BY THE SINGAPOREAN DATA PROTECTION AUTHORITY: New Decisions Of The Commission Of The 14th Of January 2021

The Personal Data Protection Commission (PDPC) publishes decisions relating to organisations that are found to have contravened the data protection provisions under the Personal Data Protection Act (PDPA). These decisions provide valuable insights and lessons so that organisations can implement measures to prevent similar occurrences. They also serve to remind individuals and organisations of their respective rights and obligations under the PDPA. In the longer term, the publication of cases aims to promote accountability among organisations to build and strengthen consumer trust and confidence.

The PDPC also takes a proactive approach in assisting organisations to comply with the PDPA. Apart from conducting outreach activities and issuing advisory guidelines, the PDPC has also developed a suite of practical resources, ranging from competency development to capacity building.

Introduction

Organisations today collect, use and disclose personal data about individuals, whether they are customers, employees or members. Practising good personal data management can increase business efficiency and effectiveness, boost customer confidence and enhance your organisation’s public image.

A typical data protection journey comprises three progressive stages:

  1. Awareness
  2. Compliance
  3. Accountability

Each stage below sets out what you need to know and the resources you can use to support the implementation of data protection (DP) policies and processes for your organisation.

1) Building Awareness

Get to know the essentials of the Personal Data Protection Act (PDPA) such as the key terms and organisations’ obligations under the PDPA.

2) Kick-start your DP journey

Take the first step to kick-start the implementation of data protection policies and processes for your organisation using PDPC’s free-to-use resources such as sample clauses, templates, communication materials and tools.

3) Getting into Compliance

Learn about what you need to do for your organisation to ensure compliance with the PDPA and the security measures that you need to put in place to safeguard the personal data entrusted by your customers and employees.

4) Moving Towards Accountability

This guide explains the accountability principle in the context of personal data protection and how organisations may demonstrate accountability for personal data in their care. It is important for organisations to shift from a compliance-based approach to an accountability-based approach in managing personal data.

5) Capability Building

Find out more on the career pathway from entry-level data protection executives to regional data protection senior management roles, as well as the core competencies and proficiency required at each level to perform your job functions effectively in an organisation.

Most recent 25 decisions

Breach of the Protection Obligation by BLS International Services Singapore

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $5,000 was imposed on BLS International Services Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of individuals who had submitted a booking for an appointment on its website.

Breach of the Protection Obligation by The Future of Cooking

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $9,000 was imposed on The Future of Cooking for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of its customers’ personal data on its website.

Decision - The Future of Cooking Pte Ltd 20112020 (003)

No Breach of the Transfer Limitation Obligation by Singapore Technologies Engineering

Nature of Breach: Transfer Limitation

Decision: Not in Breach

Singapore Technologies Engineering was found not in breach of the PDPA in relation to the transfer of the personal data of its Singapore-based employees to its subsidiaries based in the United States.

Decision - ST Engineering Ltd - 16112020

Breach of the Protection Obligation by Water + Plants Lab

Nature of Breach: Protection

Decision: Warning

A warning was issued to Water + Plants Lab for failing to put in place reasonable security arrangements to protect the personal data of its employees. The incident resulted in the personal data being subjected to a ransomware attack.

Decision Water Plants Lab Pte Ltd 181120

Breach of the Protection Obligation by R.I.S.E Aerospace

Nature of Breach: Protection

Decision: Warning

A warning was issued to R.I.S.E Aerospace for failing to put in place reasonable security arrangements to protect the personal data of its employees from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack.

Decision - RISE Aerospace Pte Ltd - 131120

Breach of Protection Obligation by Hello Travel

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $8,000 was imposed on Hello Travel for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure.

Decision - Hello Travel Pte Ltd - 301020

Breach of the Accountability and Protection Obligations by Everlast Projects, Everlast Industries (S) and ELG Specialist

Nature of Breach: Accountability, Protection

Decision: Directions

Directions were imposed on Everlast Projects, Everlast Industries (S) and ELG Specialist for breaches of the PDPA. First, the organisations failed to put in place reasonable measures to protect their employees’ personal data. Second, they did not have the written policies and practices necessary to ensure their compliance with the PDPA.

Decision - Everlast Projects and Others - 301020

Breach of the Protection Obligation by Novelship

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $4,000 was imposed on Novelship for failing to put in place reasonable security arrangements to protect the personal data collected from its sellers from unauthorised access on its website.

Decision - Novelship Pte Ltd - 22072020

Breach of the Protection and Retention Limitation Obligations by Worksmartly

Nature of Breach: Protection, Retention Limitation

Decision: Financial Penalty

A financial penalty of $5,000 was imposed on Worksmartly for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its client’s employees. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes.

Decision - Worksmartly Pte Ltd - 17092020

Breach of the Protection and Retention Limitation Obligations by Times Software, Breach of the Protection Obligation by Dentons and TMF

Nature of Breach: Protection, Retention Limitation

Decision: Financial Penalty

A financial penalty of $20,000 was imposed on Times Software, a data intermediary, for: (i) failing to make reasonable security arrangements to prevent the unauthorised disclosure of personal data belonging to the employees of its clients; and (ii) retaining personal data which was no longer necessary for legal or business purposes.

Separately, Dentons and TMF were each issued a warning for failing to put in place reasonable security arrangements with Times Software to prevent unauthorised disclosure of the personal data belonging to their employees.

Decision - Times and Others - 18062020

Breach of the Protection Obligation by Secur Solutions Group

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $120,000 was imposed on Secur Solutions Group for failing to put in place reasonable security arrangements to protect a database containing the personal data of blood donors from being publicly accessible online.

Decision - Secur Solutions Group Pte Ltd - 30032020

Breach of the Consent and Accountability Obligations by Majestic Debt Recovery

Nature of Breach: Protection, Accountability

Decision: Directions, Financial Penalty

Directions, including a financial penalty of $7,500, were imposed on Majestic Debt Recovery for failing to obtain consent from its debtors to record the debt collection process. Majestic Debt Recovery also did not obtain consent to upload the recordings onto its Facebook Page. Additionally, Majestic Debt Recovery did not have the written policies and practices necessary to ensure its compliance with the PDPA.

Decision - Majestic Debt Recovery - 02032020

Breach of the Protection Obligation by Security Masters

Nature of Breach: Protection

Decision: Directions

Directions were issued to Security Masters for failing to put in place reasonable security arrangements to prevent the unauthorised access of building visitors’ mobile numbers. A security officer had contacted the visitors to request the return of visitor passes and to send them Chinese New Year greetings.

Decision - Security Masters Pte Ltd - 21072020

Breach of the Retention Limitation Obligation by Interauct!

Nature of Breach: Retention Limitation

Decision: Warning

A warning was issued to Interauct! for retaining personal data which was no longer necessary for legal or business purposes.

Decision - Interauct Pte Ltd - 04082020

Breach of the Protection Obligation by Chan Brothers Travel

Nature of Breach: Protection

Decision: Warning

A warning was issued to Chan Brothers Travel for failing to put in place reasonable security arrangements to protect the personal data of individuals on its website. The result was that the personal data of over 5,500 individuals were accessible through online web search engines.

Decision - Chan Brothers Travel Pte Ltd - 21072020

Breach of the Protection Obligation by Tanah Merah Country Club

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $4,000 was imposed on Tanah Merah Country Club for failing to put in place reasonable security arrangements to protect the personal data of individuals stored on its electronic direct mail (“EDM”) system. The shared login password for the EDM system was weak and had not been changed since 2010. There were also no arrangements in place to ensure and enforce password strength, expiry and protection.

An application for reconsideration was filed against the decision Re Tanah Merah Country Club. Upon review and careful consideration of the application, directions in the decision were varied.

Decision - Tanah Merah Country Club - 21072020 (1)

Breach of the Protection Obligation by Vimalakirti Buddhist Centre

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $5,000 was imposed on Vimalakirti Buddhist Centre for failing to put in place reasonable security arrangements to protect the personal data of its members and non-members from unauthorised disclosure. The incident resulted in the personal data being subjected to a ransomware attack.

Decision - Vimalakirti Buddhist Centre - 04092020

Breach of the Protection Obligation by Horizon Fast Ferry

Nature of Breach: Protection

Decision: Warning

A warning was issued to Horizon Fast Ferry for failing to put in place reasonable security arrangements to protect the personal data in the Organisation’s email account.

Decision - Horizon Fast Ferry Pte Ltd - 27082020

Breach of the Protection Obligation by MRI Diagnostics and Breach of the Accountability Obligation by Clarity Radiology

Nature of Breach: Protection

Decision: Warning

A warning was issued to MRI Diagnostics for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of approximately 4,099 individuals which were publicly available via the internet.

Directions were imposed on Clarity Radiology for failing to appoint a data protection officer and not having policies and practices necessary to comply with the PDPA.

Decision - MRI Diagnostics Pte Ltd and Other - 22072020

Breach of the Protection Obligation by COURTS

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $9,000 was imposed on COURTS for failing to put in place reasonable security arrangements to protect the personal data of its members from unauthorised disclosure on its website. Some members were able to gain access to personal data of another member via a link in an email sent by COURTS.

Decision - COURTS Singapore - 140820

Breach of the Protection Obligation by Singapore Medical Association

Nature of Breach: Protection

Decision: Warning

A warning was issued to the Singapore Medical Association for failing to put in place reasonable security arrangements to prevent the unauthorised access of 68 individuals’ personal data, which was forwarded to an external email address without authorisation.

Decision - Singapore Medical Association - 21072020

Breach of the Protection Obligation by Civil Service Club

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $20,000 was imposed on Civil Service Club for failing to put in place reasonable security arrangements to protect its members’ personal data. A web directory containing members’ profile photographs and their respective NRIC/FIN numbers was found to be publicly accessible.

Decision - Civil Service Club 01042020

Breach of the Protection Obligation by Grabcar

Nature of Breach: Protection

Decision: Financial Penalty, Directions

A financial penalty of $10,000 was imposed and a direction was issued to Grabcar for failing to put in place reasonable security arrangements to prevent the unauthorised access of GrabHitch drivers’ and passengers’ personal data via its mobile application.

Decision - Grabcar Pte Ltd - 24072020

No Breach of the Protection Obligation by Singtel

Nature of Breach: Protection

Decision: Not in Breach

Singtel was found not in breach of the Protection Obligation in relation to the unauthorised access of its customers’ personal data via the mySingtel mobile application.

Decision - Singapore Telecommunications Limited - 05082020

Breach of the Protection and Retention Limitation Obligations by Singapore Red Cross

Nature of Breach: Protection

Decision: Financial Penalty

A financial penalty of $5,000 was imposed on Singapore Red Cross for breaches of the PDPA. First, the Organisation failed to put in place reasonable security arrangements to protect the personal data of its blood donors. Second, it was also found to be retaining personal data which was no longer necessary for legal or business purposes.

Decision - Singapore Red Cross - 05052020

SOURCE: SINGAPORE DATA PROTECTION AUTHORITY – PDPC