SINGAPORE - The Personal Data Protection Commission (PDPC) has warned two companies for breaching private data rules, following complaints made against them last year in two unrelated incidents.
In two separate grounds of decision released on Wednesday, both ground handling services firm Asia-Pacific Star (APS) and online furniture retailer furnituremart.sg were singled out by the privacy watchdog for their errant data protection policies.
APS had failed to dispose of a flight manifest containing passenger data properly, while furnituremart.sg had sent a customer an invoice with the details of another customer printed overleaf.
Both firms were found to have breached Section 24 of the Personal Data Protection Act (PDPA).
In the APS case, the PDPC received a complaint made last July against the company, which is a subsidiary of ground-handling firm Sats. An APS employee had discarded a partially-printed passenger name list for a Tiger Airways flight into a rubbish bin in a gate hold room in Changi Airport.
This room is accessible to passengers and airport staff. The flight manifest contained personal data such as passengers' names, booking reference number, destination and flight number.
Someone who had access to passenger names and booking numbers could have entered them into the Tigerair booking management portal and obtained other personal data such as passport number, home address and the last four digits of the credit card used to pay for the flight.
APS said in the report that it had put in place security arrangements and that this was an isolated incident that occurred as a result of a lapse by an APS employee.
As a result, the commission is asking APS to review its procedure for proper disposal of personal data, introduce data protection policies that are targeted at the services performed by its staff, and to include a staff refresher training on data protection.
Furnituremart.sg was also asked to review its data protection process, after it was discovered that an invoice meant for disposal was re-used as printing paper.
This resulted in an invoice sent to a customer with the details of another customer printed on the other side of the page.
A PDPC investigation found that there were no proper procedures in place for data protection. The firm did not give its employees training in data protection and did not have a written policy on the protection of personal data.
As such, the PDPC also tasked the company to develop proper procedures on data protection policy and to conduct proper staff training to be aware of, and comply with, PDPA requirements when handling personal data.