On 21 April 2016, Singapore's Personal Data Protection
Commission (PDPC) published its decisions (Click here to find out
more.) of action taken against organisations in breach of
provisions relating to the collection, use and disclosure of
personal data under the Personal Data Protection Act 2012 (the
PDPA). There were nine published decisions involving 11
organisations in total – four organisations were slapped with
fines while the other seven were issued with warnings for failure
to protect the consumers' personal data.
The provisions of the PDPA that were breached mainly related to
the failure to implement adequate data protection measures by the
organisations in question including failure to appoint a data
protection officer, failure to update the software containing
customer information and the use of weak passwords (such as those
comprising only one letter in the alphabet).
The highest fine of S$50,000 was meted out to the operator of a
chain of karaoke outlets for a data security breach involving
unauthorised disclosure of over 317,000 individuals' personal
data. The operator's IT vendor was also found guilty and fined
S$10,000 despite being a third-party service provider (and
therefore a data intermediary). While data intermediaries are
partially exempted from the data protection obligations in the
PDPA, this decision reiterates that data intermediaries are also
responsible for complying with the provisions related to the
protection and retention of personal data (including protecting the
personal data that it was processing on behalf of the operator of
the karaoke outlets).
From these decisions, it can be distilled that the PDPC will
take into account the organisation's initial response to the
breach and the level of co-operation throughout the investigations
when deciding on the appropriate penalty. For example, the operator
of the chain of karaoke outlets was found to be less than
forthcoming in providing information during the investigations and
provided bare facts in their responses – this was found to be
an aggravating factor in deciding the penalty to be meted out.
On the same day that the above decisions were published, the
PDPC also published the advisory guidelines (Click
here for more information.) relating to the enforcement of the
data protection provisions in the PDPA and regulations. The
guidelines, although non-binding, indicate how in practice the PDPC
proposes to handle complaints, reviews and investigations of
breaches of data protection rules, and its approach to enforcement
and sanctions. The guidelines indicate that the PDPC will take into
account the time taken by the organisation alleged to be in breach
to resolve a matter, whether the breach was intentional, repeated
or ongoing, any obstruction or concealment of information, the
failure to comply with previous warnings as well as the nature and
volume of sensitive personal data held by the organisation.
These latest decisions, together with the new guidelines, serve
as a reminder to organisations of the consequences of failing to
comply with the PDPA. In addition, given the scale of the penalties
that may be meted out, they serve to impress on all organisations
the seriousness of the consequences of any breaches of PDPA
Dentons is the world's first polycentric global law firm. A
top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm
is committed to challenging the status quo in delivering consistent
and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the
communities where its clients want to do business, Dentons knows
that understanding local cultures is crucial to successfully
completing a deal, resolving a dispute or solving a business
challenge. Now the world's largest law firm, Dentons'
global team builds agile, tailored solutions to meet the local,
national and global needs of private and public clients of any size
in more than 125 locations serving 50-plus countries.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Budget 2017 is out! In his recent Budget speech, Finance Minister Heng Swee Keat announced numerous initiatives to assist SMEs with adopting digital technologies and accessing intellectual property (IP) rights. Through these initiatives, companies may now obtain the support they need in order to tap on the digital economy and improve productivity.
However, when acquiring and using digital technologies and IP rights, there are various legal and commercial issues that companies have to be aware of. For example, what are the key legal issues to consider when dealing with technology vendors? What are the important contracts and documents that you should have? Should you bargain or negotiate terms with a vendor? Is it safe to agree to everything that a vendor wants?
Join our Dentons Rodyk Intellectual Property & Technology Senior Partners Gilbert Leong, Woon-Chooi YEW and their colleagues, as they address the above topics and help you to navigate the complexities that may lie ahead.
Dentons partner Lisa Oberg will co-chair the Cutting-Edge Issues in Asbestos Litigation Conference, which will be held March 6–7 at the Beverly Wilshire Hotel in Beverly Hills, CA. The conference will address some of the most relevant emerging trends in asbestos litigation.
Please mark your calendar and join us in our New York office on February 15, from 3 to 6:30 p.m. for a global cross-border M&A seminar featuring two separate panel discussions followed by a cocktail reception. The first panel will discuss the prospects for global M&A under a new US administration with perspectives from our colleagues in Latin America as well as US industry experts. The second panel will review the impact of Chinese investments on a global stage featuring both US and China decision makers.
With the increase in usage of technology in businesses, the ease of doing business has undoubtedly gone up, but this also presents certain concerns including the protection of personal information and data.
Section 43A of the Information Technology Act, 2000 addresses the penalties for non-compliance by a recipient of Protected Data under the I.T. Rules.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).