Singapore’s PDPC Takes Action Against 11 Firms For Data Privacy Breaches
April 22, 2016
This morning, Channel News Asia reported the imposition of a S$50,000 fine on popular Singapore karaoke chain, K Box Entertainment Group, for not having sufficient security measures to protect the personal data of 317,000 members.
Specifically, it was found that K Box failed to:
- Update security patches to ensure its IT system security was sufficiently robust,
- Assign a Data Protection Officer to develop or implement data protection policies, and
- Impose strong control over access to personal data.
A further financial penalty of S$10,000 was imposed on the IT vendor in charge of K Box’s content management system, Finantech Holdings, for failing to implement proper and adequate protective measures for the personal data in the system it had built and managed for K Box.
Other organisations that faced penalties or received warnings from the Personal Data Protection Commission of Singapore include the Institution of Engineers, Singapore; health supplements supplier Fei Fah Medical Manufacturing; Challenger Technologies; Metro; Xirlynx Innovations; Full House Communications; Singapore Computer Society; and Yes Tuition Agency.
Introduced in 2012, the Personal Data Protection Act (PDPA) of Singapore mandates that organisations must:
- Clearly inform the individual the purpose(s) for which personal data will be collected, used or disclosed and obtain his/her consent,
- Implement a formal process for the withdrawal of consent by individuals in respect of the collection, use or disclosure of their personal data,
- Limit the use of personal data collected to only purposes that you have obtained consent for,
- Make a reasonable effort to verify that the personal data kept are accurate and complete (i) prior to any use to make a decision that affects the individual or (ii) prior to disclosure; and
- Designate one or more individuals (who may be referred to as Data Protection Officers) to be responsible for ensuring that the data protection policies and practices of your organisation are in compliance with the PDPA.
Source: Personal Data Protection Commission Singapore, 2015
Personal data in this case includes, but is not limited to, the following:
- Full name
- NRIC or FIN number
- Passport number
- Photograph or video image of an individual
- Mobile telephone number
- Personal email address
- DNA profile
- Name and residential address
- Name and residential telephone number
PDPC Chairman Leong Keng Thai said the most common issue with the breaches has a lot to do with the adoption of inappropriate IT practices. The PDPC recognises that data plays a vital role in helping organisations innovate in today’s economy, and encourages the use of data in a responsible manner – just as you would handle commercially valuable information.
Singapore law requires that organisations must comply with the PDPA when collecting, using or disclosing personal data.
Does your organisation have a Data Protection Policy in place?
Find out how creating one can be easy, fast and affordable with Dragon Law’s web app:
Start a free trial
No minimum commitment, no credit card required.