Several organisations in Singapore have been fined and issued warnings for breaching the country's Personal Data Protection Act (PDPA), including local IT retail chain Challenger Technologies and Chinese handset maker Xiaomi.
The Personal Data Protection Commission (PDPC) said Thursday that it had imposed financial penalties of various amounts on four organisations, which had failed to implement adequate security measures to safeguard the personal data of their customers.
Singapore's PDPA was tabled in 2012 following years of deliberation and came into full effect in July 2014. The act does not apply to the public sector, including government ministries and agencies.
K Box Entertainment Group was fined S$50,000 for its failure to put in place adequate data protection policies and security safeguards as well as not having a data protection officer. The local karaoke chain has a membership of 317,000. Its IT vendor, Finantech Holdings, which was responsible for managing its content management system, also was fined S$10,000.
In September 2014, K Box suffered a data leak when its database was breached by a hacker group, The Knowns. The breach affected various customer information, including e-mail addresses, contact numbers, birth dates, and membership details.
The Institution of Engineers in Singapore as well as Fei Fah Medical Manufacturing were fined S$10,000 and S$5,000, respectively, for their failure to implement sufficient security measures to safeguard the data of their members and customers.
The PDPC issued directives and warnings to seven other organisations, which would need to improve their data protection policies and measures. Challenger was warned about lapses in its handling of personal data, as were retail chain Metro and tuition agency Yestuition Agency. IT vendor Xirlynx Innovations and IT industry group Singapore Computer Society also were found to have less than adequate data management practices.
Tour agency Universal Travel Corporation was issued a directive for unauthorised disclosure of personal data belonging to 37 customers.
Xiaomi's Singapore outfit was instructed to improve its compliance after the PDPC determined the Chinese handset maker had signed up customers for its cloud messaging services by default and without notifying users. Another complaint lodged against Xiaomi for disclosing personal data to third-party marketers without consent was dismissed after the PDPC found the claim to be unsubstantiated.
In deciding on the necessary enforcement actions, the commission said it assessed the severity of non-compliance such as whether the organisations had taken reasonable measures to prevent the data breach and whether they had data protection policies and processes in place. The number of individuals affected as well as time taken to rectify the data breach after it had been identified also were taken into consideration.
PDPC Chairman Leong Keng Thai said: "The enforcement actions taken are not to deter the use of personal data for business competitiveness [as] we recognise that data is essential for innovation in today's economy. The key is to use it responsibly and take appropriate actions to protect it.
"Both the organisation and its data intermediary, such as IT vendors that provide systems and data management solutions to businesses, are expected to exercise due care and implement adequate security measures," Leong explained.
Since the act came into effect, the commission had received 667 complaints, of which 92 percent were resolved through investigation and facilitation between the organisations and individuals.
(Reposted from: www.idcew.com)