Case Details
- Citation: [2018] SGPDPC 14
- Court: Personal Data Protection Commission
- Date: 2018-05-14
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Credit Bureau (Singapore) Pte Ltd
- Legal Areas: Data Protection – Accuracy obligation, Data Protection – Retention limitation obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2018] SGPDPC 14
- Judgment Length: 4 pages, 852 words
Summary
This case concerns the accuracy and retention obligations of Credit Bureau (Singapore) Pte Ltd ("the Organisation") under the Personal Data Protection Act (PDPA) with respect to bankruptcy information in the Organisation's Enhanced Consumer Credit Report (ECCR). The Complainant, who had a past bankruptcy application that was withdrawn, disputed the accuracy of the "HX" risk grading assigned to him in the ECCR, as well as the Organisation's retention of this information for 5 years. The Deputy Commissioner found that the Organisation had not breached its obligations under the PDPA, as the "HX" rating did not imply the Complainant was a bankrupt, and the 5-year retention period for bankruptcy information was reasonable for the Organisation's credit reporting business purposes.
What Were the Facts of This Case?
The Organisation is a consumer credit bureau that aggregates credit-related information from its participating members and presents individuals' risk profiles in its ECCR. In June 2012, a bankruptcy application was taken out against the Complainant, but it was withdrawn by the creditor in July 2012. However, the Complainant was given a "HX" risk grade in his ECCR, which meant there could be a past or existing bankruptcy record associated with him.
The Complainant felt that the "HX" risk grading was inaccurate as he believed it implied he had an outstanding bankruptcy record or was not creditworthy. He therefore requested the Organisation to amend his risk grading. The Organisation informed the Complainant that it was its practice to display bankruptcy-related data for 5 years. Dissatisfied, the Complainant lodged a complaint against the Organisation to the Personal Data Protection Commission on 24 May 2017, alleging that the Organisation had retained his personal data when it was no longer necessary for legal or business purposes.
What Were the Key Legal Issues?
The key legal issues in this case were:
(a) Whether the Organisation had made a reasonable effort to ensure that the personal data it had collected, specifically the Complainant's bankruptcy information, was accurate and complete pursuant to section 23(b) of the PDPA.
(b) Whether the Organisation had retained the Complainant's personal data, again the bankruptcy information, when it was no longer necessary for legal or business purposes pursuant to section 25 of the PDPA.
How Did the Court Analyse the Issues?
On the issue of accuracy under section 23(b) of the PDPA, the Deputy Commissioner found that the Organisation had adequately explained that a "HX" rating merely indicated there was a past or existing bankruptcy record associated with the individual, and did not represent that the individual was currently a bankrupt. The Organisation had also cautioned creditors against upfront rejection of credit applications based solely on a "HX" rating, which showed that the rating alone did not determine creditworthiness.
Furthermore, the Deputy Commissioner noted that financial institutions (FIs) consider information from various sources, including public registry searches, when making lending decisions. Records from the Insolvency & Public Trustee Office also showed the Complainant was not a bankrupt. Therefore, FIs would have been able to obtain the same information on the Complainant's bankruptcy status through their own due diligence, beyond just relying on the "HX" rating in the ECCR.
On the issue of retention under section 25 of the PDPA, the Deputy Commissioner found that the Organisation's 5-year retention period for bankruptcy-related information, including "HX" ratings, was reasonable. This aligned with the display period of publicly available bankruptcy information maintained by the Insolvency & Public Trustee Office. The Deputy Commissioner stated that the retention of bankruptcy data for 5 years served a valid business purpose for the Organisation's credit reporting services, as it provided FIs with useful credit history information to facilitate their lending decisions, along with other data sources.
What Was the Outcome?
Based on the above analysis, the Deputy Commissioner concluded that the Organisation had not breached either section 23(b) or section 25 of the PDPA. The Complainant's complaint was therefore dismissed.
Why Does This Case Matter?
This case provides important guidance on the application of the accuracy and retention obligations under the PDPA in the context of credit reporting. It clarifies that an organisation like the Credit Bureau is not required to remove or amend personal data, such as bankruptcy information, merely because an individual disputes its accuracy, as long as the organisation has made reasonable efforts to ensure the data is accurate and complete.
The case also establishes that a 5-year retention period for bankruptcy-related information can be considered reasonable for a credit reporting organisation's legitimate business purposes, even if the underlying bankruptcy event has been resolved. This recognizes the practical needs of the credit industry to maintain comprehensive credit histories, while balancing individuals' data protection rights.
The decision reinforces that the PDPA's obligations must be interpreted in a balanced manner, taking into account the legitimate interests and operational realities of organisations that handle personal data, not just the preferences of individual data subjects. This helps provide legal certainty for credit bureaus and other data intermediaries in fulfilling their statutory obligations.
Legislation Referenced
- Personal Data Protection Act
Cases Cited
- [2018] SGPDPC 14
Source Documents
This article analyses [2018] SGPDPC 14 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.