First batch of personal data offenders slapped with fines, warnings

The Straits Times

ELEVEN organisations - among them household names Challenger Technologies, Metro, K BOX Entertainment Group and Singapore Computer Society - have been fined or warned for breaching data protection obligations under the Personal Data Protection Act (PDPA).

The enforcement actions were announced on Thursday by the Personal Data Protection Commission (PDPC), in its first round of decisions on personal data protection since the PDPA came into force in July 2014.

K Box was slapped with the largest financial penalty of S$50,000 for failing to put in place sufficient security measures to protect the personal data of 317,000 members, to have adequate data protection policies or to appoint a data protection officer. Information on its members was found to have been leaked and uploaded on public text storage site in September 2014.

Finantech Holdings, the IT vendor in charge of K Box's content management system, has been fined S$10,000. As K Box's data intermediary, Finantech did not "patch security vulnerabilities" in K Box's IT system which held customers' personal data. And the password used for its administrator account was "admin", described as a weak password by PDPC.

The Institution of Engineers Singapore has also been fined S$10,000 for not implementing adequate security measures, which led to the unauthorised disclosure in October 2014 of personal data - contact numbers, passwords etc. - of over 4,000 members. For a similar breach that affected more than 900 customers in September 2014, health supplements supplier Fei Fah Medical Manufacturing was penalised S$5,000.

Warnings were issued to six organisations for lapses in handling personal data, namely Challenger Technologies, its IT vendor Xirlynx Innovations, consumer home show organiser Full House Communications, Metro, Singapore Computer Society and YES Tuition Agency.

Universal Travel Corporation (UTC) has been "issued directions" by the PDPC to improve its personal data protection policies following wrongful disclosure of 37 tour customers' personal data to four individuals. The directions include having UTC inform the four individuals to not disclose the data to third parties, and send their employees for PDPA training.

The PDPC said on Thursday that it considered the "severity" of non-compliance of the cases to determine the type of enforcement action taken, such as whether the organisation had taken reasonable measures to prevent the data breach, the number of individuals affected or may be affected, and the manner in which the organisation responded to the breach.

PDPC chairman Leong Keng Thai said: "The enforcement actions taken are not to deter the use of personal data for business competitiveness. We recognise that data is essential for innovation in today's economy."

He added that the key was to treat personal data as any other "commercially sensitive or valuable" information.

The PDPC has received 667 complaints to-date, of which 34 per cent were resolved through investigations and facilitation between the respective organisations and individuals, and 58 per cent were closed.

John Yong, a senior vice-president at cybersecurity firm Quann, told The Business Times that organisations ought to be aware of their obligations towards safeguarding their clients' personal data, with or without the PDPA. "This is to prove and to provide confidence that the firm can ensure client data is not misused or abused."

Challenger, which was issued a warning by the PDPC for its IT vendor's failure to prevent unauthorised disclosure of its members' personal data while sending out e-mail, said that it had taken immediate steps to remedy the error. These include terminating the vendor's services, and hiring Straits Interactive to review its business processes where personal data may come into play.

Said a PDPC spokesman: "Data protection legislation is increasingly seen as a basic in an economy's legal framework. The lack of a data protection regime potentially hinders the flow of information across borders, and disadvantages Singapore businesses in the global economy."

This article was first published on April 22, 2016.
Get The Business Times for more stories.