'Data monger' gets $6,000 fine

Singapore's privacy watchdog has taken the first "data monger" here to task for breaching the Personal Data Protection Act (PDPA) since the law fully kicked in on July 2, 2014.

A data monger is someone who makes money from dealing in other people's personal data such as phone and NRIC numbers.

The Personal Data Protection Commission (PDPC) fined former telemarketer Sharon Assya Qadriyah Tang $6,000 on Jan 11 for selling personal data without notifying the individuals involved or obtaining their consent.

Tang started buying leads containing people's names, NRIC numbers, mobile phone numbers and annual income ranges some time in 2012. It was meant to help her meet her sales targets as a telemarketer.

She paid between 20 and 30 cents to unknown sellers for each lead, which contains the details of one person. It is not known if those who sold Tang the leads had obtained the personal data legitimately.

Even if the leads were obtained legitimately, consent from the individuals involved is required by law for a new purpose or for disclosure to another party. Tang had not obtained such consent nor did she notify them before she resold the leads.

Her last purchase was in June 2014, by which time she had accumulated about 30,990 leads stored in Microsoft Excel spreadsheets.

From 2012 to February last year, she resold the database repeatedly, up to 10 times, for between 5 cents and 20 cents per lead. This moonlighting earned her a profit of $5,000.

The PDPC said that Tang "had used means to obscure her identity when she was selling the leads, which is indicative of a guilty conscience and of a premeditated and deliberate contravention of the PDPA".

It added: "The profiteering from the sales of personal data by organisations at the expense of consumers or individuals is the very kind of activity which the PDPA seeks to curb, and hence, must be severely dealt with."

The exact penalty was determined to adequately reflect the seriousness of the breach without imposing "a crushing burden" on Tang as she and her husband were earning modest salaries and had a child to support, PDPC said.

Tang admitted to the wrongdoing and fully cooperated with the PDPC's investigations.

Some of the industry methods for mining personal data include contests, lucky draws, seminars and surveys. But when stricter privacy rules kick in this year, consumers will be able to refuse to hand over their NRIC details.

The PDPC has fined 22 organisations - one of them twice - a total of $216,500 over the past two years for security breaches that exposed the personal details of Singaporeans. Another 23 organisations have been censured for their shortcomings to date.