Date: 2021-11-02

Singapore's privacy watchdog has collected more than $2.68 million in fines from 104 entities found to have breached the Personal Data Protection Act (PDPA) over the past six years since the first fines were given in April 2016.

Checks by The Straits Times found that the number of entities found in breach of the PDPA, and the amount of fines issued to them, appear to have fallen since they peaked in 2019.

But experts said this could just be the tip of the iceberg, as Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), did not take enforcement action when Singapore went into its Covid-19 semi-lockdown last year.

The PDPC has also taken into account the exceptional challenges faced by businesses amid the pandemic, and ensured that the financial penalties imposed would not cause undue hardship on organisations.

The PDPA, fully enforced since July 2014, aims to protect consumers' personal data from being collected, used and shared without their consent.

Rule breakers now face a maximum fine of $1 million, or 10 per cent of the organisation's annual turnover in Singapore, whichever is higher.

About 68 per cent of the total number of incidents recorded from April 2016 to October this year involved a breach of the entities' data protection obligations.

This means they failed to implement reasonable security arrangements to protect the data in their possession and prevent unauthorised access, collection, use, disclosure or similar risks.

For example, some organisations held their users' data on servers that were protected with weak passwords, or failed to terminate the user accounts of staff who had resigned.

A number of restaurants and malls allowed users to access their membership or order information with just a serial number. These numbers were issued sequentially, which meant users could easily access other users' information by entering another number, such as the next one in the sequence, instead of their own.
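The weakness described above is an authorisation failure, not a password failure: the serial number is treated as both identifier and credential, so anyone who can count can read every record. The following Python is an added illustration, not code from any of the organisations the article mentions. It contrasts a lookup that trusts the serial number alone with one that requires an authenticated session and checks that the session belongs to the member being requested, and it shows the second mitigation, an unguessable reference, for cases such as order-status links where there is no login at all. The member records, the `start_session` helper and the function names are constructed for the example; `start_session` assumes the member has already been authenticated by some other means.

```python
"""Sequential serial numbers versus an ownership check (added example, not from the article)."""
import secrets
from typing import Dict, List, Optional

# Constructed sample data: loyalty-programme members keyed by a sequential serial number.
MEMBERS: Dict[int, dict] = {
    1001: {"name": "Member A", "phone": "9111 1111"},
    1002: {"name": "Member B", "phone": "9222 2222"},
    1003: {"name": "Member C", "phone": "9333 3333"},
}

# --- The weak pattern: the serial number is the only thing the endpoint checks. ---

def lookup_vulnerable(serial: int) -> Optional[dict]:
    """Return a member's record given nothing but their serial number."""
    return MEMBERS.get(serial)

def enumerate_vulnerable(start: int, count: int) -> List[int]:
    """What a curious user does: try consecutive numbers and collect every hit."""
    return [s for s in range(start, start + count) if lookup_vulnerable(s) is not None]

# --- The hardened pattern: an authenticated session plus an ownership check. ---

SESSIONS: Dict[str, int] = {}  # session token -> serial of the member who logged in

def start_session(serial: int) -> str:
    """Issue an unguessable session token for a member.

    Assumption for this example: the caller has already authenticated the member
    (password, OTP, etc.); that step is deliberately out of scope here.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a counter
    SESSIONS[token] = serial
    return token

def lookup_hardened(session_token: str, serial: int) -> Optional[dict]:
    """Return the record only if the session belongs to the member being requested."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != serial:
        return None  # not logged in, or trying to read someone else's data
    return MEMBERS.get(serial)

def enumerate_hardened(session_token: str, start: int, count: int) -> List[int]:
    """The same enumeration attempt against the hardened endpoint: only the caller's own record is visible."""
    return [s for s in range(start, start + count)
            if lookup_hardened(session_token, s) is not None]

# --- No login at all (e.g. an order-status link): use an opaque, random reference. ---

ORDER_REFS: Dict[str, int] = {}  # opaque reference -> serial it was issued for

def issue_order_reference(serial: int) -> str:
    """Hand out a reference that cannot be derived from the previous one."""
    ref = secrets.token_urlsafe(16)  # 128 bits; neighbouring references share nothing
    ORDER_REFS[ref] = serial
    return ref

def lookup_by_reference(ref: str) -> Optional[dict]:
    """Resolve an opaque reference; an attacker cannot enumerate these by counting."""
    serial = ORDER_REFS.get(ref)
    return MEMBERS.get(serial) if serial is not None else None

if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_vulnerable(1000, 10))
    tok = start_session(1001)
    print("hardened endpoint shows only:", enumerate_hardened(tok, 1000, 10))
    print("opaque reference resolves:", lookup_by_reference(issue_order_reference(1002)))
```

The essential change is the `owner != serial` comparison: the server decides whose data the caller may see from the authenticated session, never from a value the caller typed in. Random references are a complement, not a substitute, because they only raise the cost of guessing; they do not stop a legitimately logged-in user from asking for a record that is not theirs.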

About 14.2 per cent of the incidents from April 2016 to October this year involved breaches of the openness or accountability obligation.

This refers to the need for organisations to have proper data protection policies, practices and complaints processes, and to designate a data protection officer.

A further 7.3 per cent involved breaches of the consent obligation, including allowing individuals to withdraw consent for data collected.

The remaining 10.6 per cent involved breaches of various other obligations such as limits imposed on data retention.

The highest annual fines were recorded in 2019.

This is even after discounting the penalties imposed in 2019 over the SingHealth cyber attack, which involved the theft of personal data belonging to 1.5 million patients, including their names, NRIC numbers, addresses and other information.

SingHealth and the Integrated Health Information Systems - the IT provider for Singapore's public healthcare sector - were fined a combined $1 million.

A further $630,000 in fines was collected from 34 other entities in 2019.

Comparatively, 26 entities were fined $425,500 in total last year, and $235,000 in total this year.

However, this apparent fall in PDPA violations could be due to "distortions" caused by the Covid-19 pandemic and not a genuine decrease in incidents, said Mr Kevin Shepherdson, chief executive of data protection solutions provider Straits Interactive.

In particular, Singapore entered its circuit breaker period from April to June last year, during which the PDPC did not take any enforcement action.

There could be a backlog of cases as well as under-reporting of breaches following the mass shift to working from home last year, said Mr Shepherdson.

"When you do that, you're not really ready and you might not be as conscious of data protection and cyber-security issues as you should be," he said.

For instance, some companies were known to have made use of less secure platforms or free online services to handle their customers' data.

Also, many more people fell prey to scams making use of social engineering or phishing attacks over the last few years.

Social engineering refers to attempts by malicious parties to manipulate someone's actions, such as by tricking them into divulging their passwords by pretending to be a trusted party.

Another reason for the apparent drop in fines collected could be that the PDPC takes into account factors such as the companies' financial circumstances when issuing fines.

In one case this year, it ordered a human resource and management consultancy company to pay a $90,000 fine after private reports containing the personal information of the company's clients were found to be accessible on its website through public search engines.

The fine was later reduced to $30,000, with the company's financial circumstances and the owner's personal circumstances considered in mitigation.

"The exceptional challenges faced by businesses amid the current Covid-19 pandemic have been taken into account, bearing in mind that financial penalties imposed should not be crushing or cause undue hardship on organisations," the PDPC said.

"Although a lower financial penalty has been imposed in this case, this is exceptional and should not be taken as setting any precedent for future cases."