional",
"Scientific and Technical",
"Ransomware",
"Patching",
"Security",
"Password"
] |
2023-05-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_LawSocietyofSingapore_140323.pdf | Protection | Breach of the Protection Obligation by The Law Society of Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-the-law-society-of-singapore | 2023-05-11 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 4 Case No. DP-2102-B7850 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Law Society of Singapore … Organisation DECISION 1 The Law Society of Singapore Yeong Zee Kin, Deputy Commissioner — Case No. DP-2102-B7850 14 March 2023 Introduction 1 On 4 February 2021, the Law Society of Singapore (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of a ransomware attack on its servers which had encrypted and denied the Organisation access to the personal data of its members and former members (the “Incident”). The Commission commenced investigations to determine whether the circumstances behind the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a body corporate established under the Legal Profession Act 1966 and represents members of the legal profession in Singapore. Every advocate and solicitor called to the Singapore bar is a statutory member of the Organisation as long as they have a practising certificate in force. At the material time, the Organisation stored the personal data of its current and former members (“Members”) in one of its servers for the purposes of carrying out its statutory functions. 2 3 The Organisation had implemented an off-the-shelf secure VPN solution, FortiOS, to manage remote access to its servers (the “VPN System”). The Organisation also engaged a vendor (the “Vendor”) to provide IT support services, including maintenance of the VPN System. For completeness, the Vendor was not the Organisation’s data intermediary as it did not access or process the personal data of the Members in the course of carrying out its IT support services. 4 The Organisation also implemented antivirus / malware detection software at the servers, and password complexity requirements for its users’ accounts. In particular, account passwords had a maximum lifes… | Directions | 7d6096f9562cfde74f556a2117cc264960050a02 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 13 | 13 | 1 | 952 | Directions were issued to CPR Vision Management Pte Ltd to conduct a security audit of its technical and administrative arrangements for the protection of personal data in its possession or control and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where CPR Vision Management Pte Ltd’s server and network storage devices were subjected to a ransomware attack. | [
"Protection",
"Directions",
"Others",
"Ransomware",
"Data Intermediary",
"Retention"
] |
2023-02-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---CPR-Vision-Management-Pte-Ltd---071222.pdf | Protection | Breach of the Protection Obligation by CPR Vision Management Pte Ltd | https://www.pdpc.gov.sg/all-commissions-decisions/2023/02/breach-of-the-protection-obligation-by-cpr-vision-management-pte-ltd | 2023-02-10 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 17 Case No. DP-2207-B8974 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And CPR Vision Management Pte Ltd L’Oreal Singapore Pte Ltd L’Occitane Singapore SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received data breach notification reports from (i) L’Oreal Singapore Pte Ltd (“L’Oreal”) on 29 October 2021 and (ii) L’Occitane Singapore Pte Ltd (“L’Occitane”) on 1 November 2021 respectively of a ransomware attack on their customer relationship management (“CRM”) system vendor, CPR Vision Management Pte Ltd (the “Organisation”). The Organisation is a data intermediary that helped to process personal data collected by L’Oreal and L’Occitane. 2. The ransomware attack affected a server and three network attached storage (“NAS”) devices in the Organisation’s office (“office network”), and led to the Page 1 of 6 encryption of the personal data belonging to 83,640 L’Occitane’s customers and 35,079 L’Oreal’s customers, which included their name, address, email address, mobile number, NRIC number, date of birth, age, gender, race, nationality, loyalty points and amount spent. 3. The Organisation requested, and the Commission agreed, for this matter to proceed under the Expedited Decision Breach Procedure. To this end, the Organisation voluntarily and unequivocally admitted to the facts set out in this decision. It also admitted to a breach of the Protection Obligation under Section 24 and the Retention Limitation Obligation under Section 25 of the Personal Data Protection Act (the “PDPA”). 4. The Organisation’s internal investigations found the threat actor had first gained access to the office network via a compromised user account VPN connection on 13 October 2021 before executing the ransomware attack on or about 15 October 2021. However, due to the limited data logs available on the Organisation’s FortiGate firewall and VPN appliance, the Organisation was not able to determi… | Directions | 7e9168136ea5e122bc3f4577c70535e0fc6c7689 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 15 | 15 | 1 | 952 | Directions were issued to Thomson Medical to conduct scan of the web to ensure no publication of affected personal data online and to include in the review of its application deployment process, measures such as the arrangements for security testing and the implementation of data retention policy. This is pursuant to a data breach incident from an unsecured Health Declaration Portal which enabled public access to visitors' personal data. | [
"Protection",
"Directions",
"Healthcare"
] |
2022-12-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Thomson-Medical-Pte-Ltd---140922.pdf | Protection | Breach of the Protection Obligation by Thomson Medical | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-protection-obligation-by-thomson-medical | 2022-12-19 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 15 Case No. DP-2010-B7246 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Thomson Medical Pte. Ltd. SUMMARY OF THE DECISION 1. On 26 October 2020, the Personal Data Protection Commission (the “Commission”) was notified that the Thomson Medical Pte. Ltd. (the “Organisation”) Health Declaration Portal was not secure, enabling public access to the personal data of visitors (the “Incident”) stored in a CSV (comma separated values) file. 2. Visitor data collected on the Organisation’s Health Declaration Portal had been stored concurrently in a publicly-accessible CSV file as well as a secured 1 database from 16 April 2020, when the health declaration portal was first used by the Organisation to 8 September 2020, when the storage of the visitor data was changed to only the secured database instead of the CSV file. The CSV file was hosted on the Organisation’s web server. 3. The Organisation admitted that, contrary to the instructions given to the employee to switch the data storage from the CSV file to secured database exclusively, and the organisation’s protocols, its in-house developer had omitted to remove a software code, causing the visitor data to be stored in the CSV file and the same in-house developer had omitted to change the default web server configuration, thereby allowing public access to the hosted CSV file. The switch to storage in a secured database would have ensured access controls by requiring user login ID and secure password protection, as well as encryption of data transfers using SSL certificates. The access controls would ensure that only authorized users would be able to access the data. 4. The Commission’s investigations revealed that the affected CSV file contained the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of visit), name of visitor, name of newborn, contact number, NRIC/FIN/passport num… | Directions | 2e2e404473e7fa064a0c51315f167b10b4810806 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 17 | 17 | 1 | 952 | Directions were issued to both Shopify Commerce Singapore and Supernova to put in place a process to ensure compliance with the Transfer Limitation Obligation following a data breach incident of Shopify Inc's database. | [
"Transfer Limitation",
"Directions",
"Others",
"Data Intermediary"
] |
2022-11-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Supernova-Pte-Ltd_06102022.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by Shopify Commerce Singapore and Supernova | https://www.pdpc.gov.sg/all-commissions-decisions/2022/11/breach-of-the-transfer-limitation-obligation-by-shopify-commerce-singapore-and-supernova | 2022-11-18 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 7 Case No: DP-2103-B8147 / DP-2206-B9935 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Supernova Pte Ltd (2) Shopify Commerce Singapore Pte Ltd … Organisation DECISION Page 1 of 12 Supernova Pte Ltd & Anor Yeong Zee Kin, Deputy Commissioner — Case No. DP-2103-B8147/ DP-2206-B9935 6 October 2022 Introduction 1 On 8 October 2020, the Personal Data Protection Commission (the “Commission”) was notified by Supernova Pte Ltd (“SNPL”) of a data breach incident of Shopify Inc’s database affecting the personal data of certain Singapore-based customers (the “Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case Background 2 Shopify Inc (“Shopify”) is a company based in Canada that operates an e- commerce platform for online retailers to conduct sales (the “Platform”). SNPL is an online retailer that began using the Platform in 2018 to sell its products to customers. Shopify provided payment processing and other services (the “Services”) to SNPL pursuant to the Shopify Plus Agreement, executed by Shopify and SNPL on 4 December 2018. Shopify Commerce Singapore Pte Ltd (“Shopify SG”) acted as the Page 2 of 12 Asia-Pacific data sub-processor of Shopify pursuant to the Shopify Data Processing Addendum to the Shopify Plus Agreement, and its role was confined to collecting customer personal data (including SNPL’s) via the Platform and transferring the data out of Singapore to Shopify for both Purchase Processing and Platform Processing. 3 The Platform collected personal data from customers of its online retailers for two broad sets of purposes. First, to facilitate billing, payment and shipping on behalf of the Platform’s online retailers (“Purchase Processing”). Second, for Shopify’s own commercial and administrative purposes. This mainly included th… | Directions | a460c9f6da7d242e2c26bf56c9b5bc6bd47df7e7 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 22 | 22 | 1 | 952 | Directions were issued to Budgetcars to put in place appropriate contractual provisions, conduct a security audit of its technical and administrative arrangements for the security and maintenance of its website and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where personal data could be accessed by changing a few digits of the tracking ID. | [
"Protection",
"Directions",
"Transport and Storage"
] |
2022-08-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Budgetcars-Pte-Ltd---06072022.pdf | Protection | Breach of the Protection Obligation by Budgetcars | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-budgetcars | 2022-08-11 | PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPCS 13 Case No. DP-2108-B8798 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Budgetcars Pte. Ltd. SUMMARY OF THE DECISION 1. On 25 August 2021, the Personal Data Protection Commission (the “Commission”) received a complaint that the delivery tracking function (the “Tracking Function Page”) on the website of Budgetcars Pte Ltd (the “Organisation”) could be used to gain access to the personal data belonging to another individual. By changing a few digits of a Tracking ID, the complainant could access the personal data of another individual (the “Incident”). 2. The Organisation is a logistics company delivering parcels to customers (“Customers”) on behalf of retailers (“Retailers”). 3. The personal data of 44,357 individuals had been at risk of unauthorised access. The datasets comprised name, address, contact number and photographs of their signatures. 4. The Tracking Function Page was set up in December 2020 to allow Retailers and Customers to (i) keep track of the delivery status of their parcels; and (ii) confirm the identity of individuals to collect parcels on their behalf (where applicable). The Tracking IDs were generated by Retailers and comprised either sequential or nonsequential numbers. Although generated by Retailers, the Organisation adopted the Tracking IDs for use on its own Tracking Function Page that allowed their customers to track their deliveries, which would disclose personal data listed above. The Protection Obligation therefore required the Organisation to ensure that there were reasonable access controls in its use of the Tracking IDs for giving access to an individual’s personal data. 5. The risk of unauthorised access to personal data from altering numerical references, both sequential and non-sequential, have featured in the published decisions of the Commission in Re Fu Kwee Kitchen Catering Services [2016] SGPDPC 14, and more recently, in Re Ninja Logistics Pte. Ltd. [2019] SGPDPC… | Directions | f58b11a86b70faf2534d0dbe08ee7f22ddbeaeb9 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 23 | 23 | 1 | 952 | Directions were issued to Crawfort to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and rectify any security gaps identified in the audit report. This is pursuant to a data breach incident where Crawfort's customer database were offered for sale in the dark web. | [
"Protection",
"Directions",
"Finance and Insurance"
] |
2022-07-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Crawfort-Pte-Ltd---070622.pdf | Protection | Breach of the Protection Obligation by Crawfort | https://www.pdpc.gov.sg/all-commissions-decisions/2022/07/breach-of-the-protection-obligation-by-crawfort | 2022-07-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2106-B8446 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Crawfort Pte. Ltd. SUMMARY OF THE DECISION 1. On 9 June 2021, Crawfort Pte. Ltd. (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) of the sale of the Organisation’s customer data on the dark web (the “Incident”). 2. The personal data of 5,421 customers were affected. The datasets affected comprised NRIC images (front and back), PDF copies of loan contract (containing all the information in the NRIC, age, email address, contact number and loan amount) and PDF copies of income document (payslip, CPF statements or IRAS Notice of Assessment). 1 3. The Organisation engaged external cyber security teams to investigate the Incident. The investigation identified an opened S3 server port in the Organisation’s AWS environment as the cause of the Incident. 4. The Organisation explained that it had opened the S3 server port for one week during a data migration exercise sometime on or about 15 April 2020 for business continuity purposes. On 3 April 2020, the Singapore government had announced that the country will enter into a Circuit Breaker to contain the spread of COVID-19. All non-essential workplaces, including the Organisation, had to be closed from 7 April 2020. In order to continue its business, the Organisation had to pivot its operations so as to allow its staff to work from home and its customers to make loan applications remotely. Within a very short period, the Organisation had to carry out the data migration exercise and as a result, overlooked conducting a risk assessment prior to conducting the data migration exercise. 5. The opened S3 server port connected directly to the S3 server hosting the S3 buckets, which contained the affected personal data. The open remote port enabled attempts to connect to the Organisation’s AWS environment from the internet. Furthermore, the S3 bucket containing the affected p… | Directions | e2755a8249f833e1c234b8532991f2dc6896ee30 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 37 | 37 | 1 | 952 | Directions were issued to ACL Construction (S) for breach of the PDPA in relation to failure to appoint a data protection officer and no policies and practices in place to comply with the PDPA. | [
"Accountability",
"Directions",
"Construction",
"No DPO"
] |
2022-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--ACL-Construction-S-Pte-Ltd--030222.pdf | Accountability | Breach of Accountability Obligation by ACL Construction (S) | https://www.pdpc.gov.sg/all-commissions-decisions/2022/03/breach-of-accountability-obligation-by-acl-construction | 2022-04-21 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2107-B8598 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ACL Construction (S) Pte Ltd SUMMARY OF THE DECISION 1. On 2 June 2021, the Personal Data Protection Commission (the “Commission”) was notified that data from ACL Construction (S) Pte Ltd (the “Organisation”), a company that provides pre-fabricated structures, structural steel products and construction services, was being offered for sale on the darkweb by one “Prometheus” (the “Incident”). 2. Investigations revealed that a few days ago, three ACL staff - a designer and two sales executives had experienced difficulties when they tried to log in to access their files. Thereafter, the ACL staff discovered that the files had been encrypted. The Organisation then sought external IT support. 3. The Organisation informed the Commission that the affected files contained the following data related to their projects: (i) Quotation folder – quotations (to clients and from suppliers), delivery orders, invoices and other supporting documents; (ii) Common folder – project document and photographs; and Page 1 of 3 (iii) Drawing folder – CAD drawings. 4. Our investigations revealed that the affected files contained the names of the Organisation’s customers, the relevant liaison person, their business contact number(s) and/or business email(s). As the names, business contact numbers and business emails were not provided by the individuals concerned for a personal purpose, they would constitute “business contact information” as defined under the Personal Data Protection Act (“PDPA”), and fall outside the scope of the Act by virtue of section 4(5) of the PDPA. Accordingly, while the Organisation may have suffered a data breach, no personal data was in fact affected. 5. This finding alone would have brought the matter to a close. However, in the course of our investigations, the Commission found out that the Organisation had failed to designate one or more individuals,… | Directions | e5d93d363b4513ab709353939decc81ce04eb8a1 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 49 | 49 | 1 | 952 | Directions were issued to J & R Bossini Fashion for breaches of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to its parent company in Hong Kong and the protection of its employees’ personal data stored in its servers in Singapore. | [
"Protection",
"Transfer Limitation",
"Directions",
"Wholesale and Retail Trade"
] |
2021-10-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---J--R-Bossini-Fashion-Pte-Ltd---18082021.pdf | Protection, Transfer Limitation | Breach of the Protection and Transfer Limitation Obligations by J & R Bossini Fashion | https://www.pdpc.gov.sg/all-commissions-decisions/2021/10/breach-of-the-protection-and-transfer-limitation-obligations-by-j-r-bossini-fashion | 2021-10-14 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 9 Case No. DP-2006-B6440 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And J & R Bossini Fashion Pte Ltd … Organisation DECISION J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2006-B6440 18 August 2021 Introduction 1 On 13 June 2020, J & R Bossini Fashion Pte Ltd (“the Organisation”) notified the Personal Data Protection Commission (“the Commission”) of a ransomware attack which had affected the IT systems of the Organisation’s group of companies on or around 27 May 2020 (“the Incident”). The Commission commenced investigations to determine whether the circumstances relating to the Incident disclosed any breaches by the Organisation of the Personal Data Protection Act 2012 (“PDPA”). Facts of the Case 2 The Organisation is a company incorporated in Singapore, and a subsidiary of Bossini International Holdings Limited, a company listed on the Stock Exchange of Hong Kong (“Bossini Holdings”). Bossini Holdings and its subsidiaries (“the Group”) are in the business of garment retail and brand franchising. 3 The Group’s IT systems and infrastructure across different regions (including Singapore) are centrally managed by Bossini Holdings from Hong Kong. While most of the Group’s production servers are located in Hong Kong, at the material time, the Organisation maintained two servers and various workstations for its staff in Singapore which were connected to the Group’s network in Hong Kong by way of a virtual private network (“VPN”). 2 Personal data collected by the Organisation 4 Sometime prior to 2017, the Organisation collected personal data from customers and prospective customers in Singapore for the purposes of administering a customer loyalty programme. The personal data collected comprised of each individual’s: (a) Name; (b) NRIC number, (c) Phone number, (d) Email address, (e) Residential address, (f) Date of birth; and (g) Gende… | Directions | 0705137f0dd7129af2528c049cc49cf5edda8502 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 56 | 56 | 1 | 952 | Directions were issued to NUInternational Singapore and Newcastle Research and Innovation Institute for breach of the PDPA in relation to the transfer of Singapore-based individuals’ personal data to their ultimate parent company in the United Kingdom and related company in Malaysia. | [
"Transfer Limitation",
"Directions",
"Education",
"Ransomware",
"Consent"
] |
2021-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---NUI-and-NewRIIS--23062021.pdf | Transfer Limitation | Breach of the Transfer Limitation Obligation by NUInternational Singapore and Newcastle Research and Innovation Institute | https://www.pdpc.gov.sg/all-commissions-decisions/2021/09/breach-of-the-transfer-limitation-obligation-by-nuinternational-singapore-and-newcastle-research-and-innovation-institute | 2021-09-21 | PERSONAL DATA PROTECTION COMMISSION [2021] SGPDPC 5 Case No. DP-2009-B7011 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) NUInternational Singapore Pte Ltd (2) Newcastle Research and Innovation Institute Pte Ltd … Organisations DECISION (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5 Yeong Zee Kin, Deputy Commissioner — Case No. DP-2009-B7011 23 June 2021 Introduction 1 On 17 September 2020 and 13 November 2020, the Personal Data Protection Commission (the “Commission”) was notified of a ransomware attack relating to Newcastle Research and Innovation Institute Pte Ltd and NUInternational Singapore Pte Ltd (collectively known as the “Organisations”) in Singapore (the “Incident”). Facts of the case 2 The ransomware infected, on or around 30 August 2020, (a) a database in the United Kingdom, managed by the ultimate parent company of the Organisations (containing 1,083 records of Singapore-based individuals); and (b) a database in Malaysia, hosted by a related company of the Organisations (containing 194 records of Singapore-based individuals). These records containing personal data of the Singapore-based individuals were previously transferred from the Organisations to the ultimate parent company in the United Kingdom and the related company in Malaysia respectively. The Singapore-based individuals were a mix of staff members, undergraduates and/or post-graduate students of the Organisations. Their 2 personal data (comprising names and user account identifications) were exfiltrated by the threat actor. Findings and Basis for Determination 3 Section 26(1) of the PDPA stipulates that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection un… | Directions | 3b598c8a7be71e58fadf5f81e6bf2476ad13c791 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 66 | 66 | 1 | 952 | Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA. | [
"Accountability",
"Protection",
"Directions",
"Others",
"No Policy",
"Access control",
"Indexing"
] |
2021-04-15 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf | Accountability, Protection | Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer | https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer | 2021-04-15 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. Fortuitously, it appeared that the access to the File was minimal – based on Google Analytics Report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled the search engine indexing to the subdirectory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the websi… | Directions | 3af9997c53409121b23cd38f9ec106f784e3648c | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 76 | 76 | 1 | 952 | Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure its compliance with the PDPA. | [
"Accountability",
"Protection",
"Directions",
"Construction",
"No Policy",
"Ransomware"
] |
2020-12-18 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf | Accountability, Protection | Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist | https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects | 2020-12-18 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): 2 Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Name of Organisation Number of employees affected EPPL 141 EIPL 239 ESPL 4 Total number of individuals 384 4 T… | Directions | 6bf33286d1c3d26557836242297e0273d9b08921 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 82 | 82 | 1 | 952 | Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A security personnel contacted the visitors to request return of visitor passes and send them Chinese New Year greetings. | [
"Protection",
"Directions",
"Others",
"Text messages",
"Mobile numbers",
"Protection"
] |
2020-10-16 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Security-Masters-Pte-Ltd---21072020.pdf | Protection | Breach of the Protection Obligation by Security Masters | https://www.pdpc.gov.sg/all-commissions-decisions/2020/10/breach-of-the-protection-obligation-by-security-masters | 2020-10-16 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2002- B5875 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Security Masters Pte Ltd SUMMARY OF THE DECISION 1. On 17 February 2020, Security Masters Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a security employee had used the mobile phone numbers of eight building visitors to contact them to request their return of visitor passes and send them Chinese New Year greetings. 2. Investigation found that the Organisation did not put in place any standard operating procedure or guidelines for the retrieval and use of visitors’ personal data prior to the incident. This gap in security arrangements allowed the incident to occur. 3. The Deputy Commissioner for Personal Data Protection therefore found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against risk of unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012. 4. Following the incident, the Organisation restricted access to personal data to senior personnel and required all security personnel to sign an undertaking not to contact visitors in their personal capacity. However, structured training is needed to help its security personnel understand the importance of protecting the personal data they handled daily in their duties, such as National Registration Identification Card numbers, photographs and closed-circuit television footage. 5. On the above consideration, the Deputy Commissioner for Personal Data Protection hereby directs the Organisation to: a) Within 60 days from the date of the direction, revise its training curriculum to ensure that its security personnel understand i. the rationale for personal data protection; ii. the importance of consent and authorisation in the handling of personal data; and iii. the circumstances in which… | Directions | e24e6989567857bec320cd7ad6365fd535330a52 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 105 | 105 | 1 | 952 | Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA. | [
"Protection",
"Accountability",
"Directions"
] |
2020-03-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management | https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management | 2020-03-19 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of t… | Directions | c9534d20c08d9b7217ff8dd7e875c02139ab7e2a | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 106 | 106 | 1 | 952 | Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. | [
"Protection",
"Accountability",
"Directions"
] |
2020-02-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association | https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association | 2020-02-11 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also… | Directions | 79c294efa7335db9a6489bfae8e1c1eedccbf23b | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 120 | 120 | 1 | 952 | Saturday Club was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. Saturday Club was directed to put in place a data protection policy to comply with the provisions of the PDPA and to conduct training to ensure its employees are aware of and comply with the requirements of the PDPA. | [
"Accountability",
"Directions"
] |
2019-12-05 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Saturday-Club.pdf | Accountability | Breach of the Accountability Obligation by Saturday Club | https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-accountability-obligation-by-saturday-club | 2019-12-05 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1906-B4109 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Saturday Club Pte Ltd SUMMARY OF THE DECISION 1. Upon investigation into a suspected data breach, it was found that Saturday Club Pte Ltd (the “Organisation”) had not developed any internal policies and practices that are necessary for it to meet its obligations under the Personal Data Protection Act 2012 (“PDPA”). In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to issue the directions to the Organisation. | Directions | d047195a60d37294c9b55687dc7b54978590b389 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 122 | 122 | 1 | 952 | Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training. | [
"Protection",
"Accountability",
"Directions"
] |
2019-12-05 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Global Outsource Solutions | https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions | 2019-12-05 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of perso… | Directions | ab0971aeb10525bfdeea3bf683966ddd8fc40f11 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 131 | 131 | 1 | 952 | iClick was found in breach of the PDPA for failing to put in place written policies and practices necessary to ensure its compliance with the PDPA. iClick was directed to put in place a data protection policy to comply with the provisions of the PDPA; to develop a training programme for its employees and require them to attend the training. | [
"Accountability",
"Directions",
"Information and Communications"
] |
2019-11-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---iClick-Media.pdf | Accountability | Breach of the Accountability Obligation by iClick Media | https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-accountability-obligation-by-iclick-media | 2019-11-04 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And iClick Media Pte. Ltd. SUMMARY OF THE DECISION 1. Following a complaint against EU Holidays Pte Ltd, (“EU Holidays”), the Personal Data Protection Commission conducted an investigation to determine whether EU Holidays had contravened the Personal Data Protection Act 2012 (the “PDPA”). In the course of investigations, it was found that EU Holiday’s IT vendor, iClick Media Pte Ltd (the “Organisation”), had not developed any internal policies and practices that are necessary for it to meet its obligations under the PDPA. In the circumstances, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 12 of the PDPA and decided to direct the Organisation to, within 60 days: 2. Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA; 3. Develop a training programme for the Organisation’s employees in respect of their obligations under the PDPA when handling personal data and require all employees to attend such training; and 4. By no later than 7 days after the above actions have been carried out, the Organisation shall, in addition, submit to the Commission a written update. | Directions | bf9f246a0db6172bb647c44e87dcaa6e5793dce4 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 143 | 143 | 1 | 952 | Directions were issued to Avant Logistic Service for failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data. The lapses resulted in personal data of customers being disclosed by an employee. | [
"Protection",
"Directions",
"Wholesale and Retail Trade"
] |
2019-08-02 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Avant-Logistic-Service-Pte-Ltd---300719.pdf | Protection | Breach of the Protection Obligation by Avant Logistic Service | https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-avant-logistic-service | 2019-08-02 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 28 Case No DP-1802-B1709 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Avant Logistic Service Pte. Ltd. … Organisation DECISION Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1709 30 July 2019 Background 1 On 25 November 2017, a customer of Ezbuy Holdings Ltd. (“Ezbuy”) made a complaint to the Personal Data Protection Commission (the “Commission”) alleging that her personal data had been disclosed to another customer of Ezbuy without her consent by an employee of Avant Logistic Service Pte. Ltd. (the “Organisation”). The facts of this case are as follows. 2 Ezbuy provides an online e-commerce platform that allows its customers to shop for items from various online retailers and platforms around the world. It engaged the Organisation to provide delivery services in Singapore. The Organisation is an affiliate of Ezbuy and its delivery personnel are required to adhere to Ezbuy’s Privacy Policy and the terms and conditions in Ezbuy’s Employee Handbook and Ezbuy’s Delivery and Collection Standard Operation Procedure (“SOP”). 3 When a customer ordered an item through Ezbuy’s platform, they would be offered two modes of delivery, (i) delivery to a designated collection point 1 Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 (referred to by Ezbuy as “self-collection”), or (ii) delivery to the customer’s address. If the customer opted for self-collection, the customer would proceed to the designated collection point at a specified time. The delivery personnel there would verify their identity using their Ezbuy user ID or their mobile number registered with Ezbuy and then hand over the package with their item. 4 On 9 November 2017, the complainant scheduled to self-collect a package that she ordered from Ezbuy at a collection point in Bishan at around 6.30 p.m. One of the Organisation’s employees (referred to in this Decision as “OA”), was a… | Directions | 080f1f19619de2e97b442d076d6b4f4a81f71d57 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 150 | 150 | 1 | 952 | Directions were issued to SME Motor for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. The lapses resulted in personal data of other customers being disclosed on the reverse side of an invoice document. | [
"Protection",
"Directions",
"Others",
"Auto Repair and servicing",
"Car"
] |
2019-07-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---SME-Motor-Pte-Ltd---040719.pdf | Protection | Breach of the Protection Obligation by SME Motor | https://www.pdpc.gov.sg/all-commissions-decisions/2019/07/breach-of-the-protection-obligation-by-sme-motor | 2019-07-04 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 21 Case No DP-1901-B3318 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SME Motor Pte. Ltd. … Organisation DECISION 1 SME Motor Pte. Ltd. [2019] SGPDPC 21 Yeong Zee Kin, Deputy Commissioner — Case No DP-1901-B3318 4 July 2019 Background 1 On 31 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the disclosure of other individuals’ personal data that had been printed on the reverse side of an invoice issued to the Complainant by SME Motor Pte. Ltd. (the “Organisation”). Material Facts 2 The facts of this case and circumstances leading to the breach bear some resemblance to the cases of Re SLF Green Maid Agency [2018] SGPDPC 27 and Re Furnituremart.sg [2017] SGPDPC 7. 3 The Organisation is in the business of auto repair and servicing. In an effort to be environmentally friendly, the Organisation had a practice of re-using scrap or unwanted paper documents by printing other documents on the reverse side. 4 The Complainant met with a car accident and brought her vehicle to the Organisation’s workshop for repair. The Complainant subsequently discovered 1 [2019] SGPDPC 21 SME Motor Pte. Ltd. that the Organisation had printed her workshop repair invoice on a piece of paper that contained the personal data of two other individuals (the “Personal Data”) on the reverse side. On 31 January 2019, the Complainant lodged a complaint with the Commission in relation to the disclosure of the Personal Data. 5 The Personal Data disclosed to the Complainant included the following: (a) the first individual’s name, National Registration Identification Card (“NRIC”) number, and insurance policy number; and (b) the second individual’s name, insurance policy number, and claim number. Findings and Basis for Determination 6 The issue that arises in this case for determination is whether the Organisation had complied … | Directions | 8817cb0bc39f451aa5b8c5d679937e87fcd26cf9 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 157 | 157 | 1 | 952 | Directions were issued to GrabCar for failing to put in place reasonable security arrangements for GrabHitch drivers to protect the personal data of passengers that used GrabHitch services. Personal data of some GrabHitch passengers were disclosed by GrabHitch drivers without consent on social media. | [
"Protection",
"Directions",
"Transport and Storage",
"PHV",
"Private Hire Vehicle"
] |
2019-06-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-GrabHitch--110619.pdf | Protection | Breach of Protection Obligation by GrabCar | https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-directions | 2019-06-11 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 14 Case Nos DP-1702-B0508/DP-1703-B0613 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte. Ltd. [UEN 201427085E] … Organisation ________________________________________________________ DECISION ________________________________________________________ Grabcar Pte. Ltd. [2019] SGPDPC 14 Grabcar Pte. Ltd. [2019] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner – Case Nos DP-1702-B0508/DP-1703B0613 11 June 2019 Introduction and facts of the cases 1 This decision addresses, in the main, the obligations of an online ride- sharing platform and drivers who use the platform to provide carpool rides to passengers. Grabcar Pte Ltd (the “Organisation”) operates an online platform through the Grab mobile application (the “Grab App”) which enables individuals to book taxis or private cars for transportation services. The Grab App also provides a carpooling option, referred to in the app as “GrabHitch”. GrabHitch matches a passenger with a driver who is willing to give a lift to the passenger on the way to the driver’s destination in return for a fee. The Organisation states on its website,1 “GrabHitch is a social carpooling platform powered by everyday, non-commercial drivers giving you a lift along the way to cover petrol costs.”2 2 This decision relates to separate complaints by two passengers (the “Complainants”) who used GrabHitch to book carpool rides. The carpool rides were provided by two different drivers (the “Drivers”) on separate occasions. 1 www.grab.com/sg/hitch/ The Organisation’s website also states that GrabHitch is provided in compliance with the Road Traffic (Car Pools) (Exemption) Order 2015. 2 2 Grabcar Pte. Ltd. [2019] SGPDPC 14 Nevertheless, the two complaints are dealt with together in this decision as they both relate to similar issues, in particular, to the issue of disclosure of passengers’ personal data without consent by GrabHitch drivers. 3 The substance of each compla… | Directions | b13cfd3e762e67fa7f3823843de7d5cae693b203 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 173 | 173 | 1 | 952 | Directions were issued to SLF Green Maid Agency for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data. | [
"Protection",
"Directions",
"Others",
"domestic helper"
] |
2018-12-13 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Green-Maid-Agency---131218.pdf | Protection | Breach of Protection Obligation by SLF Green Maid Agency | https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-slf-green-maid-agency | 2018-12-13 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 27 Case No DP-1806-B2265 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLF Green Maid Agency … Organisation DECISION SLF Green Maid Agency [2018] SGPDPC 27 SLF Green Maid Agency [2018] SGPDPC 27 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2265 13 December 2018 1 This case arose out of the common practice of reusing scrap or discarded paper where the reverse side of the paper can still be used. This is highly commendable and environmentally-friendly, but organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use. An employee of SLF Green Maid Agency (the “Organisation”) wrote information for the Complainant on a piece of paper which contained personal data of other individuals on the reverse side and gave the paper to the Complainant. This happened on two separate occasions. The key issue is whether this disclosure of personal data by the Organisation amounts to a breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 On 8 April 2018, the Complainant visited the Organisation’s office to enquire about engaging a foreign domestic worker. An employee of the Organisation assisted her and over the course of these enquiries, the employee handed the Complainant some paper on which he wrote information related to her query. The Complainant discovered that the reverse side of the paper contained personal data of other individuals. The Complainant informed the employee that the paper that was used should not have been given to the Complainant. 3 On 24 April 2018, the Complainant returned to the Organisation’s office and was served by the same employee. Again, over the course of the queries, she was provided information hand written on used paper. Similarly, the reverse side of the paper contained personal data of other individuals. 4 Over the two occasions, the following personal data was disclos… | Directions | db40f6c2dd8921428c1fe911f5570123eecd69e8 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 181 | 181 | 1 | 952 | Directions were issued to Singapore Cricket Association for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its website, and for failing to put in place data protection policies. | [
"Protection",
"Accountability",
"Directions",
"Arts, Entertainment and Recreation"
] |
2018-08-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Cricket_Association_and_Ors_210818.pdf | Protection, Accountability | Breach of Protection Obligation by Singapore Cricket Association | https://www.pdpc.gov.sg/all-commissions-decisions/2018/08/breach-of-protection-obligation-by-singapore-cricket-association | 2018-08-21 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [19] Case No DP-1704-B0707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Singapore Cricket Association (UEN No. S65SS0010H) (2) Massive Infinity Pte Ltd (UEN No. 201131950M) … Organisations DECISION Singapore Cricket Association & Ors [2018] SGPDPC 19 Singapore Cricket Association & Ors. [2018] SGPDPC [19] Yeong Zee Kin, Deputy Commissioner — Case No DP-1704-B0707 21 August 2018 1 This case concerns the unauthorised disclosure of the personal data of cricket players on the Singapore Cricket Association’s (“SCA”) websites (the “Incident”). On 20 April 2017, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised disclosure of personal data on the player profile pages on the SCA’s websites and commenced its investigations thereafter. The Deputy Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. 2 The SCA is the official governing body of the sport of cricket in Singapore. It administers various cricket leagues in Singapore with more than 100 cricket clubs participating across several league divisions. The SCA owns the rights to the domain name www.singaporecricket.org (the “First Domain”), which has served as the SCA’s official website since August 2007 (“Website”). The SCA also owns the rights to the domain name, www.cricketsingapore.com (“Second Domain”). Both domains were accessible to the public and the hosting of both domains were set up and managed by the SCA or on its instructions. 3 All clubs and their players are required to register with the SCA in order to participate in any of the SCA leagues. To register new players, clubs are required to submit the following player personal data through the registration form on the SCA’s Website:1 1 (a) Player name; (b) Player photograph; Clubs were also required to provide information such as the season, league, divis… | Directions | 25d5268ed669c201d4b55ce4d00b7442bfa8671e | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 184 | 184 | 1 | 952 | Directions were issued to Flight Raja Travels for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its online travel booking system. | [
"Protection",
"Directions",
"Accommodation and F&B"
] |
2018-06-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Flight_Raja_Travels_Singapore_110618.pdf | Protection | Breach of Protection Obligation by Flight Raja Travels | https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-flight-raja-travels | 2018-06-11 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1705-B0730 [2018] SGPDPC [16] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Flight Raja Travels Singapore Pte. Ltd. … Organisation DECISION Flight Raja Travels Singapore Pte. Ltd. [2018] SGPDPC [16] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0730 11 June 2018 1 This complaint concerns a user of Flight Raja Travels Singapore Pte. Ltd’s (the “Organisation”) online travel booking system (the “Booking System”). While using the Booking System, the user was able to access information of other users (the “Incident”). 2 What happened was that after the user resumed his session after time- out, the Booking System showed him 45 sets of booking records. The booking records accessed by the user contained the personal data of 72 other individuals. This included name, passport number, booking ID, flight details (including the flight number, departing/ arrival date, time and airport), booking date, amount paid, and flight inclusions. 3 Investigations were commenced under section 50 of the Personal Data 4 Up to December 2016, the Booking System was accessed through Protection Act 2012 (the “PDPA”). The material facts of the case are as follows. browser login via the Organisation’s website. The Organisation then introduced a new application (the “New Mobile App”). The New Mobile App enabled access through mobile devices without login. It recognised the mobile device IDs of registered users stored as part of their account information. Flight Raja Travels Singapore Pte. Ltd. 5 [2018] SGPDPC 16 Proper change management would have included full system integration testing of the New Mobile App with the Booking System to detect any unintended effects from the changes. However, two unintended effects went undetected. They affected non-registered users who had just completed a booking via the Booking System through a browser, and had been registered by the Booking System as new users (“Newly Registere… | Directions | 4eac4f70563516f75e6e287250e8238d4776bb2e | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 185 | 185 | 1 | 952 | Spring College International failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to Spring College International. | [
"Consent",
"Purpose Limitation",
"Notification",
"Directions",
"Education"
] |
2018-05-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Spring_College_International_240518.pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Purpose Limitation Obligations by Spring College International | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-consent-and-purpose-limitation-obligations-by-spring-college-international | 2018-05-24 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 15 Case No DP-1705-B0799 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Spring College International Pte. Ltd. … Organisation DECISION Spring College International Pte. Ltd. Mr Yeong Zee Kin, Deputy Commissioner — Case No DP-1705-B0799 24 May 2018 Background 1 This matter involves a private educational institution that posted information about its students, including their names and photographs, on a public social media page, in order to promote its courses. The Organisation operates a private educational institution, known as “Spring College International Pte. Ltd.” (“SCI”), that offers various academic courses to students of varying ages and levels. A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of a student’s personal data on the Organisation’s Facebook page. The complaint was made by the student’s parent (“the Complainant”). 2 The Commissioner’s findings and grounds of decision, based on the investigations carried out in this matter, are set out below. Material Facts 3 Since September 2010, the Organisation has maintained a Facebook page which is accessible to the general public, titled “Spring College International”. In December 2015, the Complainant enrolled her son (“Individual A”) as a student in SCI. Sometime thereafter, the Spring College International Pte. Ltd. [2018] SGPDPC 15 Complainant came across a post on the Organisation’s Facebook page, dated 24 April 2016 (“Post A”). The post contained the following text: Application for Supplementary Admissions Exercise for International Students 1 We are pleased to inform you that your application for admission to a secondary school through the Supplementary Admissions Exercise for International Students is successful. The results of your application are as follows: … 4 Post A further set out the following information about Individual A: full name; partially masked passport num… | Directions | ab610ebd87a5e51bcfa08294b0f5948e87401467 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 192 | 192 | 1 | 952 | Directions were issued to Habitat for Humanity Singapore for breaches of the PDPA. The organisation did not make reasonable security arrangements to prevent unauthorised disclosure of its volunteers’ personal data, failed to put in place data protection policies, and omitted to communicate data protection policies and practices to its staff. | [
"Accountability",
"Protection",
"Directions",
"Social Service"
] |
2018-05-03 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Habitat_for_Humanity_Singapore_030518.pdf | Accountability, Protection | Breach of Openness and Protection Obligations by Habitat for Humanity Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-openness-and-protection-obligations-by-habitat-for-humanity-singapore | 2018-05-03 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 9 Case No DP-1707-B0971 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Habitat for Humanity Singapore Ltd … Organisation DECISION Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0971 3 May 2018 Background 1 On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising a batch of community involvement programme (“CIP”) letters (the “CIP Letters”) acknowledging the participation of each volunteer at an event organised by the Organisation (the “Incident”). The Personal Data Protection Commission (the “PDPC”) was informed of the Incident on 22 July 2017 and commenced its investigations thereafter. I set out below my findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Organisation is a registered charity under the National Council of Social Services, which objectives include seeking to eliminate poverty housing worldwide by providing decent and affordable housing. In furtherance of its objectives, the Organisation organises community involvement programmes, where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer’s participation. Habitat for Humanity Singapore Ltd 3 [2018] SGPDPC 9 The Incident involved the disclosure of a batch of CIP Letters in an email (the “Email”) that was prepared by a manager (the “Manager”) in the Organisation. The CIP Letters were created using the mail merge function in Microsoft Word which would fill in a CIP letter template with the names and NRIC numbers of the volunteers. This created a single Microsoft Word document containing the CIP Letters for all the volunteers, which the Manager then converted from Microsoft Word to PDF format. The Manager then sent the PDF contai… | Directions | 2f49f6f980fa80609521241128a33eb6a528f5a9 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 198 | 198 | 1 | 952 | Directions were issued to Jiwon Hair Salon, Next@Ion, Next Hairdressing and Initia for failing to put in place data protection policies to comply with the provisions of the PDPA. | [
"Accountability",
"Directions",
"Others"
] |
2018-01-23 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GroundsofDecisionJiwonNextIonNextHairdressingInitia23012018.pdf | Accountability | Breach of Openness Obligation by 4 Hair Salons | https://www.pdpc.gov.sg/all-commissions-decisions/2018/01/breach-of-openness-obligation-by-4-hair-salons | 2018-01-23 | PERSONAL DATA PROTECTION COMMISSION Case No DP-1612-B0431 [2018] SGPDPC [2] In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And 1. Jiwon Hair Salon Pte. Ltd. 2. Next@Ion Pte. Ltd. 3. Next Hairdressing Pte. Ltd. 3. Initia Pte. Ltd. DECISION … Organisations Jiwon Hair Salon Pte. Ltd. & Ors. [2018] SGPDPC [2] Mr. Yeong Zee Kin, Deputy Commissioner — Case No DP-1612-B0431 23 January 2018 Background 1 This case highlights that while the Personal Data Protection Act (“PDPA”) seeks to balance the protection of individuals’ personal data with the need for organisations to use and share that personal data, compliance with the PDPA also serves to ensure that an organisation keeps data which is of significant commercial importance to it protected and out of the reach of its competitors. Material Facts 2 This case was triggered by, unusually, a complaint from one of the Organisations, Jiwon Hair Salon Pte Ltd (“Jiwon”). Jiwon alleged that a former employee (“Employee K”) had misappropriated the names and contact numbers (collectively referred to as the “Personal Data”) of its customers by surreptitiously accessing its customer management system (“CMS”). 3 An investigation was conducted into Jiwon’s complaint and into the following Organisations which Employee K had worked at after leaving Jiwon to determine if indeed Employee K was using the Personal Data from Jiwon’s CMS: Jiwon Hair Salon Pte. Ltd. & Ors. S/N Organisation 1. 2 Jiwon Next@Ion Pte Ltd 9 April 2014 3. Next Hairdressing Pte Ltd 1 Dec 2016 4. 4 [2018] SGPDPC 2 Initia Pte Ltd Start of employment 10 August 2016 13 Jan 2017 End of employment 15 August 2016 30 November 2016 16 Dec 2016 - In the meantime, Jiwon had instituted an action against Employee K in the State Courts arising out of the facts set out in the complaint and, according to Jiwon, an out-of-court settlement had been entered into. During the investigations, it became clear that none of the Organisations had… | Directions | 22dc817cc5a859cce0bf1f96066bd7470c408c03 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 203 | 203 | 1 | 952 | Directions were issued to M Stars Movers for disclosure of a customer's personal data via social media without consent, failure to appoint a Data Protection Officer, and failure to institute policies and practices that are necessary for the organisation to meet the obligations imposed under the PDPA. | [
"Accountability",
"Consent",
"Directions",
"Transport and Storage"
] |
2017-11-15 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---m-stars-movers---151117.pdf | Accountability, Consent | Breach of Consent and Openness Obligations by M Stars Movers | https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-consent-and-openness-obligations-by-m-stars-movers | 2017-11-15 | PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 15 Case No DP-1612-B0418 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And M Stars Movers & Logistics Specialist Pte Ltd … Organisation GROUNDS OF DECISION M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 Yeong Zee Kin, Deputy Commissioner— Case No DP-1612-B0418 15 November 2017 Background 1 This case highlights the risks that organisations face when they fail to develop and implement policies, practices and procedures to protect personal data when communicating with its customers or other individuals through social media. 2 In this matter, a customer (the “Complainant”) of the Organisation, which provides professional moving services, alleged that the Organisation had disclosed her personal data on its Facebook page without her consent. 3 The findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 4 Sometime in December 2016, the Complainant engaged the Organisation’s professional moving services. The Complainant voluntarily provided her name, mobile number and residential addresses (i.e. the addresses where the items were to be picked up and delivered to) to the Organisation to provide the services. M Stars Movers & Logistics Specialist Pte Ltd 5 [2017] SGPDPC 15 Dissatisfied with the allegedly unsatisfactory services provided by the Organisation, the Complainant left a negative review in a public post on the Organisation’s Facebook page. Amongst other things, there was a disagreement as to when the Organisation was required to return the S$100 deposit to the Complainant. 6 The Organisation publicly responded to the Complainant’s review in the comment section of the Complainant’s post on its Facebook page. In its response, the Organisation identified the Complainant by her English name and surname (“name”) and residential address (collectively referred to as the “Personal Data”) and informed the Complainant tha… | Directions | 76b2216f9b21cb552235144f0c76b8706503cf1a | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 212 | 212 | 1 | 952 | Directions were issued to Asia-Pacific Star, as a data intermediary, for failing to make reasonable security arrangements to prevent the disclosure of the personal data of Tiger Airways Singapore's passengers. | [
"Protection",
"Directions",
"Others"
] |
2017-05-31 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---tigerair-sats-aps-310517.pdf | Protection | Breach of Protection Obligation by Asia-Pacific Star | https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-asia-pacific-star | 2017-05-31 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1607-B0129 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Tiger Airways Singapore Pte Ltd (UEN No. 200312665W) (2) SATS Ltd (UEN No. 197201770G) (3) Asia-Pacific Star Private Limited (UEN No. 199705514Z) … Organisations Decision Citation: [2017] SGPDPC 6 GROUNDS OF DECISION 31 May 2017 A. INTRODUCTION 1. On 27 July 2016, the Personal Data Protection Commission received a complaint that the passenger name list for Tiger Airways Singapore Pte Ltd (“Tigerair”) flight TR2466 (“Flight Manifest”) had been improperly disposed in a rubbish bin in the gate hold room at Changi Airport. The complainant alleged that the Flight Manifest could have been retrieved by anyone in the vicinity. 2. The Commission undertook an investigation into the matter and sets out its findings and grounds of decision below. B. MATERIAL FACTS 3. Tigerair is a low cost carrier. SATS Ltd (“SATS”) is an aviation ground handling service provider. SATS was engaged by Tigerair to provide ground handling services. In accordance with the terms of the ground handling services contract between SATS and Tigerair (“Ground Handling Services Contract”), SATS was responsible for the provision of the services by its subsidiaries as if it had been provided by SATS itself. Page 1 of 8 4. Asia-Pacific Star Private Limited (“APS”) is a wholly-owned subsidiary of SATS. SATS sub-contracted the provision of ground handling services for Tigerair to APS pursuant to a Services Agreement dated 11 June 2014 (“Services Agreement”). 5. Under the Services Agreement, APS was responsible for managing the boarding process, reconciling passenger numbers and verifying travel documents at the boarding gate. Among other things, APS was required to print a copy of the Flight Manifest at the boarding gate for the cabin crew to take on board the flight and submit to the immigration authority at the arrival destination. 6. On 26 July 2016, an… | Directions | b32d291037e42478607d82bf4e86cf61437ede0d | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 213 | 213 | 1 | 952 | Directions were issued to Furnituremart for failing to make reasonable security arrangements to prevent the disclosure of the personal data of a customer. | [
"Protection",
"Directions",
"Wholesale and Retail Trade"
] |
2017-05-31 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---furnituremart-(310517).pdf | Protection | Breach of Protection Obligation by Furnituremart | https://www.pdpc.gov.sg/all-commissions-decisions/2017/05/breach-of-protection-obligation-by-furnituremart | 2017-05-31 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1611-B0319 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Furnituremart.sg (UEN 53169430E) … Organisation Decision Citation: [2017] SGPDPC 7 GROUNDS OF DECISION 31 May 2017 1. This is a case involving an organisation which had issued to its customer (the Complainant) an invoice which had a separate invoice (“second invoice”) containing personal data of another customer printed on the reverse side. In this regard, the other customer’s personal data was disclosed to the Complainant, comprising of the following information of the other customer: a. Customer’s surname; b. Home address; c. Delivery address; d. Telephone number; and e. E-mail address. 2. The Complainant made a complaint to the Personal Data Protection Commission (the “Commission”) on 7 November 2016 of the disclosure that was made, and the Commission conducted an investigation into the matter. It now sets out its findings of its investigations below. A. MATERIAL FACTS AND DOCUMENTS 3. The Organisation is in the business of trading furniture, bedding, and other domestic products. Page 1 of 7 4. Whenever it issues its invoices, the Organisation’s procedure is to make three copies of every invoice: The first for the Organisation’s filing, the second for the customer, and the third for the customer to sign and return to the Organisation on delivery of the goods. 5. According to the Organisation, all signed copies of invoices are supposed to be returned to its office, and subsequently destroyed by its staff on a daily basis. 6. In this case, however, the returned invoice was put in a printer feed tray, and re-used as printing paper for the complainant’s invoice. 7. In support of the foregoing, the Organisation provided the Commission with a document entitled, “Policies and internal guideline [sic] for the protection of personal data of customers as at November 2016”. The document provided for, amongst other things, (a) a… | Directions | 36a64b44f404c931de5370578f034bc3b5e25f6c | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 214 | 214 | 1 | 952 | Directions were issued to the National University of Singapore for failing to make reasonable security arrangements to prevent the disclosure of the personal data of some of its students. | [
"Protection",
"Directions",
"Education",
"NUS"
] |
2017-04-26 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---national-university-of-singapore---260417.pdf | Protection | Breach of Protection Obligation by the National University of Singapore | https://www.pdpc.gov.sg/all-commissions-decisions/2017/04/breach-of-protection-obligation-by-the-national-university-of-singapore | 2017-04-26 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1605-B0028 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And National University of Singapore ... Organisation Decision Citation: [2017] SGPDPC 5 GROUNDS OF DECISION 26 April 2017 1. A student of the Organisation had complained to the Personal Data Protection Commission (the “Commission”) that a URL link that was being circulated for the Organisation’s orientation camp had disclosed (without authorisation) the personal data of student volunteers from the College of Alice and Peter Tan (“CAPT”). CAPT is a residential college of the Organisation. 2. It was found that by following the URL link, one could access an online Excel spreadsheet containing the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers, and email addresses (the “personal data set”) of approximately 143 student volunteers. The student matriculation number is a unique student identification number issued by the Organisation. The matriculation number to a student is, in a limited sense, like an NRIC number to a Singapore citizen and permanent resident, in that it is required for various school activities, such as accessing online library resources, or for the submission of examination scripts. 3. Based on the complaint that was made, the Commission proceeded to investigate into an alleged breach by the Organisation of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (“PDPA”). The following sets out the Commission’s findings following its investigations into the matter. Page 1 of 10 A. MATERIAL FACTS AND DOCUMENTS 4. The CAPT Freshman Orientation Camp (“FOC”) is an annual event organised by student volunteers from CAPT for the freshmen matriculating into the Organisation. The FOC in the present case was for the year 2016. 5. The Organisation had designated several student leaders to take the responsibility for organis… | Directions | dafeb9f9b760642c9a5c2ba2036a18117c600223 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 232 | 232 | 1 | 952 | Directions were issued to Universal Travel Corporation for disclosing a passenger list, consisting of 37 customers' personal data, to four of its customers without consent. The organisation was also penalised for its lack of data protection policies. | [
"Consent",
"Purpose Limitation",
"Notification",
"Directions",
"Others"
] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---universal-travel-corporation-(210416).pdf | Consent, Purpose Limitation, Notification | Breach of Consent and Other Obligations by Universal Travel Corporation | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-consent-and-other-obligations-by-universal-travel-corporation | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1508-A496 UNIVERSAL TRAVEL CORPORATION PTE LTD (UEN. 197302113R) ... Respondent Decision Citation: [2016] SGPDPC 4 GROUNDS OF DECISION 20 April 2016 A. BACKGROUND 1. The Personal Data Protection Commission (“Commission”) received a complaint from a credible source concerning the alleged disclosure by the Respondent of personal data of 37 customers (the “passenger list”) in early March 2015 to certain individual(s) who participated in the 12 Days Legend of the Balkans Tour from 17 February 2015 to 28 February 2015 (“Balkans Tour”). 2. In the premises, the Commission decided to carry out an investigation into the matter. The Commission’s findings are set out below. B. MATERIAL FACTS AND DOCUMENTS 3. Sometime in or around late February 2015, four of the customers of the Balkans Tour requested the Respondent to furnish formal documentation confirming the cancellation of their transit flight to Sofia on 18 February 2015 (TK1027/18FEB15 ISTANBUL-SOFIA) (“formal confirmation”) to process their insurance claims. 4. The Respondent therefore requested from Turkish Airline written confirmation of the flight cancellation and the affected passenger list. 5. Sometime in early March 2015, the Respondent sent the formal confirmation together with the letter from Turkish Airline and the passenger list by email to four of the customers of the Balkans Tour. The passenger list that was sent contained the name, nationality, date of birth, passport number, passport expiry date and passenger name record (a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together) of all 37 of the passengers/customers that were on the Balkans Tour. The passengers’ details were not masked or redacted when it was sent by the Respondent. It is not disputed that the passengers’ details constituted personal data under the control of the Respondent at the material time. 6. In the R… | Directions | 5a0ff182bd0082f840e509fc39079487ae98fb3a | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-12-14T14:54:52+00:00 | 0e20feac9c1e16c30580baa727a897e3bfcf8791 | 483 | 243 | 1 | 958 | Directions were issued to Tipros for failing to use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate. | [
"Consent",
"Notification",
"Purpose Limitation",
"Directions",
"Others"
] |
14 Dec 2023 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TIPROS_080623.pdf | Consent, Notification, Purpose Limitation | Breach of the Purpose Limitation Obligation by Tipros | https://www.pdpc.gov.sg/all-commissions-decisions/2023/12/breach-of-the-purpose-limitation-obligation-by-tipros | 2023-12-14 | PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 7 Case No. DP-2207-C0019 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tipros … Organisation DECISION Page 1 of 8 Tipros Yeong Zee Kin, Deputy Commissioner — Case No. DP-2207-C0019 8 June 2023 Introduction 1. On 21 July 2022, the Personal Data Protection Commission (the “Commission”) received a complaint that Tipros (the “Organisation”), a sole proprietorship in the wholesale of and repair of electrical appliances, had unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organisation’s Google reviews page (the “Incident”). 2. The Commission commenced investigations to determine the Organisation’s compliance with the Personal Data Protection Act 2012 (“PDPA”) and for suspected breaches of the same. Facts of the Case 3. The complainant had engaged the Organisation to repair a refrigerator. Following the repairs made, the complainant gave a “1-star” review on a Google reviews page “24hr fridge refrigerator #1 Quick repair service Trusted in Singapore”, which has since been renamed “Tipros.sg”. 4. The Organisation promptly responded to the complainant’s review. What is problematic was that the Organisation included the complainant’s personal data, including the complainant’s residential address and mobile number in their Page 2 of 8 response. The complainant filed a complaint with the Commission as the complainant was of the view that there was no reason for the Organisation to disclose her personal data in the course of responding to the review she left on the Organisation’s Google reviews page. 5. Apart from the Organisation’s response to the complainant’s review, the Commission found 13 other responses on the Organisation’s Google reviews page which disclosed, in a similar fashion, the personal data of other customers who had given reviews. Our Investigations 6. The Commission commenced investigations. In the course of investigations, it was … | Directions | acd36e3274c5e29fe0627b24b99136461cdd6c47 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;