pdpc_decisions_version_detail (view)

7 rows where nature = "Accountability, Protection"


_commit_at _commit_hash _id _item _version _commit description tags date pdf-url nature title url timestamp pdf-content decision _item_full_hash _changed_columns
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 33 33 1 952 A financial penalty of $12,500 was imposed on PINC for failing to put in place reasonable security arrangements to protect the personal data in its possession. Directions were also issued to PINC to develop and implement internal data protection policies and practices to comply with the PDPA and to ensure no copies of database were stored on employees' personal computers.
[
    "Accountability",
    "Protection",
    "Financial Penalty",
    "Directions",
    "Wholesale and Retail Trade",
    "No Policy"
]
2022-05-19 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---PINC-Interactive-Pte-Ltd---04022022.pdf Accountability, Protection Breach of the Accountability and Protection Obligations by PINC Interactive https://www.pdpc.gov.sg/all-commissions-decisions/2022/05/breach-of-the-accountability-and-protection-obligations-by-pinc-interactive 2022-05-19 PERSONAL DATA PROTECTION COMMISSION [2022] SGPDPC 1 Case No. DP-2002-B5827 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And PINC Interactive Pte. Ltd. … Organisation DECISION Page 1 of 9 PINC Interactive Pte. Ltd. [2022] SGPDPC 1 Lew Chuen Hong, Commissioner — Case No. DP-2002-B5827 4 February 2022 Introduction 1 On 2 February 2020, the Personal Data Protection Commission (“the Commission”) received feedback about a Twitter post dated 31 January 2020 which revealed that the personal data of users of www.pincstyle.com had been exposed. The tweet included a snapshot of the data (“the Incident”). The Commission commenced investigations into the Incident thereafter. Facts of the Case 2 The website www.pincstyle.com was created and managed by PINC Interactive Pte. Ltd. (“the Organisation”) at the material time. Investigations revealed that sometime in October 2019, a database comprising 252,813 records was accessed and exfiltrated from the Organisation’s staging servers (the “Staging Database”). The Staging Database is a synthetic database containing personal data of 3,916 actual users, while the remaining 248,897 records were fake or “dummy” data modelled after the real data. The synthetic database was used to facilitate development and testing on the staging servers. The personal data from the 3,916 actual users that were exposed in the Incident included the name, username, email address, contact number (for some users) and a password hash. 
For completeness, the 3,916 user records in the Staging Database is equivalent to 1.6% of the Organisation’s total database of 252,813 user records. Page 2 of 9 3 Investigations revealed two likely causes of the Incident. First, the developers, who are the Organisation’s employees, had retained a copy of the Staging Database on their own personal devices, and the database was exfiltrated when the developers’ computers were compromised. The Organisation stated that while they had instructed the developers to use … Financial Penalty, Directions d2cda7ac80cc4638223955ef382304ee06a36b98
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 66 66 1 952 Chapel of Christ the Redeemer failed to put in place reasonable measures to protect its members' personal data. Further, it did not have written policies and practices necessary to comply with the PDPA.
[
    "Accountability",
    "Protection",
    "Directions",
    "Others",
    "No Policy",
    "Access control",
    "Indexing"
]
2021-04-15 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Chapel-of-Christ-the-Redeemer---290121.pdf Accountability, Protection Breach of the Protection and Accountability Obligations by Chapel of Christ the Redeemer https://www.pdpc.gov.sg/all-commissions-decisions/2021/04/breach-of-the-protection-and-accountability-obligations-by-chapel-of-christ-the-redeemer 2021-04-15 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2010-B7132 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Chapel of Christ the Redeemer SUMMARY OF THE DECISION 1. On 6 October 2020, Chapel of Christ the Redeemer (the “Organisation”) informed the Personal Data Protection Commission (the “Commission”) that a file (the “File”) containing personal data of 815 members’ name, NRIC, address, date of birth, marital status, email address, mobile and residential phone number was inadvertently disclosed online. 2. Investigations revealed that a staff had accidentally uploaded the File (which was supposed to be an internal document) onto the sub-directory on 24 November 2019. The Organisation only discovered the matter on 8 September 2020 when a member of the Organisation performed a Google search of another member’s name and found a Google search result of the File. 3. The Organisation admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to public. As a result, the File was indexed by search engines and showed up in online search results. The Organisation also admitted that at the time of the incident, the Organisation had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (the “PDPA”). In particular, there was no system of checks for the uploading of files on the Organisation’s website. 4. 
Fortuitously, it appeared that the access to the File was minimal – based on Google Analytics Report, save for the Organisation’s member who discovered the File on the internet on 8 September 2020, there was only one other access to the File on 9 December 2019, and the access only lasted for approximately 1 minute. 5. Following the incident, the Organisation disabled the search engine indexing to the subdirectory, password-protected all files with members’ data, and implemented a weekly check of all files uploaded onto the websi… Directions 3af9997c53409121b23cd38f9ec106f784e3648c
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 68 68 1 952 Jigyasa was found in breach of the PDPA. First, Jigyasa failed to put in place reasonable measures to protect employee assessment reports on its website. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. An application for reconsideration was filed against the decision in Re Jigyasa [2020] SGPDPC 9. Upon review and careful consideration of the application, directions in the decision were varied in the Reconsideration Decision and a financial penalty of $30,000 was imposed on Jigyasa.
[
    "Accountability",
    "Protection",
    "Financial Penalty",
    "Professional",
    "Scientific and Technical",
    "No Policy",
    "No DPO",
    "Public access",
    "No pre-launch testing"
]
2021-03-11 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Jigyasa---30032020.pdf Accountability, Protection Breach of the Protection and Accountability Obligations by Jigyasa https://www.pdpc.gov.sg/all-commissions-decisions/2021/03/breach-of-the-protection-and-accountability-obligations-by-jigyasa 2021-03-11 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 9 Case No DP-1707-B0922 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Jigyasa (UEN: 52948595L) … Organisation DECISION 1 Jigyasa [2020] SGPDPC 9 Tan Kiat How, Commissioner — Case No DP-1707-B0922 30 March 2020 Introduction 1 This case concerns the unauthorised disclosure of employee assessment reports, such as 360 Feedback Reports and evaluation reports (collectively, the “Reports”), on the website (“Website”) of Jigyasa (the “Organisation”), a human resource and management consultancy business. Material Facts 2 The Organisation is a business operated by a sole proprietor with one part-time employee. The Reports were generated based on survey results collected by the Organisation via its web application (the “Web Application”) and stored in a folder on the server which hosted the Web Application. Reports documented 360 degree feedback on employees of the Organisation’s clients, based on evaluation by their subordinates, supervisors and/or peers. The feedback included character qualities, for example whether they were considered fair, honest, reliable and trusted, demonstrated professional behaviour at all times or had good technical knowledge. Each of these character qualities was given an average rating from a scale of 1 to 10, with 9-10 being an exceptional strength and 1-2 being below expectations. These Reports comprehensively set out such information for each named individual employee of the Organisation’s clients. There is also a section which provides verbatim comments from respondents (e.g. 
“handle more complex responsibilities”, “slower support”). Some of the Reports also included individual employees’ qualities, such as leadership, integrity, decision-making, initiative, and professional disposition, ranked against their colleagues. 2 3 On 10 July 2017, the Personal Data Protection Commission (the “Commission”) received complaints from 3 individuals (the “Complainants”) alleging that w… Financial Penalty 6a21009555c09878fe1f590900953bc8f01d5acf
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 76 76 1 952 Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have written policies and practices necessary to ensure its compliance with the PDPA.
[
    "Accountability",
    "Protection",
    "Directions",
    "Construction",
    "No Policy",
    "Ransomware"
]
2020-12-18 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Everlast-Projects-and-Others---301020.pdf Accountability, Protection Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist https://www.pdpc.gov.sg/all-commissions-decisions/2020/12/breach-of-the-accountability-and-protection-obligations-by-everlast-projects 2020-12-18 PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 20 Case No. DP-1908-B4369 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Everlast Projects Pte Ltd (2) Everlast Industries (S) Pte Ltd (3) ELG Specialist Pte Ltd … Organisations DECISION Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Yeong Zee Kin, Deputy Commissioner — Case No. DP-1908-B4369 30 October 2020 Introduction 1 On 29 September 2019, Everlast Projects Pte Ltd (“EPPL”) notified the Personal Data Protection Commission (“Commission”) that its server (“Server”) had been hacked and all the files within it were encrypted by ransomware sometime in August 2019 (the “Incident”). Facts of the Case 2 EPPL, Everlast Industries (S) Pte Ltd (“EIPL”) and ELG Specialist Pte Ltd (“ESPL”) (collectively, the “Organisations”) specialise in the supply and installation of architectural metal works, glass and aluminium products. The Organisations are owned by the same shareholder, managed by the same directors, and operate from common premises. Two of the Organisations also have a common name, “Everlast”. The Organisations operated like a group of companies and centralised their payroll processing, such that the human resources (“HR”) department of EPPL was in charge of processing payrolls of not only its own employees, but also the employees of EIPL and ESPL. The Organisations’ employees’ personal data were stored in the Server, which was owned and maintained by EPPL. 
3 On 10 August 2019, EPPL discovered the Incident. EPPL had both an onsite physical backup and a secondary cloud backup of the contents of the Server. The physical backup was affected by the ransomware and rendered unusable. A total of 384 individuals were affected by the Incident (the “Affected Employees”): 2 Everlast Projects Pte Ltd & Others [2020] SGPDPC 20 Name of Organisation Number of employees affected EPPL 141 EIPL 239 ESPL 4 Total number of individuals 384 4 T… Directions 6bf33286d1c3d26557836242297e0273d9b08921
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 155 155 1 952 A financial penalty of $33,000 was imposed on DS Human Resource for breaches of the PDPA. The organisation failed to put in place data protection policies. It also did not make reasonable security arrangements to prevent the unauthorised disclosure of the personal data of job applicants.
[
    "Accountability",
    "Protection",
    "Financial Penalty",
    "Employment",
    "Accommodation and F&B",
    "HR",
    "Jobs"
]
2019-06-13 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---DS-Human-Resource---130619.pdf Accountability, Protection Breach of the Openness and Protection Obligations by DS Human Resource https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-openness-and-protection-obligations-by-ds-human-resource 2019-06-13 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 16 Case No DP-1802-B1756 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And DS Human Resource Pte. Ltd. … Organisation DECISION DS Human Resource Pte. Ltd. [2019] SGPDPC 16 Tan Kiat How, Commissioner — Case No DP-1802-B1756 13 June 2019. Background 1 Open source software is increasing in popularity and prevalence. This case illustrates the risks to companies in using default settings of open source software without any assessment of the security features. On 25 February 2018, DS Human Resource Pte. Ltd. (“DSHR”) informed the Personal Data Protection Commission (the “Commission”) of a data breach involving unauthorised access and deletion of its database by a hacker. Following an investigation into the matter, the Commissioner found DSHR in breach of sections 12 and 24 of Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 DSHR specialises in the outsourcing of part-time staff to the food and beverage industry in Singapore. Individuals interested in applying for a parttime job would enter their personal data into DSHR’s mobile application. The personal data collected by DSHR’s mobile application was stored on MongoDB database, an open source database software used by DSHR since April 2017 (“Database”). DS Human Resource Pte. Ltd. 3 [2019] SGPDPC 16 The Database is hosted on Amazon Web Services (“AWS”) server. The source code used by DSHR to perform specific functions on the Database was stored in Github, an online code repository. 
The administration of DSHR’s Database was handled mainly by DSHR’s director. At the material time, the Database stored personal data of approximately 2,100 individuals, including: (a) Name; (b) NRIC Number; (c) Date of Birth; (d) Gender; (e) Emergency Contact; (f) Bank Account Details; (g) Work Experience; (h) Educational Qualification; and (i) Image of front and back of NRIC. (collectively, “DSHR’s Data”) 4 On 24 February 2018, DSHR discovered una… Financial Penalty bfa125f8a297fb6c613081fe6e35c98b3cd9a4bc
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 164 164 1 952 A financial penalty of $8,000 was imposed and directions were issued to Matthew Chiong Partnership for breaches of the PDPA. The organisation did not make reasonable security arrangements to prevent the unauthorised disclosure of its clients’ personal data and failed to put in place data protection policies to comply with the provisions of the PDPA.
[
    "Accountability",
    "Protection",
    "Financial Penalty",
    "Legal",
    "Law Firm"
]
2019-06-03 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Matthew-Chiong-Partnership-030619.pdf Accountability, Protection Breach of the Openness and Protection Obligations by Matthew Chiong Partnership https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-the-openness-and-protection-obligations-by-matthew-chiong-partnership 2019-06-03 PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC [7] Case No DP-1709-B1138 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Matthew Chiong Partnership … Organisation DECISION Matthew Chiong Partnership [2019] SGPDPC [7] Tan Kiat How, Commissioner — Case No DP-1709-B1138 3 June 2019 Background 1 An administrative staff of Matthew Chiong Partnership (the “Organisation”) mistakenly sent out email correspondences meant for a client (the “Complainant”) to an incorrect email address on two separate occasions. Additionally, a third email correspondence was mistakenly sent by the Managing Partner and Data Protection Officer of the Organisation (the “Managing Partner”) to the Complainant with an attachment which mistakenly contained the names of two other clients of the Organisation. The Commissioner found the Organisation to be in breach of its Protection Obligation and Openness Obligation under the Personal Data Protection Act 2012 (“PDPA”). The Commissioner’s findings and grounds of decisions are set out below. Material Facts 2 The Organisation is a Singapore-registered law firm which provides estate planning services and handles property transactions for its clients. 3 On 28 August 2017, an administrative staff from the Organisation sent an email (“Email 1”) to two individuals informing them that the legal Matthew Chiong Partnership [2019] SGPDPC 7 documents for their property refinancing had been prepared and were ready for signature. 
One of the email addresses was incorrect as the administrative staff made an error in the email address – as an example and only for illustration purposes, by typing AAA@yahoo.com instead of ZAAA@yahoo.com. The incorrect email address was a valid email address as the Complainant had sent a test email to that email address after Email 1 was sent and did not receive a mail delivery failed message. This mistake was identified by the sister of the Complainant ("Sister"), one of the intended recipients, who informed the Co… Financial Penalty 30f9d65dadfb6fbd9263c5c5f68b5faccfb0e878
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]
2023-10-01T11:02:10+08:00 fbd32491db44d3d0c97aa12a99cefd61ec954264 192 192 1 952 Directions were issued to Habitat for Humanity Singapore for breaches of the PDPA. The organisation did not make reasonable security arrangements to prevent unauthorised disclosure of its volunteers’ personal data, failed to put in place data protection policies, and omitted to communicate data protection policies and practices to its staff.
[
    "Accountability",
    "Protection",
    "Directions",
    "Social Service"
]
2018-05-03 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Habitat_for_Humanity_Singapore_030518.pdf Accountability, Protection Breach of Openness and Protection Obligations by Habitat for Humanity Singapore https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-openness-and-protection-obligations-by-habitat-for-humanity-singapore 2018-05-03 PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 9 Case No DP-1707-B0971 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Habitat for Humanity Singapore Ltd … Organisation DECISION Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0971 3 May 2018 Background 1 On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising a batch of community involvement programme (“CIP”) letters (the “CIP Letters”) acknowledging the participation of each volunteer at an event organised by the Organisation (the “Incident”). The Personal Data Protection Commission (the “PDPC”) was informed of the Incident on 22 July 2017 and commenced its investigations thereafter. I set out below my findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Organisation is a registered charity under the National Council of Social Services, which objectives include seeking to eliminate poverty housing worldwide by providing decent and affordable housing. In furtherance of its objectives, the Organisation organises community involvement programmes, where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer’s participation. 
Habitat for Humanity Singapore Ltd 3 [2018] SGPDPC 9 The Incident involved the disclosure of a batch of CIP Letters in an email (the “Email”) that was prepared by a manager (the “Manager”) in the Organisation. The CIP Letters were created using the mail merge function in Microsoft Word which would fill in a CIP letter template with the names and NRIC numbers of the volunteers. This created a single Microsoft Word document containing the CIP Letters for all the volunteers, which the Manager then converted from Microsoft Word to PDF format. The Manager then sent the PDF contai… Directions 2f49f6f980fa80609521241128a33eb6a528f5a9
[
    "pdf-content",
    "timestamp",
    "decision",
    "pdf-url",
    "tags",
    "nature",
    "url",
    "title",
    "date",
    "description"
]

CREATE VIEW pdpc_decisions_version_detail AS select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name) from columns
    where id in (
      select column from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;
About: choco-up/sg-law-archive-data