On 21 April 2016, Singapore's Personal Data Protection Commission (PDPC) published its decisions on action taken against organisations in breach of provisions relating to the collection, use and disclosure of personal data under the Personal Data Protection Act 2012 (the PDPA). There were nine published decisions involving 11 organisations in total – four organisations were slapped with fines while the other seven were issued with warnings for failure to protect consumers' personal data.

The provisions of the PDPA that were breached mainly related to the organisations' failure to implement adequate data protection measures, including failure to appoint a data protection officer, failure to update the software containing customer information, and the use of weak passwords (such as those comprising only one letter of the alphabet).

The highest fine of S$50,000 was meted out to the operator of a chain of karaoke outlets for a data security breach involving unauthorised disclosure of over 317,000 individuals' personal data. The operator's IT vendor was also found guilty and fined S$10,000 despite being a third-party service provider (and therefore a data intermediary). While data intermediaries are partially exempted from the data protection obligations in the PDPA, this decision reiterates that data intermediaries are also responsible for complying with the provisions related to the protection and retention of personal data (including protecting the personal data that it was processing on behalf of the operator of the karaoke outlets).

From these decisions, it can be distilled that the PDPC will take into account the organisation's initial response to the breach and the level of co-operation throughout the investigations when deciding on the appropriate penalty. For example, the operator of the chain of karaoke outlets was found to be less than forthcoming in providing information during the investigations and provided bare facts in their responses – this was found to be an aggravating factor in deciding the penalty to be meted out.

On the same day that the above decisions were published, the PDPC also published the advisory guidelines relating to the enforcement of the data protection provisions in the PDPA and regulations. The guidelines, although non-binding, indicate how in practice the PDPC proposes to handle complaints, reviews and investigations of breaches of data protection rules, and its approach to enforcement and sanctions. The guidelines indicate that the PDPC will take into account the time taken by the organisation alleged to be in breach to resolve a matter, whether the breach was intentional, repeated or ongoing, any obstruction or concealment of information, the failure to comply with previous warnings as well as the nature and volume of sensitive personal data held by the organisation.

These latest decisions, together with the new guidelines, serve as a reminder to organisations of the consequences of failing to comply with the PDPA. In addition, given the scale of the penalties that may be meted out, they serve to impress on all organisations the seriousness of the consequences of any breaches of PDPA obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.