16 December, 2017
In 2017, several cases in Singapore highlighted that many companies, across a variety of industries, were still not properly safeguarding personal data.
All businesses should ensure that they are complying with their data protection obligations under the Personal Data Protection Act, as failing to do so could incur a penalty of up to S$1 million under section 29 of the Act.
Private Matter Disclosure
Executive Coach International Pte Ltd [2017] SGPDPC 3 was a case in which a senior member of an organisation (referred to in court as “Mr L”) disclosed in a WhatsApp chat group to more than 58 staff and volunteer trainees that his former personal assistant had a drug problem and issues with infidelity. The organisation claimed that it did not know or approve of Mr L’s collection and disclosure of the former assistant’s personal information and argued that it should not be responsible for the data protection breach. As Mr L had made the disclosure in the course of his employment, the Personal Data Protection Commission (PDPC) nevertheless held the organisation in breach.
Password Protection
Orchard Turn Developments Pte Ltd [2017] SGPDPC 12 involved an unknown perpetrator gaining unauthorised access to a server of the property manager of ION Orchard. The perpetrator obtained the list of subscribers to ION’s loyalty programme and sent out phishing emails promoting free ION+ Reward points, affecting 24,913 subscribers. The PDPC found that there was no evidence of hacking—access was obtained in a single attempt—and it was likely the perpetrator managed to get hold of a valid administrative account credential. The PDPC stressed the importance of proper password management policies. Furthermore, the PDPC found the organisation in breach for failing to ensure regular patching of its application and failing to conduct any vulnerability assessment.
Noncompliance
Social Metric Pte Ltd [2017] SGPDPC 17 pertained to a company which, as part of its social media marketing campaigns, created webpages containing personal data of its clients’ customers. It subsequently failed to remove those webpages from the internet after the social marketing campaign was over. Even though the webpages were created before the data protection provisions came into effect, upon the entry into force of the Act, the company had an obligation to take proactive steps to comply with the Act regarding the existing personal data held in their possession or control, as well as any new personal information they obtained.
The company had a standard operating procedure to dispose of personal data once the marketing campaign was over. However, this was not followed. Accordingly, the company bore the risk for whatever happened to the personal data. The PDPC held that oversight or forgetfulness was not an excuse. In assessing the breach and determining the directions to be imposed on Social Metric, the PDPC took into account the generally uncooperative conduct of the company throughout the investigation.
The case of Singapore Telecommunications Ltd; Tech Mahindra (Singapore) Pte Ltd [2017] SGPDPC 4 is another reminder that even if an organisation has policies in place, it should also monitor compliance with them. In this case, the MySingtel mobile application had a coding issue. This resulted in a single customer’s personal particulars replacing the personal particulars in the profiles of 2.78 million ONEPASS users’ accounts, out of which 2,518 users had viewed the affected customer’s NRIC through the MySingtel application. Tech Mahindra was engaged by Singtel to provide a range of support activities such as troubleshooting and application maintenance services. The PDPC found that Tech Mahindra did not adhere to its own standard operating procedures for a more senior member of the support team to review the database update script before execution and for employees to verify that the update was correct after execution. Accordingly, Tech Mahindra was found to have failed to make reasonable security arrangements to protect personal data of Singtel customers that it processed.
Public Access Exception
Despite the rigours of the Act, it does provide for exceptions. Personal data will not be protected if any member of the public can obtain the data with few or no restrictions. This is exemplified in Eceltec Property Management Pte Ltd; Management Corporation Strata Title Plan No 2956; Strata Land Property Consultants Pte Ltd [2017] SGPDPC 8. In that case, three management corporation strata titles (MCSTs) posted copies of the voter list containing names and unit numbers of residents, as well as the minutes of the annual general meetings on notice boards of the relevant condominiums. This amounted to disclosure of personal information. No consent of the residents had been obtained, and the MCSTs did not provide notice to the residents of the use of their personal data beforehand.
The PDPC found no breach because of an exception under section 13(b) of the Act, which provides that personal data may be disclosed without consent where the disclosure is authorised under any other written law. In this case, the Building Maintenance and Strata Management Act requires the MCST to put up a list of the names of persons entitled to vote at the general meeting on the notice board on the common property. It further requires that a copy of the minutes of a meeting of the council or executive committee be displayed on the notice board within seven days after the meeting. Furthermore, the strata roll of a condominium is generally available to the public.
What the Act Requires
Finally, M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15, wherein a moving company posted a customer’s address in a Facebook comment and refused to remove it until told to do so by the PDPC, provides us all with timely reminders of some of the obligations under the Act:
An appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the Act and sets general standards on the handling of personal data which staff are expected to adhere to.
In developing such policies, the framers have to focus upon the types of data that the organisation handles which may constitute personal data; the manner in and the purposes for which it collects, uses and discloses personal data; the parties to and the circumstances in which it discloses personal data; and the data protection standards under the Act.
A data protection policy is not the “be all and end all” of data protection. Specific practices, processes, procedures and real and effective measures need to be put in place by organisations.
Data protection officers ought to be appointed from the ranks of senior management. Recognition of the importance of data protection and the central role performed by a data protection officer has to come from the top of an organisation and ought to be part of the enterprise risk management frameworks. This would ensure that the board of directors and C-level executives are cognisant of the risks.
For further information, please contact:
Ho May Kim, Director, Duane Morris & Selvam
mkho@selvam.com.sg