SINGAPORE: The Singapore Taekwondo Federation has been fined S$30,000 after the NRIC numbers of 782 minors were disclosed via PDF documents on its website.
The issue was discovered on May 19 last year when a complainant came across PDF documents with the names and schools of students participating in the 2017 Annual Inter-School Taekwondo Championships, according to the decision published by the Personal Data Protection Commission.
The NRIC numbers were not "immediately visible to the complainant" in the PDF documents, as they were set out in columns which were minimised, said the decision.
However, when the complainant copied and pasted the PDF documents' contents into another document, he was able to see the NRIC numbers of the students.
He then went on to inform the taekwondo federation of this, but did not receive a response and so lodged a complaint with the Personal Data Protection Commission.
HOW IT HAPPENED
According to the decision, the federation would first receive an encrypted Excel spreadsheet with the personal data of students intending to participate in the championships from the Ministry of Education.
After receiving this, the federation's head of the tournament department would then rearrange the students' data into programme lists and bout sheets using Microsoft Excel.
The tournament head said he would "hide" the students' NRIC numbers before converting the spreadsheets into PDF documents.
"Thereafter, I will send the new Excel spreadsheet with the names, schools, programme list and hidden NRIC numbers to [redacted] who will then convert it into a PDF list for uploading onto (the federation's) website," the decision quoted the tournament head as saying.
"She also has been doing this since 2015 but she does not know that I simply hide the NRIC numbers."
In its investigations, officers from the commission copied the PDF documents from the federation's website to a new Microsoft Word document, and found that the columns which were not visible on the PDFs did appear when copied onto the Word document.
However, when the commission tried to replicate the data disclosure by creating a new spreadsheet and repeating the process, it found that "hidden" contents were not revealed when copied to a separate Microsoft Word or Excel document.
"Subsequently, the officers of the commission discovered that this issue would only occur if the columns were minimised instead," said the decision.
"Based on the foregoing, the commissioner finds that the columns in the Excel spreadsheet prepared by the tournament head were not hidden but merely minimised."
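The pre-publication check that this sequence of events calls for, added here as an illustration and not part of the decision or the federation's process: extract the text of the PDF that is about to be uploaded (by copy-paste, as the complainant and the commission's officers did, or with a PDF text tool), and hold the document back if any NRIC-formatted value appears, whether or not the column it sits in is visible. The check-letter rule below is the published scheme for the S/T/F/G prefixes; the sample text is constructed and every name, school and identifier in it is made up.

```python
import re
from typing import List, Optional, Tuple

# Published check-letter scheme for NRIC (S/T) and FIN (F/G) numbers.
# The M-series introduced in 2022 uses a different table and is not
# validated here; such tokens are still reported, with checksum None.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                  "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
# An NRIC/FIN-shaped token: prefix letter, seven digits, check letter.
_NRIC_RE = re.compile(r"\b([STFGM])(\d{7})([A-Z])\b")


def nric_checksum_ok(value: str) -> Optional[bool]:
    """True/False if the check letter matches the published scheme,
    None when the prefix is one this validator does not cover."""
    prefix, digits, check = value[0], value[1:8], value[8]
    table = _CHECK_LETTERS.get(prefix)
    if table is None:
        return None
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    if prefix in "TG":          # T and G series add a fixed offset of 4
        total += 4
    return table[total % 11] == check


def find_nric_like(text: str) -> List[Tuple[int, str, Optional[bool]]]:
    """Scan extracted document text line by line and return
    (line_number, token, checksum_ok) for every NRIC-shaped token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _NRIC_RE.finditer(line.upper()):
            token = "".join(m.groups())
            hits.append((lineno, token, nric_checksum_ok(token)))
    return hits


def safe_to_publish(text: str) -> bool:
    """Refuse any document whose extracted text carries an NRIC-shaped
    token that passes the checksum, even if it is not visible on the page."""
    return not any(ok for _, _, ok in find_nric_like(text))


# Constructed sample: what a copy-paste of a bout sheet with a minimised
# column might yield. S1234567D is the widely used test NRIC value.
SAMPLE_TEXT = """Bout 1  Tan Ah Kow   Example Secondary   S1234567D
Bout 2  Lim Bee Hwa  Sample High         T0012345A
Bout 3  Ng Chee Meng Demo Secondary      S9999999X"""

if __name__ == "__main__":
    print(find_nric_like(SAMPLE_TEXT), safe_to_publish(SAMPLE_TEXT))
```

Running this over the extracted text of each programme list and bout sheet, rather than trusting what the spreadsheet author believes is hidden, catches a minimised column exactly as the complainant's copy-paste did.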
FEDERATION "NOT AWARE" OF PDPA
The taekwondo federation also admitted that it was not aware of the Personal Data Protection Act 2012 (PDPA) and so had neither appointed a data protection officer nor put in place any policies necessary to meet its obligations.
However, this lack of awareness was "not a legitimate defence", said the decision.
In addition, the decision highlighted the fact that the federation's mistake of not realising the NRIC numbers were in minimised columns in the PDFs could be "quite easily repeated".
"Any person could simply copy the contents of the PDF documents and paste it onto another document, thereby resulting in further unauthorised disclosures of the students’ personal data," said the decision.
"Such potential impact and harm cannot be ignored, especially when it involves the NRIC numbers of 782 students who were also minors, and whose personal data would thus be considered to be more sensitive in nature."
FEDERATION CAUSED "QUITE SOME DELAYS" TO INVESTIGATION
In addition, the federation had also "caused quite some delays in the investigation process", said the decision.
It only responded to the commission's notice to require production of documents and information after two months and multiple reminders, and only after the federation's president was copied into one of these email reminders.
Taking all this into consideration, the federation was fined S$30,000.
It was also directed to appoint a data protection officer within 30 days, to develop and implement policies necessary to meet its PDPA obligations within 30 days, and to inform the commission of the completion of each direction within a week of its implementation.