
Civil Service Club [2020] SGPDPC 15

Analysis of [2020] SGPDPC 15, a decision of the Personal Data Protection Commission on 2020-04-01.

Case Details

  • Citation: [2020] SGPDPC 15
  • Court: Personal Data Protection Commission
  • Date: 2020-04-01
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Civil Service Club
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act 2012
  • Cases Cited: [2017] SGPDPC 17
  • Judgment Length: 11 pages, 2,114 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that the Civil Service Club (the Organisation) had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data of its members. The breach occurred when the Organisation's IT vendor, while troubleshooting an issue with the Organisation's membership portal, inadvertently left public access enabled to a directory containing members' profile photographs and NRIC/FIN numbers. The PDPC determined that the Organisation failed to adequately oversee the vendor's handling of the members' personal data and impose sufficient contractual obligations to protect that data.

What Were the Facts of This Case?

The Civil Service Club (the Organisation) is a social club for public service officers and the general public in Singapore. In 2009, the Organisation engaged an IT vendor (the Vendor) to develop its Club Management System (CMS), which included a membership web portal (the Membership Portal).

In March 2019, the Organisation launched a virtual membership card feature on the Membership Portal, which displayed members' profile photographs. The Organisation stored these photographs on a "gateway" server (the Gateway Server), which was meant to isolate the Organisation's network from public access. However, the Vendor had enabled public access to the directory containing the members' profile photographs on three occasions in June 2019 while troubleshooting an issue with the virtual cards.

On 2 July 2019, a member (the Complainant) discovered that he could browse the directory containing other members' profile photographs. Because the files were named by the members' NRIC/FIN numbers, the directory listing itself disclosed those identifiers alongside the photographs. The Organisation and the Vendor disabled access to the directory immediately, but the personal data of approximately 1,770 members had already been exposed.

The key legal issue was whether the Organisation had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data of its members.

Specifically, the PDPC had to determine whether the Organisation had taken sufficient steps to ensure the Vendor, in developing and troubleshooting the CMS and Membership Portal, implemented appropriate measures to protect the members' personal data.

How Did the Court Analyse the Issues?

The PDPC first established that the Organisation was responsible for protecting the members' personal data, as the owner and controller of the servers and data, even though it had engaged the Vendor to develop the CMS.

The PDPC then examined the Organisation's actions (or lack thereof) in relation to its obligations under Section 24 of the PDPA. The PDPC noted that the contract between the Organisation and Vendor, entered into before the PDPA came into force, did not contain any provisions on personal data protection.

The PDPC found that after the PDPA's effective date, the Organisation should have taken proactive steps to review and update the contract and technical requirements to ensure the Vendor implemented appropriate security measures to protect the members' personal data. This could have included adding relevant data protection clauses to the contract and specifying security requirements in the system design documentation.

The PDPC emphasized that as the owner of the CMS, the Organisation was responsible for identifying and addressing gaps in its data protection policies and practices, rather than relying on the Vendor to do so. The Organisation's failure to take reasonable steps in this regard was a breach of its obligations under Section 24 of the PDPA.

What Was the Outcome?

The PDPC found that the Organisation had breached Section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data of its members.

As a result of the breach, the PDPC directed the Organisation to:

  • Engage an independent third-party to review its personal data protection policies and practices, and implement the recommendations;
  • Conduct training for its staff on personal data protection obligations; and
  • Discontinue the use of NRIC/FIN numbers as membership identifiers and file names for members' profile photographs.
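The third direction is the most concrete technical remedy in the decision: once a file name carries an NRIC/FIN, any exposure of the directory (a listing or a guessable URL) discloses the identifier on its own, before anyone opens an image. The Python below is an added illustration, not code from the decision, the Club or its vendor. It contrasts the faulted naming scheme with a keyed, non-reversible file name derived from an internal membership number, and shows what a directory listing would leak under each. The key, membership numbers and NRIC-format strings are constructed sample values.

```python
"""Opaque file names for member photographs.

Added example; not the decision's, the Club's or the vendor's code. All member
data, the key and the naming convention below are assumptions for illustration.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample members: (internal membership number, NRIC-format string).
# The identifiers are made up and follow the format only.
SAMPLE_MEMBERS = [
    ("M0001", "S1234567A"),
    ("M0002", "T7654321Z"),
]

# Server-side secret. In production this is a persistent key from a secret store
# (a fresh random key per process, as here, would break existing file mappings)
# and is never stored in or beside the photograph directory.
PHOTO_NAME_KEY = secrets.token_bytes(32)

# Singapore NRIC/FIN shape: prefix letter, seven digits, checksum letter.
NRIC_PATTERN = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")


def legacy_photo_name(nric: str) -> str:
    """The scheme the decision faulted: the NRIC/FIN itself is the file name."""
    return f"{nric}.jpg"


def opaque_photo_name(member_id: str, key: bytes = PHOTO_NAME_KEY) -> str:
    """Keyed, non-reversible name: HMAC-SHA256 over the internal membership number.

    Without the key, a directory listing reveals nothing about whose photograph a
    file is, and names cannot be enumerated by iterating over NRIC formats. The
    same member always maps to the same name, so the portal can locate the file.
    """
    digest = hmac.new(key, member_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{digest}.jpg"


def identifiers_leaked(listing: list[str]) -> list[str]:
    """Simulate a public directory listing: return every NRIC-format token visible
    in the file names alone, without opening any file."""
    return [token for name in listing for token in NRIC_PATTERN.findall(name)]


if __name__ == "__main__":
    legacy = [legacy_photo_name(nric) for _, nric in SAMPLE_MEMBERS]
    opaque = [opaque_photo_name(member_id) for member_id, _ in SAMPLE_MEMBERS]
    print("legacy listing leaks:", identifiers_leaked(legacy))
    print("opaque listing leaks:", identifiers_leaked(opaque))
```

The opaque scheme does not by itself fix the exposure: photographs were still publicly readable, so access to the directory must also be removed. What it does is ensure that a listing or a leaked URL no longer carries a government identifier in plain view, which is exactly the property the third direction asks for.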

Why Does This Case Matter?

This case provides important guidance on the obligations of organisations under the PDPA when engaging third-party vendors to handle personal data. It emphasizes that organisations cannot simply outsource their data protection responsibilities, but must actively oversee and impose appropriate security requirements on their vendors.

The case highlights that organisations need to proactively review and update their contracts and technical requirements to ensure vendors implement adequate measures to protect personal data, even if the original engagement predated the PDPA. Organisations cannot rely on the status quo or assume vendors will handle data appropriately without clear contractual obligations and specifications.

This decision serves as a reminder to all organisations that they bear the ultimate responsibility for protecting the personal data in their possession or control, regardless of whether that data is handled by in-house staff or external vendors. Careful planning, oversight, and ongoing review of data protection practices are essential to comply with the PDPA.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 17

Source Documents

This article analyses [2020] SGPDPC 15 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
