The breaches of the Personal Data Protection Act 2012 (PDPA) may actually be worse on the ground than what Mr Mohan Varadarajalu described in his letter (Firms bypassing data protection rules?; Nov 18).
I can cite only anecdotal evidence to back my claim.
I lodged an official complaint with the Personal Data Protection Commission (PDPC) against Aventis School of Management six months ago.
The PDPC's response was that the PDPA "requires organisations to seek individuals' consent to collect, use or disclose their personal data and inform them of the purposes... (and) to allow individuals to withdraw consent".
First, Aventis failed to seek my consent to use my personal data.
It obtained my e-mail address when I filled in a form on its website to download a free brochure. There was no indication on the intended usage of my personal data, so my implied consent was just for its collection or, at most, recording in the school's database.
Second, the school failed to inform me of the purpose of collecting the data, which was to subscribe me to its mailing list, thereby depriving me of the option of choosing what type of communication I wished to receive from it.
Third, it failed to allow me to withdraw consent, not only by ignoring my correspondence, but also by offering a bogus unsubscribe function - the e-mail senders simply kept changing, and finally even became external domains.
This leads to the last and most important point, that Aventis failed to seek my consent to disclose my personal data to third parties.
I explained all this to the PDPC. However, the PDPC downplayed it as nothing more than a request to unsubscribe, until I insisted that it take further action.
It has now been half a year since my complaint and the PDPC still has not informed me of the outcome as promised.
What hope is there for the public when the PDPC itself seems to neither support its Act nor believe in its own mission?