The Personal Data Protection Commission (PDPC) has warned two companies for breaching private data rules, following complaints made against them last year in two unrelated incidents.
In separate grounds of decision released on Wednesday, ground-handling services firm Asia-Pacific Star (APS) and online furniture retailer furnituremart.sg were singled out by the privacy watchdog for their errant data-protection policies.
Both firms were found to have breached Section 24 of the Personal Data Protection Act (PDPA).
Last July, the PDPC received a complaint against APS, a subsidiary of ground-handling firm Sats. An APS employee had discarded a partially printed passenger name list for a Tigerair flight into a rubbish bin in a gate-hold room at Changi Airport.
The PDPC said the room was accessible to passengers and airport staff. The flight manifest contained personal data such as passenger names and booking reference numbers.
Someone with access to passenger names and booking numbers could have entered them into the Tigerair booking management portal and obtained other personal data such as passport numbers, home addresses and the last four digits of the credit cards used to pay for the flight.
APS has since "put in place security arrangements" and that this was an "isolated incident that occurred as a result of a lapse by an APS employee", said PDPC.
The PDPC is also asking APS to review its procedure for proper disposal of personal data, to introduce data-protection policies that are targeted at the services performed by its staff, and to include staff refresher training on data protection.
Furnituremart.sg was also asked to review its data-protection process after it was discovered that an invoice meant for disposal was reused as printing paper.
An invoice sent to a customer last November included details of another customer printed on the other side of the page.
The commission found that there were no proper procedures in place for data protection. Employees were not trained in data protection and there was no written policy on the protection of personal data.
The PDPC tasked the company to develop proper procedures on data protection, and to conduct proper training for staff to be aware of and to comply with PDPA requirements when handling personal data.
The commission did not state deadlines for these changes to be implemented.
In April, it imposed a 120-day deadline on the National University of Singapore to ensure that all its students in leadership roles are trained in personal data protection, after personal details of attendees of a freshmen orientation camp were shared online.