SINGAPORE - Personal information is still being improperly collected, used and disposed of, even though there is a new law to protect personal data.
Seventy organisations - especially those in retail, healthcare and property - are under investigation following complaints that they used e-mail addresses and other personal information for marketing purposes or collected identity card and other personal details without prior consent.
If found guilty under the Personal Data Protection Act, which came into effect last July, they can be fined up to $1 million.
Another 70 complaints against retailers, property companies and various other organisations were resolved after the authorities brought together the parties and complainants to discuss the matter.
The Personal Data Protection Commission (PDPC) which enforces the Act said no financial penalties were imposed in the cases resolved.
The investigations were conducted under the Act which has two pillars: the Do Not Call (DNC) Registry and personal data protection.
Much of the initial attention was focused on the DNC Registry which was implemented in January last year and lets people opt out of having telemarketing messages sent to their mobile phones.
The personal data protection part of the Act makes it necessary for organisations to take measures to protect names, IC and passport numbers, addresses and other personal data in their possession.
This is to prevent the unauthorised collection, use and disclosure of such information.
That means these organisations must ensure that such information is properly disposed of as well.
But a recent check by The Sunday Times in the Raffles Place area found that documents containing personal information are still being thrown out in the trash from offices in high-rise buildings there.
Among other things, The Sunday Times found photocopies of passports, resumes of various professionals and details of commissions paid to property agents.
Most of the documents had the names and logos of local and foreign banks and other companies, and they included reports on industrial projects in Japan and Indonesia and project progress reports.
All were marked confidential or strictly confidential.
There were also printouts of e-mail with addresses, names and telephone numbers. The documents were dated from 2013 to this year.
Access to the rubbish bins was easy. One karung guni man, who was seen sorting out the documents into neat piles, said he would sell them to recycling companies.
Corporate information does not come under the purview of the commission, which is concerned only with personal data protection.
When told of The Sunday Times' findings, PDPC chairman Leong Keng Thai said he was very concerned.
"Organisations are strongly advised to put in place processes to ensure the proper disposal of documents containing personal data," he said.
The commission has helped to raise awareness of the requirements of the new law by working with industry groups to run briefings, workshops and seminars.
So far, more than 18,000 people from over 3,400 organisations have attended these events.
Another 7,500 people have attended work-skills qualification courses or accessed e-learning courses on the Act's requirements.
In May, the commission will conduct a personal data protection seminar, called Securing Personal Data for a Competitive Edge, aimed at organisations and companies.
Guidelines on ways to keep personal data secure and manage data breaches will be issued later this year.
Sample templates will be provided for organisations to seek consent from individuals for the collection, use or disclosure of their personal data.