Personal Data, Singapore – What & Why

*v2 – Dec 2019: added 4th Why.

What does Personal Data mean?

1. What is personal data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc.) which, when taken together, would be able to identify the individual. For example: Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.

Frequently Asked Questions. (updated 18 Nov 2019). http://www.ifaq.gov.sg/pdpc/apps/Fcd_faqmain.aspx?FAQ=70555. Personal Data Protection Commission (PDPC), Singapore.

Application of the Personal Data Protection Act
The PDPA covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

  • Any individual acting on a personal or domestic basis.
  • Any employee acting in the course of his or her employment with an organisation.
  • Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
  • Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. They do not supersede existing statutes, such as the Banking Act and Insurance Act, but work in conjunction with them and with the common law.

Overview. (7 Aug 2018). https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview. PDPC, Singapore. 

Why does it matter?

1. Reputational Damage

2. Legal Costs

3. Moral Obligation to take proper care of others’ information e.g. to prevent identity fraud, hacking etc.

4. Better data management, for instance removing unneeded information and organising what remains, would improve understanding of customer needs and help promote targeted marketing for future income.

Consider the judgments below, published online by the PDPC; they stretch across diverse sectors in Singapore:

04 Nov 2019
Breach of the Protection Obligation by Tan Tock Seng Hospital
A warning was issued to Tan Tock Seng Hospital for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its patients. 85 notification letters asking patients to reschedule appointments were sent to wrong addresses.

04 Nov 2019
Breach of the Protection Obligation by Ninja Logistics
Directions, including a financial penalty of $90,000, were imposed on Ninja Logistics for failing to put in place reasonable security arrangements to protect customers’ data in relation to the Tracking Function Page on the Ninja Logistics website. This resulted in customers’ data on the website being accessible to the public.

04 Nov 2019
Breach of the Protection Obligation by Singtel
A financial penalty of $25,000 was imposed on Singtel for failing to put in place reasonable security arrangements to protect the personal data of users on its My Singtel mobile application.

10 Oct 2019
Breach of the Protection and Accountability Obligations by Advance Home Tutors
A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors, and for not developing and implementing the data protection policies and practices necessary to ensure its compliance with the PDPA.

10 Oct 2019
Breach of the Protection Obligation by Barnacles
A warning was issued to Barnacles Pte. Ltd. for failing to put in place reasonable measures to protect the personal data of individuals who had made dining reservations via its website; and retaining such personal data when it no longer had any legal or business purpose to retain it. As a result, the personal data of 149 individuals were accessible over the Internet.

10 Oct 2019
Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant
Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes.

06 Sep 2019
Breach of the Accountability Obligation by Executive Link Services
A financial penalty of $5,000 was imposed on Executive Link Services for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.

06 Sep 2019
Breach of the Protection, Retention and Accountability Obligations by O2 Advertising
Directions, including a financial penalty of $10,000, were imposed on O2 Advertising for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect individuals’ personal data collected from an advertising campaign and did not cease retention of such data when it was no longer required. The organisation was also directed to appoint a data protection officer and put in place data protection policies and practices.

For the latest refer to Data Protection Enforcement Cases on the PDPC website.

Related

Skeleton for Cyber/Data Security SOP

*Version 2 – added inputs from Chapters 1 and 5 of Allison Cerra’s The Cybersecurity Playbook. (2019). Wiley, New Jersey, US.

To begin, note that both aspects overlap but distinctions remain. Data found on a cloud drive or electronic medium comes under cyber and data security while data in hardcopy remains under data security.

SOP (Standard operating procedure) and/or policies can be implemented for different functions and complemented by a general one. And yes, review these SOPs/policies regularly!

General / Data Protection Officer (DPO) / Cyber Security Officer (CSO)

  • DPOs and CSOs should keep abreast of threats or legal judgments
    • In Singapore, this comes from the Personal Data Protection Commission (PDPC) and Singapore Computer Emergency Response Team (SingCERT)
    • Thereafter, they could disseminate selected judgments or trends on a quarterly basis.
    • The cyber threat alerts should be shared as soon as possible to prevent attacks.
    • Generally, DPOs and CSOs should undergo training and/or read up on books/magazines in their areas as well. Role modelling is vital!
  • The definition of personal data under local laws must be established and shared within the organisation; like judgments, it could be communicated from time to time to reinforce a data-secure culture.
  • There should be a vision of what a secure cyber/data landscape looks like.
  • Audits and enforcement depend on senior management support and would be executed accordingly.
  • Actionable tasks
    • regular changing of secure passwords, e.g. yearly
    • immediate deletion of password reset emails
    • securing passwords e.g. writing them on paper and locking them up, usage of password manager
    • reminding all to ensure emails/accounts are logged off when they leave their workstations or at the end of the day
    • using thumbdrives/flashdrives with encryption
    • encouraging separate thumbdrives/flashdrives for work and personal use
    • encouraging regular virus and malware scans (boot-up scans, which could detect threats concealed while the computer is running; whole-system scans; and specific/targeted scans, e.g. of thumbdrives/flashdrives)
    • ensuring timely updates and patches of programmes
    • encrypting documents/data on IT platforms
    • regular backing up of documents/data
    • multiple factor authentication e.g. mobile phone one-time-password (OTP) and password to access email
    • establishing up to date cyber/data training programmes which may be tied to performance indicators
    • ensuring updated IT security systems/platforms
    • ensuring access hygiene (through IT, Legal, and Human Resources) i.e. removing those who no longer need to see/view/edit the data/system (including vendors/temporary staff); specific individuals should be designated to review access rights regularly
    • creating a safe whistleblower programme to pre-empt employees with malicious intent
    • giving reward/recognition to employees who contributed to data/cybersecurity [final 3 points from The Cybersecurity Playbook]

Hardcopy Data

Cyber or Online data

  • Time limits need to be set regarding how long data should be kept
    • An individual worker or officer should be assigned to dispose of it accordingly.

Notes

Cerra works for McAfee, Inc., a computer security software company, as a Senior Vice President. [According to Bloomberg, the headquarters are at 2821 Mission College Blvd, Santa Clara, CA 95054, United States. It employs 6,210 people. See https://www.bloomberg.com/profile/person/17548903 (accessed 30 Nov 2019)]

Big Data – Case Studies

*Version 1 [I hope to add more examples soon]

Risk Assessment – Loans, Insurance, Fraud, and Marketing

Experian, a credit reference organisation, uses data to help others gauge repayment and insurance risks, and to prevent fraud and identity theft. It operates in the UK and US. Experian works with healthcare providers, insurers, banks, and used car buyers. They also use the data for marketing.

They utilise Mosaic. This classifies people into 67 types and 15 groups. Such groups include “urban cool” – high achievers who rent or own properties in ‘fashionable city locations’; “professional rewards” – seasoned professionals in rural/semi-rural regions living in financial ease; “global fusion” – young workers of diverse ethnicities staying in large city terraces.

To limit fraud, Experian tracks 282 characteristics of people: transaction amount, physical location, prior behaviour, etc.

They run Hadoop on the Linux operating system to store the data. On top of this, they apply Apache Hive (to analyse the data) and Tableau to present the data in numbers and graphs (data visualisation).

Additional references

  • [Apache Hive is a distributed, fault-tolerant data warehouse system that enables analytics at a massive scale. A data warehouse provides a central store of information that can easily be analyzed to make informed, data driven decisions. Hive allows users to read, write, and manage petabytes of data using SQL.
    Hive is built on top of Apache Hadoop, which is an open-source framework used to efficiently store and process large datasets. As a result, Hive is closely integrated with Hadoop, and is designed to work quickly on petabytes of data. What makes Hive unique is the ability to query large datasets, leveraging Apache Tez or MapReduce, with a SQL-like interface.] What is Apache Hive? (accessed 9 Nov 2019). Amazon Web Services, Inc.
  • [The National Hunter database was set up by lenders in 1993 and is solely concerned with preventing fraud.] The secret database blacklisting borrowers. Nicole Blackmore. (15 Mar 2015). The Telegraph, UK.
  • ID criminals target less affluent, vulnerable groups. Scott Thompson. (4 Mar 2014). FStech. Perspective Publishing Limited, registered in England no 2876166.
  • ‘Lloyds made me a financial pariah for two years after wrongly putting me on a fraud register’. James Connington. (10 Jul 2016). The Telegraph, UK.
  • Identity fraud: CIFAS flags up best ways to protect yourself. Jill Papworth. (24 Feb 2012). The Guardian, UK.
  • Identity fraud. (accessed 9 Nov 2019). West Yorkshire Police, UK.
  • ‘I lost two job offers because of a mark on my file I didn’t even know about’: How a marker after a failed mortgage application left one jobseeker with ‘DO NOT EMPLOY’. Lee Boyce. (16 Feb 2018). This is Money. dmg media limited, Northcliffe House, 2 Derry Street, London W8 5TT.

Translating French – 5/9/2019 – France

Journal en français facile 05/09/2019 20h00 GMT. Radio France Internationale, France Médias Monde. Paris – Selection – News in Simple French.

Un non-lieu général dans l’affaire du crash du vol Rio-Paris AF447. 10 ans après l’accident qui a fait 228 morts, ni la compagnie Air France ni le constructeur Airbus ne seront donc poursuivis.

Le parquet avait demandé en juillet des poursuites contre la seule compagnie aérienne. Il n’a donc pas été suivi. Les associations de familles des victimes ont fait part de leur colère et vont faire appel.

***

A general dismissal in the case of the crash of flight Rio-Paris AF447. 10 years after the accident that killed 228 people, neither Air France nor the manufacturer Airbus will be prosecuted.

In July, the public prosecutor’s office had asked for proceedings against the airline alone. It was not followed through. The victims’ family associations have expressed their anger and will appeal.

(ordonnance de) non-lieu = no case to answer, no grounds for prosecution

Il a bénéficié d’un non-lieu. = Charges against him were dismissed.

Il y a eu non-lieu. = The case was dismissed.

Affaire = case

  • Le juge a déclaré l’affaire classée. = The judge declared the case closed.
  • La preuve du témoin a tranché l’affaire. = The evidence from the witness decided the case.

Ni … ni … = neither … nor …

  • Je n’aime ni les lentilles ni les épinards. = I like neither lentils nor spinach.
  • Elles ne sont venues ni l’une ni l’autre. = Neither of them came.
  • Il n’a rien dit ni fait.  = He hasn’t said or done anything.
  • Ni l’un ni l’autre n’est tout à fait innocent. = Neither (one) of them is completely innocent.

Donc (introduit une conséquence) = so

  • Cela ne tirera pas à conséquence. = This won’t have any repercussions / will be of no consequence.
  • Voilà donc la solution. = So there’s the solution.
  • Il faudra donc envisager une autre solution. = We should therefore think of another solution.
  • Il est très bien introduit dans ce milieu. = He’s well established in these circles.

poursuivis = prosecuted (adjective / plural)

Parquet = public prosecutor’s department

Le parquet a mené une enquête sur les accusations de fraude. = The prosecutors conducted an investigation into the fraud accusations.

déposer une plainte auprès du parquet = to lodge a complaint with the public prosecutor

faire la part belle à quelqu’un = to give somebody a good deal

faire part de quelque chose à quelqu’un = to announce something to somebody, to inform somebody of something

faire-part = announcement

passer sa colère sur quelqu’un = to take out one’s bad temper on somebody

avec colère = angrily, in anger

se mettre en colère = to get angry

colère (d’un volcan) = wrath / fury of the volcano

colère (de la mer) = wrath / fury of the sea

C’est un vrai volcan. = She’s likely to explode at any moment.

Related / Notes (Version One – 3 Oct 2019):

  • The translation comes from PONS GmbH, Stuttgart (modified 30%).
  • Other references include Linguee, Larousse Bilingual Dictionary, and the Collins French-English Dictionary.
  • French – by translating – 6/2/2019 – Brazil
  • Monday, September 2, 2019, 6:30 AM IST. Rio-Paris crash relatives finger Airbus in new report. PTI. Free Press Journal. Mumbai, India. [“To the consternation of civil parties, prosecutors in July recommended dropping the case against Airbus despite demands from victims’ families that the aircraft manufacturer also be held accountable. Airbus and Air France had been charged with manslaughter in 2011.”]

Religion and Harmony – Singapore

The Bill’s aim was to ensure that followers of different religions exercise moderation and tolerance, not stoke enmity or hatred, as well as keep religion separate from politics, he said.

Kevin Kwang. (31 Aug 2019). Explainer: What is Singapore’s Maintenance of Religious Harmony Act and is it still relevant today. https://www.channelnewsasia.com/news/singapore/explainer-singapore-maintenance-of-religious-harmony-act-11857020. CNA. MediaCorp, Singapore.

…First, the drafters draw a distinction between private and public speech. Under Section 17F, if a religious leader is accused of inciting religious hatred or ill will, he would be able to defend himself by proving his message was meant only for an intimate gathering, and that he could not have anticipated that it would reach unintended audiences. Examples would include a religious leader’s sermon to friends gathered in his own residence or in a monastery…

The truth is, believers in private settings share all kinds of unsavoury thoughts about non-believers, including where they are destined to spend the afterlife. Such attitudes can certainly foster religious discrimination. But trying to police such speech would impose too heavy a toll on religious freedom. These are spheres that the Government cannot control without turning Singapore into a full-blown police state.

Second, the Government seems to acknowledge that the law must allow citizens space to discuss the role of religion in society. As a consequence, the proposed Section 17F builds in an important exception. It says you would not be found guilty of inciting hatred or ill will if you were actually engaged in a good-faith effort to warn society about those very dangers…

Third, and perhaps most importantly, the Government is modifying how it deals with the “wounding” of “religious feelings”…

Under the proposed law, if the state wants to punish an ordinary citizen for religious insult, it will not be enough to show that he has deliberately wounded another’s religious feelings – the low bar set by Section 298. It must also show that the insult or wounding “would threaten the public peace or public order”. This shifts the focus away from the subjective emotions of people who may be too easily offended, and towards the more objective criterion of public order.

Germany, whose Constitution is more concerned than probably any other Western democracy about human dignity, takes a similar approach to religious offence. The German Criminal Code criminalises the insult of racial or religious groups, but only if it is “in a manner capable of disturbing the public peace”.

The Singapore Government wants to retain Section 298’s lower threshold for speakers who are religious leaders: Under the MRHA’s new Section 17F, the prosecutor would not need to show a threat to public order. This is probably because religious leaders are more influential than random bloggers or Facebook commentators, for example. This distinction resembles model hate speech regulation, under which who speaks is at least as important as what is said…

  • Cherian George is professor of media studies and associate dean for research at Hong Kong Baptist University’s School of Communication.

Religious Harmony Act: Subtle, significant improvement in handling of religious insult
Source: Straits Times. Article Date: 11 Sep 2019. Author: Cherian George. Singapore Academy of Law.

Full versus Wholesale Banks – S’pore

Well, simple things like discovering a difference really make my day!

MAS = Monetary Authority of Singapore (Singapore’s central bank); SMEs = small and medium-sized enterprises.

The digital full-bank licence will allow licensees to provide a wide range of financial services and take deposits from retail customers. A digital wholesale bank licence will allow licensees to serve SMEs and other non-retail segments.

Singapore to issue up to five new licences to digital banks. Jamie Lee. (29 Jun 2019). The Business Times, Singapore.

Singapore’s central bank plans to issue up to five digital bank licences to suitable applicants, in a move that could deliver the biggest shake-up in two decades in a market dominated by local banks…

The central bank will also issue up to three digital wholesale bank licences which will be open to both local and foreign players.

Digital wholesale banks will not be allowed to take Singapore deposits from individuals, except for fixed deposits of at least S$250,000, and will be permitted to maintain deposit accounts for corporate and small and medium enterprises.

Singapore to allow virtual banks as part of a move to open up the market. (30 Jun 2019). Reuters via CNBC, US [global headquarters in Englewood Cliffs, New Jersey].

See also:

The Banking Industry and the Major Players in Singapore. (no date / accessed 29 Jul 2019). GuideMeSingapore / Hawksford. 16 Raffles Quay, #32-03 Hong Leong Building, Singapore, 048581.

Business Diversification

In response to the announcement, gaming peripherals brand Razer’s chief strategy officer Limeng Lee said MAS was “forward-looking” in “opening up more financial options to consumers and businesses”. The announcement is timely as Razer has been growing its financial technology business in South-east Asia in recent months, he added. “We will definitely consider applying for the digital bank license and are keen to help spur innovation in Singapore’s financial sector,” Mr Lee said.

A Singtel spokesman said they are “open to exploring the feasibility of such an opportunity and will be reviewing the licensing conditions”.

Singapore to allow digital banks; MAS issuing up to 5 new licences: Tharman. (updated 29 Jun 2019). The Straits Times, Singapore.

The culture in Singapore seems to gravitate towards property investments whenever we have substantial excess cash.

SPH seems to have adopted this culture. It has built up a respectable property portfolio over past decades.

SPH (SGX:T39) – Is This The End for This Blue Chip Stock? Alvin Chow | Date: September 27, 2017. DrWealth. 71 Ayer Rajah Crescent #03-06, Singapore 139951.

The Edge Markets. (June 28, 2017). Why SPH needs to restructure itself. The Fifth Person.

3 Data Protection Judgments – Singapore

For learning and prevention: 3 case studies [v.2 – 1 Aug 2019]

The first government judgment and warning relates to the popular messaging app, WhatsApp. The second judgment and fine involves email. The final judgment and warning concerns website security.

2     One of the many preschools under the Organisation’s management is the Sparkletots @ Kampong Chai Chee centre (the “preschool”). In the course of the year, the preschool would organise various school trips, sometimes with the participation of the parents. In preparation for these trips, the preschool would collect the parents’ personal data (including NRIC numbers) to allow for verification of the parents’ identity on the day of the trip.

3     The present investigations arise from one such school trip. A few days before the trip was scheduled to take place, a teacher at the preschool sent a photograph of a consolidated attendance list to a “WhatsApp” chat group, reminding parents of the upcoming school trip. The attendance list contained personal data relating to the 15 students in that particular class and their parents, and included the contact numbers and NRIC numbers of five of the parents (the “Personal Data”). The “WhatsApp” chat group comprised… parents of students from that class.

4     The teacher who sent the photograph of the attendance list quickly deleted it after being alerted to the disclosure of personal data by one of the parents within the group chat. That same parent later lodged a complaint with the Personal Data Protection Commission (“PDPC”). The PDPC thereafter commenced investigations into the incident…

8     After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, I am of the view that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession and control, and has thereby breached the Protection Obligation under section 24 of the PDPA. This breach is attributable primarily to the Organisation’s lack of specific policies or procedures in place to guide its employees on the use, handling and disclosure of personal data, especially in the context of communicating with parents…

16     To its credit, the Organisation also acted swiftly to address their inadequate policies – a response which, in my assessment, carries mitigating value. The following remedial actions taken by the Organisation have therefore been taken into account:

(a) Immediate suspension of all “WhatsApp” chat groups following the disclosure;

(b) Expedited the implementation of a set of “Social Media Policy / Whatsapp chat group rules” that was already under development when the breach occurred;

(c) Rolled out a suite of other policies across the Organisation including a “Document Retention Policy” and an “Information Security Policy”; and

(d) Undertook the development of a practical employee handbook and conducted refresher training for its employees.

17     Having considered all the relevant factors of the case, I am of the view that these remedial actions have sufficiently addressed the current gap in policies and practices relating to the handling of personal data by the Organisation’s employees. I have therefore decided to issue a warning to the Organisation for breaching its obligations under section 24 of the PDPA, without further directions or imposing a financial penalty.

PAP Community Foundation [2019] SGPDPC 6 (Case No DP-1807-B2434). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—PAP-Community-Foundation—230419.pdf. Singapore.

2     On 27 November 2017, the Personal Data Protection Commission (the “Commission”) received notification from the Institute of Singapore Chartered Accountants (“ISCA”) that one of its employees inadvertently sent an email attaching a Microsoft Excel document containing personal data of 1,906 individuals (the “Excel File”) to an unintended recipient (the “Incident”)…

5     On or about 23 November 2017, as part of business operations, 2 ISCA employees (the “First Employee” and the “Second Employee”, collectively the “Employees”) were unable to open the Excel File (stored on ISCA’s internal shared drive) as it appeared to be corrupted. The Employees sought the assistance of ISCA’s IT department. Arising from this, ISCA’s IT Support Specialist sent an email to the System/Network Engineer from the ICT department to recover the Excel File from the backup server, and to send the recovered Excel File to the Employees.

6     On 24 November 2017, the System/Network Engineer created an email to send the recovered Excel File as an attachment to the Employees (the “Subject Email”). As the earlier email from the IT Support Specialist did not include the Employees in the addressee list, the System/Network Engineer had to specifically insert the Employees in the recipient section of the Subject Email. Due to the auto-complete feature in Microsoft Outlook’s email software, the System/Network Engineer inadvertently selected an accounts manager (the “Unintended Recipient”) in a listed telecommunications service provider (“Telco”) instead of the First Employee as they both had the same first name. The Subject Email containing the Excel File was therefore sent to the IT Support Specialist, the Second Employee and the Unintended Recipient. The Excel File was not encrypted with a password…

18     The Commissioner found that ISCA failed to put in place reasonable security arrangements to protect the Subject Data in the Excel File during email transmission for the following reasons:

(a) The volume (1,906 members) and type (data with a higher expectation of confidentiality) of Subject Data in the Excel File warranted direct protection. In this regard, ISCA should have had a policy/SOP that applied to all employees requiring password based encryption for the Excel File in respect of both external and internal emails. This would be a reasonable security arrangement to protect the Subject Data against unauthorised access in the event the Subject Email was sent to any unintended recipient…
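One way to turn the point in (a) into a technical control is a pre-send check at the mail gateway or in an Outlook add-in: scan outgoing attachments for personal identifiers and refuse to send when such an attachment is not password-protected, whether the recipients are internal or external. The block below is an added illustration and is not code from the decision or from ISCA’s systems; the message structure, the `isca.example` domain, the sample CSV rows and the `password_protected` flag are all constructed for the example. It validates NRIC candidates against the published checksum so that look-alike strings do not trigger false positives.

```python
"""Pre-send check for outbound mail: block unprotected attachments that
contain Singapore NRIC numbers (added example; constructed data)."""
import re

# NRIC shape: prefix letter, seven digits, check letter.
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_ST = "JZIHGFEDCBA"   # check letters for S/T prefixes
CHECK_FG = "XWUTRQPNMLK"   # check letters for F/G prefixes

# Constructed: the organisation's own mail domain.
INTERNAL_DOMAIN = "isca.example"


def is_valid_nric(candidate: str) -> bool:
    """Return True only if the candidate passes the NRIC checksum."""
    s = candidate.upper()
    if not NRIC_RE.fullmatch(s):
        return False
    total = sum(int(d) * w for d, w in zip(s[1:8], WEIGHTS))
    if s[0] in "TG":          # T and G series add an offset of 4
        total += 4
    table = CHECK_ST if s[0] in "ST" else CHECK_FG
    return table[total % 11] == s[8]


def find_nrics(text: str) -> list:
    """All checksum-valid NRICs appearing in the text."""
    return [m for m in NRIC_RE.findall(text) if is_valid_nric(m)]


def external_recipients(message: dict) -> list:
    """Recipients outside the organisation's own domain."""
    suffix = "@" + INTERNAL_DOMAIN
    return [r for r in message["recipients"] if not r.lower().endswith(suffix)]


def check_outbound(message: dict) -> dict:
    """Decide whether a message may leave the client.

    Blocks when any attachment carries NRICs but is not password-protected,
    for internal and external recipients alike; external recipients are
    reported separately so the sender can confirm auto-completed addresses.
    """
    reasons = []
    for att in message["attachments"]:
        hits = find_nrics(att["content"])
        if hits and not att["password_protected"]:
            reasons.append(
                f"{att['name']}: {len(hits)} NRIC(s) found but the attachment "
                "is not password-protected"
            )
    return {
        "allow": not reasons,
        "reasons": reasons,
        "external_recipients": external_recipients(message),
    }


# Constructed sample: one internal and one external recipient sharing a first
# name, and an unprotected CSV. The third row fails the checksum on purpose.
SAMPLE_MESSAGE = {
    "sender": "engineer@isca.example",
    "recipients": ["first.employee@isca.example", "first.name@telco.example"],
    "attachments": [
        {
            "name": "members.csv",
            "password_protected": False,
            "content": (
                "name,nric,email\n"
                "Member One,S1234567D,one@example.org\n"
                "Member Two,T0000001E,two@example.org\n"
                "Member Three,S1234567A,three@example.org\n"
            ),
        }
    ],
}

if __name__ == "__main__":
    result = check_outbound(SAMPLE_MESSAGE)
    print("allow:", result["allow"])
    for reason in result["reasons"]:
        print("blocked:", reason)
    for addr in result["external_recipients"]:
        print("external recipient, please confirm:", addr)
```

Marking the attachment as password-protected (or removing the identifiers) lets the same message through, while the external-recipient list still prompts the sender to double-check an address that auto-complete may have substituted.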

23     Having considered all the relevant factors of this case, the Commissioner hereby directs ISCA to do the following:

(a) Within 90 days from the date of the Commissioner’s directions, review its policies and security arrangements in respect of electronic transmission of documents containing personal data; and

(b) Pay a financial penalty of S$6,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full.

Institute of Singapore Chartered Accountants [2018] SGPDPC 28. Personal Data Protection Commission. (13 Dec 2018). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Institute-of-Singapore-Chartered-Accountants—131218.pdf. Singapore.

2     On 8 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the publication of personal data belonging to 50 individuals on the Organisation’s website, http://www.tutorcity.com.sg (the “Website”). Specifically, images of the educational certificates of tutors using the Website were found to be publicly accessible by Internet users (the “Incident”)…

7     As part of the Website’s features, tutors interested in using the Organisation’s matching service are given the option of voluntarily uploading up to three different educational certificates onto the Website. These certificates assisted the Organisation in matching the needs of the student in question to suitable tutors. These certificates were not intended to be made publicly accessible.

8     Notwithstanding this, all uploaded certificates were stored in the /Public_html/ directory (the “Public Directory”) of the Website’s server within a sub-folder, Public_html\tutor\tutor_image (the “Image Directory”). Both directories were not secured with any form of access controls and were accessible by the public so long as the path to the relevant directory was known…

21     In the present case, I am advised that where documents containing personal data have to reside on web servers, folder or directory permissions and access controls are a common and direct way of preventing their unauthorised access by public users and web crawlers. Depending on its circumstances, the Organisation could therefore have implemented any of the following reasonable technical security measures to prevent its Image Directory from being indexed by web crawlers:

(a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. Access to such documents will then be controlled by the server’s administrator. While this may not be ideal in complex servers with multiple web applications—given that it may not be practicable for the server administrator to control access to all these files—this is not the case for the present Website.

(b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. This could be done through PHP scripts. To access the data in the documents, users would have to first log into the web application.

(c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). An index.html file could also be created within that sub-folder to show a HTML page with no content or a denial of access. Any unauthorised user would then need the specific URL to access a document in the sub-folder. However, given that the Public Directory is the web root directory containing all the content to be displayed on the Website, it should not have overly restrictive access rights. This may pose some challenges for organisations seeking to balance access restrictions to specific documents against retaining accessibility to website content that is intended to be public…
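Option (b) above is the one most organisations end up with: the files live outside the web root and the only way to reach them is through application code that checks who is asking. The block below is an added illustration of that pattern, not code from the decision or from the Tutor City website; the directory names (`public_html`, `private_docs`), the session table, the tutor accounts and the certificate files are all constructed for the example. The decision mentions PHP scripts; the example is written in Python to show the same logic, including confining the resolved path to the private directory so a request such as `../public_html/index.html` cannot be used to read anything outside it.

```python
"""Serve uploaded documents from a non-public directory through an
authenticated handler (added example; constructed layout and data)."""
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed layout: the web root holds only public pages; certificates live
# in a sibling directory that the web server never exposes directly.
BASE = Path(tempfile.mkdtemp())
WEB_ROOT = BASE / "public_html"
DOC_ROOT = BASE / "private_docs"

# Constructed records: which account uploaded which certificate.
OWNERSHIP = {"tutor_a.pdf": "tutor_a", "tutor_b.pdf": "tutor_b"}
# Constructed session store: session token -> logged-in account.
SESSIONS = {"sess-123": "tutor_a", "sess-456": "staff_admin"}
# Constructed: accounts allowed to view every certificate (matching staff).
STAFF = {"staff_admin"}


def setup_fixture() -> None:
    """Create the two directories and the sample files."""
    WEB_ROOT.mkdir(exist_ok=True)
    DOC_ROOT.mkdir(exist_ok=True)
    (WEB_ROOT / "index.html").write_text("<html><body>public page</body></html>")
    for name in OWNERSHIP:
        (DOC_ROOT / name).write_bytes(b"%PDF-1.4 constructed certificate " + name.encode())


def resolve_document(requested: str) -> Optional[Path]:
    """Map a requested name to a file inside DOC_ROOT.

    Returns None when the name does not resolve to an existing regular file
    inside DOC_ROOT, which also covers '..' segments and absolute paths.
    """
    root = DOC_ROOT.resolve()
    candidate = (DOC_ROOT / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def serve_certificate(session_token: Optional[str], requested: str) -> Tuple[int, bytes]:
    """Return (HTTP status, body).

    401: no valid session; 404: name does not map to a file in DOC_ROOT;
    403: caller is neither the uploading tutor nor staff; 200: file bytes.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, b""
    path = resolve_document(requested)
    if path is None:
        return 404, b""
    owner = OWNERSHIP.get(path.name)
    if user != owner and user not in STAFF:
        return 403, b""
    return 200, path.read_bytes()


setup_fixture()

if __name__ == "__main__":
    for token, name in [
        (None, "tutor_a.pdf"),
        ("sess-123", "tutor_a.pdf"),
        ("sess-123", "tutor_b.pdf"),
        ("sess-456", "tutor_b.pdf"),
        ("sess-123", "../public_html/index.html"),
    ]:
        status, body = serve_certificate(token, name)
        print(token, name, "->", status, len(body), "bytes")
```

Nothing under `private_docs` is reachable by URL, so the “specific URL” problem the decision describes in (c) does not arise; the handler, not the directory layout, decides who sees a document.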

27     I find on the facts above that the Organisation did not make reasonable security arrangements to protect personal data in its possession or under its control against the risk of unauthorised access. The Organisation is therefore in breach of section 24 of the PDPA. I took into account the number of affected individuals, the type of personal data at risk of unauthorised access and the remedial action by the Organisation to prevent recurrence. I have decided to issue a warning to the Organisation for the breach of its obligation under section 24 of the PDPA as neither further directions nor a financial penalty is warranted in this case.

Tutor City [2019] SGPDPC 5 (Case No DP-1806-B2228). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Tutor-City-230419.pdf. Singapore.

Related

…The absence of a second layer of basic checks “amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data”, said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday…

In its advisory guidelines, PDPC had recommended that paper containing personal information be shredded into small pieces and not dumped in unsecured bins.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.

Aviva fined $6,000 for data breach. Irene Tham. (Oct 13, 2017). https://www.straitstimes.com/tech/aviva-fined-6000-for-data-breach. The Straits Times. Singapore.

Aviva’s most recent offence involved sending four underwriting letters meant for four different people to a single person, all contained in one envelope. The letters contained clients’ full names, addresses, policy details, and sums assured.

“[Aviva] failed to conduct a more thorough review of its internal departments… that are subject to the same vulnerabilities and risk similar failures as the prior incident,” PDPC said…

Meanwhile, AIG had printed a wrong fax number, which was actually that of Japanese products retailer Tokyu Hands, on 125 policy letters. PDPC said that AIG policyholders could have mistakenly sent their personal data to Tokyu Hands due to the misprint.

Singapore’s privacy watchdog fines three insurers for data breaches. Gabriel Olano. (5 May 2018). https://www.insurancebusinessmag.com/asia/news/breaking-news/singapores-privacy-watchdog-fines-three-insurers-for-data-breaches-99807.aspx. Insurance Business Asia.