In one of this year’s heaviest penalties imposed by Singapore’s Personal Data Protection Commission (PDPC), popular karaoke chain K Box Entertainment Group was fined S$50,000 for not putting in place sufficient security measures to protect the personal data of 317,000 members.
Based on a report by Channel News Asia, it was specifically found that K Box had failed to:
- Update security patches to ensure its IT system security was sufficiently robust,
- Assign a Data Protection Officer to develop or implement data protection policies, and
- Impose strong control over access to personal data.
A further financial penalty of S$10,000 was imposed on the IT vendor in charge of K Box’s content management system, Finantech Holdings, for failing to implement proper and adequate protective measures for the personal data in the system it had built and managed for K Box.
Other organisations that faced penalties or received warnings from the Personal Data Protection Commission of Singapore include: Institution of Engineers, Singapore and health supplements supplier, Fei Fah Medical Manufacturing. Challenger Technologies, Metro, Xirlynx Innovations, Full House Communications, Singapore Computer Society and Yes Tuition Agency.
Introduced in 2012, the Personal Data Protection Act (PDPA) of Singapore mandates that organisations must:
- Clearly inform the individual the purpose(s) for which personal data will be collected, used or disclosed and obtain his/her consent,
- Implement a formal process for the withdrawal of consent by individuals in respect of the collection, use or disclosure of their personal data,
- Limit the use of personal data collected to only purposes that you have obtained consent for,
- Make reasonable effort to verify that the personal data kept are accurate and complete (i) prior to any use to make a decision that affects the individual or (ii) prior to disclosure; and
- Designated one or more individuals (who may be referred to as Data Protection Officers) to be responsible for ensuring that the data protection policies and practices of your organisation are in compliance with the PDPA (Source: PDPC, 2015)
Personal data in this case includes but are not limited to the following:
- Full name
- NRIC or FIN number
- Passport number
- Photograph or video image of an individual
- Mobile telephone number
- Personal email address
- DNA profile
- Name and residential address
PDPC Chairman Leong Keng Thai said the most common issue with the breaches has a lot to do with the adoption of inappropriate IT practices. The PDPC recognises that data plays a vital role in helping organisations innovate in today’s economy and encourages the use of data in a responsible manner.
Singapore law requires that organisations must comply with the PDPA when collecting, using or disclosing personal data.
This is a guest article written by Dragon Law, first published on the Dragon Law blog and updated in August 2016 to reflect accurate information about the PDPA.
Dragon Law is the trusted platform to manage law online.
Founded in Hong Kong in 2013, our mission is to transform the way businesses meet their legal needs. Our simple question-and-answer interface gathers key insights about your business, and generates highly-customised contracts that address your specific needs. We give business owners the know-how and confidence to create even the most complex legal documents from start to finish.
Experience the new face of business law. Start a no-obligation free trial today.