Group warned over revealing data in blacklist

Its move to e-mail ex-employee's details to schools found unwarranted by commission

Jump Rope (Singapore), a non-profit group that promotes rope skipping in schools here, was issued a warning by the Personal Data Protection Commission (PDPC) for disclosing the identity and personal details of a blacklisted former employee to some 30 Singapore schools.

The commission found that an e-mail sent by Jump Rope's president which named and shamed the former employee was unwarranted as, among other things, the part-time instructor's employment relationship with Jump Rope had already been terminated.

Explaining its decision last week, the commission found Jump Rope had failed to obtain the consent of the instructor and its actions had gone " beyond what is reasonable in the circumstances", based on the provisions of the Personal Data Protection Act.

"It is not uncommon for employees to leave for various reasons, including for poor performance and breaches of codes of conduct," wrote PDPC Deputy Commissioner Yeong Zee Kin in a report which did not include the names of the parties involved.

The employee had been blacklisted for alleged unethical activities and had breached his job contract which led to the termination of the employment relationship.

But in November 2014, Jump Rope's president went one step further and e-mailed various government schools involved in the sport of jump rope of the blacklisting, mentioning the former instructor's name and identity card number.

The e-mail also stated that he was not suitable to coach in schools and revealed the name and identity card number of another individual.

Jump Rope's president explained the e-mail was meant to alert schools against engaging the wrong rope-skipping instructors.

Jump Rope said it had good intentions and claimed it had advised the schools against engaging the named persons "so as to avoid the teaching of wrong values to their pupils".

The commission was alerted to the case after the instructor had complained. Jump Rope was issued a warning for breach of the relevant obligations under the Personal Data Protection Act.

The case was one of three decision grounds issued last month by the PDPC. In one of the other two cases, a warning was issued to My Digital Lock, which sells digital locks and doors, for failing to make reasonable security arrangements to protect the personal data of a customer during its transfer to a desktop computer.

Separately, food caterer Smiling Orchid was fined $3,000 for failing to make reasonable security arrangements to prevent unauthorised access of its customers' personal data on its website. It was also ordered to conduct a security audit and patch all identified vulnerabilities on its website.

A version of this article appeared in the print edition of The Straits Times on December 01, 2016, with the headline 'Group warned over revealing data in blacklist'. Print Edition | Subscribe