Singapore Privacy Regulator Reminds That Paper Needs Privacy Too


Singapore’s privacy commissioner closed out May by sanctioning two companies for failing to take reasonable security measures to protect the personal data of their customers in extremely low tech ways not always associated with privacy violations these days.

The Singapore Personal Data Protection Commission issued enforcement measures on a furniture store and an Asia-Pacific Star Private Ltd. (APS), contracted by Tiger Airways Singapore Pte Ltd., a budget airline based in Singapore that operates in Southeast Asia, for mishandling paper receipts that contained customer personal information.

Both companies were found to have violated section 24 of the Personal Data Protection Act of 2012, which places on organizations an obligation to make reasonable security arrangements to protect the personal data in its possession or under its control and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

An APS employee contracted to Tiger Airways disposed of a partially printed flight manifest that contained a passenger’s name, booking reference number, and other flight-related information that could have been used to retrieve the passenger’s passport number, address, and last four digits of his credit card number.

The PDPC said that APS’s parent company had sufficient privacy policies in place, but that APS failed to “contextualize” its privacy policies and training, meaning that it didn’t apply the policies in place to the particular setting of the airport operations that some of its employees were working. 

The company “should have provided customized training and regulator refresher training” for employee that regularly handle personal data.

The furniture company case involved a customer who received an invoice with another customer’s surname, home address, telephone number, and email address printed on the backside. The PDPC found that the organization, rather than having actual privacy policies in place, merely relied on employees to carry “out their job functions correctly to say that this is a form of data protection measure in and of itself.”

Both companies escaped fines, but were order to review their privacy policies, develop new procedures to implement the policies, and conduct staff training.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.