pdpc_decisions_version_detail (view)
15 rows where nature = "Protection, Accountability"
_commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 43 | 43 | 1 | 952 | A financial penalty of $14,000 was imposed on Nature Society (Singapore) for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its website database. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to comply with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Others" ] |
2022-01-14 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---NSS---03122021.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Nature Society (Singapore) | https://www.pdpc.gov.sg/all-commissions-decisions/2021/12/breach-of-the-protection-and-accountability-obligations-by-nature-society | 2022-01-14 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2011-B7351 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Nature Society (Singapore) SUMMARY OF THE DECISION 1. On 6 November 2020, the Personal Data Protection Commission (the “Commission”) received information of an online article reporting about hacked databases being made available for downloads on several hacking forums and Telegram channels. In the article, Nature Society (Singapore) (the "Organisation") was named as one of the affected Organisations (the “Incident”). 2. The personal data of 5,131 members and non-members who had created membership and user accounts on the Organisation’s website were affected in the Incident. The datasets affected comprised of names, usernames, passwords (encrypted), email addresses, telephone numbers, types of membership, gender, mailing addresses, dates of births, occupation, company and nationality. 1 3. Following the Incident, the Organisation engaged two IT professionals to carry out an investigation and analysis of the Organisation's website. The investigation and analysis revealed vulnerabilities in the Organisation's website and suspicious SQL injection activities prior to the Incident. The possible attack vector was identified as a SQL injection attack which led to personal data on the Organisation's website database being accessed and exfiltrated by unknown parties. 4. 
The Organisation took the following remedial measures after the Incident: (a) Edited the website to stop all online membership sign-ups/renewals and logins to the website; (b) Removed all members' and users' data from the website database; (c) Backed up the website database and kept all personal data offline; (d) Change all login passwords; (e) Notified all affected individuals of the Incident via email; (f) Appointed a Data Protection Officer ("DPO") (g) Developed and implemented a personal data policy; and (d) Engaging vendors to develop a new website to improve security. 5. In… | Financial Penalty | 50aef1ea4a6b3252366a112e13092602d7c8bd3b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 59 | 59 | 1 | 952 | A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Information and Communications", "Ransomware", "IPMI", "Database servers", "No Written Policy" ] |
2021-06-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Webcada-Pte-Ltd-06052021.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligation by Webcada | https://www.pdpc.gov.sg/all-commissions-decisions/2021/06/breach-of-the-protection-and-accountability-obligation-by-webcada | 2021-06-10 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B6931 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Webcada Pte Ltd SUMMARY OF THE DECISION 1. On 4 September 2020, Webcada Pte Ltd (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that three of its database servers had been subjected to a ransomware attack on 29 August 2020 (the “Incident”). 2. The personal data of 522,722 individuals were affected in the Incident. The datasets affected comprised of the individuals’ names, phone numbers, dates of birth, addresses and order histories. 3. Following the Incident, the Organisation engaged an independent third-party consultant to investigate, review and assist in the implementation of additional data protection measures. 4. Investigations revealed that the ransomware had been uploaded onto the affected servers via the Intelligent Platform Management Interface ("IPMI"). The IPMI is a set of computer interface specifications used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups. 5. 
The Organisation took the following remedial measures after the Incident: (a) IPMI was permanently disabled for all servers; (b) The public IP address of all servers was removed and all remote management access to the servers was configured to allow only trusted IP addresses; (c) End-point protection software with threat hunting capabilities was installed on all servers and computers within the Organisation; and (d) A written data protection policy was developed and implemented to comply with the provisions of the Personal Data Protection Act 2012 (the "PDPA"). 6. In its representations to the PDPC, the Organisation admitted to having breached the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA, and requested for the matter to be dealt with in accordance with the PDPC’s Expedited Decisi… | Financial Penalty | a8330d4666d7631b3e448330fd698843754474f4 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 81 | 81 | 1 | 952 | Directions, including a financial penalty of $7,500 were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty", "Others", "Consent", "No DPO", "No Policy" ] |
2020-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Majestic-Debt-Recovery---02032020.pdf | Protection, Accountability | Breach of the Consent and Accountability Obligations by Majestic Debt Recovery | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-consent-and-accountability-obligations-by-majestic-debt-recovery | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 7 Case No DP-1903-B3570 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Majestic Debt Recovery Pte Ltd … Organisation DECISION 1 Majestic Debt Recovery Pte Ltd [2020] SGPDPC 7 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3570 2 March 2020 Introduction 1 This case concerns a debt collection company’s posting of a video recording on social media as a tactic to shame a debtor. The recordings in question captured exchanges between the company’s representative and staff of the debtor company. Facts of the Case 2 Majestic Debt Recovery Pte Ltd (the “Organisation”) is a company in the business of collecting debts on the behalf of its clients. On 22 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint from the managing director (the “Complainant”) of a debtor company (the “Company”) stating that the Organisation had been engaged by the Company’s sub-contractor to recover debts from the Company. The Complainant stated that on or around 21 March 2019, the Organisation’s representatives (the “Representatives”) visited the Company’s premises to collect a debt on behalf of its client (the “Incident”). Not surprisingly, heated words were exchanged with the Company’s personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company’s personnel, including the Complainant (the “Recording”), on a tablet device. 
The Complainant and the Company’s personnel could be identified from the images and audio captured by the Recording. According to the Complainant, he “protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it”. The Representatives nonetheless took the Recording and subsequently posted it on the Organisation’s official public Facebook page (its “Facebook Page”). 3 During its investigation, the Commission found other… | Directions, Financial Penalty | 735c56aebf1838696565bb02754125b665e3d968 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 104 | 104 | 1 | 952 | Both MCST 3593 and New-E Security failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of a common property at Marina Bay Residences. MCST3593 also failed to appoint a data protection officer and put in place policies and practices necessary for the organisation to comply with the PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Directions" ] |
2020-03-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3593-and-Others---02032020.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by MCST 3593 and Breach of the Protection Obligation by New-E Security | https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-3593-and-breach-of-the-protection-obligation-by-new-e-security | 2020-03-19 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 6 Case No DP-1903-B3554 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 3593 (2) Edmund Tie & Company Property Management Services Pte Ltd (3) New-E Security Pte Ltd … Organisations DECISION 1 Management Corporation Strata Title Plan No. 3593 & Others [2020] SGPDPC 6 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3554 2 March 2020 Introduction 1 On 19 March 2019, Edmund Tie & Company Property Management Services Pte Ltd (“ETCPM”) on behalf of Management Corporation Strata Title Plan No. 3593 (“MCST 3593”) notified the Personal Data Protection Commission (the “Commission”) of unauthorised disclosure of closed-circuit television (“CCTV”) footage recorded at the premises of MCST 3593, known as Marina Bay Residences (the “Condominium”), by NewE Security Pte Ltd (“New-E”), a company providing security services at the Condominium, to an owner resident of a unit at the condominium (the “Incident”). Facts of the Case 2 MCST 3593 had appointed ETCPM as the managing agent of the Condominium since 2012. In November 2014, MCST 3593 had also engaged New-E to provide security services at the Condominium. ETCPM’s scope of work as managing agent included supervising New-E to ensure it carried out its duties properly. 
3 On 1 February 2019, an owner resident of a unit at the Condominium (the “Resident”) approached the security supervisor on duty, who was an employee of New-E (the “Security Supervisor”), to request a copy of the CCTV footage of the Condominium’s lobby on 29 January 2019 between 9.00 pm to 9.30 pm (the “Requested CCTV Footage”). The Requested CCTV Footage had captured images of identifiable individuals who had passed through the common property during that period, and hence contained personal data of those individuals. The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Fo… | Financial Penalty, Directions | eeb49dfd4acb4b4db0e54f38d3c03d45e12085b1 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 105 | 105 | 1 | 952 | Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA. | [ "Protection", "Accountability", "Directions" ] |
2020-03-19 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management | https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management | 2020-03-19 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 
3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of t… | Directions | c9534d20c08d9b7217ff8dd7e875c02139ab7e2a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 106 | 106 | 1 | 952 | Directions were imposed on Henry Park Primary School Parents’ Association for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions" ] |
2020-02-11 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---HPPA.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Henry Park Primary School Parents' Association | https://www.pdpc.gov.sg/all-commissions-decisions/2020/02/breach-of-the-protection-and-accountability-obligations-by-henry-park-primary-school-parents-association | 2020-02-11 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1903-B3531 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Henry Park Primary School Parents’ Association SUMMARY OF THE DECISION 1. Henry Park Primary School Parents’ Association (the “Organisation”) is a registered society whose membership comprised parent volunteers. To register as members of the Organisation, individuals provided to the Organisation their names, contact numbers, name of child and the child’s class in Henry Park Primary School (the “Personal Data Set”). The Organisation had a website at https://hppa.org.sg (the “Website”) where members could view their own account particulars upon logging in using their assigned user ID and password. 2. On 15 March 2019, the Personal Data Protection Commission (“the Commission”) received a complaint. The complainant informed that when she performed a Google search using her name, she found a search result of a webpage of the Website which disclosed her personal data (the “Incident”). 3. The Personal Data Sets of registered members were never intended to be disclosed online. The Website had been developed by a parent volunteer using the WordPress content management system. 4. The Organisation had conducted tests to verify that members who logged in to the Website could view their own account particulars. The Organisation also verified that account particulars could not be viewed when accessing the Website as a public user. 
Nevertheless, the Personal Data Set was crawled, indexed and searchable by Google. This points to a weakness in access control that had not been picked up by these rudimentary tests. 5. Security testing such as vulnerability scans would have identified the access control issue. The Organisation failed to conduct adequate security testing before launching the Website. On the above facts, the Commission found that the Organisation did not put in place reasonable security arrangements to protect the Personal Data Sets. 6. The Commission also… | Directions | 79c294efa7335db9a6489bfae8e1c1eedccbf23b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 115 | 115 | 1 | 952 | Directions, including a financial penalty of $20,000, were imposed on Society of Tourist Guides for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect its members’ personal data. Second, it did not appoint a data protection officer. Lastly, it did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty" ] |
2020-01-09 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--Society-of-Tourist-Guides-Singapore-261219.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Society of Tourist Guides | https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-accountability-obligations-by-society-of-tourist-guides | 2020-01-09 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 48 Case No. DP-1903-B3445 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Society of Tourist Guides (Singapore) … Organisation DECISION Society of Tourist Guides (Singapore) [2019] SGPDPC 48 Tan Kiat How, Commissioner — Case No. DP-1903-B3445 26 December 2019 Introduction 1 On 3 March 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of individuals had apparently been exposed to unauthorised access and disclosure through links on the Society of Tourist Guides (Singapore)’s (the “Organisation”) website. Facts of the Case 2 The Organisation is a non-profit organisation that works with the Singapore Tourism Board (“STB”) to promote the professionalism of tourist guides as tourism ambassadors of Singapore. Tourist guides registered with STB may sign up as members of the Organisation (“Members”). In May 2018, the Organisation engaged a Vietnam-based IT company (the “Vendor”) to develop its website https://societyoftouristguides.org.sg (the “Website”). 3 One of the Organisation’s purposes for the Website was to collect personal data from its Members. Personal data was collected from Members through their respective user accounts on the Website and included their names, photographs, contact numbers, e-mail addresses and 2 a write-up of themselves (for example, with the type of services they provided) (“Profile Data”). Members could also upload images of their identification documents (e.g. 
NRIC, employment pass, driving and vocational licences) which contained various personal data (“ID Data”). 4 Members’ Profile Data were published on their respective public profile pages on the Website. This enabled members of the public to find and engage a Member with the necessary experience and expertise to provide services that he or she required. 5 As regards the ID Data, these were used by the Organisation for a few purposes. These included (i) applyin… | Directions, Financial Penalty | 00f2b94a482f683c070998c51833856ca9a1a01a | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 122 | 122 | 1 | 952 | Global Outsource Solutions was found in breach of the PDPA for failing to put in place reasonable security arrangements to protect the personal data collected by its website and for failing to develop and implement data protection policies. This resulted in the disclosure of personal data of customers on the organisation’s online warranty registration portal. Global Outsource Solutions was directed to develop and implement policies for data protection and staff training in data protection, and to put all employees handling personal data through such training. | [ "Protection", "Accountability", "Directions" ] |
2019-12-05 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---Global-Outsource.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Global Outsource Solutions | https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-global-outsource-solutions | 2019-12-05 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1809-B2767 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Global Outsource Solutions Pte. Ltd. SUMMARY OF THE DECISION 1. Global Outsource Solutions Pte. Ltd. (the “Organisation”) provided warranties for products purchased by its clients’ customers. To be eligible for this warranty, customers registered their purchases with the Organisation via the Organisation’s website at http://www.globaloutsourceasia.com (the “Website”). The Organisation collected various personal data from such customers for this purpose, including personal information such as their name, email address, mailing address and contact number, and details of the customers’ purchases such as the name of the product purchased, the purchase date, the name of the retailer and the location of the physical store where the product was purchased (collectively, the “Personal Data”). 2. The Personal Data Protection Commission (“the Commission”) received a complaint on 23 September 2018 that the complainant could access the Personal Data of another individual when viewing a warranty registration summary page on the Website (the “Incident”). 3. The Organisation admitted to the occurrence of the Incident but was unable to identify the cause of the Incident. The Commission found that the Organisation had not provided any security requirements to the vendor it had engaged sometime in 2013 to develop the Website. 
Consequently, it had not reviewed the Website’s security arrangements or conducted any security testing on the Website. In the circumstances, the Organisation had not implemented reasonable security arrangements to protect the personal data collected by the Website (including but not limited to the Personal Data disclosed in the Incident) and is therefore in breach of section 24 of the PDPA. 4. The Commission also found that the Organisation did not have any internal data protection policies for its employees in relation to the handling of perso… | Directions | ab0971aeb10525bfdeea3bf683966ddd8fc40f11 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 124 | 124 | 1 | 952 | A financial penalty of $12,000 was imposed on The Travel Corporation (2011) for breaches of the PDPA. The Organisation failed to appoint a data protection officer and did not put in place reasonable security arrangements to protect its customers’ personal data stored in portable storage devices. | [ "Protection", "Accountability", "Financial Penalty" ] |
2019-12-05 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---The-Travel-Corporation-2011-Pte-Ltd.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by The Travel Corporation (2011) | https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-and-accountability-obligations-by-the-travel-corporation-(2011) | 2019-12-05 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 42 Case No. DP-1810-B2821 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And The Travel Corporation (2011) Pte. Ltd. … Organisation DECISION The Travel Corporation (2011) Pte. Ltd. [2019] SGPDPC 42 Tan Kiat How, Commissioner — Case No. DP-1810-B2821 19 November 2019 Introduction and Material Facts 1 The Travel Corporation (2011) Pte. Ltd. (the “Organisation”) offers travel packages both directly to Singapore customers and via third party travel agencies. On 1 October 2018, the Organisation notified the Personal Data Protection Commission (the “Commission”) regarding the loss of a portable hard disk (the “Hard Disk”) which contained unencrypted files with the personal data of the Organisation’s customers, employees and suppliers (the “Incident”). The facts and circumstances of the Incident are as follows. 2 On 25 July 2018, a new employee of the Organisation left the office with her laptop and the Hard Disk; and misplaced both these devices on her way home. She initially only informed the Organisation about the loss of the laptop and a police report was made on 31 July 2018. The misplaced laptop did not contain any personal data. She eventually informed the Organisation about the loss of the Hard Disk on 21 September 2018 and the Organisation made another police report that day. 2 3 The table below summarises the number of affected individuals and their corresponding types of personal data contained in the Hard Disk: S/N. 
Category Types of Personal Data in the Hard Disk 1. Name, Email Address, Phone Number, Date of Birth and Postal Address Customers Number of Individuals Affected 5,437 2. Same as item 1 plus Passport Number 21 3. Same as item 1 plus NRIC Number 242 4. Prospective Customers Same as item 1 11,000 5. Employees Name, Office Email Address and Office Phone Number 30 6. Suppliers Names, Company Address, Email Address, Mobile Number, Office Number 1,900 Total number of … | Financial Penalty | 673e8e9d7c2079f8018401c7ea6189c7ee37e666 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 132 | 132 | 1 | 952 | Directions, including a financial penalty of $15,000, were imposed on EU Holidays for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect its customers’ personal data and did not have written policies and practices necessary to ensure its compliance with the PDPA. | [ "Protection", "Accountability", "Directions", "Financial Penalty" ] |
2019-11-04 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---EU-Holidays-Pte-Ltd.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by EU Holidays | https://www.pdpc.gov.sg/all-commissions-decisions/2019/11/breach-of-the-protection-and-accountability-obligations-by-eu-holidays | 2019-11-04 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 38 Case No DP-1901-B3254 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And EU Holidays Pte. Ltd. … Organisation DECISION 1 EU Holidays Pte. Ltd. [2019] SGPDPC 38 Tan Kiat How, Commissioner — Case No DP-1901-B3254 4 October 2019 Introduction 1 On 14 January 2019, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of EU Holidays Pte. Ltd.’s (the “Organisation”) customers was accessible through its website (the “Incident”). Facts of the Case 2 Pursuant to a Quotation of Services dated 16 May 2017 (“Contract”), the Organisation engaged an IT vendor (the “Vendor”) to develop a new website with e-commerce capabilities (the “Website”). One of the purposes of the Website was to allow the Organisation’s customers (“Customers”) to make online reservations for tour packages either directly or through the Organisation’s partner agents. Information relating to travel reservations received from Customers were stored in 2 web directories. For reservations made directly by Customers on the Website, the tax invoice generated would be stored in a web directory (“Web Directory 1”). As for reservations made through the Organisation’s partner agents on the Website, the tax invoice generated would be stored in another web directory (“Web Directory 2”). 3 The scope of work in the Contract did not specify any requirements with respect to the storage and protection of Customers’ personal data which was collected through the Website. 
The Website was launched on 9 December 2017. Since its launch, the Organisation has been managing the Website, with the Vendor’s role limited to maintenance and technical troubleshooting. 4 On or around 5 January 2019, a member of the public (“Complainant”) discovered copies of tax invoices containing Customers’ personal information while browsing for tour packages on the Website. The Complainant notified the Commission of the Incident on 14 Janua… | Directions, Financial Penalty | e42f8ca451f258f74f2ef56d5d97b02110634815 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 138 | 138 | 1 | 952 | A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors and for not developing and implementing data protection policies and practices necessary to ensure its compliance with PDPA. | [ "Protection", "Accountability", "Financial Penalty", "Education", "Tuition" ] |
2019-10-10 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Advance-Home-Tutors.pdf | Protection, Accountability | Breach of the Protection and Accountability Obligations by Advance Home Tutors | https://www.pdpc.gov.sg/all-commissions-decisions/2019/10/breach-of-the-protection-and-accountability-obligations-by-advance-home-tutors | 2019-10-10 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 35 Case No DP-1806-B2218 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Advance Home Tutors … Organisation DECISION Advance Home Tutors [2019] SGPDPC 35 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2218 12 September 2019 Facts of the Case 1 On 7 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint that personal data of many individuals had apparently been disclosed without authorisation on the Organisation’s website, www.advancetutors.com.sg (the “Website”). Upon investigation, the Commission found the following facts leading to this apparent unauthorised disclosure of personal data. 2 The Organisation is a sole proprietor who provides “matching services” through the Website between freelance tutors and prospective clients seeking tuition services. 3 In January 2017, the Organisation engaged a freelance web developer based in the Philippines (the “Developer”) to provide the following services: (a) to design and develop the Website; and (b) to migrate the existing databases and files of the Organisation’s old website to the Website. 4 At that point in time, 834 freelance tutors had signed up with the Organisation and some of these tutors had chosen to upload their educational certificates to the Website’s server (the “Server”) via the Website. These certificates would be used by the Organisation to evaluate the suitability of the tutors for prospective jobs. 
In addition, copies of a tutor’s certificates were to be disclosed on the tutor’s public profile on the Website if the tutor consented to such disclosure. Out of the tutors who had uploaded educational certificates, a total of 152 tutors (the “Affected Individuals”) had not consented to disclosure of their educational certificates on their public profile. 5 The Developer subsequently migrated the educational certificates of the tutors who had uploa… | Financial Penalty | 6d5126ad62fbafa12fb94c50aff6b767e9edb84c | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 181 | 181 | 1 | 952 | Directions were issued to Singapore Cricket Association for failing to make reasonable security arrangements to prevent unauthorised disclosure of individuals’ personal data on its website, and for failing to put in place data protection policies. | [ "Protection", "Accountability", "Directions", "Arts, Entertainment and Recreation" ] |
2018-08-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Cricket_Association_and_Ors_210818.pdf | Protection, Accountability | Breach of Protection Obligation by Singapore Cricket Association | https://www.pdpc.gov.sg/all-commissions-decisions/2018/08/breach-of-protection-obligation-by-singapore-cricket-association | 2018-08-21 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC [19] Case No DP-1704-B0707 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Singapore Cricket Association (UEN No. S65SS0010H) (2) Massive Infinity Pte Ltd (UEN No. 201131950M) … Organisations DECISION Singapore Cricket Association & Ors [2018] SGPDPC 19 Singapore Cricket Association & Ors. [2018] SGPDPC [19] Yeong Zee Kin, Deputy Commissioner — Case No DP-1704-B0707 21 August 2018 1 This case concerns the unauthorised disclosure of the personal data of cricket players on the Singapore Cricket Association’s (“SCA”) websites (the “Incident”). On 20 April 2017, the Personal Data Protection Commission (the “Commission”) received a complaint regarding the unauthorised disclosure of personal data on the player profile pages on the SCA’s websites and commenced its investigations thereafter. The Deputy Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. 2 The SCA is the official governing body of the sport of cricket in Singapore. It administers various cricket leagues in Singapore with more than 100 cricket clubs participating across several league divisions. The SCA owns the rights to the domain name www.singaporecricket.org (the “First Domain”), which has served as the SCA’s official website since August 2007 (“Website”). The SCA also owns the rights to the domain name, www.cricketsingapore.com (“Second Domain”). 
Both domains were accessible to the public and the hosting of both domains were set up and managed by the SCA or on its instructions. 3 All clubs and their players are required to register with the SCA in order to participate in any of the SCA leagues. To register new players, clubs are required to submit the following player personal data through the registration form on the SCA’s Website:1 1 (a) Player name; (b) Player photograph; Clubs were also required to provide information such as the season, league, divis… | Directions | 25d5268ed669c201d4b55ce4d00b7442bfa8671e | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 183 | 183 | 1 | 952 | A financial penalty of $30,000 was imposed on Singapore Taekwondo Federation for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ NRIC numbers on its website. Directions were also issued to the organisation to appoint a data protection officer and to put in place data protection policy. | [ "Protection", "Accountability", "Financial Penalty", "Directions", "Arts, Entertainment and Recreation" ] |
2018-06-22 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Singapore_Taekwondo_Federation_220618.pdf | Protection, Accountability | Breach of Protection Obligation by Singapore Taekwondo Federation | https://www.pdpc.gov.sg/all-commissions-decisions/2018/06/breach-of-protection-obligation-by-singapore-taekwondo-federation | 2018-06-22 | PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 17 Case No DP-1705-B0810 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Taekwondo Federation … Organisation DECISION Singapore Taekwondo Federation [2018] SGPDPC 17 Tan Kiat How, Commissioner — Case No DP-1705-B0810 22 June 2018 Background 1 This matter involves the Singapore Taekwondo Federation (the “Organisation”), a society registered with the Registry of Societies that is responsible for promoting, supporting, and developing taekwondo-related programmes and activities in Singapore. 2 Since 2015, the Organisation has been posting, on an annual basis, PDF documents which contain the names and schools of students who are participants of the Annual Inter-School Taekwondo Championships (“Championships”) on the Organisation’s website which is accessible to the general public. It was represented by the Organisation that the purpose of uploading the PDF documents on its website was to enable students to verify their participation in the Championships. 3 On 30 May 2017, a complaint was lodged by a member of the public (“Complainant”) with the Personal Data Protection Commission (“Commission”), alleging that there was an unauthorised disclosure of the NRIC numbers of 782 students who were participants of the 2017 Championships. 
Whilst the NRIC numbers, within the PDF documents, were set out in columns that were minimised, and, hence, not immediately visible, there was an unauthorised disclosure of these NRIC numbers when the Complainant subsequently copied and pasted the contents of the PDF documents on to another document. 4 The Commissioner sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 5 On 19 May 2017, the Complainant chanced upon the PDF documents on the Organisation’s website, which contained the names and schools of students who were participants o… | Financial Penalty, Directions | 94bdb127f92702f7e738acf0d5281fd6d086147b | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 226 | 226 | 1 | 952 | A financial penalty of $3,000 and $1,000 were imposed on Fu Kwee Kitchen Catering Services and its data intermediary, Pixart, respectively, for failing to implement proper and adequate protective measures to prevent unauthorised access of its customers’ personal data, whereby users could access other customers’ personal data by altering the URL of its order preview webpage. Fu Kwee was also issued directions to send employees for training, appoint a Data Protection Officer and conduct a security audit of its website. | [ "Protection", "Accountability", "Financial Penalty", "Directions", "Accommodation and F&B", "Information and Communications", "FU KWEE", "PIXART" ] |
2016-09-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---fu-kwee-and-pixart-(210916).pdf | Protection, Accountability | Breach of Data Protection and Other Obligations by Fu Kwee Kitchen Catering Services and Pixart | https://www.pdpc.gov.sg/all-commissions-decisions/2016/09/breach-of-data-protection-and-other-obligations-by-fu-kwee-kitchen-catering-services-and-pixart | 2016-09-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1410-A163 (1) FU KWEE KITCHEN CATERING SERVICES (UEN No. 52824092K) (2) PIXART PTE. LTD. (UEN No. 201011239D) …Respondents Decision Citation: [2016] SGPDPC 14 GROUNDS OF DECISION 21 September 2016 Background 1. On 30 September 2014, the Personal Data Protection Commission (“Commission”) received a complaint against Fu Kwee Kitchen Catering Services (“Fu Kwee”) regarding an alleged data breach by Fu Kwee involving unauthorised access of Fu Kwee’s customers’ personal data. 2. The Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by Fu Kwee and/or Pixart Pte. Ltd. (“Pixart”) (the Respondents in this investigation) of their respective obligations under the PDPA. Material Facts and Documents Fu Kwee’s relationship with Pixart 3. Fu Kwee provides food and beverage catering services in Singapore. It owned and managed the following website at the material time of the complaint: http://www.fukweecatering.sg, where different customer orders could be viewed through at the following URLs http://www.fukweecatering.sg/fixmenu1preview.aspx?pid=[number]. 4. Pixart is an IT vendor engaged by Fu Kwee in 2010 to (a) develop an online ordering system for Fu Kwee and Fu Kwee’s corporate website, and (b) host, support and maintain the website. 
The PDPA came fully into force on 2 July 2014, and as the contract between Fu Kwee and Pixart was only terminated sometime around April or May 2015, Pixart remained responsible for hosting, supporting and maintaining the website at the time of the alleged data breach incident in September 2014. Data breach incident 5. The Complainant stated that she was a customer of Fu Kwee, and alleged that she could retrieve another customer’s order details and personal data (specifically the customer’s name, postal address and personal contact number) by changing the numerals at the end of the URL of Fu Kwee’s order … | Financial Penalty, Directions | db94a5779e9ecd6a07c41892161ed40d87b027f0 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 237 | 237 | 1 | 952 | Financial penalties of $50,000 and $10,000 were imposed on K Box Entertainment Group (K Box) and its data intermediary, Finantech Holdings, for failing to implement proper and adequate protective measures to secure its IT system, resulting in unauthorised disclosure of the personal data of 317,000 K Box members. K Box was also issued directions and penalised for the absence of a Data Protection Officer. | [ "Protection", "Accountability", "Financial Penalty", "Financial Penalty", "Arts, Entertainment and Recreation", "Information and Communications", "KBOX", "FINANTECH" ] |
2016-04-21 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---k-box-entertainment-(210416).pdf | Protection, Accountability | Breach of Protection and Openness Obligations by K Box Entertainment Group and Finantech Holdings | https://www.pdpc.gov.sg/all-commissions-decisions/2016/04/breach-of-protection-and-openness-obligations-by-k-box-entertainment-group-and-finantech-holdings | 2016-04-21 | DECISION OF THE PERSONAL DATA PROTECTION COMMISSION Case Number: DP-1409-A100 (1) K BOX ENTERTAINMENT GROUP PTE. LTD. (2) FINANTECH HOLDINGS PTE. LTD. …Respondents Decision Citation: [2016] SGPDPC 1 GROUNDS OF DECISION 20 April 2016 Background 1. K Box Entertainment Group Pte. Ltd. (“K Box”) operates a chain of karaoke outlets in Singapore. Finantech Holdings Pte. Ltd. (“Finantech”) is a third party IT vendor, which is owned and managed by its sole director, [Redacted] (Replaced with Mr G). 2. On 16 September 2014, the website “The Real Singapore” (“TRS”) published a post which indicated that a list containing personal data of about “317,000” K Box members (the “List”) had been disclosed online at http://pastebin.com/bnVhn3mp (“pastebin.com”). 3. The List contained personal data which all customers who sign up for a K Box membership, both before and after 2 July 2014, are required to provide, namely: (a) Name (as per NRIC); (b) NRIC / Passport / FIN number; (c) Mailing Address (Singapore only); (d) Contact number; (e) Email address; (f) Gender; (g) Nationality; (h) Profession; and (i) Date of birth. 4. After receiving complaints from members of the public regarding the data breach, the Commission commenced an investigation under section 50 of the Personal Data Protection Act 2012 (“PDPA”) to ascertain whether there had been a breach by K Box and/or Finantech of their respective obligations under the PDPA. Material Facts and Documents K Box’s relationship with Finantech 5. 
As at 16 September 2014, K Box had engaged Finantech through the “website revamp contract dated 2012” and the “webhosting and server management contract dated 2009” to develop K Box’s Content Management System (“CMS”) system from the ground up and to revamp, manage and host its website. What the parties referred to as “contracts” were actually quotations sent by Finantech to K Box for their confirmation and acceptance. K Box’s CMS stored and processed the personal data of its members. The CMS system also utilised FCKEditor – a s… | Financial Penalty, Financial Penalty | 0f17cc82606ea4b02faecc4e12ee601c188e3db7 | [ "pdf-content", "timestamp", "decision", "pdf-url", "tags", "nature", "url", "title", "date", "description" ] |
CREATE VIEW pdpc_decisions_version_detail AS
select
  commits.commit_at as _commit_at,
  commits.hash as _commit_hash,
  pdpc_decisions_version.*,
  (
    select json_group_array(name)
    from columns
    where id in (
      select column
      from pdpc_decisions_changed
      where item_version = pdpc_decisions_version._id
    )
  ) as _changed_columns
from pdpc_decisions_version
  join commits on commits.id = pdpc_decisions_version._commit;