17 May, 2016
Background
It has been almost two years since the Personal Data Protection Act 2012 (“PDPA”) came into effect on 2 July 2014. During that period, no enforcement decision had been issued for personal data protection breaches under the PDPA. That changed on 21 April 2016, when an enforcement blitz by the Personal Data Protection Commission (“PDPC”) culminated in 9 enforcement decisions issued against 11 different parties (collectively, “the Respondents”).
Almost all the enforcement actions against the Respondents arose from complaints or information received from the public. All organisations under the purview of the PDPC are regulated to the same extent under the PDPA, and the PDPC has emphasised that it takes a very serious view of any instance of non-compliance.
Some discernible trends observed from the grounds of decision in all 9 cases are set out as follows:
(1) Organisation size and industry do not matter if you collect, use and/or process personal data
The Respondents came from a wide and diverse spectrum of industries, and range from small-and-medium enterprises to larger companies which are household names in Singapore. They include:
Industry: Name(s)
Retail: Metro Pte Ltd; Challenger Technologies Limited (“Challenger”)
Entertainment: K Box Entertainment Group Pte Ltd (“K Box”)
Travel: Universal Travel Corporation Pte Ltd
Medical and Health Supplement: Fei Fah Medical Manufacturing Pte Ltd
Tutor matching services: YesTuition Agency
IT services: Xirlynx Innovations; Finantech Holdings Pte Ltd
Advertising and Events Management: Full House Communications Pte Ltd
Professional associations and societies: Singapore Computer Society (“SCS”); Institution of Engineers Singapore
The common thread in all these cases is that each Respondent ran a data-rich business, involving either a large customer database or a large membership database.
(2) Security is an Important Issue
In the grounds of decision of the 9 cases, there was an overwhelming emphasis on the obligations of organisations and data intermediaries to ensure reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks relating to personal data in their possession or under their control (“Protection Obligation”).
Of the 9 decisions, 7 involved a failure by the relevant Respondent to adequately observe the Protection Obligation, whether as an organisation collecting and using personal data itself, or as a data intermediary processing personal data for and on behalf of an organisation.
Common weaknesses that were identified in these cases included:
- Failing to enforce a password policy, and/or the use of weak passwords;
- Failing to remove unused user accounts, which could facilitate hacking;
- Failing to keep software up to date and/or patch weaknesses in existing software, especially commonly known vulnerabilities;
- Failing to conduct security audits of the organisation’s database and system; and
- Transmitting large volumes of personal data over the Internet without password-protection or encryption.
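As an added illustration of the first two weaknesses on this list (example code written for this page, not part of the original article or of any Respondent's systems): a short Python audit that flags enabled accounts with no recent login and validates candidate passwords against a minimal policy. The account export, its field names, the policy thresholds and the denylist are all constructed assumptions; a real deployment would read the export from the directory or database in question and use a full breached-password list.

```python
"""Added example: two of the controls the PDPC decisions fault organisations
for skipping (stale-account removal and password policy enforcement), run
over a constructed account export. Not code from the original article."""
from datetime import date, timedelta

# Constructed sample export. Field names are assumptions, not any real schema.
SAMPLE_ACCOUNTS = [
    {"user": "alice",    "enabled": True,  "last_login": date(2016, 4, 15),  "role": "admin"},
    {"user": "bob",      "enabled": True,  "last_login": date(2015, 3, 2),   "role": "staff"},
    {"user": "vendor01", "enabled": True,  "last_login": None,               "role": "admin"},
    {"user": "carol",    "enabled": False, "last_login": date(2014, 11, 30), "role": "staff"},
]
# Fixed "today" so the audit is reproducible; the decision date is used here.
SAMPLE_TODAY = date(2016, 4, 21)


def find_stale_accounts(accounts, today, max_idle_days=90):
    """Return usernames of enabled accounts with no login within max_idle_days.

    An account that has never logged in counts as stale: a provisioned but
    unused account (a vendor login, say) is exactly the foothold the
    "unused user accounts" finding describes."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing left to remove
        last = acct["last_login"]
        if last is None or last < cutoff:
            stale.append(acct["user"])
    return stale


# Policy values are illustrative assumptions; set yours from your own risk assessment.
POLICY = {"min_length": 12, "require_classes": 3}
# Tiny constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_meets_policy(pw, policy=POLICY, denylist=COMMON_PASSWORDS):
    """Return (ok, reasons). Every failed rule is reported so the user can
    fix all of them in one attempt rather than discovering them one by one."""
    reasons = []
    if len(pw) < policy["min_length"]:
        reasons.append(f"shorter than {policy['min_length']} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < policy["require_classes"]:
        reasons.append(
            f"uses {classes} character classes, policy requires {policy['require_classes']}"
        )
    if pw.lower() in denylist:
        reasons.append("appears in the common-password denylist")
    return (not reasons, reasons)


if __name__ == "__main__":
    print("stale accounts:", find_stale_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
    for candidate in ["password1", "Tr0ub4dor&3", "Correct-Horse-Battery-Staple-9"]:
        print(candidate, "->", password_meets_policy(candidate))
```

The stale-account check deliberately treats "never logged in" as stale rather than as "new", since an account nobody has used is one nobody is watching; if your onboarding creates accounts days before first use, pass a creation date and grace period instead.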
(3) Importance of exercising care and control when using data intermediaries to process personal data
The decisions concerning K Box and Challenger respectively illustrated that organisations collecting personal data cannot delegate their duty to comply with the Protection Obligation by outsourcing the protection and security measures to third party IT vendors.
In particular, the PDPC flagged in clear terms the importance of imposing on data intermediaries, particularly IT service providers, an enforceable obligation to undertake adequate measures to protect personal data of the organisation, which includes providing a standard of protection that is at least comparable to industry standards.
(4) Voluntary data breach notification is a mitigating factor
There is a silver lining in at least one of the decisions, namely that involving the Singapore Computer Society.
The PDPC only issued a warning to SCS, without any financial penalty, and in the grounds of decision made explicit reference to, amongst others, the fact that SCS voluntarily informed the PDPC of the breach upon discovering an inadvertent disclosure of personal data. SCS also took prompt remedial action and co-operated with the PDPC in its investigations.
Something for the future
The sheer number of enforcement decisions issued in a single day indicates that the PDPC views compliance with the data protection obligations under the PDPA very seriously.
It would appear that merely having a system and/or policy in place for complying with the obligations under the PDPA is insufficient without proper and vigilant execution. The directions from the PDPC suggest that many of the Respondents will need to operationalise their privacy policies in compliance with the PDPA, which includes ensuring that their employees are well trained and equipped to fulfil the policy requirements.
The importance of security and protection of data cannot be overemphasised. A substantial number of the Respondents’ failings were due to a failure to satisfy the Protection Obligation, and the decisions serve as a useful reminder to all organisations and data intermediaries of the need to review their existing security measures so that these remain relevant and sufficient.
rizwi.wun@rhtlawtaylorwessing.com