As a mobile app and website development company, a common question that potential clients in Singapore ask us is in relation to the Personal Data Protection Act (PDPA).
If they build a mobile app or website that collects Personal Data of their clients, how can they “ensure” that they are in compliance with the PDPA?
To get more precise guidance on what companies should do to adhere to the PDPA, it is useful to go through actual decisions made by the Personal Data Protection Commission. Helpfully, they are provided here.
What follows is a summary of recent PDPA decisions and some observations we draw from them, which could be useful for our clients as well as ourselves!
A gigantic disclaimer here is that we are not lawyers, and therefore the following is simply our interpretation and cannot be considered authoritative.
Summary Table of Recent Decisions
| Date | Summary of Case | Penalty / Clause |
|---|---|---|
| 06 Jul 2017 | Breach of Protection Obligation by Orchard Turn Developments | Financial penalty of S$15,000 / Section 24 of the PDPA |
| 29 Jun 2017 | Breach of Protection Obligation by Eagle Eye Security Management Services | Warning was issued to Eagle Eye Security Management Services and MCST 3696 of Prive EC / Section 24 of the PDPA |
| 20 Jun 2017 | Breach of Protection Obligation by DataPost | Financial penalty of S$3,000 was imposed on DataPost, as a data intermediary / Section 24 of the PDPA |
| 20 Jun 2017 | Breach of Protection Obligation by Hazel Florist & Gifts | Warning was issued to Hazel Florist & Gifts / Section 24 of the PDPA |
| 12 Jun 2017 | No Breach of Consent and Notification Obligations by MCST and Managing Agents of Condominiums | |
There have been 34 decisions published by the PDPC, with the earliest case dated 16 July 2014.
Out of the 34 decisions, for 2 cases, the PDPC determined that there was no breach of the PDPA. Warnings were issued for 13 cases and Directions issued for 4 other cases. Fines ranging from S$500/- to S$50,000/- were imposed for the remaining cases.
The highest financial penalty imposed so far has been S$50,000/- on K-Box Entertainment group in April 2016. Note, however, that Section 29 of the PDPA empowers the PDPC to impose fines of up to S$1 million.
Observation 1: Breaches are mostly based on Section 24 of the PDPA
Section 24 of the PDPA states “24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
This suggests that we should focus our PDPA efforts on making “reasonable security arrangements”. The obvious question is “what constitutes ‘reasonable security arrangements’?”. No system is un-hackable. So what does the PDPC consider “reasonable security arrangements”? The cases above give us some guidance.
Observation 2: Password Protection Policies are Crucial
In the most recent decision with regard to Orchard Turn Developments, the PDPC stated:
“22. The Commission also identified other issues concerning the security of the members’ personal data. Foremost of them is the absence of policies or practices to safeguard the admin account passwords” (Emphasis added)
An in-house password policy to, amongst others,
- Limit admin account password access; and
- Regularly change admin account passwords
seems like something the PDPC looks out for first and foremost as part of “reasonable security arrangements”.
In this case, the PDPA breach was the direct result of a perpetrator using a valid admin account password. No amount of server-side security can prevent such breaches.
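To make the two policy points concrete, here is an added example (ours, not code from the original post or from any organisation named in the decisions) of a small audit that checks an inventory of admin accounts against a rotation interval and a cap on how many people hold each password. The 90-day interval, the cap of two holders, and all account records are constructed assumptions; substitute your own policy values.

```python
"""Admin-account password policy audit (added example, not from the original post).

Checks each admin account against two rules drawn from the post's reading of the
Orchard Turn decision: limit who holds admin account passwords, and rotate them
regularly. Thresholds and the sample inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation interval; adjust to your own policy
MAX_HOLDERS = 2              # assumed cap on people who know a shared admin password


@dataclass
class AdminAccount:
    name: str
    last_rotated: date
    holders: List[str] = field(default_factory=list)  # people with password access
    system: str = "cms"


def audit_account(acct: AdminAccount, today: date) -> List[str]:
    """Return the policy violations for one admin account (empty list = compliant)."""
    findings = []
    age_days = (today - acct.last_rotated).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"{acct.name}: password is {age_days} days old (limit {MAX_PASSWORD_AGE_DAYS})"
        )
    if len(acct.holders) > MAX_HOLDERS:
        findings.append(
            f"{acct.name}: {len(acct.holders)} people hold the password (limit {MAX_HOLDERS})"
        )
    if not acct.holders:
        # An admin credential nobody is recorded as owning cannot be rotated or revoked reliably.
        findings.append(f"{acct.name}: no recorded holder; nobody is accountable for this credential")
    return findings


def audit_all(accounts: List[AdminAccount], today: date) -> Dict[str, List[str]]:
    """Audit every account; returns account name -> list of findings."""
    return {a.name: audit_account(a, today) for a in accounts}


def non_compliant(accounts: List[AdminAccount], today: date) -> List[str]:
    """Names of accounts with at least one finding, for the remediation list."""
    return [name for name, findings in audit_all(accounts, today).items() if findings]


# Constructed sample inventory (not real accounts or dates from any decision).
SAMPLE_TODAY = date(2017, 7, 6)
SAMPLE_ACCOUNTS = [
    AdminAccount("cms-admin", date(2017, 5, 1), ["alice"]),                     # compliant
    AdminAccount("edm-admin", date(2016, 11, 15), ["alice", "bob", "vendor"]),  # stale, too many holders
    AdminAccount("lms-root", date(2017, 6, 30), []),                            # no recorded holder
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(name, "OK" if not findings else findings)
```

Run as a scheduled job against your real account inventory, the `non_compliant` list is the thing to hand to whoever owns the rotation task; the fact that it exists and is acted on is the kind of “policy or practice” the Commission was looking for.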
Observation 3: Limit Copies of Sensitive Personal Data
In this case, the commission also noted
“14. As described above in paragraphs 4 to 5, the Organisation did not purge the personal data from the EDM server that were being transferred every day from the LMS server to the EDM server. After the emails had been sent out, the personal data of the subscribers were not deleted from the EDM server. The effect of this practice was that some of the personal data of the Organisation’s members could be found in two different places – the LMS server and EDM server.” (Emphasis added)
The Commission regarded this as a practice which increased the risk of PDPA breaches. Knowing exactly which server(s) hold personal data is therefore important for any system administrator, and taking steps to reduce the number of copies is considered a positive step towards reducing the risk of PDPA breaches.
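The two-server arrangement in the decision (a system of record exporting a daily batch to a mailing server) is a common pattern, so here is an added example of ours, not code from the original post or from the organisation in the decision, showing the faulted practice (the exported copy left behind on the mailing server) beside the corrected one (purge once the send completes), together with a simple inventory check that reports where personal data currently sits and which records exist in more than one place. Both “servers” are constructed in-memory dictionaries, and the member records are made up.

```python
"""Purge-after-send for an exported mailing batch, plus a personal-data inventory check.

Added example, not from the original post. "LMS" stands in for the system of record
and "EDM" for the mailing server; both are constructed in-memory stores.
"""
from typing import Dict, List, Set

# Constructed sample: the LMS is the system of record for members' personal data.
LMS_RECORDS: Dict[str, dict] = {
    "m001": {"name": "Tan A", "email": "tan.a@example.com"},
    "m002": {"name": "Lim B", "email": "lim.b@example.com"},
}


class EdmServer:
    """Mailing server that only needs personal data for the duration of one send."""

    def __init__(self) -> None:
        self.batch: Dict[str, dict] = {}
        self.sent_log: List[str] = []  # keep member ids only, never the personal data itself

    def receive_export(self, records: Dict[str, dict]) -> None:
        """Daily export from the LMS: a second copy of the data now exists here."""
        self.batch = {member_id: dict(rec) for member_id, rec in records.items()}

    def send_campaign(self, purge_after_send: bool = True) -> int:
        """Send to every record in the batch; returns the number of sends logged."""
        for member_id, rec in self.batch.items():
            # Actual delivery (rec["email"]) would happen here; only the id is logged.
            self.sent_log.append(member_id)
        if purge_after_send:
            # The practice the Commission faulted was skipping this step.
            self.batch.clear()
        return len(self.sent_log)


def inventory(stores: Dict[str, Dict[str, dict]]) -> Dict[str, int]:
    """Where does personal data live right now? Returns store name -> record count (non-empty only)."""
    return {name: len(data) for name, data in stores.items() if data}


def duplicate_copies(stores: Dict[str, Dict[str, dict]]) -> Set[str]:
    """Member ids held in more than one store; each is an extra place a breach could hit."""
    seen: Dict[str, Set[str]] = {}
    for store_name, data in stores.items():
        for member_id in data:
            seen.setdefault(member_id, set()).add(store_name)
    return {member_id for member_id, where in seen.items() if len(where) > 1}


def run_daily_job(purge_after_send: bool) -> dict:
    """Simulate one day's export-and-send, then report the resulting data footprint."""
    edm = EdmServer()
    edm.receive_export(LMS_RECORDS)
    sends = edm.send_campaign(purge_after_send)
    stores = {"lms": LMS_RECORDS, "edm": edm.batch}
    return {"sends": sends, "inventory": inventory(stores), "duplicates": duplicate_copies(stores)}


if __name__ == "__main__":
    print("without purge:", run_daily_job(purge_after_send=False))
    print("with purge:   ", run_daily_job(purge_after_send=True))
```

The inventory functions are the part worth keeping around: run against your real stores (databases, mail queues, backups, export folders) they give the administrator the “where is personal data right now” answer that the decision treats as a baseline expectation.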
Observation 4: Vulnerability Assessments are Regarded a Positive Step
In the same case, the commission noted
“Second, the Organisation did not conduct any vulnerability assessment to detect if there were any vulnerabilities in the system prior to its roll out.”
Clearly, engaging a third-party provider (other than the system developer) to conduct a vulnerability or penetration test helps lower security risks. However, these tests are not cheap. In our experience, businesses would weigh the size of their system, the amount and sensitivity of personal data being collected and stored against the costs of conducting such a test.
This leads to our next observation.
Observation 5: The PDPC Considers the Extent and Impact of Breaches as Mitigation Factors
In the DataPost case, the organisation was fined only S$3,000/-. The decision states
“20. However, the Commission also notes the following mitigating factors:
- The scale of the breach was small. Only personal data belonging to two individuals was disclosed to a single recipient;
- There was no evidence to suggest that the data breach caused any actual loss or damage to any person”
This suggests that data protection measures should be commensurate with the amount and sensitivity of data collected by the organisation. Larger organisations which hold larger amounts of data might consider more extensive measures, such as more frequent vulnerability tests.
Observation 6: Obtaining Consent is an Important Concept Within the PDPA
In the case with respect to MCST and Managing Agents of Condominiums, the Commission noted:
“As part of the Consent Obligation, section 13 of the PDPA requires that prior consent be obtained by an organisation in order to collect, use or disclose personal data about an individual.”
Therefore, owners of mobile apps and websites should display the Privacy or Data Protection Policy prominently within the mobile app or website and obtain the appropriate consents. Unfortunately, as non-lawyers, we cannot advise on the content of the Privacy or Data Protection Policy. A Google search of “PDPA” will bring up numerous samples of such policies.
Observation 7: It is a Myth that the Server Needs to be in Singapore
With regard to server arrangements, we have heard several times from potential clients that to comply with PDPA, servers need to be located in Singapore.
We believe that this is a myth (and are ready to stand corrected if there are other views on this).
Whilst it is difficult to prove the negative, we cannot find any decision by the PDPC which states that (1) cloud servers pose greater vulnerability than in-house servers OR (2) servers should be located in Singapore. Indeed the location of the server does not seem to play a part in any of the decisions.
We believe that the key question relates to the actual vulnerability of the server, rather than where it is located. Most high-quality cloud server providers have strict access policies for their servers. On the other hand, an in-house server located in Singapore but in an insecure area would be highly vulnerable to access breaches.
We hope these observations are useful for anyone looking to develop a mobile app or website in Singapore. The PDPA is indeed something to consider, but it should not be an overly onerous consideration.
Brought to you by the RobustTechHouse team.
Also published on Medium.