Out-Law / Your Daily Need-To-Know

Singapore data protection data gives insight on future enforcement, says expert

Out-Law News | 21 Apr 2016 | 2:52 pm | 1 min. read

Singapore's Personal Data Protection Commission (PDPC) has released details for the first time of the enforcement actions it has taken on data protection cases.

The information gives insight into how the Commission is likely to tackle future cases, said Singapore-based Bryan Tan of Pinsent Masons, the law firm behind Out-Law.com.

The PDPC gave details of nine cases where companies were fined or warned for failure to comply with the data protection provisions of the Personal Data Protection Act (PDPA).

The largest fines, of SIN$50,000 ($37,100) and SIN$10,000, were imposed on K Box Entertainment Group and its data intermediary Finantech Holdings for "failing to implement proper and adequate protective measures to secure its IT system", resulting in the unauthorised disclosure of the personal data of 317,000 K Box members, the PDPC said.

K Box failed to effectively manage its vendor, Finantech, to ensure that it undertook adequate measures to protect members’ personal data, the PDPC said.

K Box was also "issued directions and penalised for the absence of a data protection officer", the regulatory body said. K Box had admitted that it did not have a comprehensive privacy policy prior to 16 September 2014, the PDPC said.

"This is the first time the PDPC has released decisions on breaches other than of the Do Not Call provisions and the decisions indicate what approach it will take in future," Tan said.

"For instance, where vendors are involved, the vendors could be classified as intermediaries and subject to the protection obligations under the PDPA. Where the breach involves a significant number of data subjects and information of a sensitive nature, fines would be levied. We note, too, that the PDPC carried out enforcement action in terms of warnings where the breaches were less significant, such as not ensuring a computer screen with personal data was obscured from public view," Tan said.

"The K Box announcement also revealed that some organisations were not prepared for the PDPA which came into effect on 2 July 2014, to the extent of not even having a privacy policy available to the public," Tan said.