SEPTEMBER 2016

This newsletter is intended to provide general information and may not be reproduced or transmitted in any form or by any means without the prior written approval of Drew & Napier LLC. It is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. Specific advice should be sought about your specific circumstances. Drew & Napier has made all reasonable efforts to ensure the information is accurate as of 27 September 2016.

WELCOME MESSAGE

The Drew & Napier Telecommunications, Media and Technology Practice Group is pleased to present the latest issue of our Data Protection Quarterly Update. In this Quarterly Update, we will highlight the need-to-know data protection law developments in Singapore, and in key jurisdictions around the world. In this issue, we summarise several new guides published by the Personal Data Protection Commission (PDPC) and look at the reasons behind the PDPC taking action against six entities and an individual for breaching Data Protection obligations. In addition, several jurisdictions have made noteworthy developments in the area of data protection that provide guidance for regulators and businesses in managing data protection obligations. We hope that this new publication will be useful to you, as you navigate the increasingly complex regulatory landscape in data protection law. We welcome your feedback and questions on any of the data protection news and articles featured in this Quarterly Update, as well as any suggestions you may have on topics to be covered in the future. For more details on the Drew & Napier Telecommunications, Media and Technology Practice Group, please visit: http://www.drewnapier.com/Our-Expertise/Telecommunications,-Media-Technology.

In this issue

– Welcome Message
– In The News: Singapore; Vietnam; Hong Kong; China; European Union
– Annex: Case Summaries

IN THE NEWS: SINGAPORE

PDPC takes action against six entities and an individual for breaching data protection obligations

Between June and September 2016, the PDPC announced that it had taken enforcement action against six organisations and an individual for breaching their data protection obligations under the Personal Data Protection Act (PDPA). They are as follows:

(a) AIA Singapore Pte. Ltd. (AIA) (22 June 2016);
(b) Toh-Shi Printing Singapore Pte. Ltd. (Toh-Shi) (21 July 2016 and 21 September 2016);
(c) Spear Security Force Pte. Ltd. (Spear Security Force) (25 July 2016);
(d) Chua Yong Boon Justin (CYBJ) (12 August 2016);
(e) Fu Kwee Kitchen Catering Services (Fu Kwee) and Pixart Pte. Ltd. (Pixart) (21 September 2016); and
(f) ABR Holdings Limited (ABR Holdings) (23 September 2016).

Six organisations, namely AIA, Toh-Shi, Spear Security Force, Fu Kwee, Pixart and ABR Holdings, were found to be in breach of their data protection obligations under the PDPA.

Spear Security Force

In the case of Spear Security Force, the PDPC received a complaint from a resident (Resident) of a condominium (Condominium) about lapses by Spear Security Force's employees in safeguarding the visitor log book. Spear Security Force had been appointed by the Management Corporation Strata Title of the Condominium to provide security services. The Resident had observed that the security guards under Spear Security Force's supervision left the visitor log book open and unattended on a table near the guard post at the entrance of the Condominium. After concluding its investigation, the PDPC issued Spear Security Force a warning. The PDPC took the following factors into account in making its determination:

(a) There was no evidence that visitors' personal data had actually been exposed to unauthorised third parties as a result of the lapses.

(b) Spear Security Force had taken reasonably adequate steps to remedy the lapses during the course of the investigation. In particular, the PDPC noted that Spear Security Force had taken the following remedial actions after the complaint:

(i) Spear Security Force briefed its security guards on the PDPA and put in place protective measures such as keeping the log book in the guard post at all times and performing visitor registration there.

(ii) Spear Security Force instructed its security guards not to disclose visitor details to any third party other than the Managing Agent and the Operations Manager of the Condominium.

(iii) Security guards were required to surrender the log book before going on breaks; the log book had to be handed over between security supervisors at shift changeovers; and the log book had to be kept within sight of the security camera.

(iv) Security supervisors on duty were required to remind the security guards, before every shift, of the confidentiality of the visitors' personal data in the log book.

(v) Action could be taken against security guards for non-compliance with Spear Security Force's instructions, ranging from progressive warnings to dismissal.

Toh-Shi

In the Toh-Shi case, by contrast, a financial penalty of S$5,000 was imposed on Toh-Shi. The facts are as follows. On 11 June 2015, the Central Depository Pte Limited (CDP) reported to the PDPC a data breach involving its customers' personal data: six CDP account holders had received CDP account statements for May 2015 containing other account holders' information. Toh-Shi is the external vendor engaged by CDP to print CDP account statements on CDP's behalf. Under its contract with CDP, Toh-Shi was required to protect the confidentiality of CDP account holders' personal data and to put in place certain measures to protect such data.

Singapore Exchange Limited (SGX) conducted its own internal investigation and found that the breach was caused by a misalignment of pages during the sorting process, which led to errors in the compilation of multi-page CDP statements: the first page of one account holder's statement was compiled with the second and subsequent pages of another account holder's statement. Toh-Shi's Print System Operator (PSO) initially spotted and marked out the erroneous pages and informed the Fan Fold Operator (FFO) of the markings. The FFO was supposed to discard the erroneous statements but instead despatched them for postage, and they were mailed to the account holders. Based on SGX's investigation, 92 of the 195 affected CDP account holders received a second page belonging to another account holder containing one or more of the following: (a) name, address and account number; (b) securities holdings; (c) transaction summary; and/or (d) payment summary. The remaining 103 affected account holders received a second page containing another account holder's account information and general CDP information, with no details of securities holdings, transactions or payments.

As Toh-Shi was responsible for managing the entire process of merging account statement data with the correct statement template and printing the final statement, Toh-Shi was found to be carrying out "processing" of personal data on behalf of CDP, and was accordingly a data intermediary of CDP as defined in the PDPA. Pursuant to sections 4(2) and 4(3) of the PDPA, both CDP and Toh-Shi were obliged under section 24 to ensure that reasonable security arrangements were in place to protect the personal data of CDP's account holders. Based on the PDPC's investigation, CDP had complied with its obligations under section 24. In particular, CDP had in place an agreement obliging Toh-Shi to take the necessary actions and precautionary measures to protect the CDP account holders' personal data during the printing process, and it had processes for the secure transfer of personal data between CDP and Toh-Shi. The PDPC therefore did not find CDP in breach of section 24.

However, the PDPC noted that the breach was caused by error(s) made by Toh-Shi's staff during the printing process, which in turn resulted from inadequate operational processes for ensuring that letters and personal data were sent to the correct recipient. The human error in this case (specifically, the PSO having to manually check and mark out the CDP statements) could have been avoided by putting in place processes or technology solutions that minimise human error. Following the incident, Toh-Shi improved the security of its system by implementing:

(a) additional layers of checks by a Supervisor, a Quality Controller and the Manager;
(b) a barcode system; and
(c) a technology solution to automate the reconciliation of the printed statements, to prevent a repeat of the incident.
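The two controls Toh-Shi is described as adding, a barcode on each sheet and automated reconciliation of the printed output, are what the example below illustrates. It is an added example written for this page, not Toh-Shi's, CDP's or SGX's system: the barcode layout (account number, page number and page count on every sheet), the envelope-splitting rule and the sample print run are all constructed assumptions. It reproduces the CDP fault (page 1 of one account holder followed by page 2 of another) and shows how a machine check holds those envelopes back without relying on an operator remembering which sheets were marked.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sheet:
    """One printed sheet, as read back from its barcode by the inserter.
    The barcode layout (account number, page number, pages in statement)
    is an assumption for this example."""
    account: str
    page: int
    total_pages: int


# Constructed print run. Sheets 3 to 6 reproduce the fault in the CDP case:
# page 1 of one account holder's statement is followed by page 2 of another's,
# so two envelopes would each carry a stranger's second page.
PRINT_RUN = [
    Sheet("ACC-1001", 1, 2), Sheet("ACC-1001", 2, 2),
    Sheet("ACC-1002", 1, 2), Sheet("ACC-1003", 2, 2),
    Sheet("ACC-1003", 1, 2), Sheet("ACC-1002", 2, 2),
    Sheet("ACC-1004", 1, 1),
]


def group_envelopes(run):
    """Split the stream where an inserter would: every page 1 starts a new envelope."""
    envelopes, current = [], []
    for sheet in run:
        if sheet.page == 1 and current:
            envelopes.append(current)
            current = []
        current.append(sheet)
    if current:
        envelopes.append(current)
    return envelopes


def check_envelope(sheets):
    """Problems with one envelope; an empty list means it may be released for postage."""
    problems = []
    accounts = sorted({s.account for s in sheets})
    if len(accounts) > 1:
        problems.append("mixed accounts: " + ", ".join(accounts))
    expected = list(range(1, sheets[0].total_pages + 1))
    pages = [s.page for s in sheets]
    if pages != expected:
        problems.append(f"page sequence {pages}, expected {expected}")
    return problems


def reconcile(run):
    """Envelope index -> problems, for every envelope that must be held back.
    This replaces the manual 'spot and mark' step: nothing leaves the line on
    the strength of an operator's memory of which sheets were flagged."""
    held = {}
    for index, envelope in enumerate(group_envelopes(run)):
        problems = check_envelope(envelope)
        if problems:
            held[index] = problems
    return held


def run_level_audit(run):
    """Independent of how sheets were grouped: every page 1..n of every account
    must appear exactly once. Returns (missing, duplicated) page keys, which
    separates a sorting fault (nothing missing, wrongly grouped) from a print
    fault (pages lost or printed twice)."""
    expected = {(s.account, p) for s in run for p in range(1, s.total_pages + 1)}
    seen = Counter((s.account, s.page) for s in run)
    missing = expected - set(seen)
    duplicated = {key for key, count in seen.items() if count > 1}
    return missing, duplicated
```

On the constructed run, `reconcile` holds back envelopes 1 and 2 (each flagged "mixed accounts") and releases the rest, while `run_level_audit` reports nothing missing or duplicated, which is exactly the signature of the CDP incident: every page was printed, the pages were simply collated against the wrong first page. The point of checking at the envelope, after sorting, is that it catches the error at the last step before postage, whereas the PSO's mark-up happened earlier and depended on a second person acting on it.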

In the PDPC's view, had a better system of checks been in place, the data breach incident could have been prevented. Given the above, the PDPC directed that a financial penalty of $5,000 be imposed on Toh-Shi.

Aviva Ltd and Toh-Shi

In a similar turn of events, on 9 March 2016, Aviva Ltd (Aviva) reported to the PDPC a data breach involving the disclosure of personal data belonging to Aviva policyholders under the Aviva Public Officers Group Insurance Scheme (POGIS). The two respondents in this matter were Aviva and Toh-Shi. Toh-Shi provides mail-out and data printing services for Aviva in respect of its annual premium statements. As a result of an error in the sorting process, Toh-Shi sent erroneous annual premium statements (Erroneous Statements) to over 7,000 of Aviva's POGIS policyholders (Affected POGIS Policyholders). The error arose primarily because the raw data contained an incomplete selection of the policyholders' account information when Toh-Shi sorted the data further. The Erroneous Statements contained the following information about another POGIS policyholder:

(a) the name(s) of the other policyholder's dependant(s);
(b) the sum assured under the other policyholder's policy;
(c) the premium amount under the other policyholder's policy; and
(d) the type of coverage under the other policyholder's policy.

In reaching its decision, the PDPC considered the following issues:

(a) first, the obligations that Aviva and Toh-Shi owed under the PDPA in respect of the personal data of the Affected POGIS Policyholders;
(b) second, whether Aviva complied with its obligation under section 24 of the PDPA in respect of the data breach incident; and
(c) last, whether Toh-Shi complied with its obligation under section 24 of the PDPA in respect of the data breach incident.

In respect of (a), the PDPC held that Toh-Shi acted as a data intermediary of Aviva, as it had effectively engaged in the "processing" of personal data on Aviva's behalf within the definition in section 2(1) of the PDPA. As such, both Aviva and Toh-Shi were under an obligation to make reasonable security arrangements to protect the personal data of the Aviva policyholders. On whether Aviva had complied with its obligation under section 24 of the PDPA, the PDPC held that Aviva had made reasonable security arrangements to protect the personal data in its possession or under its control, and had thus discharged its Protection Obligation under section 24. Specifically, Aviva had stipulated in the Toh-Shi Service Agreement that Toh-Shi had to put in place adequate measures to safeguard the confidentiality of the Aviva policyholders. Apart from that, Aviva had conducted a sufficient level of due diligence to assure itself that Toh-Shi was capable of complying with the PDPA, and had itself played no direct part in the data breach.

Lastly, the PDPC took the view that Toh-Shi did not undertake reasonable security measures to protect the personal data it processed on behalf of Aviva, and thus failed to discharge its Protection Obligation under section 24 of the PDPA. According to the PDPC, the error in the further sorting process could have been avoided if:

(a) Toh-Shi had provided samples to Aviva for further verification after sorting; and
(b) Toh-Shi had conducted quality control sample checks on the further sorted data against the original source data from Aviva.

In imposing a financial penalty of $25,000 on Toh-Shi, the PDPC took into account the following considerations:

(a) A significant number of individuals were affected by the data breach.
(b) The personal data disclosed was of a sensitive nature, and included the names of policyholders' beneficiaries and the extent of coverage of the policy.
(c) Toh-Shi had recently committed a similar breach of section 24 of the PDPA.
(d) The data breach could have been avoided had Toh-Shi followed its established Standard Operating Procedure.
(e) Prompt notice of the data breach incident was given to the PDPC.
(f) Toh-Shi assisted with investigations and took prompt corrective action.

AIA

In the next enforcement decision, AIA was found to be in breach of section 18 of the PDPA. The complainant holds an insurance policy with AIA. When signing up for the policy, the complainant provided personal data in his application form, including his name, address, NRIC number, contact details, occupation and various other personal particulars (Personal Particulars). In the declaration portion of the form, the complainant agreed to AIA, among other things:

(a) releasing to any medical source or insurance office any relevant information concerning the complainant at any time; and
(b) using and/or disclosing any information to independent third parties with regard to any matters pertaining to the application/policy.

Thereafter, the complainant made a claim under the policy. He had to complete an Accident & Hospitalisation Claim Form (A&H Form) for submission to AIA. In the A&H Form, the complainant had to provide, among other things, his policy details, his personal particulars and his bank account information "for direct crediting of claims". For the bank account information, the complainant provided the name of the bank, the bank branch, the bank account number and the account holder's name (Bank Account Details). In the authorisation and declaration portion of the A&H Form, the complainant agreed, among other things, to AIA disclosing his personal data for the purposes described in the "AIA Personal Data Policy". The AIA Personal Data Policy (Policy) sets out the following consent provisions:

(a) The persons who may be provided with the insured's personal data were "medical sources and insurance organisations".
(b) The types of personal data that may be collected, used or disclosed included the insured's NRIC or passport number, contact details, addresses, date of birth, occupation, photographs, marital status and "financial information such as income, bank account numbers, CPF statements, bank statements".
(c) The purposes for which personal data may be collected, used or disclosed were to "assess, process, administer, implement and effect the requests or transactions" or "assessing, processing, settling, authenticating and investigating claims".

Pursuant to the complainant's claim, AIA communicated with the complainant's chiropractor, Chiropractic First CFG (TP) Pte Ltd (CFG), to obtain further medical information about the complainant. In that communication, AIA disclosed pages 1 and 3 of the A&H Form to CFG, which revealed, among other things, the complainant's Bank Account Details.

The PDPC decided to issue a warning to AIA after taking into account the following considerations:

(a) The disclosure was limited to a single third party, CFG, and the personal data disclosed without authorisation, although of a sensitive financial nature, was limited to a single data set, i.e. the Bank Account Details.
(b) The disclosure was made in circumstances in which CFG knew that the personal data disclosed was to be treated confidentially.
(c) There was no evidence of actual loss or damage suffered by the complainant as a result of the disclosure.
(d) AIA undertook an immediate review of its processes for disclosing personal data to third parties following the incident.

CYBJ

We turn now to the next recent enforcement decision by the PDPC. The complainant, his wife and Ms C were tenants of a landed property. For the purposes of entering into the tenancy with the landlord, the complainant and his wife had previously provided their names and NRIC numbers (amongst other personal data) to the landlord's property agent, CYBJ. CYBJ was registered as a salesperson with Global Property Strategic Alliance Pte Ltd (GPS), and his engagement as a salesperson with GPS was governed by a "Salesperson Agreement". A dispute arose between Ms C and the complainant and his wife over the use of common space within the rented premises, and an argument apparently ensued between the parties. CYBJ was not present during the argument. However, Ms C informed him of it and asked CYBJ to provide her with the names and NRIC numbers of the complainant and his wife so as to hold the complainant "responsible" in the event that he publicised photographs apparently taken in the course of the argument. CYBJ took this to mean that Ms C was prepared to lodge a police report over the matter, and provided Ms C with their full names and NRIC numbers.

In response to the PDPC's queries, CYBJ referred to sections 2 and 4(1) of the PDPA and took the view that he had acted in a "personal or domestic capacity", since his actions were unrelated to real estate matters. He also took the view that his "intervention" was justified in the circumstances. In deciding to impose a financial penalty, the PDPC took into account the following factors:

(a) Registered salespersons are likely to receive or obtain a considerable amount of personal data about various individuals in the course of their work, and it is imperative that they ensure the personal data is sufficiently well protected.
(b) The personal data of two persons was disclosed to a third party without consent or authority.
(c) Given the circumstances in which the personal data was disclosed, and despite knowing or potentially being aware of the implications and repercussions of the disclosure, CYBJ still proceeded to disclose the personal data without obtaining consent.

In deciding that the penalty should be set at the lower end of the spectrum, the PDPC took into account the following considerations:

(a) The disclosure was made to a single individual and appears to have been a one-off instance.
(b) There was no proof of impact on the complainant's employment or of a risk of damage or loss in relation to the personal data disclosed.

Comfort Transportation Pte Ltd and CitiCab Pte Ltd

In the next enforcement decision, Comfort Transportation Pte Ltd and CitiCab Pte Ltd were found not to be in breach of their obligations under the PDPA. In August 2014, the PDPC received two complaints against the respondents for divulging the complainants' personal mobile phone numbers to customers who had made taxi bookings via the respondents' mobile application. The complainants alleged that their mobile numbers constituted personal data protected under the PDPA and that disclosure of such data without consent was a breach of the PDPA. Specifically, the mobile phone numbers disclosed had been retrieved from the Hirer Application Form and/or New Relief Application Form (Application Forms), which are typically submitted by new drivers for the hire of a taxi. Notably, at the time of collection the mobile application was not yet in operation, so consent to this use could not have been given then. However, the respondents had twice, in 2013 and 2014, issued joint circulars informing their taxi drivers of the practice of releasing drivers' mobile phone numbers. Moreover, whenever a bid for a booking was successful, the driver's in-vehicle mobile data terminal (MDT) would flash a notice stating that the driver's personal mobile number would be released to the passenger for "ease of communication".

Upon concluding its investigation, the PDPC found that the respondents had not contravened the PDPA and decided not to take further action on the complaints. The PDPC observed that the nature of the relationship between the complainants and the respondents is key to determining whether the mobile phone numbers are afforded protection under the PDPA. In this case, the taxi drivers were independent hirers and not employees of the respondents, for the following reasons:

(a) The business of a taxi driver is recognised not as employment but as a business under section 2(1) of the Business Registration Act (Cap. 32).
(b) The Taxi Hiring Agreement and the terms and conditions issued by the respondents refer to the taxi drivers as "hirers".
(c) The taxi fare was not collected on behalf of or paid to the respondents, but was paid to and kept by the complainants in toto.

Against this backdrop, the PDPC concluded that the taxi service provided by the taxi drivers constituted a "business" under section 2(1) of the PDPA. The PDPC further concluded that the mobile phone numbers were, at the material time, divulged and used as business telephone numbers and thus constituted business contact information of the taxi drivers. Accordingly, mobile phone numbers used for or related to the business can constitute "business contact information" and were not subject to Parts III to IV of the PDPA. In support of this, the PDPC gave the following reasons and considerations:

(a) The complainants' mobile phone numbers were collected via the Application Forms submitted when they applied to hire a taxi, indicating that the relationship between the complainants and the respondents was of a commercial nature.
(b) Since September 2013, the mobile phone numbers had been used for the purpose of the complainants' business as taxi drivers, as an avenue for passengers to contact them for advance bookings. The complainants were specifically informed of this through the joint circulars, and drivers also received a prompt on the MDT that their mobile numbers would be released to passengers. None of the complainants objected to this practice.
(c) From July 2014, the practice of disclosing the complainants' mobile phone numbers to passengers for advance bookings was extended to current bookings. This was a reasonable extension of the means of direct communication between taxi driver and passenger.
(d) The availability of a direct means of communication between a driver and a passenger with a booking is to be expected, given the nature of the commercial relationship between the complainants and the respondents.

In the PDPC's view, it was clear that the mobile phone numbers were in the nature of business contact information and thus not subject to Parts III to IV of the PDPA. The PDPC therefore found no contravention of the PDPA and decided to take no further action on the complaints.

ABR Holdings

On 18 March 2014, the PDPC received a complaint against the respondent, ABR Holdings. ABR Holdings operates the Swensen's chain of restaurants and runs The Swensen's Kids' Club, a membership programme for children between the ages of 4 and 12 (the Programme). Each member is assigned an 8-digit membership number. The Programme is supported by the Swensen's Kids' Club website (the Website), on which the account associated with a membership can be accessed by entering the 8-digit membership number. The Complainant alleged that a Swensen's Kids' Club member's name and date of birth could be accessed by entering a random 8-digit number as a simulated membership number, or a simulated unique identification number (UIN) (e.g. an NRIC/BC number with a valid check digit), to access the membership account. At the time of the complaint, the provisions of the PDPA relating to the protection of personal data were not yet in force. Subsequently, on 15 July 2014, the complainant submitted a further complaint of the same nature.

Upon investigation, the PDPC confirmed that a member account could be accessed by entering a random number sequence simulating a valid membership number, or by entering a valid UIN in the form of a birth certificate number. No password or authentication of any other form was required to gain access. Access to a member account revealed the following details about the member:

(a) name;
(b) date of birth (DOB);
(c) redemption status of Kids' Club Sundaes and "stamps";
(d) number of "stamps" accumulated; and
(e) membership expiry date.

On 5 August 2014, the PDPC notified ABR Holdings of the further complaint. On the same day, ABR Holdings removed the display of the member's name and DOB from the Website, so that when an account is accessed the only details available are the redemption status, the number of stamps accumulated and the membership expiry date. According to the PDPC, the issue was whether ABR Holdings had breached section 24 of the PDPA during the period between 15 July 2014 and 5 August 2014, when the personal data of members of the Swensen's Kids' Club could be obtained by entering on the Website a random number sequence simulating a valid membership number, or a valid UIN in the form of a birth certificate number.

In assessing whether ABR Holdings had complied with section 24 of the PDPA, which requires an organisation to protect personal data by taking reasonable steps, the PDPC had regard to the following factors:

(a) The personal data that could be accessed from the Website included the name and date of birth of members of the Swensen's Kids' Club. Such data constitutes "personal data" under the PDPA.
(b) ABR Holdings had control over the personal data accessible on the Website.
(c) ABR Holdings' use of membership numbers and UINs did not constitute a sufficient security arrangement for the personal data in its possession or under its control, because:
(i) the membership numbers under The Swensen's Kids' Club were issued sequentially, allowing another member's membership number to be easily deduced;
(ii) UINs could be easily generated using tools available online; and
(iii) unauthorised access to a member's personal data could be obtained as soon as a generated UIN or membership number coincided with an assigned membership.

In this regard, the PDPC found that ABR Holdings had not made reasonable security arrangements to protect the personal data in its possession or under its control and was thus in breach of section 24 of the PDPA. In deciding to impose a warning instead of a direction to take remedial action or to pay a financial penalty, the PDPC took into account the following factors:

(a) ABR Holdings had been given early notice of the potential infringement and had ample time to correct it.
(b) The infringement took place within the first month after the PDPA took effect.
(c) The personal data disclosed did not extend beyond the member's name and date of birth.
(d) ABR Holdings was quick to remedy the breach when notified by the PDPC a second time on 5 August 2014.

Fu Kwee and Pixart

In this case, the PDPC imposed financial penalties of $3,000 and $1,000 on Fu Kwee and its data intermediary, Pixart, respectively, for failing to take adequate protective measures to prevent unauthorised access to its customers’ personal data under the PDPA. The facts of the case are as stated below.

Fu Kwee runs a food and beverage catering service in Singapore. On 30 September 2014, the PDPC received a complaint against Fu Kwee in respect of an alleged data breach involving its customers’ personal data. In summary, a customer of Fu Kwee stated that she could gain access to another customer’s order details and personal data by tweaking the numbers in the URL of Fu Kwee’s order preview webpage. This personal data included the customer’s name, postal address and personal contact number. In this regard, Fu Kwee instructed Pixart, its IT vendor, to address this issue. Pixart employed a “one-time URL” solution, which allows a customer to view his or her own order, after which the URL automatically lapses after 20 minutes.

The following issues were considered by the PDPC:

(a) The first issue was whether Fu Kwee had breached the obligation under section 24 of the PDPA (the Protection Obligation).

(b) The second issue was whether Fu Kwee had breached the obligation under sections 11 and 12 of the PDPA (the Openness Obligation), specifically sections 11(3) and 12(a), for failure to appoint a Data Protection Officer (DPO) and put in place privacy policies and practices, in contravention of those sections of the PDPA.

(c) The third issue was whether Pixart was a data intermediary of Fu Kwee.

(d) The final issue was whether Pixart had breached the Protection Obligation.

In respect of issue (a), the PDPC held that Fu Kwee failed to make reasonable security arrangements to protect customers’ personal data and was in breach of section 24, for the following reasons:

(i) Fu Kwee’s website did not require password access, which could have helped to protect its customers’ personal data.

(ii) The order preview URLs were predictable to the extent that any customer could easily alter the URL in order to access the order details and personal data of other customers.

(iii) Fu Kwee failed to instruct Pixart to put in place security measures to protect its customers’ personal data even after the data protection obligations in the PDPA came into effect.

(iv) There were no access controls to Fu Kwee’s database of customers’ personal data, leaving it vulnerable to unauthorised access.
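The two designs the decision contrasts, worked through as an added example written for this summary (it is not Fu Kwee’s or Pixart’s actual code): an order-preview lookup keyed only by a sequential order number, beside a one-time preview link that is bound to the order’s owner, cannot be guessed by altering digits, lapses after 20 minutes and records every refusal in an audit log. The `ORDERS` sample data, the `/orders/preview` path and the `PreviewLinkService` class are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

PREVIEW_LINK_TTL_SECONDS = 20 * 60  # the decision describes links lapsing after 20 minutes

# Constructed sample data (not from the decision): orders held by a hypothetical catering site.
ORDERS = {
    1001: {"customer_id": "cust-a", "name": "Customer A", "address": "1 Example Road", "phone": "+65 0000 0001"},
    1002: {"customer_id": "cust-b", "name": "Customer B", "address": "2 Example Avenue", "phone": "+65 0000 0002"},
}


def preview_order_insecure(order_id: int):
    """The pattern the PDPC faulted: the record is keyed only by a sequential order number,
    and nothing ties the request to the order's owner, so a changed number returns another
    customer's name, address and contact number."""
    return ORDERS.get(order_id)


@dataclass
class PreviewLink:
    order_id: int
    customer_id: str
    issued_at: float
    used: bool = False


class PreviewLinkService:
    """Assumed shape of a hardened one-time URL: a high-entropy token bound to one order and
    its owner, usable once and only until the TTL passes; refusals go to an audit log."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}     # token -> PreviewLink
        self.audit_log = []  # (event, detail) tuples

    def issue(self, order_id: int, requesting_customer_id: str) -> str:
        """Ownership is checked when the link is issued: only the order's owner gets one."""
        order = ORDERS.get(order_id)
        if order is None or order["customer_id"] != requesting_customer_id:
            self.audit_log.append(("issue_denied", f"order={order_id} by={requesting_customer_id}"))
            raise PermissionError("not the owner of this order")
        token = secrets.token_urlsafe(32)  # 256 random bits: there is no neighbouring value to try
        self._links[token] = PreviewLink(order_id, requesting_customer_id, self._clock())
        return f"/orders/preview?token={token}"

    def redeem(self, token: str):
        """Return the order for a known, unused, unexpired token; otherwise None."""
        link = self._links.get(token)
        if link is None:
            self.audit_log.append(("redeem_denied", "unknown token"))
            return None
        if link.used:
            self.audit_log.append(("redeem_denied", f"reused token, order={link.order_id}"))
            return None
        if self._clock() - link.issued_at > PREVIEW_LINK_TTL_SECONDS:
            self.audit_log.append(("redeem_denied", f"expired token, order={link.order_id}"))
            return None
        link.used = True
        self.audit_log.append(("redeem_ok", f"order={link.order_id}"))
        return ORDERS[link.order_id]


def token_from_url(url: str) -> str:
    """Pull the token query parameter out of an issued preview URL."""
    return parse_qs(urlparse(url).query)["token"][0]


class FakeClock:
    """Adjustable clock so the 20-minute expiry can be exercised deterministically."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Run both designs against the sample orders and collect the outcomes."""
    clock = FakeClock(1_000_000.0)
    svc = PreviewLinkService(clock=clock)
    token = token_from_url(svc.issue(1001, "cust-a"))
    outcome = {
        "insecure_neighbour_lookup": preview_order_insecure(1002)["customer_id"],  # leaks cust-b
        "first_redeem": svc.redeem(token)["customer_id"],                          # cust-a
        "second_redeem": svc.redeem(token),                                        # None: one-time
        "numeric_guess": svc.redeem("1002"),                                       # None: not a token
    }
    late_token = token_from_url(svc.issue(1001, "cust-a"))
    clock.now += PREVIEW_LINK_TTL_SECONDS + 1
    outcome["expired_redeem"] = svc.redeem(late_token)                             # None: lapsed
    try:
        svc.issue(1002, "cust-a")
        outcome["cross_customer_issue"] = "allowed"
    except PermissionError:
        outcome["cross_customer_issue"] = "denied"
    outcome["denials_logged"] = sum(1 for event, _ in svc.audit_log if event.endswith("_denied"))
    return outcome
```

The ownership check at issue time is the access control the decision found missing, the random token addresses the predictable URL, and the expiry and single-use flag give the "one-time URL" behaviour described; the audit log entries are what a later security audit of the site would look for.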

In respect of the second issue, on whether Fu Kwee had breached its obligations under sections 11 and 12 of the PDPA, the PDPC found that since Fu Kwee had not implemented any personal data protection policies for the collection, use or disclosure of personal data, nor appointed a DPO, it had breached the Openness Obligation.

With regard to the third issue, the PDPC held that Pixart was acting as a data intermediary of Fu Kwee, as it had processed personal data of Fu Kwee’s customers in relation to the hosting, support and maintenance of the online ordering system and Fu Kwee’s corporate website, and had done so on behalf of Fu Kwee.

Finally, in respect of the last issue, the PDPC noted that Pixart did not put in place reasonable measures to protect the personal data that it was processing for and on behalf of Fu Kwee, and thus had not discharged its Protection Obligation under the PDPA.

In light of this, the PDPC issued the following directions under section 29 of the PDPA:

In respect of Fu Kwee:

(a) Fu Kwee was ordered to pay a financial penalty of $3,000.

(b) Fu Kwee was ordered to train all its employees handling personal data on the obligations under the PDPA by sending them to a training course.

(c) Fu Kwee was ordered to conduct a security audit of its catering website, and furnish the PDPC with a corresponding report.

(d) Fu Kwee was ordered to take steps to appoint a DPO and to develop and implement policies and practices that are necessary for Fu Kwee to comply fully with its obligations under the PDPA, and to provide the PDPC with a compliance status update within 30 days from the date of the PDPC’s direction.

In respect of Pixart:

Pixart was ordered to pay a financial penalty of S$1,000.

Please refer to the annex for summaries of each enforcement decision.

PDPC issues Guide to Building Websites for Small and Medium Enterprises (SMEs)

On 20 July 2016, the PDPC issued its Guide to Building Websites for SMEs (Building Websites Guide). The Building Websites Guide aims to help SMEs understand the common protection measures they are required to undertake when setting up websites that collect or store personal data, and the considerations to be taken when outsourcing such work to information technology (IT) vendors.

The Building Websites Guide states that when setting up a website, organisations ought to take into account certain key considerations including:

(a) features and functions of the website;
(b) types of personal data that will be collected;
(c) the extent of security required;
(d) where the website will be hosted;
(e) whether the development of the website will be outsourced; and
(f) maintenance and the resiliency of the website.

Organisations are required to ensure that the protection of the personal data and security of the website are key considerations at each stage of the website’s life cycle.

The Building Websites Guide also provides some guidance on the following issues:

(a) outsourcing:
(i) negotiating the IT vendor’s responsibilities; and
(ii) confidentiality;

(b) security policies and processes:
(i) risk management;
(ii) security configuration management;
(iii) security testing;
(iv) personal data inventory; and
(v) incident management;

(c) security design:
(i) access control;
(ii) audit log;
(iii) server and network security; and
(iv) website programming;

(d) PDPA obligations.

The Building Websites Guide also encourages organisations and IT vendors to refer to other resources (e.g. Advisory Guidelines on Key Concepts in the PDPA and Advisory Guidelines on the PDPA for Selected Topics), which are listed in the Building Websites Guide.

PDPC issues Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data

On 20 July 2016, the PDPC issued its Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data (Data Protection Clauses Guide). As an organisation may engage another organisation to provide services relating to the processing of personal data, the Data Protection Clauses Guide provides sample data protection clauses that customers may include in the written agreements setting out the services provided by the contractors and the parties’ obligations.

The Data Protection Clauses Guide states that the customer organisation will be liable for any act or omission of the contractor in the course of processing personal data on behalf of the customer, where such act or omission amounts to a breach of the PDPA. Therefore, customers should ensure that their written agreements with the contractors impose sufficient obligations on the latter in order to ensure the customer’s own compliance with the PDPA.

The sample clauses and their corresponding explanatory notes provided by the Data Protection Clauses Guide include the following:

(a) definitions; and

(b) handling and protection of personal data:
(i) compliance with the PDPA;
(ii) process, use and disclosure;
(iii) transfer of personal data outside Singapore;
(iv) security measures;
(v) access to personal data;
(vi) accuracy and correction of personal data;
(vii) retention of personal data;
(viii) notification of breach; and
(ix) indemnity.

However, the sample clauses provided by the PDPC are for illustrative purposes only, and organisations should seek professional legal advice if they are uncertain of their legal position or obligations under the law, or require assistance with the drafting of any written agreements (including the use of the sample clauses). In this regard, it should not be assumed that using the sample clauses would mean compliance with the PDPA or other law.

PDPC issues Guide to Disposal of Personal Data on Physical Medium

On 20 July 2016, the PDPC issued its Guide to Disposal of Personal Data on Physical Medium (Physical Medium Disposal Guide). The Physical Medium Disposal Guide is directed at persons responsible for data protection within an organisation, in particular persons handling and disposing of personal data stored or captured on a physical medium. With a focus on personal data stored on paper, and shredding being used as a disposal method, the Physical Medium Disposal Guide seeks to provide:

(a) Information on common topics related to disposal of personal data.

(b) Good practices that organisations should undertake in disposal of personal data.

(c) Examples of common mistakes that organisations and individuals may make in relation to the destruction of personal data.

(d) Information on considerations for outsourcing disposal to third parties.

Physical Disposal Measures

In respect of Physical Disposal Measures, the Physical Medium Disposal Guide provides information relating to the importance of disposal, that is, the overall process of transforming or destroying information in a way that renders it unreadable (for paper records) or irretrievable (for electronic records). It also identifies the potential data breaches that could arise as a result of incomplete disposal, such as:

(a) Deleted electronic files or improperly shredded paper may be restored (in full or partially).

(b) Uncontrolled disposal of paper without destruction may lead to recovery of documents through ‘dumpster diving’.

The Physical Medium Disposal Guide also states that for personal data stored on physical documents and in paper form, the PDPC’s Advisory Guidelines on the Key Concepts in the PDPA advise organisations to ensure proper disposal of documents that are no longer needed, through shredding or other appropriate means. Such measures include incineration, shredding and pulping.

As paper shredding is commonly used by organisations, the Physical Medium Disposal Guide provides guidance as to the different shredder specifications required depending on the category of information stored on the document. Paper shredders are typically categorised by levels, indicating the suitability of the shredder for certain types of information. Higher levels indicate more thorough damage to the paper, expressed in the shape and size of the resulting pieces. For example, reference is made to the DIN 66399 standard, which defines 7 levels of security for different types of media. It is recommended that for personal data on paper, a P-3 cross-cut shredder, which shreds paper into particles of a maximum size of 320 mm², should be used.

Shredding issues and practices

As a complete data set is often considered more important, extra care will be taken during its disposal. The Physical Medium Disposal Guide states that personal data is often neglected where:

(a) It is only part of the whole data set.
(b) There are mistakes in the fields.
(c) It contains printing errors.

The Physical Medium Disposal Guide also states that after an organisation decides to dispose of paper documents, they are often perceived as ‘valueless’ and ‘unimportant’, leading to unsecured treatment or storage of the documents. As such, these documents may end up being stored at poorly supervised and less frequented places, which increases the risk of misuse or misappropriation. Typical problems involving printouts containing personal data are identified in the Physical Medium Disposal Guide and, to assist organisations in assessing their practices in disposal of personal data on documents, a checklist of good practices is available in Annex A of the Physical Medium Disposal Guide.

Third Party Service Providers

In the event that the disposal of paper documents is outsourced, the accountability and responsibility to ensure that the personal data on such paper documents is destroyed remains with the organisation. The Physical Medium Disposal

Guide provides a summary of points to consider when outsourcing:

(a) The service provider’s overall processes and protection during transport, storage, and actual destruction. The actual location of destruction may be more difficult to assess where the collection is done in Singapore, but actual destruction occurs at an overseas location.

(b) Assess whether containers are locked or secured during transit, whether policies for accident and incident reporting are in place, and whether the shredding/incineration/pulping facility has physical security in place.

(c) Keep records of collection and destruction confirmation. Some service providers may even be certified or accredited, and may be able to provide a formal certificate of destruction.

(d) Collection (or handover) of waste items (e.g. paper documents) should be supervised and documented; the waste items should not be stored unsecured for easy collection by the outsourced party.

(e) Intermediate storage locations should be secured; e.g. due to over-capacity, items might need to be temporarily stored before they are destroyed.

(f) An officer of an appropriate level should witness the actual destruction, or even follow the third party’s disposal vehicle, especially when sensitive personal data is involved.

It must be noted that the Physical Medium Disposal Guide does not offer an exhaustive list of disposal measures that organisations can adopt, nor does it replace or override any existing industry or sector standards, nor is it a position statement or legal advice by the PDPC. Organisations should also refer to other industry or professional literature on the topic. Organisations may also seek professional advice and services regarding disposal.

PDPC updates the PDPA Advisory Guidelines

On 15 July 2016, the PDPC published its updated Advisory Guidelines on Key Concepts in the PDPA (Key Concepts Guidelines). These Guidelines are not legally binding on the PDPC or any other person, but are intended to assist organisations in effectively meeting their obligations under the PDPA.

Chapter 12 of the Key Concepts Guidelines on the Consent Obligation has been revised to provide further clarity on the requirements for withdrawal of consent, including how organisations are to facilitate and give effect to requests to withdraw consent. In this regard, section 16 of the PDPA provides that individuals may at any time withdraw any consent given, or deemed to have been given, under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose by an organisation. A number of requirements must be complied with by both the individual and the organisation concerned, as follows:

(a) The individual must give reasonable notice of the withdrawal to the organisation (section 16(1) of the PDPA).

(b) On receipt of the notice, the organisation must inform the individual of the likely consequences of withdrawing consent (section 16(2) of the PDPA).

(c) An organisation must not prohibit an individual from withdrawing consent, although this does not affect any legal consequences arising from such withdrawal (section 16(3) of the PDPA).

(d) Upon withdrawal of consent, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless the collection, use or disclosure of the personal data without consent is required or authorised under the PDPA or any other written law (section 16(4) of the PDPA).

Considerations for whether reasonable notice was given by the individual to withdraw consent include:

(a) The amount of time needed to give effect to the withdrawal of consent.
(b) The manner in which notice was given.

As a general rule of thumb, the PDPC considers that any withdrawal notice that is effected at least ten business days prior to the withdrawal would be sufficient to constitute “reasonable notice”.

To enable and facilitate withdrawal, organisations are advised to put in place an appropriate consent withdrawal policy that is clear and easily accessible to the individuals concerned, and should, for example:

(a) Advise the individuals on the form and manner in which to submit a notice to withdraw their consent for specific purposes.

(b) Indicate the person to whom, or the means by which, the notice to withdraw consent should be submitted.

(c) Distinguish between purposes necessary and optional to the provision of the products/services. Individuals must be allowed to withdraw consent for optional purposes without concurrently withdrawing consent for the necessary purposes.

Further, organisations should not have inflexible consent withdrawal policies that seek to restrict or prevent individuals from withdrawing consent in accordance with the PDPA. An organisation must not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual himself. As an example, an organisation may not stipulate as a term of the contract that the individual cannot withdraw consent to the collection, use or disclosure of the individual’s personal data for the purposes of the contract. If an individual has withdrawn his earlier consent to the collection, use or disclosure of his personal data by an organisation, but subsequently provides fresh consent to the organisation, the organisation may then be allowed to collect, use or disclose his personal data within the scope of the fresh consent that was subsequently provided.

Finally, the section on Do Not Call Provisions in the Key Concepts Guidelines has been incorporated into the Advisory Guidelines on the Do Not Call Provisions.

PDPC updates the Advisory Guidelines on the Do Not Call Provisions

On 15 July 2016, the PDPC published its updated Advisory Guidelines on the Do Not Call Provisions (DNC Guidelines). The DNC Guidelines provide more elaboration on selected issues relating to the Do Not Call provisions, which are set out in Part IX of the PDPA (DNC Provisions). Revisions have been made to the DNC Guidelines to incorporate the section on Do Not Call Provisions from the Advisory Guidelines for Key Concepts. The relevant paragraphs in the updated DNC Guidelines are as follows:

(a) Paragraph 1.7(b) on the duty to identify the sender of a message.
(b) Paragraph 3 on the meaning of “specified message”.
(c) Paragraph 4 on messages excluded from the definition of a specified message.
(d) Paragraph 4.15 on business to business marketing messages.
(e) Paragraph 6 on the duty to check the DNC Register.
(f) Paragraphs 7, 8 and 10 on obtaining consent for sending messages to Singapore telephone numbers.
(g) Paragraph 16 on sending a specified message to a Singapore telephone number.
(h) Paragraph 17 on the meaning of “sender”.
(i) Paragraph 18 on persons excluded from the scope of the DNC Provisions.
(j) Paragraph 21 on locations of sender and recipient.

Monetary Authority of Singapore issues Guidelines on Outsourcing Risk Management

On 27 July 2016, the Monetary Authority of Singapore (MAS) issued new Guidelines on Outsourcing Risk Management (Outsourcing Guidelines) to financial institutions following extensive industry and public consultation. This set of Outsourcing Guidelines replaces the existing MAS Outsourcing Guidelines as well as the circular on Information Technology Outsourcing. It builds on the existing guidelines to better capture evolving threats such as offshoring business models and heightened cyber risks.

The Outsourcing Guidelines set out the key elements expected of an institution’s operational risk management framework and include guidelines on business continuity and outsourcing, including cloud services, which have been adopted by a growing number of financial institutions. The main changes to the Outsourcing Guidelines include:

(a) Introduction of a new section on cloud computing that sets out MAS’ stance on cloud computing.

(b) Removal of the expectation for financial institutions to pre-notify MAS of material outsourcing arrangements.

(c) Revision to the definition of “material outsourcing arrangement” to include, under certain circumstances, an arrangement that involves customer information.

However, the Outsourcing Guidelines are not intended to be exhaustive and institutions should also take into account applicable industry standards, such as the Basel Committee on Banking Supervision’s “Principles for the Sound Management of Operational Risk” (June 2011), where appropriate.

VIETNAM

Vietnam passes new cyber security law

On 19 November 2015, Vietnam’s new Law on Cyber-Information Security (LCIS) was passed, and the new law took effect from 1 July 2016. The LCIS consolidates previous data security regulations that were scattered across various preceding legislation, such as the Law on Information Technology and the Law on Telecommunication. The new law aims to regulate information security activities in cyberspace and to protect both individuals and companies from criminal activities in cyberspace. Acts prohibited by the LCIS include collecting, using, distributing and illegally trading the personal data of others and taking advantage of defects in information systems security.

The LCIS also places an obligation on intermediary service providers to put in place malware-filtering systems for the transmission or storage of information. It also stipulates that organisations and individuals ought to reasonably stop the obstruction of information arising from their information infrastructure, and co-operate in dealing with the aftermath of cyber-attacks carried out via domestic or foreign information systems. It also advocates for organisations and individuals to work together with other associations in setting up training institutions which focus on cyber-information security training.

Other obligations that the LCIS may impose on business operators in Vietnam include the following:

(a) Organisations that own information are required to organise the data in accordance with its level of confidentiality and to put in place adequate protective systems.

(b) Organisations which collect information are required to undergo annual assessments, and additional assessments if necessary.

(c) Organisations that own information systems are required to rank their systems in accordance with their security levels from 1 to 5, with 5 being the most secure. The levels indicate the severity of the consequences resulting from a security breach, which could undermine social order and national security. Organisations are therefore obliged to put in place management systems and rules to enhance cyber-information security when managing, operating or using information systems.

(d) Organisations that own information systems must manage security risks to information systems, ensure adequate protection of information systems, and take appropriate measures to comply with reporting and cyber-security requirements.

The LCIS also introduces new regulations for cyber-information security products and cyber-information security services. The provision of such services and transactions involving such products now require licensing, such as acquiring an import permit for cyber-information security products. The LCIS does not alter the existing prerequisite that the production, trading or importation of civil cryptographic products requires a licence. However, it imposes new obligations relating to the use of civil ciphers. Organisations and

individuals using such products supplied by non-licensed organisations are required to declare the use to the Government Cipher Committee, with certain organisations (i.e. foreign consular offices) as exceptions. The new law reflects the government’s latest efforts in tightening the legal framework relating to cyber-information security. However, more clarification regarding the scope of applicability of the LCIS may be required in due course, as this is currently rather broadly defined.

HONG KONG

Hong Kong’s Office of the Privacy Commissioner for Personal Data updates the Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users

In July 2016, Hong Kong’s Office of the Privacy Commissioner for Personal Data published a revised version of the Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users (Compliance Guide). The Compliance Guide aims to provide a step-by-step guide for data users in complying with the Code of Practice on the Identity Card Number and other Personal Identifiers (Code). The Code gives practical guidance to data users on the application of the requirements of the Personal Data (Privacy) Ordinance to the collection, accuracy, retention, use and security of Hong Kong Identity Card (HKID) numbers, copies of the HKID Card and other personal identifiers that uniquely identify individuals, e.g. passport numbers, employee numbers, examination candidate numbers and patient numbers.

Step-by-step Guide to Compliance with the Code

As a starting point, the Compliance Guide defines the basic position of a data user as not having a right to compel an individual to provide an HKID Card number or copies of HKID Cards unless authorised by law. With regard to the collection of HKID Card numbers, the Compliance Guide sets out the steps that a data user ought to take as follows:

(a) Consider alternatives to collecting HKID Card numbers.

(b) Check whether the collection of HKID Card numbers comes under one or other of the circumstances where this is permitted in the Code.

(c) Check whether the way HKID Card numbers are collected ensures that they are truly the HKID Card numbers of the individuals providing them.

(d) Check that the use of the HKID Card numbers is only for one or more of the purposes permitted by the Code.

(e) Check that the HKID Card numbers are not publicly displayed or disclosed with the names of the HKID Card holders and that cards such as staff cards with HKID Card numbers printed on them are not issued.

(f) Check that records of HKID Card numbers are not kept for longer than is necessary to fulfil the purpose for which they are collected.

In relation to copies of HKID Cards, the Compliance Guide similarly requires data users to:

(a) Check whether the collection of copies of HKID Cards comes under one or other of the circumstances where this is permitted in the Code.

(b) Make sure that the collection of copies of HKID Cards does not come under one or other of the circumstances where it is specifically not permitted in the Code.

(c) Check whether the way copies of HKID Cards are collected ensures that they are truly copies of the HKID Cards that are held by the individuals concerned.

(d) Check that the use of copies of HKID Cards is only for one or more of the purposes permitted by the Code.

(e) Check that adequate security safeguards for copies of HKID Cards held or transmitted are implemented.

For other personal identifiers, the requirements of the Code in relation to HKID Card numbers also generally apply. However, this does not apply to the collection or use of such other personal

identifiers for a purpose that is directly related to the functions and activities of the person who assigned the identifier to the individuals concerned. For example, an employee number may be collected and used for purposes directly related to the functions or activities of the employer that assigned it, such as managing employee records and the payment of employee salaries. Generally, a data user that assigns personal identifiers to individuals is expected to take all reasonably practicable steps to ensure the security of the collection system, including security measures to safeguard against the unauthorised assignment of the identifier or production of any document, e.g. the unauthorised production of a staff card with a false employee number printed on it.

However, the Compliance Guide is issued only for general guidance and should not be relied upon when determining whether or not an act or practice complies with the Code. For a complete and definitive statement of the requirements of the Code, reference should be made to the Code itself.

CHINA

China issues the Administrative Rules on Information Services via Mobile Internet Applications

On 28 June 2016, the Cyberspace Administration of China (CAC) issued the Administrative Rules on Information Services via Mobile Internet Applications (App Rules), which came into effect on 1 August 2016. The App Rules aim to strengthen the regulations relating to the Mobile Internet Applications Market, protecting the rights and interests of the parties concerned. The new obligations imposed on app providers include:

(a) Identity verification and real-name registration of app users.

(b) Data protection relating to the collection and usage of personal data. App providers are required to inform app users about the purpose, means and scope within which personal data will be collected and used. App users’ consent must also be obtained before app providers can collect and use such personal data.

(c) Putting in place mechanisms to review and manage information content, including penalties for publishing illegal information.

(d) Retaining and reporting records of non-compliance.

(e) Protecting app users’ rights by obtaining their consent before accessing their geographic locations, contacts, video and audio, or if app providers wish to activate unnecessary services or to bundle unnecessary functions.

(f) Respecting and protecting other app providers’ intellectual property rights.

Under the App Rules, app stores are required to:

(a) Review app providers’ authenticity, lawfulness etc.

(b) Ensure app providers protect app users’ information and that they explain any collection or use of their personal information to them.

(c) Ensure app providers do not publish illegal information and that they respect and protect the intellectual property rights of other app providers.

(d) Take appropriate action against app providers which breach their obligations under the App Rules.

The new rules are in line with the Chinese government’s efforts in tightening regulatory control over mobile applications in response to several problems associated with the improper usage of mobile applications.

China publishes the Second Draft of the Cybersecurity Law for comment

On 5 July 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China published the full second draft of the Cybersecurity Law (draft law), which was available for public comment until 4 August 2016. The Cybersecurity Law is aimed at tightening China’s network and national security, protecting the lawful rights of citizens, legal persons and organisations, and promoting healthy social and economic development in this increasingly information-driven age. The draft law focuses on the construction, operation, maintenance and usage of networks, as well as network security

Page 17: SEPTEMBER 2016 WELCOME MESSAGE - drewnapier.com Updates/29... · Kwee ) and Pixart Pte. Ltd. (Pixart ) (21 September 2016); and ... the Spear Security Force’s instructions, ranging

17

supervision and management within the mainland territory of China. Under the draft law, there are three key aspects, namely technology regulation, co-operation with authorities and data localisation. Technology Regulation Under Article 22, the draft law stipulates that critical network equipment and specialised network security products are required to be certified by a qualified establishment or meet the requirements of safety inspections. An official catalogue of critical network equipment and specialised network security products is expected to be formulated and released, in the hope of promoting reciprocal recognition of safety certifications and inspection results, so as to avoid duplicate certifications and inspections. Co-operation with authorities The draft law introduces new requirements for network operators to co-operate with the authorities, such as Article 20 requiring them to perform security protection duties according to the requirements of the state’s tiered network security protection system, which include network operators keeping network log records for six months. Article 21 also stipulates that network operators are to notify the authorities of any security defects discovered in their systems. Article 27 of the draft law also imposes duties on network operators in the provision of technical support and assistance to the public security organs’ and state security organs’ lawful activities in preserving national security and investigating crimes. Data Localisation Critical information infrastructure operators are subject to the data localisation obligation, whereby they are required to store personal data and other important business data collected within mainland China. If cross-border data transfers for collection and use is necessary for business requirements, security assessments will be conducted. 
Furthermore, critical information infrastructure operators are subject to duties in addition to those imposed on network operators, such as security protection (Article 32), undergoing national security reviews (Article 33) and entering into security and confidentiality agreements with network product and service providers (Article 34).

Other personal data-related proposals

The draft law also emphasises that network operators must abide by the principles of legality, propriety and necessity when collecting and using citizens' personal information. They are obliged to state the purposes, means and scope of the collection or use of the personal information, and are required to obtain the consent of the individual concerned (Article 40). Network operators are prohibited from disclosing a user's personal data to third parties, or from tampering with or destroying the personal data gathered, without the consent of the user, unless the data has been processed such that the user cannot be identified (Article 41). Network operators are also obliged to adopt technical measures to ensure the security of citizens' personal information and to prevent its loss.

Despite the government's attempts to strengthen the protection and security of critical information infrastructure and important data in China, business groups are concerned that the new rules will put data security at risk and isolate China from the wider digital economy. In August 2016, more than 40 business groups from the United States (U.S.), Europe and Asia, including the U.S. Chamber of Commerce and the Confederation of European Business, urged China to revise its cybersecurity laws in a letter addressed to Premier Li Keqiang.

EUROPEAN UNION

Privacy Shield receives adequacy decision from the European Commission

On 12 July 2016, the European Commission adopted an adequacy decision approving the EU-U.S. Privacy Shield. As a result, the Privacy Shield came into effect on 12 July 2016, replacing the International Safe Harbour Privacy Principles established in 2000. The Privacy Shield is a data transfer framework between the U.S. and the European Union (E.U.). It is intended to impose stronger obligations on companies in the U.S. to protect the personal data of Europeans, and to provide stronger monitoring and enforcement by the United States Department of Commerce and the Federal Trade Commission, including through increased co-operation with European data protection authorities. Further, the Privacy Shield includes commitments by the U.S. that any access by public authorities to personal data transferred under the new framework will be subject to clear conditions, limitations and oversight, thereby preventing generalised access. Europeans will also be able to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Compliance with the Privacy Shield is achieved by self-certification: U.S. entities that receive personal data transferred from the E.U. certify to the U.S. Department of Commerce that they meet the Privacy Shield requirements. The effect of certification is to lift the restrictions on transfers of personal data from E.U. Member States and European Economic Area member countries to the certified U.S. entity. U.S. companies may self-certify annually with the U.S. Department of Commerce, and have been able to do so since 1 August 2016. Moreover, the European Data Protection Authorities have said that they will not challenge the decision during its first year, pending the first annual review.

Summary Report on Public Consultation for Review of ePrivacy Directive

On 4 August 2016, the European Commission published a summary report on the public consultation on the evaluation and review of the Privacy and Electronic Communications Directive (2002/58/EC as amended) (ePrivacy Directive). The ePrivacy Directive regulates matters such as spam, cookies, the treatment of traffic data and the confidentiality of communications. The public consultation on the review of the ePrivacy Directive took place between 12 April 2016 and 5 July 2016, with a full report to be published in autumn 2016. It is expected that the results will feed into legislative proposals to be presented in 2016. The review of the ePrivacy Directive is one of the key initiatives proposed under the Digital Single Market Strategy. It aims to reinforce trust and security in digital services in the E.U.
It also focuses on ensuring a high level of protection for citizens and a level playing field for all market players. The preliminary results are as follows:

(a) Special Privacy Rules for the Communications Sector

The majority of civil respondents (comprising citizens and civil organisations) are in favour of having special rules for the electronic communications sector, especially for traffic and location data, billing, calling and connected line identification, automatic call forwarding and directories. The general consensus of the industry respondents is that there is no need for specialised rules, although a minority see the need for rules on confidentiality and traffic data. Further, almost all public authorities agree that there is a need for specialised rules in all of the areas listed.

(b) Effectiveness of the Current Directive

The majority of civil respondents do not believe that the ePrivacy Directive has sufficiently ensured protection of privacy and confidentiality of communications, because of the limited scope and lack of enforcement, among other reasons. However, industry respondents and public authorities believe that the ePrivacy Directive has met its objectives.

(c) Inclusion of New Rules

The majority of civil respondents believe that the scope of the rules should be broadened to cover the so-called over-the-top service providers (OTT) when they offer communications services such as Voice over Internet Protocol or instant messaging. On the other hand, half of the industry respondents oppose such an extension, while most of the public authorities are in favour of it.

(d) National Authority

The majority of industry and civil respondents are of the opinion that a single national authority should be entrusted with enforcing the rules, while half of the public bodies who responded to the consultation are not convinced that this is needed. Among respondents who consider that one single authority should enforce the ePrivacy rules, a majority across all categories find that the national data protection authority is the best suited authority.

(e) Cookies

The majority of civil respondents and public authorities believe that information service providers should not have the right to prevent access to their services if users refuse the storing of identifiers, such as cookies, in their terminal equipment. Three quarters of industry on the other hand disagree with this statement.

(f) Opt-in or Opt-out for Direct Marketing Calls

All respondent groups agree that Member States should not retain the possibility of choosing between a prior consent (opt-in) and a right to object (opt-out) regime for direct marketing calls to citizens. The stakeholder groups are, however, split on which regime should apply: most civil respondents and public authorities favour an opt-in regime, whereas the majority of industry respondents favour an opt-out regime.

Article 29 Working Party Opinion on Publication of Personal Data for the Public Sector

On 8 June 2016, the Article 29 Working Party (Working Party) released an opinion (Opinion) on the publication of personal data for transparency purposes in the public sector. The Working Party is an advisory body comprising representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission. It advises the European Commission on issues relating to data protection and on European Community law relating to data protection matters. The aim of the Opinion is to provide practical guidance, recommendations and best practice examples for Member States' legislators and competent institutions on how they can ensure that the right to data protection is respected while balancing and satisfying the legitimate public interest in transparency, where legislative and political initiatives on these matters require the dissemination of information relating to a natural person. Of particular interest to public bodies is the Working Party's guidance on how public sector bodies can satisfy the data protection principles of proportionality and data minimisation.

Proportionality Principle

The proportionality principle should be respected during each processing activity, and especially at the stage of collection and any subsequent publication. There are two main areas where the proportionality principle is relevant: the exclusive non-public processing of personal data within the competent institutions, and the on-line publication of certain data. A selective approach to processing personal data should be taken, differentiating between groups of people, cases and purposes and taking into account specific situations with regard to the content of the personal details being published. When determining whether obtaining and/or publishing the personal data of public sector subjects is necessary, one should take into account whether the affairs and/or transactions of the public sector subjects (financial, contractual or other) took place before they assumed office, when they were private persons without a public mandate.

When considering the on-line publication of personal data, it is necessary to consider the potential risks of such disclosure. Where extensive publication is envisaged, a privacy impact assessment is strongly recommended. It should also be considered whether there are alternative ways of providing some personal details, such as in summary or aggregated form in which individuals cannot be identified. It is appropriate to consider whether the nature and extent of the personal data being published may pose risks other than those related to data protection. For example, publishing personal data relating to a data subject's economic situation may make them vulnerable to criminals. Also, when publishing information relating to public sector subjects' contractual and/or similar relations, competent institutions should be aware that certain data could represent a secret (trade, bank, professional or other). In these cases, it may be necessary to balance data protection rights, secrecy protection and the public interest in access to such information.

Data Minimisation Principle

A strict assessment of the necessity and proportionality of the data processed should take place (Article 6 of Directive 95/46/EC and the corresponding provisions of the General Data Protection Regulation). In this regard, the amount and type of personal data processed has to be clearly determined by the organisation. When personal data needs to be processed, such data must be adequate, relevant and not excessive for the specified purposes. Further, any information that is not necessary for achieving such purposes should not be processed in any way. As on-line publication may not always be necessary to achieve the purpose of the processing, providing basic general information about a particular area of government, or reporting details of public sector decisions and actions in the form of performance indicators, may in some cases be sufficient. In-depth and more comprehensive data may be submitted to the competent oversight authorities, allowing, if necessary, on-line publication or public availability of those data under the national rules on access to public documents.

ANNEX: CASE SUMMARIES

Each summary below gives the organisation and what it does, the obligation breached under the PDPA, the key facts, the PDPC's decision and the directions issued.

AIA Singapore Pte. Ltd. (AIA)
Organisation: AIA is an insurance company.
Obligation breached under the PDPA: Section 18.
Key facts: Following the complainant's claim for insurance under the policy with AIA, AIA communicated with the complainant's chiropractor to obtain further medical information about the complainant and disclosed, among other things, the complainant's bank account details.
Decision: The PDPC found that AIA's disclosure of the bank account details was not for "a purpose that a reasonable person would consider appropriate in the circumstances" under section 18 of the PDPA, as the details were not relevant or necessary to the request or to the medical report.
Directions issued: Warning issued.

Toh-Shi Printing Singapore Pte. Ltd. (Toh-Shi)
Organisation: Toh-Shi provides printing services.
Obligation breached under the PDPA: Section 24.
Key facts: Toh-Shi is the external vendor of the Central Depository Pte. Ltd. (CDP), in charge of printing CDP account statements. In the reported data breach incident, six CDP account holders received CDP account statements containing the account information of other account holders, resulting in the unauthorised disclosure of 195 individuals' sensitive personal data.
Decision: The PDPC found that Toh-Shi had failed to put in place adequate operational processes to ensure that the letters and personal data were sent to the correct recipients.
Directions issued: Financial penalty of S$5,000.

Spear Security Force Pte. Ltd. (Spear Security Force)
Organisation: Spear Security Force provides security services.
Obligation breached under the PDPA: Section 24.
Key facts: The complainant was a resident of a condominium whose Management Corporation Strata Title had appointed Spear Security Force to provide security services. The security guards under Spear Security Force's supervision had left the visitor log book open and unattended on a table near the guard post at the condominium.
Decision: The PDPC found that Spear Security Force had failed to put in place reasonable security arrangements to prevent unauthorised access to the contents of the log book, which comprised personal data.
Directions issued: Warning issued.

Chua Yong Boon Justin (CYBJ)
Organisation: CYBJ is the registered salesperson of the landlord of a landed property.
Obligation breached under the PDPA: Section 13.
Key facts: The complainant and his wife are tenants of the landed property and had previously provided their names and NRIC numbers to CYBJ. A dispute arose between the complainant and another tenant, Ms C, of the same property. Ms C requested CYBJ to provide her with the names and NRIC numbers of the complainant and his wife, and CYBJ proceeded to do so.
Decision: The PDPC found that the personal data had been collected by CYBJ for his "business" purposes, and CYBJ was therefore obliged to comply with the obligations under the PDPA. As CYBJ did not obtain the consent of the complainants for the disclosure of their personal data to Ms C, he was in breach of section 13 of the PDPA.
Directions issued: Financial penalty of S$500.

Comfort Transportation Pte Ltd and CitiCab Pte Ltd (the respondents)
Organisation: The respondents provide taxi services.
Obligation alleged to have been breached under the PDPA: Section 24.
Key facts: The complainants were taxi drivers who hired taxis from the respondents. They alleged that the respondents had contravened the PDPA by divulging their personal mobile phone numbers to customers who had made taxi bookings with them via the respondents' mobile application.
Decision: The PDPC found that the taxi service provided by the taxi drivers constituted a "business" under section 2(1) of the PDPA. Accordingly, mobile phone numbers used for or related to that business can constitute "business contact information", which is not subject to Parts III to VI of the PDPA.
Directions issued: No infringement found.

ABR Holdings Limited (ABR Holdings)
Organisation: ABR Holdings operates the Swensen's chain of restaurants.
Obligation breached under the PDPA: Section 24.
Key facts: The complainant alleged that a Swensen's Kids Club member's name and date of birth could be accessed by entering a random 8-digit number as a simulated membership number or a simulated Unique Identification Number in order to access the membership account.
Decision: The PDPC found that ABR Holdings had not made reasonable security arrangements to protect the personal data in its possession or under its control, and was therefore in breach of section 24 of the PDPA.
Directions issued: Warning issued.

Fu Kwee Kitchen Catering Services (Fu Kwee) and Pixart Pte. Ltd. (Pixart)
Organisation: Fu Kwee runs a food and beverage catering service, and Pixart provides IT services as its vendor.
Obligations breached under the PDPA: Section 24 (Fu Kwee and Pixart); sections 11 and 12 (Fu Kwee).
Key facts: The complainants alleged that they could gain access to another customer's order details and personal data by tweaking the numbers in the URL of Fu Kwee's order preview webpage. The personal data included the customer's name, postal address and personal contact number.
Decision: The PDPC found that Fu Kwee had failed to make reasonable security arrangements to protect customers' personal data and was therefore in breach of section 24. Fu Kwee was also in breach of sections 11 and 12, as it had not implemented any personal data protection policies for the collection, use or disclosure of personal data, nor appointed a DPO. Pixart was a data intermediary of Fu Kwee and was in breach of section 24.
Directions issued:
In respect of Fu Kwee:
• To pay a financial penalty of S$3,000.
• To send its employees on a training course.
• To conduct a security audit of its catering website.
• To appoint a DPO and implement the policies necessary for Fu Kwee to comply fully with its obligations under the PDPA.
In respect of Pixart:
• To pay a financial penalty of S$1,000.

Aviva Ltd (Aviva) and Toh-Shi
Organisation: Toh-Shi provides mail-out and data printing services for Aviva in respect of its annual premium statements.
Obligation breached under the PDPA: Section 24.
Key facts: The reported data breach incident involved the unauthorised disclosure of 7,794 individuals' sensitive personal data, whereby Aviva Public Officers Group Insurance Scheme (POGIS) account holders received statements containing the information of other account holders.
Decision: The PDPC found that Aviva had put in place adequate measures to safeguard the confidentiality of Aviva policyholders' data and had thus discharged its Protection Obligation under section 24 of the PDPA. In contrast, Toh-Shi was found to be in breach of section 24 despite having internal security measures and procedures to protect the personal data, as its staff had failed to comply with those measures.
Directions issued: Financial penalty of S$25,000 imposed on Toh-Shi.
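The Fu Kwee and ABR Holdings findings describe the same class of web application flaw: a page that returns a record for whatever identifier the request supplies, with no check that the record belongs to the requester, and with identifiers (a sequential order number in a URL, an 8-digit membership number) that are easy to guess. The Python below is an added illustration of that flaw beside its fix; it is not code from either case, from the PDPC or from any vendor named above, and the order records, customer IDs, field names and handler functions are constructed for the example.

```python
"""Insecure direct object reference (IDOR), the flaw class behind the Fu Kwee and
ABR Holdings findings. Constructed example: the data, identifiers and handlers
are invented for illustration and do not come from either case."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: int        # sequential number, the kind that ends up in a URL
    customer_id: int     # owner of the order, known from the login session
    name: str
    address: str
    phone: str
    # Unguessable per-order reference for use in links (128 bits from the OS CSPRNG)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample orders standing in for the catering site's database.
ORDERS = {
    1001: Order(1001, 1, "Customer A", "1 Sample Road", "9111 1111"),
    1002: Order(1002, 2, "Customer B", "2 Sample Road", "9222 2222"),
    1003: Order(1003, 3, "Customer C", "3 Sample Road", "9333 3333"),
}
ORDERS_BY_TOKEN = {o.token: o for o in ORDERS.values()}


def _render(order: Order) -> dict:
    """The fields the order preview page shows, i.e. the personal data at stake."""
    return {"name": order.name, "address": order.address, "phone": order.phone}


def preview_vulnerable(order_id: int) -> Optional[dict]:
    """Models GET /order/preview?id=1002 on the vulnerable site: the record is
    looked up by the user-supplied number alone. Whoever changes 1002 to 1001
    or 1003 reads another customer's details."""
    order = ORDERS.get(order_id)
    return _render(order) if order else None


def preview_hardened(session_customer_id: Optional[int], token: str) -> Optional[dict]:
    """Hardened preview: (1) the caller must be logged in, (2) the record is
    addressed by an unguessable token rather than a sequential number, and
    (3) ownership is still checked server-side, because a leaked or shared link
    must not become a bearer credential. 'Not found' and 'not yours' return the
    same value so the endpoint cannot be used to confirm which identifiers exist."""
    if session_customer_id is None:
        return None
    order = ORDERS_BY_TOKEN.get(token)
    if order is None or order.customer_id != session_customer_id:
        return None
    return _render(order)


def walk_ids_vulnerable(start: int, count: int) -> list:
    """What the complainants did: step through adjacent numbers in the URL."""
    hits = []
    for order_id in range(start, start + count):
        record = preview_vulnerable(order_id)
        if record is not None:
            hits.append(record["name"])
    return hits


def walk_tokens_hardened(session_customer_id: Optional[int]) -> list:
    """Worst case for the hardened site: an attacker who somehow holds every
    valid token still only gets back the orders that belong to their own session."""
    hits = []
    for order in ORDERS.values():
        record = preview_hardened(session_customer_id, order.token)
        if record is not None:
            hits.append(record["name"])
    return hits


if __name__ == "__main__":
    print("vulnerable, walking IDs:", walk_ids_vulnerable(1000, 5))
    print("hardened, customer 2 with all tokens:", walk_tokens_hardened(2))
    print("hardened, anonymous with all tokens:", walk_tokens_hardened(None))
```

The random token is not the fix on its own: swapping a sequential number for a random one only raises the cost of guessing (an 8-digit number space such as the one in the ABR Holdings complaint is far smaller than a 128-bit token), while the server-side ownership check is what actually enforces the access rule. Rate limiting and logging of failed lookups are the detection counterpart a security audit of the kind directed against Fu Kwee would normally ask for.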

Copyright in this publication is owned by Drew & Napier LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of information or opinion contained in this publication. This publication covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.


The Drew & Napier Telecommunications, Media and Technology Team

For more information on the TMT Practice Group, please click here.

Lim Chong Kin • Director and Head of TMT Practice Group

Chong Kin practises corporate and commercial law with a strong emphasis on the specialist areas of TMT law and competition law. He regularly advises on regulatory, licensing, competition and market access issues. Apart from his expertise in drafting "first-of-its-kind" competition legislation, Chong Kin also has broad experience in corporate and commercial transactions, including mergers and acquisitions. He is widely regarded as a pioneer in competition practice in Singapore and the leading practitioner on TMT and regulatory work. Chong Kin has won plaudits for 'good knowledge of the telecommunications industry and consistently excellent service' (Asia Pacific Legal 500); is cited as 'really exceptional - he has the pragmatism, he's plugged-in, and he gives solid, clear advice' (Chambers Asia 2016: Standalone Band 1 for TMT); and has been endorsed for his excellence in regulatory work and competition matters by Practical Law Company's Which Lawyer Survey 2011/2012, Who's Who Legal: TMT 2016 and Who's Who Legal: Competition 2015. Asialaw Profiles notes: "He's provided excellent client service and demonstrated depth of knowledge. Always responsive and available for ad hoc assistance."

Tel: +65 6531 4110 • Fax: +65 6535 4864 • Email: [email protected]

Charmian Aw • Director

Charmian is a Director in Drew & Napier's TMT Practice Group. She is frequently involved in advising companies on a wide range of corporate, commercial and regulatory issues in Singapore. Charmian has also been actively involved in assisting companies with Singapore data protection law compliance, including reviewing contractual agreements and policies, conducting training and audits, and advising on enforcement issues relating to security, access, monitoring and data breaches. Charmian is "recommended for corporate-related TMT and data privacy work" by The Asia Pacific Legal 500 2016, and is a Leading Lawyer in Who's Who Legal: TMT 2016. In 2015, she was listed as one of 40 bright legal minds and influential lawyers under the age of 40 by Asian Legal Business and Singapore Business Review respectively. Charmian is a Certified Information Privacy Professional (Europe) (CIPP/E).

Tel: +65 6531 2235 • Fax: +65 6535 4864 • Email: [email protected]