29 May 2023

Treatment of fictitious names and pseudonymous personal particulars under the Personal Data Protection Act 2012 (“PDPA”)

Background

On 24 December 2021, Fortytwo Pte. Ltd. (“Fortytwo”), an online furniture store, notified the Personal Data Protection Commission (“PDPC”) of malicious code injections on its website which led to the capturing of the email addresses and passwords of 6,241 individuals when they logged in to the website (the “Incident”). The names, credit card numbers, expiry dates and CVV/CVN numbers of another 98 individuals were also affected.

Issue

Fortytwo stated that it does not verify the names provided by users, and suggested that the impact of the Incident might be more limited as some of the users’ names may be incomplete, fictitious, or pseudonymous. Accordingly, the PDPC had to determine whether fictitious names or pseudonymous personal particulars form part of the personal data under the possession or control of Fortytwo.

The PDPC referred to Section 2(1) of the PDPA, which defines “personal data” to be data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. As such, the PDPC found that the PDPA caters for the situation where not every record of personal data that is under the possession or control of an organisation is verified. Accordingly, what matters is that the organisation, having collected the information, takes steps to comply with its obligations under the PDPA, such as to protect the personal data and to ensure its use in accordance with the purpose of its collection.

The PDPC contrasted the situation at hand with one where the organisation, as a data security or data management measure, applies pseudonymisation or anonymisation techniques to personal data that is in its possession or under its control. Where such techniques are applied, if the risk of re-identification is adequately addressed and managed, the resulting dataset may be treated as anonymised. The key difference is the intention of the organisation and its ability to direct and control the data processing activities required to achieve the resultant anonymised dataset.

The PDPC found that even if some customers had provided incomplete, fictitious or pseudonymous personal particulars or payment details, Fortytwo had collected personal data. The PDPC further stated that it did not matter that some of the customers may have provided inaccurate information to Fortytwo, and that Fortytwo’s obligations under the PDPA apply to the entire customer database.

To learn more, please read the PDPC’s decision here: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_FortyTwo070323.pdf.


IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC.
