Are we seeing a shift in the PDPC's Enforcement Priorities?

The SingHealth debacle broke the records and put data protection front and center for many Singaporeans. It was the mother of all data breaches here. We now have a reference point to view all data breaches.

If there was one very obvious lesson for data protection professionals in Singapore, it would be to do as much as possible to prevent data breaches. None of this, however, is really news:

  • Most of PDPC’s enforcement actions have largely arisen from data breaches. Unlike some authorities in the region, the PDPC does not really exercise its own investigation powers.
  • The PDPC has been really active — it has produced over 94 decisions in the last few years. All this appears to be aimed at building itself as a thought leader in data protection. We now have enough “jurisprudence” to analyse the jurisprudential basis of an organisation’s liability in a data breach.

If you expected the PDPC to go slow after dealing with the mother of all data breaches, you might be in for a rude shock. The PDPC has released 20 decisions since SingHealth. This is at least the same pace as it has been going over the last few years.

In fact, two recent decisions in July should raise some alarm bells for data protection officers.

Spize Concepts [2019] SGPDPC 22

This is a familiar story. Poor password policy exposes 148 customers’ data on the internet. The penalty raises eyebrows though — $20,000!

It’s hard not to speculate that this penalty was aggravated by the lack of a data protection officer and data protection policies. The helplessness of Spize Concepts was very much on display as it could not explain what steps it had taken to care about data protection or even what had happened.

Even though the organisation took steps to comply, it was still required to report on the implementation of data protection policies in 1 week.

AgcDesign [2019] SGPDPC 23

This one is a strange one. The PDPC received complaints of unsolicited marketing materials from an interior design firm. Turns out, all this was kosher. The source was publicly available information from a register of land transfers.

The investigation took a more menacing turn when the PDPC discovered that the firm did not have a data protection officer or data protection policies. The firm was fined $5,000. No trifling sum considering a warning was previously possible.

There aren’t any details on what exactly having no data protection policy actually means, but I reckon the phone call went like this:

PDPC: Hi. We are the Personal Data Protection Commission. We would like to speak to your data protection officer please.

Organisation: Harr?!

PDPC: OK. Do you know what data protection is? Does your employer tell you what to do about data protection?

Organisation: Harr?!

And that’s all folks.


Data breaches were an obvious source of liability. Having no data protection officer or data protection policies is another obvious source of liability. The PDPC is prepared to stake out a new source of obvious liability. Organisations should appoint a data protection officer, and data protection officers have to implement clear policies. No more Harrs.