16 January, 2017
Trends
Since the Personal Data Protection Act (the Act) came into force on 2 July 2014, the Personal Data Protection Commission (the Commission) has published a number of enforcement decisions taken against twenty-two organisations for breaching various obligations under the Act. Enforcement action has been taken against companies in a range of industries, including the food and beverage sector, insurance companies, societies and IT service providers. The Commission has issued warnings and financial penalties ranging from S$500 to S$50,000, the highest of which was imposed on a karaoke chain for failing to implement sufficient security measures to protect the personal data of 317,000 members. This newsletter highlights key enforcement decisions of the Commission in 2016.
Nature of Breach
A. Breach of the Protection Obligation
The majority of the enforcement decisions relate to companies failing to put in place reasonable security arrangements to protect personal data. Section 24 of the Act requires an organisation to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks" (the Protection Obligation).
The largest financial penalty of S$50,000 was imposed on K Box Entertainment Group Pte Ltd (K Box)[1], a karaoke chain, for breaching the Protection Obligation, which resulted in a list containing the personal data of 317,000 members being leaked online. Investigations revealed that K Box did not make reasonable security arrangements to protect the personal data. For example, K Box did not enforce its password policy, which allowed an unauthorised individual to gain access to the personal data. In addition, K Box did not effectively manage its data intermediary, Finantech Holdings Pte Ltd (Finantech), to ensure compliance with the Protection Obligation. It had failed to inform or emphasise to Finantech its Protection Obligation. The contract between K Box and Finantech also did not include any contractual clauses requiring Finantech to comply with a standard of data protection at least comparable to industry standards.
Other decisions concerned security measures that had been hacked or leaks of personal data through corporate websites. An example is Metro Pte Ltd[2], which neglected to address the security issues and vulnerabilities reported in an IT security audit conducted after two hacking incidents involving its corporate website. In the decisions against GMM Technoworld Pte Ltd[3], ABR Holdings Limited[4] and Full House Communications Pte Ltd[5], the companies were found to have implemented inappropriate security systems on their websites, which allowed the public to inadvertently access the personal data of their members or participants.
In the decision of Cellar Door Pte Ltd (Cellar Door) and Global Interactive Works Pte. Ltd. (GIW)[6], Cellar Door had engaged GIW as a data intermediary and transferred personal data to GIW. The Commission made a distinction between possession and control of personal data and held that a party which had control over personal data but did not possess the data would nevertheless be obliged to comply with the Protection Obligation. The Commission found that Cellar Door remained in control of the personal data even though it was transferred to GIW. Although Cellar Door no longer had direct possession of the personal data as it was held on GIW's servers, Cellar Door still had to comply with Section 24 of the PDPA.
B. Liability of Data Intermediary
A data intermediary that processes personal data on behalf of another organisation is obligated under the Act to put in place reasonable security arrangements to protect the personal data. It is important to define at the outset whether the organisation processing the personal data is a data intermediary. This is often defined in a written contract between the organisation and the data intermediary which sets out each organisation's responsibilities and liabilities. In the case involving K Box, summarised above, the Commission found that Finantech was a data intermediary of K Box notwithstanding that the "contracts" were in fact quotations which were confirmed and accepted by K Box. Finantech was fined S$10,000 for failing to (1) put in place security measures to adequately protect the personal data in K Box's database; and (2) advise K Box of its security vulnerabilities.
Toh-Shi Printing Singapore Pte Ltd (Toh-Shi)[7], a data intermediary engaged by Aviva Ltd (Aviva) and Central Depository (Pte) Limited (Central Depository), was found on two separate occasions to have breached the Protection Obligation. Toh-Shi provided mail-out and data printing services for correspondence on behalf of Aviva and Central Depository. In both incidents, incorrect statements were sent to individuals containing the account information of other account holders, due to an error in the data sorting process. The Commission imposed financial penalties of S$25,000 and S$5,000 against Toh-Shi for its breaches as a data intermediary for Aviva and Central Depository respectively.
C. Consent Obligation
Section 13 of the PDPA prohibits organisations from collecting, using or disclosing an individual’s personal data unless the individual gives, or is deemed to have given, his consent for the collection, use or disclosure of his personal data (the Consent Obligation).
In the decision of YESTUITION AGENCY (YESTUITION)[8], the NRIC numbers and images of thirty individuals who registered to be tutors with YESTUITION were published on its website. YESTUITION represented to the Commission that tutors who submitted their personal data on a form via the website had provided either express or deemed consent to the collection, use and disclosure of their personal data by YESTUITION for the purposes of providing the tutors with tuition matching services.
The Commission disagreed and found that YESTUITION had not obtained the tutors' consent for the images and NRIC numbers to be published on its website. In addition, such disclosure ran counter to the terms of YESTUITION's privacy policy, which stated consent would be obtained prior to the disclosure of personal information.
The Commission issued a warning against YESTUITION instead of a financial penalty as it considered that YESTUITION took proactive steps to restrict access to the website once it was made aware of the issue and that YESTUITION had been cooperative and forthcoming in its responses to the Commission.
D. Purpose Limitation Obligation
Organisations are obligated to collect, use and disclose personal data only for purposes: (1) that a reasonable person would consider appropriate in the circumstances (i.e. Section 18 of the PDPA); and (2) of which the individual has been informed by the organisation and to which the individual has consented (i.e. Sections 13, 14, 15 and 20 of the PDPA) (the Purpose Limitation Obligation).
In the case of AIA Singapore Private Limited (AIA)[9], the Commission clarified that the obligation under Section 18 of the PDPA is an independent obligation with which organisations must comply even if they have obtained informed consent from the relevant individual for the collection, use or disclosure of his or her personal data. This is an important aspect of the PDPA as it effectively addresses excesses in the collection, use or disclosure of personal data under broadly-worded consent clauses.
AIA had disclosed an individual’s bank account details to a chiropractic practice in relation to the individual’s claim under an insurance policy. AIA had provided this information in the course of seeking a medical report from the chiropractic practice that would support the individual's claim. The individual had signed documents containing broadly-worded consent clauses and it was arguable that he had agreed to AIA disclosing his personal data for such purposes based on some of these documents.
Notwithstanding this, the Commission found that there was a breach of Section 18 of the PDPA, as the disclosure of bank account details to the chiropractic practice was not "for a purpose that a reasonable person would consider appropriate in the circumstances". The disclosure of bank account details was not relevant or necessary to AIA's request for a medical report from the chiropractic practice. The bank account details were necessary for the purpose of AIA effecting payment to the individual, but not relevant to the chiropractic practice's production of the medical report. The section of the claim form where bank account details were provided also stated that the details were for "direct crediting of claim". Consequently, the Commission issued a warning against AIA.
E. Openness Obligation
The Act requires organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the Act and to make information about their data protection policies and practices available (the Openness Obligation). The Commission found Fu Kwee Kitchen Catering Services (Fu Kwee Kitchen)[10] to be in breach of the Openness Obligation under Sections 11 and 12 of the Act for failing to implement personal data protection policies and to appoint a data protection officer. Fu Kwee Kitchen was fined S$3,000 for failing to comply with the Openness Obligation and the Protection Obligation, and the Commission issued various directions for the company to comply with Sections 11 and 12 of the Act.
F. Exceptions to Disclosure of Personal Data Without Consent
Three decisions have clarified the extent to which the exceptions permitting disclosure of personal data without consent in specific circumstances may apply.
In the decision of Universal Travel Corporation Pte Ltd (UTC)[11], UTC disclosed the entire list of passengers containing personal data to certain individuals for the purpose of those individuals making a claim on a travel insurance policy. UTC argued that the disclosure was necessary for a purpose which was in the interests of the individual, and that consent could not be obtained in a timely manner. The Commission disagreed and clarified that "interests of the individual" refers only to the interests of the data subject in question. UTC disclosing the entire list of passengers containing personal data for the purpose of only certain individuals making a claim against the travel insurance policy was not in the interests of all the passengers.
In the case of My Digital Lock Pte. Ltd. (MDL)[12], the director had posted on his Facebook page screenshots of WhatsApp messages exchanged between an individual and him which contained personal data of the individual. The messages were in connection with a dispute about defects in MDL's product. Both parties were already engaged in legal proceedings regarding remarks allegedly made by the individual concerning MDL's product and business.
MDL sought to rely on the exception that disclosure of personal data without consent was necessary for investigations and proceedings. However, the Commission disagreed that the disclosure was "necessary", as MDL had failed to show that disclosure needed to be made on Facebook and/or to the director's contacts on Facebook. The files could have been transferred directly to the lawyers without disclosure to other third parties.
In a third case, Jump Rope (Singapore)[13], the Commission considered whether the disclosure of personal data was "what a reasonable person would consider appropriate in the circumstances". The Jump Rope society had emailed various schools about its blacklisting of the complainant, who had allegedly breached his employment contract and code of conduct.
In the absence of evidence that the complainant's conduct had put Jump Rope's reputation or potential clients at risk, the disclosure of personal data was not appropriate or reasonable. Accordingly, the Commission found that the actions of Jump Rope had gone beyond what was reasonable in the circumstances and issued a warning against Jump Rope.
Impact on Organisations
In light of the recent enforcement decisions, organisations controlling personal data, as well as data intermediaries, should ensure they have in place robust data privacy policies and appropriate service agreements. It is also important that employees are aware of these data privacy policies and undergo data privacy training to mitigate any potential breaches of the Act.
The increasing number of enforcement actions taken by the Commission demonstrates its serious approach towards non-compliance with the Act and its willingness to enforce the Act. The Commission has wide enforcement powers for breaches of the Act, including the power to conduct investigations, issue warnings and impose financial penalties of up to S$1 million. The cost of dealing with a complaint or investigation conducted by the Commission and the reputational harm to the organisation are further consequences of non-compliance with the Act.
[1] K Box Entertainment Group Pte. Ltd. and Finantech Holdings Pte. Ltd. [2016] SGPDPC 1
[2] Metro Pte Ltd [2016] SGPDPC 7
[3] GMM Technoworld Pte. Ltd. [2016] SGPDPC 18
[4] ABR Holdings Limited [2016] SGPDPC 16
[5] Full House Communications Pte Ltd [2016] SGPDPC 8
[6] The Cellar Door Pte Ltd and Global Interactive Works Pte. Ltd. [2016] SGPDPC 22
[7] Aviva Ltd and Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC
[8] YESTUITION AGENCY [2016] SGPDPC 5
[9] AIA Singapore Private Limited [2016] SGPDPC 10
[10] Fu Kwee Kitchen Catering Services, Pixart Pte. Ltd. [2016] SGPDPC 14
[11] Universal Travel Corporation Pte Ltd [2016] SGPDPC 4
[12] My Digital Lock Pte. Ltd. [2016] SGPDPC 20
[13] Jump Rope (Singapore) [2016] SGPDPC 21
For further information, please contact:
Ken Chia, Principal, Baker & McKenzie.Wong & Leow
ken.chia@bakermckenzie.com