The hits keep on coming: string of penalties issued for Personal Data Protection law breaches


An administrative error by the Singapore Accountancy Commission (SAC) has led to the unauthorised disclosure of personal data of 6,541 people. SAC is a statutory body under the Ministry of Finance of the Singapore Government.

Past and current candidates for the Singapore Chartered Accountant Qualification, staff of accredited training organisations and other administrative personnel have had their personal information, including their contact details and examination results, disclosed by accident, without their consent, in breach of the Personal Data Protection Act (PDPA).

Leaked personal information puts individuals at a high risk of identity theft and becoming victim to fraud. Singapore’s privacy and data protection regulator, the Personal Data Protection Commission (PDPC), has the power to impose significant penalties on entities who breach the standards for collecting, using and securing personal data. It is currently investigating the SAC incidents.

The PDPC recently reported that the total amount of data privacy breach fines had hit a new annual high – more than the cumulative amount for the past three years. And the penalties continue to fly hard and fast.

Earlier this month, it was revealed that the PDPC had fined delivery start-up operator Ninja Logistics $90,000 for a breach affecting up to 1.26 million individuals’ data.

A complaint made to the PDPC in 2018 led to an investigation into a feature on Ninja Logistics’ online delivery tracking function which, when manipulated, could reveal the names, addresses and signatures of customers whose parcel delivery statuses had been “completed”.

The PDPC imposed the fine although there was no evidence that any actual harm had resulted from the personal data being made available in this way. Crucially, the PDPC found it “inexcusable” that Ninja Logistics had not taken adequate measures to secure the personal data in its possession.

Singtel was also revealed to have been fined $25,000 for a design flaw in its My Singtel mobile app that left personal data of up to 330,000 subscribers, including customers’ names, billing addresses, billing account numbers, mobile phone numbers and customer service plan information, at risk of exposure to malicious actors. Again, the regulator did not need evidence of actual third-party collection, or damage or harm suffered as a result of any unauthorised disclosure, to levy the fine – it was enough that Singtel had failed to meet its data security obligations during the relevant period.

Singtel has claimed that the app’s security had since been strengthened with improved data encryption and new standards.

GRC Solutions offers off-the-shelf and bespoke privacy and data protection compliance training for businesses in Singapore. Our courses include the PDPA, the EU General Data Protection Regulation (GDPR), California Privacy and more. Contact us today for more information.