pdpc_decisions_version_detail (view)
4 rows where nature = "Protection, Retention Limitation"
This data as json, CSV (advanced)
Suggested facets: date, timestamp, decision, _commit_at (date), date (date), timestamp (date), tags (array), _changed_columns (array)
| _commit_at | _commit_hash | _id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _item_full_hash | _changed_columns |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 78 | 78 | 1 | 952 | A financial penalty of $5,000 was imposed on Worksmartly for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its client’s employees. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes. | [
"Protection",
"Retention Limitation",
"Financial Penalty",
"Admin and Support Services",
"Database",
"Public access",
"Retention"
] |
2020-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision----Worksmartly-Pte-Ltd---17092020.pdf | Protection, Retention Limitation | Breach of the Protection and Retention Limitation Obligations by Worksmartly | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-worksmartly | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2004-B6162 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Worksmartly Pte. Ltd. SUMMARY OF THE DECISION 1. On 2 April 2020, Roche Singapore Pte Ltd (“Roche”) informed the Personal Data Protection Commission (the “Commission”) of a data security incident involving its former vendor, Worksmartly Pte. Ltd. (the “Organisation”). Roche had detected an unauthorised disclosure of their employees’ data on GitHub repository (“GitHub”) on 3 March 2020 (the “Incident”). 2. The Organisation subsequently requested for this matter to be handled under the Commission’s expedited decision procedure. In this regard, the Organisation voluntarily provided and unequivocally admitted to the facts set out in this decision. It also admitted that it was in breach of sections 24 and 25 of the Personal Data Protection Act (the “PDPA”). Background 3. The Organisation was engaged by Roche in 2017 to provide finance and payroll processing services. In order for the Organisation to provide the said services, Roche handed over its employees’ personal data to the Organisation. The contract between the parties was subsequently terminated, and the Organisation’s last day of service was 31 December 2018. The Incident 4. On or around 28 February 2020, one of the Organisation’s employees uploaded a file on the Organisation’s GitHub account (the “File”). When doing so, the employee changed the setting of the GitHub account from “private” to “public” under the mistaken belief that the File would only be accessible to other members of the Organisation. In fact, the change in setting had resulted in the File being accessible to the public. 5. The File contained the personal data of 308 individuals, which comprised Roche’s current and former employees (the “Employees”), and their dependents (the “Dependents”). The personal data included: a. For the Employees: name, NRIC/FIN/Passport number, address, date of birth, race, citizenship, employee I… | Financial Penalty | 583ab7758251c5c2e5fe07f3e5f542c582089f9d | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 79 | 79 | 1 | 952 | A financial penalty of $20,000 was imposed on Times Software, a data intermediary, for: (i) failing to make reasonable security arrangements to prevent the unauthorised disclosure of personal data belonging to the employees of its clients; and (ii) retaining personal data which was no longer necessary for legal or business purposes. Separately, Dentons and TMF were each issued a warning for failing to put in place reasonable security arrangements with Times Software to prevent unauthorised disclosure of the personal data belonging to their employees. | [
"Protection",
"Retention Limitation",
"Financial Penalty",
"Legal",
"Data Intermediary",
"Functionality",
"Software"
] |
2020-11-24 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Times-and-Others---18062020.pdf | Protection, Retention Limitation | Breach of the Protection and Retention Limitation Obligations by Times Software, Breach of the Protection Obligation by Dentons and TMF | https://www.pdpc.gov.sg/all-commissions-decisions/2020/11/breach-of-the-protection-and-retention-limitation-obligations-by-times-software-breach-of-the-protection-obligation-by-dentons-and-tmf | 2020-11-24 | PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 18 Case Nos.: DP-1802-B1719, DP-1802-B1744, DP-1803-B1834, DP-1804-B1942, DP-1804-B1943 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Times Software Pte Ltd (2) Dentons Rodyk & Davidson LLP (3) Liberty Specialty Markets Singapore Pte Limited (4) Red Hat Asia Pacific Pte Ltd (5) TMF Singapore H Pte Ltd … Organisations DECISION Times Software Pte Ltd & Ors [2020] SGPDPC 18 Tan Kiat How, Commissioner — Case Nos. DP-1802-B1719, DP-1802-B1744, DP1803-B1834, DP-1804-B1942, DP-1804-B1943 18 June 2020 Introduction 1 Times Software Pte Ltd (“Times”) is an information technology services vendor that provides various services to its clients. Between January and February 2018, three organisations which directly or indirectly used Times’ services became aware that the personal data of some their current and former employees (the “Employee Data”) had been exposed online from Times’ servers and could be found using the Google search engine (the “Incident”). These three organisations were Dentons Rodyk & Davidson LLP (“Dentons”), Red Hat Asia Pacific Pte Ltd (“Red Hat”) and Liberty Specialty Markets Singapore Pte Limited (“LIU”). Each of these organisations submitted a data breach notification to the Personal Data Protection Commission (the “Commission”) after the Incident. The Facts The Relationship between the Parties and how Times had obtained the Employee Data 2 Dentons had, since 2001, engaged Times to use a payroll software application developed by Times (the “Payroll Software”). The Payroll Software was hosted internally on Dentons’ servers. In or around November 2015, Dentons commissioned the development of a new functionality of the Payroll Software which would enable 1 Times Software Pte Ltd & Ors 2020 SGPDPC [18] Dentons to create customised employee reports. Dentons provided their Employee Data to Times to test this functionality. 3 In December 2015 and February 2016, Red Hat and LIU respective… | Financial Penalty | 976a574a38eb0225fbf7a43d418a4b5c6717efc8 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 119 | 119 | 1 | 952 | A financial penalty of $34,000 was imposed on Globalsign.in for failing to put in place reasonable security arrangements to protect the personal data supplied by its clients. Globalsign.in, which sends mass marketing emails on behalf of its clients to their respective customers, was also found to be holding personal data which was no longer necessary for legal or business purposes. | [
"Protection",
"Retention Limitation",
"Financial Penalty"
] |
2020-01-09 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--MSIG-Insurance-Singapore-Pte-Ltd--191119.pdf | Protection, Retention Limitation | Breach of the Protection and Retention Obligations by Globalsign.in Pte Ltd | https://www.pdpc.gov.sg/all-commissions-decisions/2020/01/breach-of-the-protection-and-retention-obligations-by-globalsignin-pte-ltd | 2020-01-09 | PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 43 Case Nos. DP-1708-B1066; DP-1708-B1086 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) (2) MSIG Insurance (Singapore) Pte Ltd Globalsign.in Pte Ltd …Organisation(s) DECISION Re MSIG Insurance (Singapore) and another [2019] SGPDPC 43 (1) MSIG Insurance (Singapore) Pte Ltd (2) Globalsign.in Pte Ltd [2019] SGPDPC 43 Mr Tan Kiat How, Commissioner – Case Nos. DP-1708-B1066; DP-1708-B1086 19 November 2019 Introduction and Material Facts 1. MSIG Insurance (Singapore) Pte Ltd (“MSIG”) notified the Personal Data Protection Commission (the “Commission”) on 22 August 2017 that the mass emailing system of its service provider, Globalsign.in Pte Ltd’s (“GSI”), had been accessed without authorisation and used to send spam emails (the “Incident”) to 149,172 email addresses which belonged to MSIG’s customers (“Impacted Customers”). 2. GSI runs and hosts an email marketing platform known as “Global2Mail Online Marketing Web Application” (the “G2M” platform). GSI uses the G2M platform to send mass marketing emails to email addresses supplied by its clients. 3. MSIG, an insurance provider, had engaged GSI to send marketing emails to its customers via the G2M platform. For this purpose, MSIG and GSI had entered into an agreement dated 1 October 2013. An addendum to the said agreement was entered into on 16 May 2014 to take into consideration the obligations of both organisations under the Personal Data Protection Act 2012 (the “PDPA”). GSI’s services were renewed by MSIG, with MSIG and GSI entering into a new agreement on 1 August 2017 (the “Agreements”). 4. MSIG provided GSI with a list of email addresses of its customers each time an email marketing campaign was launched. For some of the email addresses, MSIG also provided the first and last names to GSI and these would be captured in the G2M platform. According to MSIG, the email addresses and names (where applicable) provided to GSI were password-protected… | Financial Penalty | 4c9d4905f641206cd304485dcb39659ee42e32db | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
| 2023-10-01T11:02:10+08:00 | fbd32491db44d3d0c97aa12a99cefd61ec954264 | 202 | 202 | 1 | 952 | A financial penalty of $18,000 and directions were issued to Social Metric for leaving the personal data exposed to the world wide web via unprotected URL links; and failure to remove personal data of its clients’ customers from its website when they no longer served a legal or business purpose. | [
"Protection",
"Retention Limitation",
"Financial Penalty",
"Directions",
"Information and Communications"
] |
2017-11-27 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision-Social-Metric-271117.pdf | Protection, Retention Limitation | Breach of Protection and Retention Obligations by Social Metric | https://www.pdpc.gov.sg/all-commissions-decisions/2017/11/breach-of-protection-and-retention-obligations-by-social-metric | 2017-11-27 | PERSONAL DATA PROTECTION COMMISSION [2017] SGPDPC 17 Case No DP-160-A712; DP-1604-A713 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Social Metric Pte Ltd … Organisation DECISION Social Metric Pte Ltd [2017] SGPDPC 17 Tan Kiat How, Commissioner — Case No DP-160-A712; DP-1604-A713 27 November 2017. Background 1 This case involves a company which, as part of its social media marketing campaigns conducted for and on behalf of its clients, created webpages containing the personal data of its clients’ customers; and subsequently failed to remove those webpages from the world wide web, even after the social media marketing campaigns were over. 2 A complaint was made to the Personal Data Protection Commission (“PDPC”) regarding the unauthorised disclosure of personal data on these webpages on the world wide web. The Commissioner undertook an investigation into the matter, and the Commissioner sets out his findings and decision on the matter below. Material Facts and Documents 3 Social Metric is a digital marketing agency that provides social media marketing services. As part of these services, Social Metric would collect personal data of its clients’ customers for various purposes, for example, as a form of customer engagement, or to analyse the customer demographics, amongst other things. Social Metric Pte Ltd 4 [2017] SGPDPC 17 For the webpages in question, Social Metric had created nine webpages (the “Webpages”) for various social media contests that Social Metric conducted for and on behalf of its clients. These Webpages were found on Social Metric’s website at https://www.socialmetric.com (the “Website”). The Webpages consisted of tables that listed out various particulars of individuals. They were created for internal administrative and client use. 5 The personal data in these nine Webpages included individuals’ names; email addresses; contact numbers; employers; occupations; date and time of registration; and other miscellaneous information … | Financial Penalty, Directions | 6e83d465218b035d98cbe2c84b157f8aa0698ca3 | [
"pdf-content",
"timestamp",
"decision",
"pdf-url",
"tags",
"nature",
"url",
"title",
"date",
"description"
] |
Advanced export
JSON shape: default, array, newline-delimited
CREATE VIEW pdpc_decisions_version_detail AS select
commits.commit_at as _commit_at,
commits.hash as _commit_hash,
pdpc_decisions_version.*,
(
select json_group_array(name) from columns
where id in (
select column from pdpc_decisions_changed
where item_version = pdpc_decisions_version._id
)
) as _changed_columns
from pdpc_decisions_version
join commits on commits.id = pdpc_decisions_version._commit;