E-briefing: Singapore’s Data Protection Update for Q1 2020

14 Apr 2020

Recent Developments in Enforcement

Data breach risks are serious, and breaches happen more often than one may think. In Q1 2020 alone, the Personal Data Protection Commission (the “PDPC”) heard a total of 17 data breach cases. The PDPC handed down fines in the majority of these cases, totalling S$161,000, and imposed warnings and/or directions in the remaining cases. These data breaches stemmed from the organisations’ failure to:

  • Put in place reasonable security arrangements for the protection of personal data;
  • Develop and/or implement data protection policies and proper practices in the treatment of personal data;
  • Conduct data protection training for employees; and/or
  • Appoint relevant personnel to ensure compliance with the Personal Data Protection Act (the “PDPA”).

These failings resulted in data exposure, unintended spam/mass emails, ransomware attacks and hacking, leading to the unauthorised disclosure of individuals’ data.

In two recent cases, the PDPC found that two management corporations and their security service providers had violated the PDPA. In both cases, employees of the security service providers had used their smartphones to disseminate extracts of closed-circuit television (“CCTV”) footage of identifiable individuals. Copies of the extracts subsequently made their way onto the internet. In both cases, the PDPC found that the management corporations had not put in place written agreements with clauses requiring their security service providers to comply with the relevant data protection provisions under the PDPA, nor provided them with instructions on access to personal data and the management of CCTV footage.

COVID-19 Advisory issued by the PDPC

In response to the recent COVID-19 situation, the PDPC has issued an advisory on the collection, use and disclosure of personal data of visitors of organisations for COVID-19 contact tracing and other response measures in the event of an emergency. For such purposes and within the specified parameters highlighted by the PDPC, certain personal data (e.g. NRIC, FIN, passport and any other identification numbers) may now be collected, used and disclosed without obtaining the individual’s consent, if doing so is necessary to respond to an emergency that threatens the life, health or safety of the individual.

As highlighted in our previous e-briefing titled “Guide on the Collection, Use and Disclosure of NRIC and other National Identification Numbers”, organisations are generally not allowed to collect, use and disclose the NRIC and other national identification numbers of individuals.

Summary of Developments

To keep you updated in the ever-evolving data environment, we have compiled in the table below a summary of the above recent developments, steps and measures advanced by the PDPC in Singapore.

Development

Summary

Date

Links

Globalsign.in Pte Ltd was fined for data breach

Globalsign.in Pte Ltd (“Globalsign.in”), an email marketing service provider, was fined SGD 34,000 by the PDPC after its mass emailing system was accessed without authorisation in August 2017 and abused to send spam emails to 149,172 email addresses belonging to its client’s customers. The PDPC found that Globalsign.in had failed to put in place reasonable security arrangements to prevent the cyber-attack and had also failed to remove personal data which was no longer necessary for legal or business purposes.

9 January 2020

PDPC Decision

SAFRA National Service Association was fined for data breach

SAFRA National Service Association (“SAFRA”) was fined SGD 10,000 by the PDPC for failing to put in place proper work processes for the sending of mass emails. An employee of the organisation had sent out emails attaching an Excel spreadsheet containing personal data of certain members of the organisation’s shooting club to other members.

SAFRA was also directed to review its internal processes, and to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members.

9 January 2020

PDPC Decision

National Healthcare Group Pte Ltd was fined for data exposure

National Healthcare Group Pte Ltd was fined SGD 6,000 by the PDPC for failing to put in place reasonable security arrangements to protect a list containing the personal data of partner doctors and members of the public from being publicly accessible online.

9 January 2020

PDPC Decision

PeopleSearch Pte Ltd was fined for data breach

PeopleSearch Pte Ltd (“PeopleSearch”) was fined SGD 5,000 by the PDPC for failing to put in place reasonable security arrangements to protect the personal data of its clients. This resulted in PeopleSearch suffering a ransomware attack.

9 January 2020

PDPC Decision

Society of Tourist Guides (Singapore) was fined for data exposure

Society of Tourist Guides (Singapore) was fined SGD 20,000 by the PDPC for leaving its members’ data exposed on its website, failing to appoint a data protection officer and failing to have in place written policies and practices necessary to ensure its compliance with the PDPA.

9 January 2020

PDPC Decision

Creative Technology Ltd was fined for data breach

Creative Technology Ltd was fined SGD 15,000 by the PDPC after its online support forum (the “Forum”) was hacked sometime in mid-2018, resulting in the unauthorised disclosure of personal data of users of the Forum.

9 January 2020

PDPC Decision

L’Oréal Singapore Pte Ltd received a warning for data exposure

L’Oréal Singapore Pte Ltd received a warning from the PDPC for exposing the personal data of seven individuals to the risk of unauthorised disclosure as a result of the company’s failure to ensure appropriate testing of its website or make other security arrangements to protect personal data.

9 January 2020

PDPC Decision

Singapore Telecommunications Limited was fined for data exposure

Singapore Telecommunications Limited was fined SGD 9,000 by the PDPC after it exposed the personal data of 750 of its subscribers to the risk of access by other subscribers.

11 February 2020

PDPC Decision

SCAL Academy Pte Ltd was fined for data exposure

SCAL Academy Pte Ltd, a company which provides courses, seminars and workshops, was fined SGD 15,000 by the PDPC for the exposure of personal data of its registrants. The personal data of the registrants was publicly accessible when an online search was done.

11 February 2020

PDPC Decision

SPH Magazines Pte Ltd was fined for data breach

SPH Magazines Pte Ltd was fined SGD 26,000 by the PDPC after the account of a senior moderator of its HardwareZone forum site (the “Forum”) was accessed by an unknown hacker who used the senior moderator’s credentials to retrieve personal data of members of the Forum.

11 February 2020

PDPC Decision

Royal Caribbean Cruises (Asia) Pte Ltd was fined for data breach

Royal Caribbean Cruises (Asia) Pte Ltd was fined SGD 16,000 by the PDPC for failing to put in place reasonable security measures to protect the personal data stored in the company’s receipt system. The company’s failure resulted in its receipt system suffering a ransomware attack affecting the personal data of about 6,000 customers.

11 February 2020

PDPC Decision

NTUC Income Insurance Co-Operative Limited received a warning for data exposure

NTUC Income Insurance Co-Operative Limited was given a warning by the PDPC for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data to users making enquiries through its website. 123 users received automated acknowledgement emails with attached files containing personal data belonging to 17 individuals.

11 February 2020

PDPC Decision

AXA Insurance Pte Ltd received a warning for data breach

AXA Insurance Pte Ltd was given a warning by the PDPC for sending an email containing the personal data of 87 individuals to an unintended recipient.

11 February 2020

PDPC Decision

Directions were imposed on Henry Park Primary School Parents’ Association for data exposure

Henry Park Primary School Parents’ Association (“Association”) had exposed the personal data of its parent volunteers. The personal data of parent volunteers was publicly accessible when an online search was done.

The Association was directed by the PDPC to appoint a data protection officer, develop and implement internal data protection and training policies, and to put all volunteers handling personal data through data protection training.

11 February 2020

PDPC Decision

Advisory on Collection of Personal Data for COVID-19 Contact Tracing

The PDPC issued an advisory on the collection, use and disclosure of personal data of visitors of organisations (including visitors’ national identification numbers) for COVID-19 contact tracing and other response measures in the event of an emergency.

13 February 2020

PDPC Advisory

Directions were imposed on Management Corporation Strata Title Plan No. 4375 and A Best Security Management for data breach

The PDPC found that Management Corporation Strata Title Plan No. 4375 (“MCST 4375”) and A Best Security Management (“ABSM”) had failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall (the “CCTV Footage”). Copies of the CCTV Footage were uploaded onto the internet.

MCST 4375 was directed by the PDPC to implement policies necessary for the protection of personal data in its possession and/or under its control, put in place reasonable security arrangements for the protection of personal data, and conduct training to ensure that its staff are aware of and will comply with the requirements of the PDPA.

ABSM was directed by the PDPC to put in place reasonable security arrangements including policies necessary for the protection of personal data in its possession and/or under its control.

19 March 2020

PDPC Decision

Management Corporation Strata Title Plan No. 3593 was fined and directions were imposed on New-E Security Pte Ltd for data breach

The PDPC found that Management Corporation Strata Title Plan No. 3593 (“MCST 3593”) and New-E Security Pte Ltd (“New-E”) had failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of a common property at Marina Bay Residences (the “CCTV Footage”). The CCTV Footage had captured images of identifiable individuals who had passed through the common property.

For the violation of the PDPA, the PDPC imposed a fine of SGD 5,000 on MCST 3593, and New-E was directed to put in place a data protection policy and internal guidelines, including procedures for proper management and access control in respect of CCTV footage.

19 March 2020

PDPC Decision

SSA Group International Pte Ltd received a warning for data breach

SSA Group International Pte Ltd was given a warning by the PDPC for failing to put in place reasonable security arrangements to prevent the unauthorised access of 53 individuals’ course registration information, which was publicly available via its webpage.

19 March 2020

PDPC Case

Memorandum of Understanding between the Personal Data Protection Commission and Office of the Australian Information Commissioner

A Memorandum of Understanding (the “MOU”) between the PDPC and the Office of the Australian Information Commissioner (the “OAIC”) was signed.

The MOU would also enable Singapore and Australia to develop compatible and interoperable data transfer mechanisms which will allow businesses operating in both countries to transfer personal data more seamlessly across borders with the assurance that they meet the requisite regulations.

25 March 2020

PDPC Press Release

Eversheds Harry Elias Cybersecurity, Privacy and Data Protection Practice Group

Eversheds Harry Elias regularly provides advice on and has extensive experience in advising and successfully representing multinational companies in Cybersecurity, Privacy and Data Protection. We acknowledge the contributions by Mr Leonard Saw, Law Trainee, in the preparation of this summary.

For further information, contact:

Francis Goh

Practice Lead Partner & Head of International Arbitration

Private Wealth Management

francisgoh@eversheds-harryelias.com

+65 6361 9835

K.K. Lim

Of Counsel

& Head, Cybersecurity, Privacy and Data Protection

kklim@eversheds-harryelias.com

+65 6361 9307

Valencia Soh

Associate

valenciasoh@eversheds-harryelias.com

+65 6361 9829

For more information, please contact our Business Development Manager, Ricky Soetikno at rickysoetikno@eversheds-harryelias.com