The June 2022 Incidents and Undertaking decisions of the Personal Data Protection Commission (PDPC) have been published on the PDPC’s official website. This month, five (5) cases were issued: the financial penalty imposed on Vhive, the warning issued to three financial advisers, the findings of no breach for SLP Scotia and SLP International Property Consultants and for Aman Group S.a.r.l and/or Amanresort International, and the Undertaking to be followed by SingHealth Polyclinics.
The Personal Data Protection Act (PDPA) aims to balance organizations’ need to use data for legitimate purposes with the protection of individuals’ personal information, and the PDPC is tasked with its administration and enforcement.
To that end, the decisions issued by the PDPC are published on its website, where anyone can read the latest data security standards set by the PDPC. To comply with those standards, organizations have a duty to keep up to date with the latest PDPC incidents and undertakings.
Let’s have a look at the June 2022 cases with the latest cybersecurity updates to date.
June 9: Vhive’s breach of the Data Protection Obligations
Our first case of PDPC incidents and Undertaking involves Vhive. On March 26, 2021, the organization notified the PDPC of a ransomware attack that affected its customer database. With this Incident, approximately 186,281 individuals’ names, addresses, email addresses, telephone numbers, hashed passwords, and customer IDs were affected.
The investigation revealed that the organization’s IT infrastructure was outdated, with multiple vulnerabilities at the time of the Incident. It also found that the organization’s e-commerce server ran on an outdated webserver service.
This, along with an unpatched firewall, let the threat actor remotely run unauthorized code on the e-commerce server. This gave the threat actor backdoor access to the e-commerce server, and the threat actor launched the ransomware attack.
As a result of this Incident, Vhive was made to pay a financial penalty of S$22,000 for breaching the data protection obligation and for failing to make reasonable security arrangements to ensure that its IT infrastructure is up to date, kept secure, and free from access by bad actors.
What we can take from this case is the importance of keeping your organization’s IT infrastructure up to date with current security updates. As bad actors are also stepping up their tactics and techniques for infiltrating systems and databases, keeping an outdated service leaves you vulnerable to hacks that could destroy your customers’ trust and your business.
June 9: A warning issued to three insurance financial advisers
Our next case involves Ngian Wen Hao Dennis, Chan Puay Hwa Melissa, and Winarto, where the PDPC issued a warning regarding their breach of the Consent and Notification Obligations. On September 7, 2021, the PDPC was notified of two incidents concerning these three individuals’ unauthorized disclosure and collection of personal data.
Between December 2017 and February 2019, Ngian Wen Hao Dennis (Dennis) was an Aviva Financial Advisers Pte Ltd (AFA) agent. Dennis contacted two insurance financial advisers, Melissa and Winarto, in March 2019 and August 2020, respectively, to offer a list of prospective clients, as Dennis was leaving the insurance sector and was seeking a dependable agent to take over his clientele. Melissa and Winarto both reported that they paid $1,000 to Dennis for the aforementioned list.
The list contained approximately 1,000 clients’ names, mailing addresses, contact numbers, and the names of organizations underwriting the hospitalization plans bought by the clients. Dennis claims that he had contacted these clients to seek their consent or notified them of the disclosure of their personal data to other insurance financial advisers. However, none of them corroborated this claim.
The PDPA defines “organizations” to include individuals who collect, use or disclose personal data otherwise than in a personal or domestic capacity, and such individuals are obliged to comply with the Data Protection Provisions. In this case, since the transactions of Dennis with Melissa and Winarto were for work and business purposes and none of them was an employee of any organization, each of them is considered an organization.
With Dennis, Melissa, and Winarto each being considered an organization, the PDPA applied to them. Since they breached the Consent and Notification Obligations, the general rule is that they will be penalized by the PDPC.
However, in the case of Dennis, the PDPC decided only to give a warning given the financial status he is currently in. The Commission also considered his act of giving the full refund for the S$1000 given by Melissa and Winarto.
For Melissa and Winarto, the PDPC also issued a warning with respect to their breaches of the Consent and Notification Obligations. The PDPC took into account the fact that both Melissa and Winarto did not sell the personal data for profit, and neither of them used the personal data they obtained without consent from the individuals involved.
Aviva Financial Advisers Pte Ltd also could not be held liable, because Dennis was no longer their employee at the time of his transaction with Melissa and Winarto.
What we can take from this case is the importance of notifying clients and obtaining their consent before their personal data is disclosed, used, or collected. Where an organization fails to do so, the PDPC will not hesitate to enforce a financial penalty.
June 2022 PDPC Incidents and Undertaking: No breach occurred
Our next case involves SLP Scotia and SLP International Property Consultants, where the PDPC decided that they are not in breach of the Data Protection Obligation. Between July 10 and 14, 2020, the PDPC received four complaints against SLP International Property Consultants (SLPIPC) and its subsidiary SLP Scotia (SLPS). The complainants were property agents registered through SLPS.
As the Organizations were scheduled to merge on July 7, 2020, SLPIPC commenced the registration of SLPS salespeople as SLPIPC salespeople with the Council of Estate Agencies (CEA). Then, CEA sent the Complainants an email requesting that they either submit a salesman application to join SLPIPC or disregard the correspondence if they were not interested in registering with SLPIPC.
The Complainants alleged that: i. they had not consented to be contacted for such purposes, and ii. SLPS had improperly disclosed their personal data (including their NRIC number, date of birth, and home address) to SLPIPC, and SLPIPC had, in turn, improperly disclosed the data to CEA.
The investigation found that the Complainants had each, individually and separately, signed an agreement with SLPS (Associate’s Agreement) in which they had provided their consent for disclosure of their personal data in specific circumstances.
Consequently, it was determined that the sharing of the Complainants’ personal data by SLPS and the collection and disclosure of the same by SLPIPC as a related organization were consistent with the purposes for which the Complainants had consented under the Associate’s Agreement.
Accordingly, the PDPC found that SLP Scotia and SLP International Property Consultants did not breach the Consent Obligation.
June 9: Aman Group S.a.r.l and/or Amanresort International Pte Ltd
Our next case involves Aman Group S.a.r.l and/or Amanresort International, where the PDPC decided that they are not in breach of the Data Protection Obligation. On December 5, 2020, the PDPC received a notification from SingCERT of a personal data breach involving Aman Group S.a.r.l (Aman Group) and/or Amanresort International Pte Ltd (Aman SG).
Nine (9) of their systems in London and two systems in Singapore were compromised, and files containing personal data were exfiltrated. This affected the personal data of approximately 2,500 individuals, including their name, date of birth, address, email address, phone number, and profession.
However, Aman SG is only a regional office. It did not hold the data protection role and was not in possession or control of the personal data on the 2 Singapore-based servers. The PDPC therefore held that Aman SG could not be held accountable for the Incident and cannot be said to be in breach of the Protection Obligation under the PDPA.
Cases not in breach: What we can get from these cases
What we can take from these cases is the importance of having a clear and concise contract detailing the role and responsibility of an organization that is handling personal data. If the organization and its recipients have a contract that specifies the consent on how the personal data may be handled, the PDPC has no choice but to acknowledge that contract, as in the case of SLP Scotia and SLP International Property Consultants and the subject Associate’s Agreement.
We can also infer from these cases the fact that when an organization is only a branch of another and does not possess or control any personal data, that organization will not be made liable for any breach in the protection obligation. This is important to remember as it can exempt an organization from paying the hefty fines imposed by the PDPC.
June 2022 PDPC Incidents and Undertaking: SingHealth Polyclinics
Completing this month’s published decisions and undertakings is the case of SingHealth Polyclinics, where the PDPC directed SingHealth to undertake all necessary steps to carry out the actions specified by the PDPC.
This occurred because the organization informed PDPC that on April 21, 2021, its courier service provider, Vroom Vroom Office Services (Vroom), had lost a package. The misplaced package, which was scheduled for delivery to a bank, contained GIRO application forms submitted for processing by the organization.
Due to insufficient procedures to confirm package delivery completion with its courier service provider, the organization did not notice the loss immediately. The problem was not detected until three weeks later when the organization contacted the bank to inquire about the status of the GIRO applications.
The loss of the package compromised the personal information of 87 individuals, including their names, phone numbers, NRIC numbers, bank account numbers, and transaction payment limits.
As part of a remediation plan, SHP:
(a) conducted a process review and decided to use courier companies with real-time tracking for deliveries of packages containing confidential information;
(b) collaborated with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the following business day; and
(c) implemented additional processes to reduce the risk of loss of hardcopy documents.
The Commission approved SHP’s commitment to enhance its compliance with the Personal Data Protection Act of 2012 after analyzing the circumstances of the case, including the corrective measures taken by SHP to strengthen its data protection policies. The agreement was inked on August 5, 2021.
The agreement stipulated that SHP must complete the implementation of its remedial plan by undertaking a process assessment and modifying its processes for managing GIRO applications. In addition, SHP would provide its workers with the required training and guarantee that they adhere to its revised policies.
SHP has since informed the Commission that its remediation plan has been fully implemented. The Commission has conducted an investigation and decided that SHP has complied with the provisions of the Undertaking.