For the first time since the Personal Data Protection Act (PDPA) came into force on 2 July 2014, the Personal Data Protection Commission (PDPC) of Singapore has published details of the enforcement actions that it has taken against organizations for breaching the provisions of the PDPA.
On 21 April, the PDPC published details of data protection enforcement actions taken against eleven organizations for breaching the provisions of the PDPA. The breaches generally involved the failure by organizations to implement proper and adequate protective measures or to make reasonable security arrangements to prevent the unauthorized disclosure of personal data. Financial penalties ranging from S$5,000 to S$50,000 were imposed on five organizations, while warnings were issued to the other organizations for less serious breaches.
The largest financial penalty of S$50,000 was imposed on K Box Entertainment Group Pte. Ltd., the operator of a chain of karaoke outlets in Singapore, for failing to implement proper and adequate protective measures to secure its IT system, which resulted in the unauthorized disclosure of the personal data of 317,000 of its members. Finantech Holdings Pte. Ltd., which had been engaged by K Box to develop and maintain its content management system, was also fined S$10,000 on a similar basis despite merely performing the function of a third-party service provider. While data intermediaries are partially exempted from the data protection obligations in the PDPA, this case reiterates that data intermediaries are also responsible for complying with the data protection provisions related to the protection and retention of personal data.
On the same day, the PDPC also issued the Advisory Guidelines on Enforcement of the Data Protection Provisions to provide guidance on the manner in which the PDPC will interpret the provisions of the PDPA as they relate to enforcement.