
Century Evergreen Private Limited [2023] SGPDPCS 5

Analysis of [2023] SGPDPCS 5, a decision of the Personal Data Protection Commission on 2023-07-26.


Case Details

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Century Evergreen Private Limited, a manpower contracting services company, had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to make reasonable security arrangements to protect the personal data of job applicants in its possession. Specifically, the company's website contained a vulnerability that allowed public access to 96,889 images of identification documents belonging to 23,940 individuals. The PDPC imposed a financial penalty of S$9,000 on the company for failing to secure the personal data adequately and for omitting any data protection requirements from its contract with its IT vendor.

What Were the Facts of This Case?

On 11 December 2022, the PDPC received a complaint that images of identification documents, including National Registration Identity Cards, submitted by job applicants to Century Evergreen Private Limited were publicly accessible on the company's website. Century Evergreen is a manpower contracting services company that required job applicants to submit their identification documents to verify their identity and suitability.

The PDPC commenced an investigation and found that the company's website had an "Insecure Direct Object References" (IDOR) vulnerability that had existed since the website's launch on 9 November 2015. The website served identification document images by reference to an identifier in the URL without checking whether the requester was entitled to the image, so the complainant was able to retrieve other applicants' documents simply by altering that identifier. As a result, 96,889 images belonging to 23,940 individuals were downloaded from the company's website between 10 and 12 December 2022.
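The decision does not reproduce the website's code, so the following is an added illustration written for this article, not code from Century Evergreen or its vendor. It models the defect the Commission describes: a download handler that looks up a record by the identifier in the request and returns it to whoever asks. The store, the user names, the sequential identifiers and the function names are all constructed for the example. Alongside the vulnerable handler it shows the ownership check that closes the hole, a scraper that walks a contiguous identifier range the way the complainant's URL manipulation did, and an opaque-reference layer as a second line of defence.

```python
"""Added example (constructed, not from the decision): an IDOR in a
document-download endpoint, the hardened check, and a harness showing why
sequential identifiers make bulk scraping trivial."""
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed store: document id -> (owner, filename). Sequential ids are
# the pattern that lets a client walk every record on the server.
DOCUMENTS: Dict[int, Tuple[str, str]] = {
    1001: ("applicant-A", "nric-front.jpg"),
    1002: ("applicant-A", "nric-back.jpg"),
    1003: ("applicant-B", "passport.jpg"),
}


class NotFound(Exception):
    """Raised in place of an HTTP 404 response."""


def fetch_vulnerable(_user: Optional[str], doc_id: int) -> str:
    """Vulnerable handler: looks the record up by id and serves it to anyone.
    Stands in for a URL such as /download?id=<n> with no check that the
    caller is the applicant who uploaded the document."""
    try:
        return DOCUMENTS[doc_id][1]
    except KeyError:
        raise NotFound(doc_id)


def fetch_hardened(user: Optional[str], doc_id: int) -> str:
    """Hardened handler: requires an authenticated user and refuses any
    record that user does not own. 'Missing' and 'not yours' produce the
    same error so the endpoint does not confirm which ids exist."""
    if user is None:
        raise NotFound(doc_id)
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != user:
        raise NotFound(doc_id)
    return record[1]


def scrape(fetch: Callable[[Optional[str], int], str], user: Optional[str],
           start: int, stop: int) -> Dict[int, str]:
    """Walks a contiguous id range, which is all an attacker needs to do
    against the vulnerable handler. Returns every document it could fetch."""
    found: Dict[int, str] = {}
    for doc_id in range(start, stop + 1):
        try:
            found[doc_id] = fetch(user, doc_id)
        except NotFound:
            continue
    return found


# Opaque references: the client never sees the database key, so there is
# no sequence to walk. This is defence in depth only; the ownership check
# is still required because a leaked token must not grant another user access.
_REFS: Dict[str, int] = {}


def issue_reference(doc_id: int) -> str:
    """Returns a random, unguessable reference that maps to doc_id."""
    ref = secrets.token_urlsafe(16)
    _REFS[ref] = doc_id
    return ref


def fetch_by_reference(user: Optional[str], ref: str) -> str:
    """Resolves an opaque reference, then applies the same ownership check."""
    doc_id = _REFS.get(ref)
    if doc_id is None:
        raise NotFound(ref)
    return fetch_hardened(user, doc_id)


if __name__ == "__main__":
    print("anonymous, vulnerable:", scrape(fetch_vulnerable, None, 1000, 1010))
    print("anonymous, hardened:  ", scrape(fetch_hardened, None, 1000, 1010))
    print("applicant-A, hardened:", scrape(fetch_hardened, "applicant-A", 1000, 1010))
```

Run stand-alone, the script shows the anonymous scrape recovering every stored image from the vulnerable handler and nothing from the hardened one, while an authenticated applicant sees only their own uploads. A pre-launch test that requests a second user's identifier from one user's session, which is what the Commission says was never done in this case, catches the vulnerable form in minutes.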

The company admitted that it had failed to include any security requirements to protect personal data in its contract with the IT vendor who developed and maintained the website. The company also acknowledged that it had not conducted any security tests on the website, either before its launch or afterwards.

The key legal issue in this case was whether Century Evergreen had breached its obligations under section 24(a) of the PDPA, which requires organizations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks."

Specifically, the PDPC had to determine whether the company's failure to implement adequate security measures, including the lack of contractual provisions with its IT vendor to ensure data protection, amounted to a breach of the PDPA's protection obligation.

How Did the Commission Analyse the Issues?

The PDPC found that Century Evergreen had breached section 24(a) of the PDPA by failing to make reasonable security arrangements to protect the personal data in its possession. The Commission characterised the company's non-compliance as "gross negligence" rather than mere negligence, given that the vulnerability had been present since the website's launch in 2015.

The PDPC highlighted that the Commission had previously issued guidance, such as the "Guide on Building Websites for SMEs," which advised organizations to emphasize the protection of personal data in their contracts with IT vendors. However, the PDPC found that Century Evergreen had a "glaring omission of clauses to protect personal data" in its contract with the IT vendor.

Furthermore, the PDPC noted that the company had not conducted any security tests on the website, either before its launch or afterwards, despite the Commission's consistent advice to organizations to do so. The PDPC concluded that the company's failure to implement reasonable security arrangements and its lack of contractual provisions with the IT vendor to ensure data protection amounted to a breach of the PDPA's protection obligation.

What Was the Outcome?

The PDPC found Century Evergreen in breach of section 24(a) of the PDPA and directed the company to pay a financial penalty of S$9,000 within 30 days of the decision. The PDPC considered several factors in determining the appropriate penalty, including the impact of the personal data breach on the affected individuals, the nature and duration of the company's non-compliance, and the company's cooperation and remedial actions.

The PDPC noted that the personal data affected included not just identification numbers, but also 96,889 images of identification documents belonging to 23,940 individuals. The PDPC also considered the company's long period of non-compliance since 2015, as well as its prompt remedial actions after becoming aware of the vulnerability, such as rectifying the IDOR vulnerability, improving security measures, and securing a new contract with its IT vendor to manage the website's security.

Why Does This Case Matter?

This case highlights the importance, for organizations and particularly those handling sensitive personal data, of implementing reasonable security arrangements to protect that data, as the PDPA requires. The PDPC's decision makes clear that organizations cannot simply outsource their data protection responsibilities to IT vendors without securing adequate contractual provisions and maintaining ongoing security measures of their own.

The case also serves as a reminder to organizations that the PDPC takes a serious view of breaches of the PDPA's protection obligation, and is willing to impose financial penalties, even on smaller companies, to enforce compliance. The PDPC's consideration of factors such as the nature and duration of the non-compliance, as well as the company's cooperation and remedial actions, provides guidance on how the Commission may approach future cases involving data protection breaches.

Ultimately, this decision underscores the need for organizations to proactively address data protection concerns, both in their contractual arrangements with service providers and in their ongoing security practices, to ensure compliance with the PDPA and avoid potential regulatory action and penalties.

This article analyses [2023] SGPDPCS 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.

Written by Sushant Shukla