2 firms warned over customer data lapses

One had carelessly disposed of flight list, the other had reused invoice for printing

An employee of ground-handling services firm Asia-Pacific Star threw a partially printed passenger list for a Tigerair flight into a bin in a room at Changi Airport that was accessible to passengers and airport staff. ST FILE PHOTO
Furnituremart.sg sent an invoice to a customer that had another customer's details on the other side of the page. PHOTO: SCREENSHOT/FURNITUREMART.SG

The Personal Data Protection Commission (PDPC) has warned two companies for breaching private data rules, following complaints made against them last year in two unrelated incidents.

In separate grounds of decision released on Wednesday, ground-handling services firm Asia-Pacific Star (APS) and online furniture retailer furnituremart.sg were singled out by the privacy watchdog for their errant data-protection policies.

Both firms were found to have breached Section 24 of the Personal Data Protection Act (PDPA).

Last July, the PDPC received a complaint against APS, a subsidiary of ground-handling firm Sats. An APS employee had discarded a partially printed passenger name list for a Tigerair flight into a rubbish bin in a gate-hold room at Changi Airport.

The PDPC said the room was accessible to passengers and airport staff. The flight manifest contained personal data such as passenger names and booking reference numbers.

Someone with access to passenger names and booking numbers could have entered them into the Tigerair booking management portal and obtained other personal data such as passport numbers, home addresses and the last four digits of the credit cards used to pay for the flight.

The PDPC said that APS has since "put in place security arrangements" and that this was an "isolated incident that occurred as a result of a lapse by an APS employee".

The PDPC is also asking APS to review its procedure for proper disposal of personal data, to introduce data-protection policies that are targeted at the services performed by its staff, and to include staff refresher training on data protection.

Furnituremart.sg was also asked to review its data-protection process after it was discovered that an invoice meant for disposal was reused as printing paper.

An invoice sent to a customer last November included details of another customer printed on the other side of the page.

The commission found that there were no proper procedures in place for data protection. Employees were not trained in data protection and there was no written policy on the protection of personal data.

The PDPC tasked the company to develop proper procedures on data protection, and to conduct proper training for staff to be aware of and to comply with PDPA requirements when handling personal data.

The commission did not state deadlines for these changes to be implemented.

In April, it imposed a 120-day deadline on the National University of Singapore to ensure that all its students in leadership roles are trained in personal data protection, after personal details of attendees of a freshmen orientation camp were shared online.

A version of this article appeared in the print edition of The Straits Times on June 03, 2017, with the headline 2 firms warned over customer data lapses.