The Singapore Personal Data Protection Commission (“PDPC”) released on 15 November 2017 a new decision. A professional moving services organisation (“the Mover”) had responded to a complaint on its Facebook page and posted the Complainant’s name and residential address in its response.
In response to the PDPC, the Mover claimed it was not aware of the Singapore Personal Data Protection Act (“PDPA”). The PDPC found that there was a breach of the PDPA and directed the Mover to appoint a DPO and develop a data protection policy and internal guidelines within 30 and 60 days respectively.
Thing 1: Awareness among staff remains key
The Decision leaves out several details about the Mover’s situation, but my experience of professional movers in Singapore is that several run a tight ship and are not able to spare resources on someone to keep updated on laws and compliance. It is not surprising that such an organisation would make a straightforward mistake such as posting personal details on a Facebook post.
Raising awareness among staff would go far in avoiding such a mistake. The PDPC took the opportunity in this Decision to reiterate the importance of having personal data protection policies and appointing a Data Protection Officer (“DPO”). It concludes that “it is clear that regardless of the size of the organisation, the DPO plays a vital role in building a robust data protection framework to ensure the organisation’s compliance with its obligations under the PDPA.”
While the appointment of a DPO and instituting data protection policies is essential, _practice_ is the true measure of data protection in an organisation. Simply stated, whoever is in charge of the Facebook account does not need to check with his DPO in order to find out that posting personal details of their customers on Facebook is a no-no, because he already knows that answer.
Especially for small organisations, dutifully complying with the appointment of DPOs and creating policies is a good start (and will probably mitigate any trouble with the PDPC), but it is not enough to avoid falling afoul of the PDPA.
In order for the DPO to perform his duties, it is a given that the DPO has to be well versed in the PDPA. In this regard, the Decision is a missed opportunity to inform small organisations how they could effectively comply with the PDPA, for example, sending the appointed DPO for training, outsourcing the DPO, or even going through the PDPC’s website. Once the DPO in the organisation is fully equipped to perform his role, compliance with the PDPA follows.
Thing 2: Going easy?
As stated above, the decision concluded with directions issued to the Mover. This should be contrasted with _Re Executive Coach International Pte. Ltd_ SGPDPC 3, in which a director disclosed sensitive personal information regarding a disgruntled ex-employee to the organisation’s chat group, and the PDPC issued a warning in that case together with directions (“Executive Coach”).
Given the fact that this is also a breach of the PDPA where the disclosure was limited, it is not clear why a similar warning was not issued in this case. The unfortunate impression is that the only wrong committed by the Mover was to not appoint a DPO or have data protection policies. Or even worse, that ignorance is mitigating when the personal data disclosed is limited. The PDPC should consider some consistency in dealing with cases in which it decides not to issue a financial penalty.
Thing 3: Another case of using the PDPA as retaliation?
While not as obvious as Executive Coach, I would consider this case as another illustration of using the PDPA as a tactic to get an organisation into trouble with the authorities. It should be noted that this arose from a customer complaint on Facebook, and escalated when the Mover posted the personal details of the complainant on Facebook.
Organisations should note the following features of a PDPC investigation that make using the PDPA an attractive tactic for retaliation:
- Lawyers aren’t involved in making a complaint. It’s as easy as writing an email.
- There are no legal costs so there aren’t any real repercussions in being wrong.
- If the object is to create trouble for the organisation, the PDPC will investigate and follow through. (In this case, it appears that investigations have gone on for nearly a year now.)
- If the object is to shame the organisation, the complainant’s details are kept private, while the organisation’s deeds are brought out in public view (and are still reported regularly in local newspapers).
Of course, the effectiveness of such a tactic depends on an effective complaint. There are several ways for an organisation to blunt it, chief of which is to comply with the PDPA in all material aspects. The time and effort expended on dealing with PDPA breaches is often easily avoided in such cases.