News

Review of Recent PDPC Decisions - March 2020

Mar 31 2020 | by OrionW

Key Takeaways

From selected decisions of Singapore’s Personal Data Protection Commission (PDPC) issued in March 2020:

  1. Organisations must implement reasonable security arrangements to protect personal data.
  2. When engaging an agent or vendor to handle personal data, organisations must have a written agreement requiring the agent or vendor to comply with the PDPA and to implement practices that carry out these obligations.
  3. As emphasised in previous decisions, organisations must appoint a Data Privacy Officer (DPO) and implement data protection policies to meet their obligations under the PDPA.
  4. Proper training is a key component in an organisation’s PDPA compliance program.

Cases

  1. In the matter of Investigation under Section 50(1) of the Personal Data Protection Act 2012 (PDPA) of (1) Management Corporation Strata Plan No. 3593 (MC3593), (2) Edmund Tie & Company Property Management Services (ETCPM) and (3) New-E Security Pte Ltd (New-E)

A resident-owner requested for the closed-circuit television (CCTV) footage of the common premises of a condominium from a New-E Security Advisor.  The Security Advisor sent the footage to the resident-owner without permission or authority from MC3593 or its managing agent, ETCPM.

After hearing of the resident-owner’s request, MC3593 decided not to disclose the requested footage.  ETCPM then conveyed the decision to the Security Advisor.   However, neither MC3593 nor ETCPM were aware that the Security Advisor had already disclosed the CCTV footage to the resident-owner.  The CCTV footage was later found to have been uploaded to a popular social networking site.

Upon discovery of the Incident, MC3593 immediately took remedial actions.  It appointed a DPO and implemented its Personal Data Protection Policy and Standard Operating Procedure in compliance with the PDPA.  New-E also developed its own data protection policy and operation procedure on personal data protection for all its employees.

PDPC Decision

The PDPC found MC3593 to have breached the PDPA for failing to protect personal data, for failing to designate a DPO, and for failing to develop practices and policies that are necessary to implement the provisions of the PDPA.  MC3593 also admitted that it had not given any data protection instructions to either ETCPM or New-E in violation of its primary responsibility to ensure that its data intermediaries will comply with the provisions of the PDPA and implement practices that carry out these obligations.  The PDPC ordered MC3593 to pay a financial penalty of $5,000.

The PDPC also found New-E to be in breach of its obligation under the PDPA to protect personal data and ordered it to put into place a data protection policy and internal guidelines, including procedures for proper management and access control in respect of CCTV footage.

  1. In the matter of Investigation under Section 50(1) of the Personal Data Protection Act 2012 of (1) Management Corporation Strata Plan No. 4375 (MC4375), (2) Smart Property Management (Singapore) Pte Ltd (Smart Property) and (3) A Best Security Management Pte Ltd (A Best Security).

Similar to the first case, a Senior Security Supervisor of A Best Security shared CCTV footage of an accident in a mall’s car park lift lobby with several personnel of A Best Security and Smart Property who had requested the footage.  This was done without the approval and prior knowledge of MC4375.

The CCTV footage was posted in a video-sharing website and subsequently made available through various other websites.  

After discovering the Incident, MC4375 replaced Smart Property with a new managing agent and issued an internal memo to its employees specifying that there shall be no distribution of documents or media materials from the management office without prior approval from the management council of MC4375.

PDPC Decision

MC4375 was found to have breached the PDPA for failing to protect personal data when it did not provide any instructions to A Best Security or Smart Property in relation to requests for access to personal data, as well as the management of CCTV footage in general. In addition, the PDPC found that MC4375 did not develop or put in place any data protection policies as required by the PDPA.  While no financial penalty was imposed, the PDPC instructed MC4375 to develop and implement policies and reasonable security arrangements for the protection of personal data.  As part of its security arrangement, it was also tasked to conduct training to ensure its staff are aware of and will comply with the requirements of the PDPA.

A Best Security was found to have failed to adopt a written policy regarding the disclosure of personal data and CCTV footage.  The PDPC ordered A Best Security to develop and implement policies and reasonable security arrangements for the protection of personal data.

  1. In the matter of Investigation under Section 50(1) of the Personal Data Protection Act 2012 and SSA Group International Pte Ltd (SSA)

Around 53 individuals’ course registrations were publicly accessible via a webpage managed by SSA.  The information disclosed included course titles, sponsorship type, information on how the registrant knew about SSA and date of transaction. 

PDPC Decision

The PDPC found that SSA did not take reasonable action to protect the personal data, as there was no authentication mechanism to limit access to the webpage and there were no formal instructions provided to the developer of the webpage to protect its contents.  In addition, there was no security review of the webpage by SSA since its creation.

The PDPC found SSA to be in breach of its obligation to protect personal data under the PDPA.  The PDPC issued a warning to SSA after taking into consideration the remedial measures taken by the organisation, the type of personal data at risk, the inadvertent nature of the breach and the absence of a previous breach.  No further directions were given as SSA had already implemented corrective measures that addressed the gaps in its security arrangements.

Disclaimer: This article is for general information only and does not constitute legal advice.