Two businesses have been fined a total of S$13,000 for breaching Singapore’s data protection law.
The first decision involved a carpooling service operated by GrabCar through an app.
Twenty drivers had their accounts suspended for flouting the platform’s usage rules. They were allowed to submit an appeal by filling in a Google form with their name, national registration identification card number, mobile number, vehicle licence number and appeal statement.
A GrabCar employee uploaded the completed Google form incorrectly, which allowed all of the drivers to view each other’s personal data on the form.
The commission’s findings were as follows:
- GrabCar failed to protect the personal data of its drivers, as it ought to have trained its employees on how to use Google forms properly.
- Regardless of whether it knew about or approved an employee’s act, an employer is automatically responsible for any contravention of Singapore’s data protection law, so long as that conduct was carried out in the course of employment.
- While business contact information is exempt, the exemption covered only the names and mobile numbers of the GrabCar drivers, not their vehicle licence numbers and national registration identification numbers, since the latter are not means of contacting the drivers.
- The business contact information exemption did not apply at all to GrabHitch drivers, who were non-commercial private car owners who carpooled with people commuting along the same route.
- A penalty of S$6,000 was imposed.
The commission found that GrabCar did not have any policies or procedures to guide its employees on the use of Google forms nor did it provide any training. Given that the law imputes liability on employers for their employees’ contravening conduct, businesses should put in place robust data protection training and operational processes to ensure compliance.
In light of the recently issued guidelines restricting the use of national identification information in Singapore, businesses should also take active steps to minimise any collection and use of such sensitive personal data going forward.
Club the Chambers
In the second decision, a local area network gaming centre posted notices displaying photocopies of the identity documents of 11 individuals who were banned from entry. These identity documents included a student’s pass, an employment pass and an army identity card.
Remarks on the reasons for banning these persons were also included on the notices, for instance, “caught for stealing iPhone” and “banned for surfing pornography”.
- The commission determined that the gaming centre clearly did not obtain consent for disclosing the personal data found in the notices.
- It also considered that the disclosure was for a purpose that a reasonable person would not consider as appropriate in the circumstances, and hence contravened section 18(a) of the Personal Data Protection Act.
- More specifically, although the intention may have been to enable the gaming centre staff to identify players banned from entry, publicly displaying the notices seemed to have more of a ‘name and shame’ objective rather than mere blacklisting.
- A penalty of S$7,000 was imposed.
While not explicitly discussed in the decision itself, the consent and purpose limitation obligations are separate and distinct. An organisation must always ensure that the purposes for which it may use personal data are what a reasonable person would consider as appropriate in the circumstances.
The commission also clarified that a failure to challenge or demand that the notices be removed was not unequivocal consent to them being displayed. Organisations should be cautious when trying to rely on deemed consent, and even if deemed consent were to apply, it would be good practice to document the necessary details of this so as to demonstrate compliance with relevant data protection obligations.