Singapore has taken its first action against data protection violations since legislation came into force in 2014. The enforcement decisions, along with newly issued guidance, give insight into the expectations and intentions of the Personal Data Protection Commission (PDPC).
Information about nine Data Protection Enforcement Cases was published on the PDPC website. The PDPC issued warnings and directions to seven organizations and imposed fines on four.
The largest case involved the data of 317,000 individuals who were members of K Box, a karaoke chain. K Box was fined $37,000, and its IT vendor/Data Intermediary was fined $7,500 for the breach.
Singapore law defines a "data intermediary" role, which is essentially a data processor; the intermediary is also responsible for compliance and liable for failure.
Several of the cases involved consent, indicating the PDPC intends to enforce consent as well as protection. One breach of consent was by a travel company that disclosed a passenger list containing the personal data of 37 customers. That was the smallest case, but others involved as few as 214 and 900 persons.
The PDPC stated that enforcement actions were based on a number of considerations, including cooperation with the PDPC's investigation, whether data protection policies were defined and implemented, and whether the organization had a Data Protection Officer, as required.
The newly published Advisory Guidelines on Enforcement of Data Protection Provisions spelled out mitigating and aggravating factors that affect the disposition of cases. Repeat violations, negligence, and obstruction lead to harsher penalties.
The other two fines imposed were for failing to implement proper and adequate protective measures to secure IT systems, resulting in unauthorised disclosure of personal data.