
AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2

Analysis of [2019] SGPDPC 2, a decision of the Personal Data Protection Commission on 2019-01-03.

Case Details

  • Citation: [2019] SGPDPC 2
  • Court: Personal Data Protection Commission
  • Date: 2019-01-03
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: AIG Asia Pacific Insurance Pte Ltd, Toppan Forms (S) Pte Ltd
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Data intermediary, Data Protection – Definition of "control"
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2018] SGPDPC 8, [2019] SGPDPC 1, [2019] SGPDPC 2
  • Judgment Length: 17 pages, 4,076 words

Summary

This case examines the obligations of data intermediaries and the organisations that engage them under the Personal Data Protection Act (PDPA) in Singapore. The key issues addressed are whether a data intermediary can have control over the personal data it processes on behalf of an organisation, and if so, what obligations the engaging organisation continues to have. The Personal Data Protection Commission found that while the engaging organisation retains overall control over the purposes for which personal data is processed, a data intermediary may have control over the manner in which the data is processed, particularly where the data intermediary has specialized expertise and tools in data handling. As a result, both the data intermediary and the engaging organisation may have obligations to protect the personal data under their respective control.

What Were the Facts of This Case?

The case arose from an incident where AIG Asia Pacific Insurance Pte Ltd's ("AIG") printing vendor, Toppan Forms (S) Pte Ltd ("Toppan"), mailed out 87 policy renewal letters to AIG policyholders ("Affected Customers") with incorrect business reply envelopes. The incorrect envelopes were addressed to Tan Chong Credit Pte Ltd, one of AIG's scheme partners, instead of AIG.

The policy renewal letters contained personal data of the Affected Customers, including their names, addresses, vehicle details, policy numbers, premiums, and excess amounts. Customers were also required to fill in additional personal information such as their marital status, identification numbers, and payment details on the renewal forms.

AIG informed the Personal Data Protection Commission about the incident on 21 February 2017. The Commission then investigated whether AIG and Toppan had complied with their obligations under the PDPA to protect the personal data in their possession or under their control.

The key legal issues in this case were:

1. Whether Toppan was a data intermediary for AIG under the PDPA.

2. Whether AIG had complied with its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control.

3. Whether Toppan had complied with its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control.

How Did the Court Analyse the Issues?

The Commission first determined that Toppan was acting as a data intermediary for AIG. Toppan had agreed to provide printing, collation, and delivery services for AIG, which involved processing the personal data of AIG's policyholders. The Commission found that Toppan was "engaged to carry out activities of 'processing' personal data on behalf of AIG" and was therefore a data intermediary under the PDPA.

The Commission then examined the concept of "control" over personal data under the PDPA. While the PDPA does not define "control", the Commission held that it generally refers to the ability to determine the purposes and manner of processing personal data. The organisation engaging a data intermediary will always have overall control over the purposes for which personal data is processed. However, the Commission found that a data intermediary may have control over the manner of processing personal data, particularly where the data intermediary has specialized expertise and tools in data handling.

Applying this principle, the Commission determined that AIG had control over the personal data as a whole, including the pre-filled information (the "Printed Personal Data") and the additional information filled in by customers (the "In-filled Personal Data"). AIG decided what personal data was required and the purposes for which it would be used. However, Toppan, as the data intermediary, was likely in control of the manner in which the Printed Personal Data was processed, collected, used, and disclosed, given its specialized expertise in data processing.

What Was the Outcome?

The Commission found that AIG did not breach its obligations under section 24 of the PDPA, as it had made reasonable security arrangements to protect the personal data in its possession or under its control. However, the Commission found that Toppan had breached section 24 by failing to make reasonable security arrangements to prevent the disclosure of the Printed Personal Data through the incorrect mailing of the business reply envelopes.

The Commission did not impose any financial penalty on Toppan, as it was the first time the Commission had addressed the issue of a data intermediary's obligations under the PDPA. The Commission instead issued a warning to Toppan and directed it to implement appropriate policies and practices to ensure the protection of personal data in the future.

Why Does This Case Matter?

This case provides important guidance on the obligations of data intermediaries and the organisations that engage them under the PDPA. It clarifies that while the engaging organisation retains overall control over the purposes for which personal data is processed, a data intermediary may have control over the manner of processing, particularly where the data intermediary has specialized expertise and tools.

The case highlights the need for both the engaging organisation and the data intermediary to have a clear understanding of their respective obligations and to work together to ensure the proper protection of personal data. It also underscores the importance of data intermediaries having appropriate policies, practices, and security measures in place to fulfill their obligations under the PDPA.

The decision is significant for organisations that rely on data intermediaries to process personal data on their behalf, as it clarifies the shared responsibilities between the parties. It serves as a useful precedent for future cases involving the obligations of data intermediaries and the organisations that engage them under Singapore's data protection regime.

This article analyses [2019] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
