'Data monger' fined $6k by privacy watchdog for selling personal data without notification or consent

SINGAPORE - Singapore's privacy watchdog has taken the first "data monger" here to task for breaching the Personal Data Protection Act (PDPA) since the law fully kicked in on July 2, 2014.

A data monger is someone who makes money from dealing in other people's personal data such as phone and NRIC numbers.

The Personal Data Protection Commission (PDPC) fined former telemarketer Sharon Assya Qadriyah Tang $6,000 on Jan 11 for selling personal data without notifying the individuals involved or obtaining their consent.

Tang started buying leads containing people's names, NRIC numbers, mobile numbers and annual income ranges sometime in 2012. It was meant to help her meet her sales targets as a telemarketer.

She paid between 20 and 30 cents to unknown sellers for each lead which contains the details of one person. It is not known if those who sold Tang the leads had obtained the personal data legitimately.

Even if the leads were obtained legitimately, consent from the involved individuals is required by law for a new purpose or for disclosure to another party. Tang had not obtained such consent or notified them before she resold the leads.

Her last purchase was in June 2014, by which time she had accumulated about 30,990 leads stored in Microsoft Excel spreadsheets.

From 2012 through February last year (2017), she resold the database for up to 10 times more - for between 5 cents to 20 cents per lead. Moonlighting earned her a profit of $5,000.

The PDPC said that Tang "had used means to obscure her identity when she was selling the leads, which is indicative of a guilty conscience and of a premeditated and deliberate contravention of the PDPA".

The PDPC added: "The profiteering from the sales of personal data by organisations at the expense of consumer or individuals is the very kind of activity which the PDPA seeks to curb, and hence, must be severely dealt with."

The exact penalty was determined to adequately reflect the seriousness of the breach without imposing "a crushing burden" on Tang as she and her husband were earning modest salaries and had a child to support, PDPC said.

Tang also admitted to the wrongdoing and fully cooperated with the PDPC's investigations.

Some of the industry methods for mining personal data include contests, lucky draws, seminars and surveys. But when stricter privacy rules kick in this year (2018), consumers will be able to refuse to hand over their NRIC details. Instead, the onus will be on providers to use other methods to identify consumers.

The PDPC has fined 22 organisations - one of them twice - a total of $216,500 over the past two years for security breaches that exposed the personal details of Singaporeans. Another 23 organisations have been censured for their shortcomings to date.