The Personal Data Protection Commission (PDPC) has taken enforcement actions against several organizations for breaching their data protection obligations under the Personal Data Protection Act (PDPA). Five organizations were issued directions (four of which included financial penalties), while six others were issued warnings.
The PDPC considered the severity of non-compliance in each case when determining the type of enforcement action to take. Some of the factors include:
a) Whether the organization had taken reasonable measures to prevent the data breach;
b) Whether the organization took steps to identify weaknesses of its system and effectiveness of any remedial actions taken thereafter;
c) Whether the organization had data protection policies and processes in place;
d) The number of individuals who were affected;
e) The time taken to remedy the breach once it was known;
f) The type of personal data involved;
g) The manner in which the organization responded to the breach; and
h) The circumstances of the breach.
The PDPC imposed a financial penalty of $50,000 on K Box Entertainment Group Pte Ltd (K Box), a karaoke chain, for not putting in place sufficient security measures to protect the personal data of 317,000 members, for inadequate data protection policies, and for the absence of a Data Protection Officer (DPO).
The PDPC imposed a financial penalty of $10,000 on Finantech Holdings Pte Ltd, the IT vendor in charge of K Box’s content management system (as K Box’s data intermediary).
For failing to put in place adequate security measures to protect personal data in its possession that affected 4,000 members, the PDPC imposed a financial penalty of $10,000 on the Institution of Engineers, Singapore. For a similar breach that affected more than 900 customers, a financial penalty of $5,000 was imposed on Fei Fah Medical Manufacturing Pte Ltd, a health supplements supplier.
For unauthorized disclosure of 37 customers’ personal data to four individuals, the PDPC issued directions to Universal Travel Corporation Pte Ltd, a tour agency, to enhance its personal data protection policies.
The PDPC also issued warnings to six organizations for lapses in handling personal data: Challenger Technologies Ltd, an IT retailer, as well as its IT vendor, Xirlynx Innovations; Full House Communications Pte Ltd, a consumer home show organizer; Metro Pte Ltd, a retailer; Singapore Computer Society, an infocomm and digital media professional society; and Yestuition Agency, a tuition agency.
The PDPC may also accept an undertaking that commits the organization to a particular course of action to improve its compliance with the PDPA. For example, an undertaking may be considered when the organization is able to achieve the desired level of compliance with the PDPA promptly, without requiring the PDPC to conduct a full investigation.
In the case of Xiaomi Singapore Pte Ltd (Xiaomi), the organization provided an undertaking to improve its compliance after the PDPC raised concerns about its practice of signing users up to its cloud messaging services by default, without notification. Separately, PDPC found a complaint lodged against Xiaomi for disclosing personal data to third-party marketers without consent to be unsubstantiated.
Since the PDPA came into full effect in July 2014, the PDPC has received 667 complaints. 92% of these complaints were resolved through investigation and facilitation between the respective organizations and individuals. Common complaints include the collection, use and disclosure of personal data without notification or consent, as well as the disclosure of personal data through lack of protection by these organizations.
Leong Keng Thai, Chairman, PDPC, said, “The enforcement actions taken are not to deter the use of personal data for business competitiveness. We recognize that data is essential for innovation in today’s economy. The key is to use it responsibly and take appropriate actions to protect it. Both the organization and its data intermediary, such as IT vendors that provide systems and data management solutions to businesses, are expected to exercise due care and implement adequate security measures.”