1 May, 2016
Singapore’s privacy regulator, the Personal Data Protection Commission (PDPC), handed down a slew of enforcement decisions on 21 April 2016 against more than 10 organisations. These were the first enforcement decisions issued by the PDPC under the data protection provisions of the Personal Data Protection Act (PDPA), and they provide an insight into the enforcement approach and the level of penalties in store for businesses that find themselves on the wrong side of the PDPA. Directions were issued against five organisations (four of which had financial penalties imposed on them), while six organisations received formal warnings.
In particular, the decision involving K Box Entertainment is instructive of a number of common mistakes under the PDPA. K Box operated a chain of karaoke outlets in Singapore and was responsible for a data breach which resulted in the publication of the personal data of more than 300,000 of its customers. The data was accessed by an unknown hacker who exploited vulnerabilities in the system. After conducting an extensive investigation, the PDPC imposed a penalty of S$50,000 on K Box for breach of the Protection and Openness Obligations under the PDPA.
In relation to the Protection Obligation, the PDPC found that K Box had failed to make reasonable security arrangements. It did not enforce its password policy and had weak control over unused accounts, which remained operational. Its security practices were poor: for example, it allowed the sending of unencrypted emails containing a large volume of personal data, and it failed to manage its IT vendor so as to ensure that the vendor had measures in place to protect personal data.
In finding that K Box also breached the Openness Obligation, the PDPC noted that K Box had no Data Protection Officer, in breach of that requirement under the PDPA, and also did not have a comprehensive privacy policy in place. The IT vendor was found to be a data intermediary under the PDPA and was therefore subject only to the Protection and Retention Obligations under the PDPA.
However, the IT vendor was itself found to be in breach of the Protection Obligation by virtue of its practices and received a separate penalty of S$10,000. The PDPC indicated that, had the vendor advised K Box of its obligations and had that advice been rejected, the PDPC could have taken this into account in assessing the vendor’s culpability.
The decision demonstrates the dangers of taking a careless approach to PDPA compliance. In this case, K Box did not put in place even basic compliance measures, notwithstanding its handling of customer personal data.
Further, vendors who support companies that may not be interested in complying with the PDPA will themselves have to advise their clients of any gaps in security and recommend fixes. Clearly, a hands-off attitude by vendors to obvious lapses in security will mean that they too will be found culpable under the law if a data breach occurs.
The penalties in the other cases ranged from S$5,000 to S$10,000. However, given that these are the first decisions, it is anticipated that future penalties are likely to be higher, as companies will find it more difficult to justify their non-compliance.
For further information, please contact:
Joyce Tan, Partner, Joyce A Tan & Partners