March 29, 2020

March 29, 2020

Subscribe to Latest Legal News and Analysis

March 28, 2020

Subscribe to Latest Legal News and Analysis

March 27, 2020

Subscribe to Latest Legal News and Analysis

March 26, 2020

Subscribe to Latest Legal News and Analysis

Singapore Taekwondo Federation Fined by Personal Data Protection Commission for Unauthorized Disclosure of Minors’ Information

Singapore’s Personal Data Protection Commission recently found that the Singapore Taekwondo Federation violated Singapore’s Personal Data Protection Act (PDPA) by failing to protect minors’ personal data on its website.  The PDPA was enacted in 2012 to “govern the collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”

The federation promotes, supports, and develops taekwondo-related activities and programs in Singapore.  On May 30, 2017, a public complaint was lodged against the Commission alleging the unauthorized disclosure of National Registration Identity Card (NRIC) numbers of 782 students who participated in the 2017 Annual Inter-School Taekwondo Championships.  The taekwondo federation had been posting the names and schools of student participants on its website since 2015.  The NRIC numbers were contained in minimized hidden columns within PDF versions of Excel spreadsheets.  Though the columns were not immediately visible, the complainant was able to view the NRIC numbers by copying and pasting the information into another document.

During the Commission’s investigation, the federation acknowledged its process of receiving encrypted Excel spreadsheets containing students’ personal information, rearranging the information and hiding the NRIC numbers, and converting the spreadsheets into PDF form.  The federation admitted that it was not aware of its data protection obligations under the PDPA and had not appointed a data protection officer or implemented a personal data protection policy.

On June 22, 2018, the Commission found that the federation did not take “sufficient steps towards protecting the personal data in its possession” or “prevent the unauthorised disclosure of the personal data.”  The Commission stated that the NRIC numbers constitute “a data attribute that is assigned to an individual for the purposes of identifying the individual and, on its own, identifies an individual.”  Moreover, the Commission noted the greater sensitivities and additional safeguards pertaining to the NRIC numbers in this situation because they belonged to minors less than 21 years old.  The Commission stated that the federation should have at the very least “ensured that its staff in charge of creating, processing and converting the Excel spreadsheets were given proper and regular training to equip them with the knowledge” to correctly convert the spreadsheets into PDF documents while properly protecting the personal data.

As penalty for this disclosure, the federation is required to pay a $30,000 fine, appoint a data protection officer, and establish a data protection policy pursuant to the PDPA.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Yodi Hailemariam, Drinker Biddle Law Firm, Washington DC, Cybersecurity Law Attorney

Yodi S. Hailemariam focuses her practice on U.S. and cross-border information governance, data privacy, cybersecurity, electronic discovery, legal analytics and the Internet of Things. Yodi has experience in a wide range of industries, including health care, pharmaceuticals and life sciences, intellectual property, insurance and financial services.

A frequent author, speaker and panelist on “all things data,” Yodi advises companies regarding electronic discovery in complex civil litigations, white collar defense, and corporate...