Singapore’s Personal Data Protection Commission recently found that the Singapore Taekwondo Federation violated Singapore’s Personal Data Protection Act (PDPA) by failing to protect minors’ personal data on its website.  The PDPA was enacted in 2012 to “govern the collection, use and disclosure of personal data by organisations in a manner that recognizes both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”

The federation promotes, supports, and develops taekwondo-related activities and programs in Singapore.  On May 30, 2017, a public complaint was lodged against the Commission alleging the unauthorized disclosure of National Registration Identity Card (NRIC) numbers of 782 students who participated in the 2017 Annual Inter-School Taekwondo Championships.  The taekwondo federation had been posting the names and schools of student participants on its website since 2015.  The NRIC numbers were contained in minimized hidden columns within PDF versions of Excel spreadsheets.  Though the columns were not immediately visible, the complainant was able to view the NRIC numbers by copying and pasting the information into another document.

During the Commission’s investigation, the federation acknowledged its process of receiving encrypted Excel spreadsheets containing students’ personal information, rearranging the information and hiding the NRIC numbers, and converting the spreadsheets into PDF form.  The federation admitted that it was not aware of its data protection obligations under the PDPA and had not appointed a data protection officer or implemented a personal data protection policy.

On June 22, 2018, the Commission found that the federation did not take “sufficient steps towards protecting the personal data in its possession” or “prevent the unauthorised disclosure of the personal data.”  The Commission stated that the NRIC numbers constitute “a data attribute that is assigned to an individual for the purposes of identifying the individual and, on its own, identifies an individual.”  Moreover, the Commission noted the greater sensitivities and additional safeguards pertaining to the NRIC numbers in this situation because they belonged to minors less than 21 years old.  The Commission stated that the federation should have at the very least “ensured that its staff in charge of creating, processing and converting the Excel spreadsheets were given proper and regular training to equip them with the knowledge” to correctly convert the spreadsheets into PDF documents while properly protecting the personal data.

As penalty for this disclosure, the federation is required to pay a $30,000 fine, appoint a data protection officer, and establish a data protection policy pursuant to the PDPA.