“Testing, Testing and more Testing...” - A study on PDPC Enforcement Cases
By: Josiah Poh (CIPM, CIPP/A, CIPT, CIPP/E, FIP), Senior Manager (Consultancy & Legal), Data Protection Officer, Straits Interactive Pte Ltd
After a couple of months’ hiatus, Singapore’s Personal Data Protection Commission published a total of eight enforcement decisions on its website. This article summarises the two decisions that resulted in the two highest financial penalties in this set, together with the learning points that all DPOs and privacy professionals should heed.
As the title of this article suggests, these two decisions set out the regulator’s expectations of what organisations need to do when rolling out new information systems or solutions that involve the collection, use, disclosure and storage of personal data.
MDIS Corporation Pte Ltd  SGPDPC 11
WHAT HAPPENED: PDPC acted upon two complaints in 2019 from an individual who did a vanity search of her NRIC and was able to access an Excel spreadsheet containing personal data of course participants who had signed up for courses with MDIS Corporation. This spreadsheet contained personal data of 304 individuals, such as name, NRIC, citizenship and email address. The spreadsheet was linked to an online form on MDIS’ website.