fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

What every organization should know about the purpose limitation obligation

purpose limitation obligation
Every organization should observe the purpose limitation obligation to avoid facing a hefty fine.

What every organization should know about the purpose limitation obligation

The Personal Data Protection Act of 2012 (PDPA) governs organizations’ collection, use, and disclosure of individuals’ personal data in a way that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Apart from the duties imposed on organizations by the PDPA, the Personal Data Protection Commission (PDPC), the data protection authority, has generally pushed for a culture of accountability. For example, in 2019, the PDPC developed the Data Protection Trustmark Certification, a voluntary enterprise-wide certification program for organizations to demonstrate accountable data protection procedures.

The PDPA recently underwent its first comprehensive revision since its enactment in 2012, as part of the Personal Data Protection (Amendment) Bill 2020, which was passed on November 2, 2020, and formally enacted as the Personal Data Protection (Amendment) Act of 2020. The majority of the Amendment Act’s provisions took effect on February 1, 2021. Most notably, a mandatory data breach notification regime was implemented, which requires organizations that experience a data breach to notify the PDPC and impacted persons of the data breach unless an exception applies.

To avoid any ramifications from the PDPC, Organizations should always keep in mind the PDPA guidelines, which includes the Purpose Limitation Obligation.

PDPA’s Purpose Limitation Obligation 

The obligation of organizations to collect, use and disclose personal data for the limited purposes specified in section 18 of the PDPA is referred to in these Guidelines as the Purpose Limitation Obligation. 

Under Section 18 of the PDPA, it limits the purposes and extent to which an organization may collect, use, or disclose personal data. Specifically, section 18 provides that an organization may collect, use or disclose personal data about an individual only for purposes: 

a) that a reasonable person would consider appropriate in the circumstances; and 

b) where applicable, that the individual has been informed of by the organization (pursuant to the Notification Obligation). 

The primary goal of the Purpose Limitation Obligation is to ensure that organizations only collect, use, and disclose personal data relevant to the goals and that they do so for legitimate purposes to fulfill their obligations. Purpose limitation obligations are in line with notification obligations in that they limit the purposes for which personal data may be collected, used, or disclosed to those that have been communicated in writing to the individuals involved in accordance with notification obligations (where applicable).

When determining the reasonableness of an objective for the purposes of Section 18 (and as specified in that section), the question is whether a reasonable person would consider it appropriate in the circumstances. Therefore, the specific circumstances surrounding the collection, use, and disclosure must be taken into account when determining whether the purpose of such collection, use, or disclosure is legitimate. It is unreasonable for a reasonable person to view an objective that violates the law or is damaging to the one being pursued to be appropriate.

Also Read: Understanding the mandatory data breach notification of Singapore

The obligation of organizations to collect, use and disclose personal data for the limited purposes is referred as the Purpose Limitation Obligation. 

Breach of Purpose Limitation Obligations by Neo Yong Xiang

The recent incident involving Neo Yong Xiang underscores the importance of exercising the Purpose Limitation Obligation. After breaching the Purpose Limitation Obligation, Neo Yong Xiang was made to pay a whopping S$21,000 fine. 

Between January 2020 and November 2020, there were 3,636 Do Not Call (DNC) complaints from persons who received specified messages even though their telephone numbers were registered with the DNC register. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at Yoshi Mobile (YM).  

When consumers purchased pre-paid SIM cards from a Geylang Road mobile phone shop, they had no idea their personal information would be utilized to register more SIM cards for illicit sale. Regrettably, this was the case for at least 78 persons who acquired pre-paid M1 SIM cards from Mr. Neo Yong Xiang (“NYX”), the sole proprietor of Yoshi Mobile (“YM”). 

The Commission’s investigations established that NYX abused the sim card registration procedure by using customers’ personal information without their consent to register for multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.

NYX acknowledged throughout the investigation that he registered the illicit SIM cards with the intent of selling them to gain additional money. NYX believed that he earned around $15,000 in three years of selling such unlawful SIM cards to unknown walk-in customers.

Personal data obtained and used by NYX to register illicit SIM cards include, but are not limited to, the following: 78 people’ personal data (used to register 94 SIM cards): 

  • (a) the customers’ names; 
  • (b) the customers’ addresses; and 
  • (c) the customers’ NRIC numbers and/or work permit numbers. 

The Commission’s investigations established that NYX abused the sim card registration procedure by using customers’ personal information without their consent to register for multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.

On the facts of this case, NYX breached both the Consent Obligation and the Purpose Limitation obligation by using his customers’ personal data to register the illicit SIM cards for sale to anonymous buyers beyond the reasonable purpose and without the affected people’s consent. With this, the organization was made to pay a whopping S$21,000. 

What we can get from this case is the importance of making sure that Organizations only collect, use, or disclose personal data of individuals for a purpose that a reasonable person would consider appropriate and applicable. As based on how the case was decided, when the Purpose Obligation was not complied with, a hefty fine can be imposed to the Organization.

With this, it is a must that Organizations collect, use, or disclose personal data of individuals based on the Purpose Limitation obligation or else face a whopping fine.

Also Read: Guarding against common types of data breaches in Singapore

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us