Case Details
- Citation: [2019] SGPDPC 28
- Court: Personal Data Protection Commission
- Date: 2019-07-30
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Avant Logistic Service Pte. Ltd.
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2017] SGPDPC 9, [2019] SGPDPC 28
- Judgment Length: 10 pages, 2,016 words
Summary
This case concerns the unauthorized disclosure of personal data by an employee of Avant Logistic Service Pte. Ltd. ("the Organisation"), a delivery service provider engaged by e-commerce platform Ezbuy Holdings Ltd. ("Ezbuy"). The Personal Data Protection Commission ("the Commission") found that the Organisation had failed to make reasonable security arrangements to prevent such unauthorized disclosure, in breach of its obligations under the Personal Data Protection Act ("PDPA").
The Commission ultimately decided not to impose a financial penalty, noting that the breach was a one-off incident involving a relatively small amount of personal data. However, the case highlights the importance of organisations having clear policies and training in place to ensure their employees handle personal data properly and in compliance with the PDPA.
What Were the Facts of This Case?
Ezbuy operates an online e-commerce platform that allows customers to shop from various online retailers and platforms. It engaged the Organisation to provide delivery services in Singapore. The Organisation is an affiliate of Ezbuy, and its delivery personnel are required to adhere to Ezbuy's Privacy Policy and other relevant policies.
On 9 November 2017, a customer of Ezbuy ("the complainant") was scheduled to self-collect a package she had ordered from Ezbuy at a collection point in Bishan. One of the Organisation's employees ("OA") was assigned to distribute packages at that location that evening. When the complainant arrived, OA gave her two packages that belonged to another Ezbuy customer ("CA"). The complainant informed OA of this, but was told to take the packages as they were tagged to her mobile number in Ezbuy's system.
Later that night, OA sent CA screenshots of two delivery lists containing the Ezbuy user IDs and mobile numbers of several Ezbuy customers, including the complainant. OA explained to CA that he suspected the complainant had collected CA's packages. CA then used the complainant's Ezbuy user ID to locate her Facebook and Instagram profiles and contacted her to recover the packages, which the complainant subsequently returned to Ezbuy.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Ezbuy user IDs and mobile numbers disclosed by OA constituted "personal data" under the PDPA.
2. Whether the Organisation had made "reasonable security arrangements" to protect the personal data in its possession, as required by section 24 of the PDPA.
How Did the Court Analyse the Issues?
On the first issue, the Commission found that the mobile numbers disclosed by OA constituted personal data, as they enabled direct identification of the individuals. The Ezbuy user IDs also qualified as personal data, as one of the user IDs (the complainant's) enabled indirect identification through her social media profiles.
On the second issue, the Commission found that the Organisation had not made reasonable security arrangements to protect the personal data. While the Organisation's delivery personnel were required to comply with Ezbuy's Privacy Policy and Employee Handbook, these documents were inadequate, as they did not provide specific instructions on how to handle and protect customer personal data.
The Commission noted that the Organisation did not have any policies, standard operating procedures, or training in place to prohibit the unauthorized use or disclosure of personal data by its delivery personnel. The mere inclusion of a confidentiality clause in the employment contract was also insufficient, as it did not elaborate on what constitutes personal data or how it should be handled.
The Commission emphasized that such policies, procedures and training were particularly important for the Organisation's delivery personnel, who frequently handle personal data and are on the frontline of the Organisation's customer-facing operations, where the potential for improper use and disclosure of personal data cannot be ignored.
What Was the Outcome?
Despite finding that the Organisation had breached its obligations under section 24 of the PDPA, the Commission decided not to impose a financial penalty in this case. The Commission noted that the breach was a one-off incident, with few affected individuals and relatively little personal data disclosed.
However, the Commission did order the Organisation and Ezbuy to take several remedial actions to prevent similar incidents in the future, including:
- Requiring delivery personnel to request both the customer's Ezbuy user ID and mobile number for verification during self-collection
- Updating Ezbuy's Delivery and Collection Standard Operating Procedure to highlight the importance of the PDPA and prohibit the disclosure of customer information
- Conducting regular briefings for delivery personnel on the proper handling of customer personal data
- Revising Ezbuy's Employee Handbook to include detailed enforcement and disciplinary actions for breaches of confidentiality and data protection
Why Does This Case Matter?
This case is significant for several reasons:
First, it demonstrates the broad scope of what can constitute "personal data" under the PDPA. The Commission's finding that Ezbuy user IDs can qualify as personal data if they enable indirect identification of an individual is an important clarification, as organisations cannot simply assume that such identifiers fall outside the definition of personal data.
Second, the case highlights the importance of organisations having clear, comprehensive policies and training in place to ensure their employees, particularly those in customer-facing roles, handle personal data properly and in compliance with the PDPA. Merely relying on general confidentiality clauses or high-level privacy policies is not sufficient.
Finally, while the Commission ultimately decided not to impose a financial penalty in this case, the decision serves as a warning that the Commission takes breaches of the PDPA's protection obligations seriously. Organisations must ensure they have robust data protection measures in place to avoid potential enforcement action.
Legislation Referenced
- Personal Data Protection Act
Cases Cited
- [2017] SGPDPC 9
- [2019] SGPDPC 28
Source Documents
This article analyses [2019] SGPDPC 28 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.