
AIG Asia Pacific Insurance Pte. Ltd. [2018] SGPDPC 8

Analysis of [2018] SGPDPC 8, a decision of the Personal Data Protection Commission on 2018-05-30.

Case Details

  • Citation: [2018] SGPDPC 8
  • Court: Personal Data Protection Commission
  • Date: 2018-05-30
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: AIG Asia Pacific Insurance Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Definition of "control", Data Protection – Definition of "possession"
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 22, [2017] SGPDPC 17, [2017] SGPDPC 9, [2018] SGPDPC 8
  • Judgment Length: 14 pages, 3,594 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated AIG Asia Pacific Insurance Pte. Ltd. (AIG) for a data breach involving the unauthorized disclosure of its policyholders' personal data. The breach occurred when AIG inadvertently provided an incorrect fax number on its policy renewal notices, causing the notices to be sent to a third party instead of AIG. The PDPC found that AIG had breached its obligations under the Personal Data Protection Act (PDPA) to make reasonable security arrangements to protect the personal data in its possession or control.

What Were the Facts of This Case?

AIG is a general insurance company in Singapore. In November 2016, AIG implemented a new electronic policy administration system that generated various forms, including policy renewal notices for its Individual Personal Accident product. These renewal notices contained the personal data of AIG's policyholders, including their names, addresses, policy details, and in some cases, their family members' personal data.

Due to an error, AIG had inadvertently included an incorrect fax number on all the forms generated by the new system, including the renewal notices. This incorrect fax number was previously used by AIG but was now in use by a third party, Tokyu Hands Singapore Pte. Ltd. (Tokyu Hands). As a result, when policyholders tried to fax their completed renewal notices back to AIG, the notices were instead sent to Tokyu Hands.

AIG only became aware of the error on 29 May 2017, after Tokyu Hands notified AIG that it had been receiving the renewal notices. AIG estimated that between 25 and 125 renewal notices may have been sent to Tokyu Hands over the six-month period from November 2016 to May 2017. The majority of these were sent by AIG's own agents on behalf of policyholders.

The key legal issue was whether AIG had breached its obligations under Section 24 of the PDPA to make reasonable security arrangements to protect the personal data in its possession or control. Specifically, the PDPC had to determine whether AIG was in possession or control of the personal data contained in the policy renewal notices, and whether the inclusion of the incorrect fax number constituted a failure to make reasonable security arrangements.

How Did the Court Analyse the Issues?

The PDPC first established that the personal data contained in the renewal notices, which included names, addresses, policy details, and in some cases, family members' personal data, fell within the definition of "personal data" under the PDPA. There was no dispute that the PDPA applied to AIG as an "organization" under the Act.

The PDPC then considered whether AIG was in possession or control of the personal data, such that the obligation to make reasonable security arrangements would apply. The PDPC found that AIG was in possession of the personal data, as it had the data on record for each policyholder and generated the renewal notices containing the pre-filled personal data.

Additionally, the PDPC determined that AIG was in control of the personal data, as it had the ability to decide the purposes for and manner in which the personal data was collected, processed, used, and disclosed. This was evident from AIG's decision to pre-fill the renewal notices with the policyholders' personal data to provide a better customer experience.

Having established that AIG was in possession and control of the personal data, the PDPC then considered whether AIG had breached its obligation under Section 24 of the PDPA to make reasonable security arrangements. The PDPC found that the inclusion of the incorrect fax number on the renewal notices, which resulted in the personal data being disclosed to an unauthorized third party, constituted a failure to make reasonable security arrangements.

The PDPC noted that while AIG had taken remedial actions, such as correcting the fax number, communicating the correct number to its agents, and making arrangements to retrieve any outstanding renewal notices sent to Tokyu Hands, these steps were taken after the breach had already occurred. The PDPC concluded that AIG's initial failure to verify the accuracy of the contact information on the forms generated by its new system amounted to a breach of its obligations under the PDPA.

What Was the Outcome?

Based on its findings, the PDPC determined that AIG had breached its obligations under Section 24 of the PDPA. As a result, the PDPC imposed a financial penalty of S$10,000 on AIG.

Why Does This Case Matter?

This case is significant as it provides guidance on the interpretation of key data protection concepts, such as "possession" and "control" of personal data, under the PDPA. The PDPC's analysis of these concepts, drawing on relevant case law and guidance from other jurisdictions, helps to clarify the scope of an organization's obligations to protect personal data in its care.

The case also highlights the importance of organizations implementing robust data protection practices, including thorough verification of information used in their systems and processes. The PDPC's decision underscores that merely taking remedial actions after a breach has occurred is not sufficient to fulfill an organization's obligations under the PDPA. Proactive measures to ensure the accuracy and security of personal data are crucial.

This case serves as a valuable precedent for organizations in Singapore to review their data protection practices and ensure they are making reasonable security arrangements to protect the personal data they possess or control, in line with the requirements of the PDPA.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2016] SGPDPC 22
  • [2017] SGPDPC 17
  • [2017] SGPDPC 9
  • [2018] SGPDPC 8

Source Documents

This article analyses [2018] SGPDPC 8 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
