MCI response on Cases of Unauthorised Sale of Personal Data Investigated by PDPC

Parliament Sitting on 10 January 2022

QUESTION FOR WRITTEN ANSWER

45. Mr Melvin Yong Yik Chye: To ask the Minister for Communications and Information (a) in the past five years, how many cases of unauthorised sale of consumers’ personal data did the Personal Data Protection Commission investigate; and (b) of the investigated cases, how many were successfully prosecuted.

Answer:

1. Over the last five years, the Personal Data Protection Commission (PDPC) has investigated three cases of alleged data breaches involving unauthorised sales of personal data.

2. Out of these, two cases were found to be in breach of the Personal Data Protection Act (PDPA) for failing to notify and obtain consent from individuals before selling their personal data to third parties for telemarketing purposes. One of the cases involved a company, which was fined $48,000. The other involved an individual who was fined $6,000. Both were directed to cease their actions and rectify their data protection practices. A third case involving a company was investigated but no breach was found. The company was advised on how to improve its data collection practices and how to communicate its Privacy Policy to users more effectively.

3. PDPC takes a firm stance against the unauthorised sale of personal data, so as to safeguard against harms to the public, such as identity theft and unsolicited calls. Organisations purchasing contact lists must do their due diligence to ensure that the sale is authorised, and that the data is sufficiently accurate and updated for their purposes.