Case Details
- Citation: [2019] SGPDPC 35
- Court: Personal Data Protection Commission
- Date: 2019-09-12
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Advance Home Tutors
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 9, [2019] SGPDPC 35, [2019] SGPDPC 5
- Judgment Length: 14 pages, 3,206 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Advance Home Tutors, a sole proprietor providing tutor-matching services, had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to implement reasonable security arrangements to protect the personal data of its tutors. The breach resulted in the unauthorized disclosure of the educational certificates and personal information of 152 tutors on the organization's website.
The PDPC determined that Advance Home Tutors failed to exercise proper oversight and control over the web developer it had engaged to design and develop its website, leading to security vulnerabilities that exposed the tutors' personal data. The organization was found liable for breaching its data protection obligations under the PDPA and was ordered to pay a financial penalty.
This case highlights the importance of organizations taking an active and diligent approach to data protection, even when outsourcing the development of their digital systems to third-party vendors. It underscores the need for clear contractual terms, ongoing monitoring, and comprehensive security testing to ensure the adequate safeguarding of personal data.
What Were the Facts of This Case?
Advance Home Tutors is a sole proprietor that provides "matching services" through its website, www.advancetutors.com.sg, connecting freelance tutors with prospective clients seeking tuition services. In January 2017, the organization engaged a freelance web developer based in the Philippines to design and develop the website, as well as migrate the existing databases and files from its old website.
At the time, 834 freelance tutors had signed up with Advance Home Tutors, and some of these tutors had chosen to upload their educational certificates to the website's server. These certificates were to be used by the organization to evaluate the suitability of the tutors for prospective jobs, and copies were to be disclosed on the tutor's public profile if the tutor consented.
However, the web developer subsequently migrated the educational certificates of 152 tutors (the "Affected Individuals") who had not consented to the disclosure of their certificates on their public profiles. The developer stored these certificates in an unsecured public directory on the website's server, which was accessible to the public via the internet and indexed by search engines. This resulted in the unauthorized disclosure of the Affected Individuals' personal data, including their names, NRIC numbers, educational institutions attended, and academic grades.
Advance Home Tutors admitted that it had not developed or implemented any data protection policies to ensure compliance with the PDPA. The organization also acknowledged that it lacked the technical expertise to properly assess and implement appropriate security measures to protect the personal data hosted on its website.
What Were the Key Legal Issues?
The key legal issue in this case was whether Advance Home Tutors had breached its obligations under Section 24 of the PDPA, which requires organizations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks."
Specifically, the PDPC had to determine whether Advance Home Tutors had put in place reasonable security arrangements to safeguard the personal data of the Affected Individuals that was hosted on the organization's website and server. This included assessing the steps taken by Advance Home Tutors to oversee and control the work of the web developer it had engaged to design and develop the website.
How Did the Court Analyse the Issues?
The PDPC noted that as Advance Home Tutors had engaged the web developer to provide services related to the website, the organization retained possession and control over the personal data hosted on the website. Therefore, the onus was on Advance Home Tutors to ensure that appropriate security arrangements were in place to protect this data.
The PDPC found that Advance Home Tutors had fallen short of its data protection obligations in several respects:
1. It did not emphasize the need for personal data protection in its written contract with the web developer, and did not discuss the developer's technical and non-technical processes for preventing data exposure.
2. It did not test the website before it went live to ensure the developer had properly implemented the organization's instructions and that the website was sufficiently robust to guard against cybersecurity risks.
3. It admitted that it lacked the technical expertise to properly assess and implement appropriate security measures to protect the personal data.
The PDPC rejected Advance Home Tutors' argument that its verbal instructions to the web developer to "respect and protect the privacy and confidentiality of all the data" constituted a sufficient security measure, stating that the organization should have reviewed the actual security standards implemented and identified foreseeable risks.
The PDPC emphasized that the lack of knowledge about the PDPA or IT security expertise is not a valid defense against the failure to take sufficient steps to comply with the data protection obligations under the Act. The organization had access to resources, including the PDPC's own guidance, that it could have relied on to increase its understanding and ensure compliance.
What Was the Outcome?
Based on its findings, the PDPC determined that Advance Home Tutors had breached Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of the Affected Individuals.
The PDPC ordered Advance Home Tutors to pay a financial penalty of S$6,000 for the breach. The organization was also required to cease retaining any educational certificates received from tutors and to develop a comprehensive data protection policy.
Why Does This Case Matter?
This case is significant for several reasons:
1. It reinforces the importance of organizations taking an active and diligent approach to data protection, even when outsourcing the development of digital systems to third-party vendors. Organizations cannot simply rely on verbal instructions or assume that their vendors will adequately protect personal data.
2. The case highlights the need for clear contractual terms, ongoing monitoring, and comprehensive security testing to ensure the effective safeguarding of personal data. Organizations must take proactive steps to understand and validate the security measures implemented by their vendors.
3. The decision underscores that a lack of technical expertise or knowledge about data protection regulations is not an excuse for failing to comply with the PDPA's requirements. Organizations have a responsibility to educate themselves and seek assistance if necessary to fulfill their data protection obligations.
4. The financial penalty imposed on Advance Home Tutors serves as a reminder to organizations of the potential consequences of data protection breaches and the need to take data security seriously. The PDPC has demonstrated its willingness to take enforcement action against organizations that fail to adequately protect personal data.
Overall, this case provides valuable guidance for organizations on the steps they must take to meet their data protection obligations under the PDPA, particularly when outsourcing the development of digital systems and platforms.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 9 (Re Habitat for Humanity Singapore Ltd)
- [2019] SGPDPC 35 (Advance Home Tutors)
- [2019] SGPDPC 5 (Re Tutor City)
Source Documents
This article analyses [2019] SGPDPC 35 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.