An Enforcement Decision was released on 27 November. The Singapore Personal Data Protection Commission (PDPC) imposed a financial penalty of $18,000 on a digital marketing agency that left the personal data of several hundred people (including children) freely accessible on the Internet. The case, whose history stretched back to before the Personal Data Protection Act (PDPA) was in force, featured an uncooperative respondent.
Thing 1: Unprotected links continue to create problems
Regrettably, notwithstanding the coming into force of the PDPA in Singapore some three years ago, there are still cases in which organisations are found to have left personal data freely accessible on the Internet through their own websites. Guarding against this is one of the most basic requirements of the Protection Obligation under the PDPA, and failures of this kind have already attracted several financial penalties.
Organisations should therefore review their websites and remove, or restrict access to, any such personal data. These mistakes usually happen when an organisation rushes a website into production without reviewing it for PDPA compliance, or when website owners (and the contractors who build the sites for them) have a poor or limited understanding of what PDPA compliance requires.
Thing 2: Data pollution becomes a liability
This appears to me to be the first case to clearly illustrate a breach of the Retention Limitation Obligation under the PDPA. Simply put, an organisation should not continue to use or retain personal data when (a) the purpose for which the personal data was collected is no longer served by retaining it; and (b) retention is no longer necessary for legal or business purposes.
In this case, even though the data was collected before the PDPA came into force in 2014, the digital marketing agency still had to comply with the Protection and Retention Limitation Obligations under the PDPA.
The PDPC also noted, following the authorities in the UK and EU, that the digital marketing agency (which had first received the data as a data intermediary) became an organisation in its own right when it retained the data after the original purpose (facilitating its clients' marketing campaigns) was over. Although this had no direct impact on the outcome of the case, an organisation has more obligations in respect of personal data than a data intermediary does.
It appears that the digital marketing agency had simply forgotten about the personal data it was retaining. While much of the public focus on the PDPA is centred on the Consent and Protection Obligations, with this precedent the Retention Limitation Obligation may become a new source of liability for organisations. Collecting too much personal data becomes a liability if there are no policies for disposing of it once it is no longer needed.
Thing 3: Lack of co-operation an aggravating factor
Consistent with its lackadaisical approach to protecting sensitive information, the digital marketing agency did not treat the PDPC seriously. Amongst the PDPC's complaints:
- The agency did not take prompt remedial action after being informed of the data breach by the PDPC;
- The agency had, on more than one occasion, informed the PDPC that the personal data in question had been deleted when this was not the case;
- The agency provided the PDPC with unhelpful and unsubstantiated claims in its responses to the investigation;
- The agency repeatedly missed the PDPC's deadlines to reply.
The financial penalty imposed in this case was $18,000. It is useful to note that in cases such as Re PropNex and Re JP Pepperdine, which involved similar data breaches but without the lack of co-operation highlighted here, the penalty was $10,000. This case shows clearly that the PDPC treats a lack of co-operation as an aggravating factor when determining the financial penalty.