New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 17 April 2023
-
Legal Development 2023年4月18日 2023年4月18日
-
亚太地区
-
数据保护与隐私权
The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings yesterday (17 April 2023).
In total, there were 2 enforcement decisions (Tai Shin Fatt case and OrangeTee case) and 1 voluntary undertaking (Tat Hong Heavyequipment case) published.
In this client update, we summarise the decisions and undertakings and present our key takeaways.
Key takeaways:
There are several key takeaways from these recent decisions and undertaking:
- The Tai Shin Fatt case is the first published enforcement decision on the PDPA’s Section 48B Prohibition involving a ‘dictionary attack’ (see the table below for the definition of a ‘dictionary attack’). This prohibition was introduced as part of the 2020 amendments to the PDPA and came into effect on 1 February 2021.
- In the Tai Shin Fatt case, the Singapore Civil Defence Force (“SCDF”) emergency line had received an influx of marketing calls because of the actions of the individual in question. In issuing its decision, the PDPC noted the importance of keeping the SCDF emergency line open and unobstructed. Nevertheless, it’s interesting to note the PDPC’s statement that the making of automated marketing calls to the SCDF was not itself relevant to the individual’s breach of the Section 48B Prohibition – the issue was with the method used to generate the telephone numbers in question, and the individual’s role in authorising the marketing calls (see the table below for the application of the Section 48B Prohibition to the facts). Hence, in sending unsolicited commercial messages (which if done correctly, would constitute legitimate direct marketing), one must take extra precaution to avoid the indiscriminate manner by which recipient telephone numbers may be generated and targeted by automated means.
- In the OrangeTee case, the PDPC held that it did not consider the names and property transaction amounts as highly sensitive in nature as this information is, to a certain extent, already in the public domain. For instance, a member of the public can look up such information through a land titles search on the Singapore Land Authority website (for names), or a search on the Urban Redevelopment Authority website for caveats lodged (for property transaction amounts). Hence this information is ‘publicly available’, as defined in section 2(1) of the PDPA.
- Parts of the remediation plan in the Tat hong Heavyequipment case were redacted for confidentiality. Where a decision contains personal data or information that is treated as confidential under the PDPA, the PDPC may redact such data and information from the published decision. A person, when providing any information to the PDPC, may identify information that the person claims to be confidential information; such a claim must be supported by a written statement giving reasons why the information is confidential.
Name of Decision / Undertaking |
Summary of Incident |
Type of Potential Breach of the PDPA
|
Complaint / Self-reported |
Number of affected individuals; Types of personal data affected |
Outcome |
||||||||||
Tai Shin Fatt (the “Individual”)
|
Breach of the PDPA’s prohibition on use of dictionary attacks (“Section 48B Prohibition”) A warning was issued to the Individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, resulting in the breach of section 48B of the PDPA.
|
Breach of obligation under Section 48B Prohibition
|
Complaint by a third party |
|
|
||||||||||
OrangeTee & Tie Pte Ltd |
Personal Data breach OrangeTee was the subject of an unauthorised access to its IT network. An organisation identified as “ALTDOS” claimed to have carried out the unauthorised access.
|
Protection Obligation
The PDPC held that OrangeTee had not put in place reasonable security arrangements to protect users’ personal data in its possession or under its control. This was because (i) there was a lack of sufficiently robust processes in the form of a security assessment of the risk from using and storing ‘live’ personal data in a testing environment; and (ii) OrangeTee had not conducted reasonable periodic security reviews for its servers.
|
Self-reported |
256,583 individuals
Personal data affected included:
|
|
||||||||||
Tat Hong Heavyequipment (Pte.) Ltd. |
Personal Data Breach
Tat Hong Heavyequipment suffered a ransomware attack that affected 43 virtual machines, 4 physical servers, 3 employees’ PC and the network attached storage.
The threat actor had likely gained access to the organisation’s network by exploiting an open Microsoft Remote Open Desktop protocol to a User Acceptance Test (UAT) Server.
|
Protection Obligation
|
Self-reported |
3,377 individuals
Personal data affected:
|
|
To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:
结束