20 July 2018

Data protection, privacy & security

S'pore Taekwondo Federation fined $30,000 for data leak

Straits Times
10 Jul 2018
Irene Tham

Privacy watchdog reminds all organisations to treat data of those under 21 with extra care

The Singapore Taekwondo Federation has been fined $30,000 by Singapore's privacy watchdog for inadvertently disclosing the personal data of 782 students online.

This is the second leak involving the personal data of minors here by a private organisation in the last two years, prompting the Personal Data Protection Commission (PDPC) to remind all organisations that the data of those under 21 years old must be treated with extra care.

"(The) potential impact and harm cannot be ignored, especially when it involves the NRIC numbers of 782 students who were also minors, and whose personal data would thus be considered to be more sensitive in nature," said Singapore's privacy commissioner Tan Kiat How in issuing the fine.

Experts said that such exposure would allow marketers to profile and engage children, who may not have the know-how or judgment required to handle the engagements.

Children can also be easily tracked online these days as they have access to mobile devices and wearables, amplifying the risks of their exposure.

Therefore, the PDPC requires organisations to place "additional safeguards" to protect the personal data of minors. The obligations kicked in with the full enforcement of Singapore's Personal Data Protection Act (PDPA) in July 2014.

The Singapore Taekwondo Federation failed to provide such safeguards.

A list containing the names, NRIC numbers and schools of the participants of the 2017 Inter-School Taekwondo Championships was not password-protected, and the organisation also did not appoint a data protection officer.

When a staff member mistakenly used the "minimise" function on a Microsoft Excel spreadsheet instead of the "hide" feature, the data became visible to others when copied and pasted to another document.

The federation has since been directed to appoint a data protection officer by this month.

The federation did not respond by press time.

In September 2016, the PDPC issued a warning to ABR Holdings when its Swensen's Kids Club website revealed children's names and dates of birth when their membership numbers were entered.

Two other known breaches of minors' personal data here were committed by public organisations, which are exempted from the PDPA. Leaked NRIC numbers of hundreds of Xinmin Secondary School students were discovered in September last year, and Henry Park Primary School exposed the personal data of more than 1,900 of its pupils in March 2015.



Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.