Title: Personal Data Protection Digest
Language: English
File Size: 2.1 MB
Total Pages: 377
Table of Contents
00a Prelims (PDP Digest 2018)
00b Foreword_PDP Commissioner (PDP Digest 2018)
00c Contents (PDP Digest 2018)
01_Art_Some Lessons to be Learnt (Steve Tan)
02_Art_Breach Notifications Article (Bryan Tan)
03_Art_Protection of Sensitive Personal Data (Benjamin Wong)
04_Art_Relevance of Data Protection Competition Assessment (Lim Chong Kin)
05_Art_Interplay Between DP and Cybersecurity (Lanx Goh)
06_Art_Monopoly Rights vs Freedom Access (Trina Ha et al)
07_Art_Personal Data Customer Information Age Fintech (A Yap et al)
08_Art_Data Sharing (Jeffrey Lim et al)
09_Art_Protecting Consumers Personal Data in Digital World (Yip Man)
10_Art_Cloud Computing International Data Transfers (Jansen Aw)
11_Art_Reg of Biometric Data (Gilbert Leong et al)
12_GD_Singapore Telecommunications [2017] SGPDPC 4
13_GD_NUS [2017] SGPDPC 5
14_GD_Tiger Airways Singapore [2017] SGPDPC 6
15_GD_Furnituremart.sg [2017] SGPDPC 7
16_GD_Exceltec Property Management [2017] SGPDPC 8
17_GD_Hazel Florist n Gifts [2017] SGPDPC 9
18_GD_Data Post Pte Ltd [2017] SGPDPC 10
19_GD_MCST No 3696 [2017] SGPDPC 11
20_GD_Orchard Turn Developments [2017] SGPDPC 12
21_GD_Ang Rui Song [2017] SGPDPC 13
22_GD_Aviva Ltd [2017] SGPDPC 14
23_GD_M Stars Movers [2017] SGPDPC 15
24_GD_BHG Singapore [2017] SGPDPC 16
25_GD_Social Metric [2017] SGPDPC 17
26_GD_Credit Counselling [2017] SGPDPC 18
27_GD_ComGateway [2017] SGPDPC 19
28_GD_Sharon Assya Qadriyah Tang [2018] SGPDPC 1
29_GD_Jiwon Hair Salon [2018] SGPDPC 2
30_GD_My Digital Lock [2018] SGPDPC 3
31_CS_Re Soho TS
32_CS_Re SG Vehicles
33_CS_Re My Digital Lock
34_CS_Re Singapore Telecommunications
                        
Page 1

[2018] PDP Digest

MCI (P) 035/07/2018

PERSONAL DATA PROTECTION DIGEST

Page 2

PERSONAL DATA PROTECTION
DIGEST



Editor
Yeong Zee Kin

Deputy Editors
David N Alfred
Chen Su-Anne

Justin Blaze George

Editorial Assistant
Charis Seow











2018

Page 188

180 Decision of the Personal Data Protection Commission [2018] PDP Digest

19 Overall, it is clear that the Organisation did not make reasonable
security arrangements for the protection of personal data:

(a) the Organisation’s data protection policy was formalised during
the month that the data breach occurred and could have been
formalised after the unauthorised disclosure took place;
(b) there was no evidence to show that steps had actually been taken
to implement such policy prior to the breach; and
(c) further, the Organisation admitted that its staff had no training
whatsoever regarding their data protection obligations.

At a more basic level, the Organisation did not seem to engage with the issue
of what it should do to protect personal data; it had simply relied on its
employees carrying out their jobs correctly.

20 A further point must be made. Based on the Organisation’s
representations, it would appear that the Organisation is essentially relying
on its employees and staff carrying out their job functions correctly to say
that this is a form of data protection measure in and of itself. If the
employees and staff had printed and sent the correct invoice to the correct
recipient, there would not be any data protection issue to begin with.

21 In the Commission’s view, it is not enough for the Organisation to
simply rely on its staff and employees to carry out their duties correctly for
the protection of personal data. An organisation has certain obligations with
respect to personal data that it has collected and which it holds or has
control over. One such obligation is to put in place policies and measures to
protect the personal data and to prevent unauthorised use, disclosure or
alteration. Policies pertinent and adapted to the Organisation’s business and
processes ought to be crafted and disseminated to staff. Indeed, s 12(c) of
the PDPA imposes an obligation for such policies and practices to be
communicated to staff. An effective mode of communication is to provide
training to staff, whether in traditional classroom settings or through other
means such as online training.

22 Crucially, it is important for the management of a company to “buy-in”
to adopting good data protection practices for the company. It is from
this starting point – the management level – that the company’s policies
and practices should be formulated with data protection in mind. From there, such
good data protection policies and practices can permeate down to and be
adopted at the staff level of the company. The Commission agrees with the

Page 189

[2018] PDP Digest Re Furnituremart.sg 181

observation made by the Australian Information Commissioner and Privacy
Commissioner of Canada in the joint investigation into Ashley Madison:5

Having documented security policies and procedures is a basic organizational
security safeguard, particularly for an organization holding significant
amounts of personal information. Making informational policies and
practices explicit provides clarity about expectations to facilitate consistency,
and helps to avoid gaps in security coverage. It also sends key signals to
employees about the importance placed on information security.
Furthermore, such security policies and processes need to be updated and
reviewed based on the evolving threat landscape, which would be very
challenging if they are not formalized in some manner.

23 The above position also stresses the importance of having documented
policies, as mentioned at [14] above.

24 It is also important that management actively supervises employees
and takes responsibility for creating a culture of security-awareness. As
observed by the Hong Kong Privacy Commissioner for Personal Data:6

With sound security policies and procedures in place, there is no guarantee
that they will be followed. In this regard, supervision and monitoring of the
implementation of the procedures are important.

25 Similarly, in its investigation into Monarch Beauty Supply,7 the Office
of the Alberta Privacy Commissioner found that the Store Manager and
District Manager of the organisation had not been diligent, as they had
simply assumed that employees would shred documents containing
customers’ credit and debit card information, in line with the organisation’s
policies. However, as management had not provided sufficient instruction


5 PIPEDA Report of Findings #2016-005: Joint investigation of Ashley Madison by
the Privacy Commissioner of Canada and the Australian Privacy Commissioner/
Acting Australian Information Commissioner
<https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/>
at [65].

6 Investigation Report: Hong Kong Police Force’s Repeated Loss of Documents
Containing Personal Data (R13 – 0407)
<https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R13_0407_e.pdf>
at [38].

7 Order P2006-IR-003: Monarch Beauty Supply [a division of Beauty
Systems Group (Canada) Inc]
<https://www.oipc.ab.ca/media/127842/P2006-003IR.pdf>
at [40(2)].

Page 376

368 Case Summary [2018] PDP Digest

10 During the course of investigation, the Organisation was unable to
provide the Commission with the relevant information and documents,
such as the Bill Run log files, as the Organisation had the practice of
retaining documents for a period of only three months before destroying
them. In this case, the Organisation would have known or ought to have
known that the circumstances pertaining to the Bill Run may be material to
the investigation, given that in its notification to the Commission of the
data breach on 11 February 2016 (just three days after the data breach
incident), it was able to inform the Commission that the fault mainly lay
with a particularly large Bill Run. Once the Organisation became aware that
the circumstances surrounding the Bill Run may be a material fact or issue
in the investigation, it ought to have taken steps to preserve the relevant
information and documents as evidence.

11 Upon any party being aware that there may be information or
documents that may be relevant to the Commission’s investigations, it
ought to take steps to preserve the relevant information or documents
as evidence.
