In two recent decisions of the Personal Data Protection Commission (‘PDPC’), investigations were carried out under Section 50(1) of the Personal Data Protection Act 2012 (‘PDPA’) and financial penalties were imposed on the organisations found to be in breach. The circumstances which led the PDPC to take this step are set out below:

1. O2 Advertising Pte. Ltd., [2019] SGPDPC 32

An individual found that when he searched the internet for his own name and National Registration Identity Card (‘NRIC’) number on the search engine Google®, the results included a URL link to a database maintained by O2 Advertising Pte. Ltd. (‘O2’). The database contained the personal data of numerous individuals, including his own. He then lodged a complaint with the PDPC.

O2 provides advertising and marketing services in Singapore, and had collected the personal data of individuals during an advertising campaign conducted on behalf of one of its clients. The database, which held data relating to about 403 affected individuals, was indeed exposed to unauthorised access through the said URL. In addition, anyone who knew how to navigate to the root directory could have reached a second database containing the personal data of about 1,165 affected individuals.

Following its investigation, the PDPC held that O2 had breached Sections 11(3), 12, 24 and 25 of the PDPA, for failing to appoint a designated officer and to draw up appropriate policies governing compliance with the PDPA, as well as for failing to protect the personal data in its possession or under its control. Accordingly, the PDPC directed O2 to:

Pay a financial penalty of $10,000;

Appoint an individual responsible for ensuring O2’s compliance with the PDPA;

Develop and implement policies and practices that are necessary for O2 to meet its obligations under the PDPA; and

Inform the PDPC of the completion of each of the above directions within the stipulated timeframe.

2. Executive Link Services Pte. Ltd., [2019] SGPDPC 30

Executive Link Services Pte. Ltd. (‘ELS’), an employment agency, reported a data breach to the PDPC concerning the unintended disclosure of personal data stored on its server. The breach occurred during a trial period in which ELS had enabled remote access so that its staff could reach internal files stored on that server.

The PDPC investigated the incident and determined that ELS had breached its obligations under Sections 11(3) and 12 of the PDPA, for failing to appoint a designated officer and to draw up appropriate policies governing compliance with the PDPA.

However, the PDPC took into consideration that ELS closed the remote access on the same day it discovered the breach and came forward to self-report. ELS also took further remedial steps: it shut down the server permanently and replaced it with a new one, appointed a cyber security firm to conduct a network vulnerability assessment of the server, appointed a personal data officer, drew up policies, and trained its staff on the handling of personal data. Taking these mitigating factors into account, the PDPC directed ELS to pay a financial penalty of $5,000.


A version of this article first appeared in the GALA Passle. For more information, visit http://blog.galalaw.com/.