
ChampionTutor Inc. [2019] SGPDPC 25

Analysis of [2019] SGPDPC 25, a decision of the Personal Data Protection Commission on 2019-07-22.


Case Details

  • Citation: [2019] SGPDPC 25
  • Court: Personal Data Protection Commission
  • Date: 2019-07-22
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: ChampionTutor Inc.
  • Legal Areas: Data protection – Definition of business contact information
  • Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
  • Cases Cited: [2017] SGPDPC 15, [2019] SGPDPC 25
  • Judgment Length: 7 pages, 1,302 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a complaint against home tuition agency ChampionTutor Inc. regarding the public disclosure of its tutors' personal contact information. The key issues were whether the disclosed information constituted "business contact information" exempt from data protection laws, and whether ChampionTutor had complied with its obligations to appoint a data protection officer and implement data protection policies.

The PDPC found that the tutors' contact details were indeed "business contact information" since the tutors were providing tuition services as a business. However, ChampionTutor was still in breach of the PDPA for failing to appoint a data protection officer and lacking internal data protection policies. The PDPC directed ChampionTutor to pay a financial penalty and implement the required data protection measures.

What Were the Facts of This Case?

On 31 October 2017, the PDPC received a complaint from a former tutor ("Complainant") of ChampionTutor Inc. ("the Organisation"), a home tuition agency in Singapore. The Complainant stated that he had found a URL link to the Organisation's tutor list ("Tutor List") through a Google search.

The investigation by the PDPC found that the Tutor List contained the name, contact number, and email address ("Disclosed Information") of a total of 4,899 individuals, including the Complainant ("Affected Individuals"). These Affected Individuals had provided their contact details to the Organisation in order to be contacted for tuition assignments.

It also emerged during the investigation that the Organisation had not appointed any data protection officer (DPO) and had failed to develop and implement any internal data protection policies.

The key legal issues in this case were:

(a) Whether the Disclosed Information constituted "business contact information" as defined under the Personal Data Protection Act 2012 (PDPA), and was therefore exempt from the PDPA's data protection obligations.

(b) Whether the Organisation had complied with its obligations under the PDPA to appoint a data protection officer and develop and implement data protection policies and practices.

How Did the Court Analyse the Issues?

On the first issue, the PDPC examined the definition of "business contact information" under the PDPA. The PDPA defines this as "an individual's name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes".

The PDPC found that the purpose for which the contact information was provided was key in determining whether it qualified as business contact information. In this case, the Affected Individuals had provided their contact details to the Organisation for the purpose of being contacted for tuition assignments. The PDPC also noted that the tutors were carrying out a "business" of providing tuition services, as they were freelancers who were paid directly by students and required to pay a commission to the Organisation, as well as report their earnings to the tax authority.

Therefore, the PDPC concluded that the Disclosed Information constituted "business contact information" under the PDPA, and was thus exempt from the data protection obligations in Parts III to VI of the Act.

On the second issue, the PDPC found that the Organisation was in breach of two key obligations under the PDPA:

1. Section 11(3) requires organisations to designate one or more individuals to be responsible for ensuring compliance with the PDPA. The Organisation's admission that it had not appointed a DPO was a clear breach of this requirement.

2. Section 12 requires organisations to develop and implement data protection policies and practices, and communicate these to their employees. While the Organisation had a privacy policy for tutors and students, it did not have any internal data protection policies to guide its part-time tuition coordinators who had access to personal data.

The PDPC emphasised that an organisation relying on part-time staff needs to have effective data protection policies and training in place to ensure compliance with the PDPA.

What Was the Outcome?

Based on the breaches identified, the PDPC directed the Organisation to:

(a) Pay a financial penalty of S$5,000 within 30 days.

(b) Within 60 days, develop and implement an internal data protection policy and appoint a data protection officer.

Why Does This Case Matter?

This case provides important guidance on the definition of "business contact information" under the PDPA. It clarifies that the purpose for which the information is provided, rather than the nature of the business, is the key factor in determining whether it qualifies as exempt from data protection obligations.

The case also highlights the importance of organisations, even those with part-time staff, having proper data protection policies and a designated data protection officer. This is crucial for ensuring compliance with the PDPA and protecting individuals' personal data.

For practitioners, this case demonstrates the PDPC's willingness to take enforcement action against organisations that fail to meet their data protection obligations, even if the disclosed information is ultimately found to be "business contact information". It serves as a reminder of the need for rigorous data protection practices, especially for organisations handling large volumes of personal data.

Legislation Referenced

Cases Cited

  • [2017] SGPDPC 15 (Re M Stars Movers & Logistics Specialist Pte Ltd)
  • [2019] SGPDPC 25 (ChampionTutor Inc.)

Source Documents

This article analyses [2019] SGPDPC 25 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
