A recent decision of the Personal Data Protection Commission (“PDPC”) demonstrates the importance of implementing internal data protection measures to comply with the Personal Data Protection Act (“the Act”).
The PDPC investigated after local media reported that iCompare.sg (“the Portal”) had data that had been put up on the Dark Web.
The Portal was created and operated by Stylez Pte Ltd (“Stylez”), an online marketing company. In July 2016, Stylez created a testing database (“the Database”) containing data from the Portal, to test a new function for the Portal. The Database, housed on a cloud server leased from a storage service provider (the “Server”), contained records of Stylez customers from 2009 to 2016. Sometime before December 2019, personal data of customers including their name, e-mail address, and phone number was accessed and exfiltrated from the Database.
The PDPC found that Stylez breached its data protection obligations under the Act, and cited three ways the data within the Database was insufficiently protected. Firstly, the Database was stored in a publicly accessible directory in the Server without any access controls; this resulted in the Database being crawled and indexed by search engines. Secondly, the password to the IT administrator’s account was stored in his own e-mail account in clear-text, and there was no limit to the number of unsuccessful login attempts that could be made. Thirdly, the data in the Server was not encrypted for a period of over 2 ½ years; the PDPC stressed that personal data should not be left unsecured for extended periods of time.
The PDPC also found that Stylez breached its accountability obligations under the Act. While Stylez communicated its external data protection policy to external parties, it did not have any internal practices to implement such a policy. The PDPC deemed the policy as “effectively an empty promise” to the customers and prospective customers of Stylez.
Finally, the PDPC found that Stylez breached its retention limitation obligations under the Act. The Act mandates an organisation to cease retaining data that can identify an individual if the purpose of collection no longer exists, and if no business or legal reason for retention exists. The PDPC noted that business analysis does not require retention of data that could identify individuals. If Stylez wished to retain the data, then Stylez could have aggregated or anonymised the data to take it outside the scope of the Act.
In light of the above, Stylez was subjected to a S$37,500 financial penalty on 04 August 2021, and a direction was given to it to implement internal data protection measures to conform to its obligations under the Act.
