On November 28, 2018, Singapore’s Personal Data Protection Commission (commission) issued its grounds of decision against Big Bubble Centre (respondent), a sole-proprietorship in the scuba-diving business.

The facts of the case were as follows:

  • The complainant was an individual who had worked for the respondent and claimed that he was not paid wages for such work. He resigned and decided to take some diving equipment, which he claims to have paid for.
  • The respondent refuted the complainant’s claim, and instead asserted that the complainant had owed it money for participating in and logging dives organized by the respondent for the purposes of obtaining his PADI Dive Master Certification. Further, it alleged that the complainant had stolen its diving equipment as well as the respondent’s documents.
  • The complainant in turn claimed that the respondent had sent text messages to some of its customers informing them about the respondent’s allegations against the complainant.
  • The complainant himself wrote a Facebook post detailing his angst with the respondent and its owner. In that same post, he also warned other divers from joining the respondent.
  • The respondent posted two Facebook posts of its own, detailing the money that was allegedly owed to it by the complainant, and disclosed the following personal data in these posts:
    1. the complainant’s name, national registration identity card number, date of birth, passport number and expiry date, mobile phone number, email address, residential address; and
    2. the complainant’s female friend’s name and residential address, as well as the make of her car.

The commission’s findings were as follows:

  • There was a breach of the consent obligation under the Personal Data Protection Act 2012 (PDPA) by the respondent, insofar as it had disclosed the personal data of the complainant and his female friend without their consent.
  • There was no conceivable justification for the respondent to disclose the personal data of the complainant and his female friend on its Facebook posts. While it is hardly surprising that one might try and use personal data in a “heat of the moment” post on social media, such conduct is unacceptable from a PDPA compliance perspective.

Taking into account that the posts were removed and that the respondent had indicated a willingness to comply with the PDPA in future, the commission merely issued the respondent with a warning without the imposition of any financial penalty.

Key takeaways

  • An organization must exercise caution when posting content on any social media account. Prior to posting any personal data of individuals, such as their personal particulars or photographs, an organization should ensure that it has obtained all necessary consents from the relevant individuals to do so, unless an exception to consent clearly applies under the PDPA.
  • Organizations should also consider adopting social media acceptable use policies to ensure that their employees comply with, among other things, applicable data protection requirements, when using such platforms.