
Cigna Europe Insurance Company S.A.-N.V. [2019] SGPDPC 18

Analysis of [2019] SGPDPC 18, a decision of the Personal Data Protection Commission on 2019-06-20.


Case Details

Summary

In this case, the Personal Data Protection Commission (the "Commission") investigated Cigna Europe Insurance Company S.A.-N.V. (the "Organisation") for failing to comply with its obligations under the Personal Data Protection Act 2012 (the "PDPA"). The investigation was prompted by the Organisation's notification of a data breach incident involving the inadvertent disclosure of certain personal data of individuals who had taken up health insurance coverage with the Organisation.

The Commission found that the Organisation had in place appropriate measures to ensure the protection of its Members' personal data that was processed by a related company, Cigna European Services (UK) Limited ("CES"), pursuant to a services agreement. The Commission also examined the requirements under section 26(1) of the PDPA for the transfer of personal data from Singapore to a country outside Singapore, and concluded that the contractual arrangements between the Organisation and CES met the necessary standards.

While the data breach incidents were not directly attributable to the Organisation, the Commission's decision provides guidance on the obligations of organisations under the PDPA when engaging third-party service providers to process personal data.

What Were the Facts of This Case?

Cigna Europe Insurance Company S.A.-N.V. is a company established in Belgium which offers health insurance solutions and coverage in Singapore through a registered branch office (the "Organisation"). On 1 June 2018, the Organisation notified the Personal Data Protection Commission (the "Commission") of a data breach incident involving the inadvertent disclosure of certain personal data of individuals who had taken up health insurance coverage with the Organisation.

The Organisation provides health insurance coverage to employees of its clients and their families who decided to take up such coverage ("Members"). In order to provide this health insurance coverage, it collects, uses and processes personal data of the Members.

In 2012, the Organisation entered into a services agreement (the "Services Agreement") with Cigna European Services (UK) Limited ("CES") for the provision of various insurance-related services. CES is a related company of the Organisation within the Cigna group of companies ("Cigna Group"). The services provided by CES included the processing of insurance claims (among other services) and this involved activities such as generating and sending claim settlement letters and letters accompanying cheque payments to Members who had made an insurance claim. Such claims were processed through an information technology ("IT") system which was operated by CES and used by various companies in the Cigna Group (the "System"). In order to make use of the System, the Organisation transferred its Members' personal data to CES and these data were processed in the System.

It transpired that, in two separate incidents in January 2017 and May 2018, claims settlement letters intended for certain Members were erroneously sent by CES to other Members. These incidents were due to technical issues affecting the production of the claims settlement letters by CES. In the second incident, the technical issues also affected the production of payment accompanying letters which were sent to some Members. CES initially did not inform the Organisation about the first incident. The Organisation only came to know about the two incidents after the second incident occurred.

The key legal issues in this case were:

1. Whether the Organisation had failed to comply with its obligations under the PDPA, particularly the requirement to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, disclosure and similar risks (section 24 of the PDPA).

2. Whether the transfer of personal data from the Organisation (in Singapore) to CES (in the United Kingdom) met the requirements of section 26(1) of the PDPA, which prohibits the transfer of personal data to a country or territory outside Singapore except in accordance with prescribed requirements to ensure a comparable standard of protection.

How Did the Court Analyse the Issues?

On the first issue, the Commission found that the Organisation had in place the appropriate measures or could rely upon measures established within the Cigna Group to ensure protection of personal data by CES and to monitor CES' compliance. These measures included:

a) Contractual provisions in the Services Agreement and an Interaffiliate Data Processing and Transfer Agreement that required CES to protect the confidentiality of the Organisation's customer data, take appropriate security measures, and provide the Organisation with access for the purpose of reviewing and monitoring the quality of the services and the management of risks.

b) Various internal frameworks, policies and standards within the Cigna Group, including the Cigna Information Protection (CIP) and General Computing Control (GCC) governance frameworks, which addressed various aspects of IT security.

c) CES being subject to Cigna Group's corporate audit and annual GCC assessment processes, as well as external audits that may include IT audit reviews.

On the second issue, the Commission examined the requirements under section 26(1) of the PDPA and the relevant regulations in the Personal Data Protection Regulations 2014 (the "PDPR"). The Commission explained that when a Singapore organisation (the "transferring organisation") transfers personal data to a recipient outside Singapore, the contract between the parties must:

a) Require the recipient to provide a standard of protection for the transferred personal data that is at least comparable to the protection under the PDPA.

b) Specify the countries and territories to which the personal data may be transferred under the contract.

The Commission found that the contractual arrangements between the Organisation and CES met these requirements, as the agreements imposed obligations on CES to protect the confidentiality and security of the personal data in a manner comparable to the PDPA's Protection Obligation (section 24).

What Was the Outcome?

The Commission concluded that the Organisation had not failed to comply with its obligations under the PDPA. While the data breach incidents were due to technical issues with the IT system operated by CES, the Commission found that the Organisation had taken appropriate measures to ensure the protection of its Members' personal data in accordance with section 24 of the PDPA.

Additionally, the Commission determined that the transfer of personal data from the Organisation to CES met the requirements of section 26(1) of the PDPA, as the contractual arrangements between the parties imposed obligations on CES to provide a standard of protection that was at least comparable to the PDPA.

The Commission did not issue any directions or impose any financial penalties on the Organisation as a result of this investigation.

Why Does This Case Matter?

This case provides important guidance on the obligations of organisations under the PDPA when engaging third-party service providers to process personal data. It demonstrates that organisations can rely on appropriate contractual arrangements and group-wide security frameworks to meet their obligations under the PDPA, even when the data processing activities are carried out by a related company.

The Commission's analysis of the requirements for cross-border data transfers under section 26(1) of the PDPA and the PDPR is also noteworthy. The decision clarifies the standards that must be met in the contractual arrangements between the transferring organisation and the overseas recipient, particularly with respect to ensuring a comparable level of data protection.

This case is a valuable reference for organisations in Singapore that outsource personal data processing activities to related or third-party entities, both locally and internationally. It highlights the importance of having robust contractual and governance frameworks in place to ensure compliance with the PDPA's data protection obligations.


This article analyses [2019] SGPDPC 18 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
Legal Wires