Case Details
- Citation: [2019] SGPDPC 38
- Court: Personal Data Protection Commission
- Date: 2019-10-04
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: EU Holidays Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation, Data Protection – Accountability obligation
- Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
- Cases Cited: [2019] SGPDPC 38, [2019] SGPDPC 5
- Judgment Length: 6 pages, 1,666 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that EU Holidays Pte. Ltd. (the Organisation) had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to implement reasonable security measures to protect the personal data of its customers, as well as by not developing and implementing internal data protection policies. The PDPC directed the Organisation to pay a financial penalty and take remedial actions to address the data protection lapses.
What Were the Facts of This Case?
The case arose from a complaint received by the PDPC on 14 January 2019 that personal data of EU Holidays' customers was accessible through its website. The Organisation had engaged an IT vendor (the Vendor) to develop a new website with e-commerce capabilities, which was launched on 9 December 2017. The website allowed customers to make online reservations for tour packages, either directly or through the Organisation's partner agents.
The PDPC's investigation revealed that information relating to travel reservations, including customers' personal data, was stored in two web directories on the website. For reservations made directly by customers, the tax invoices were stored in one directory (Web Directory 1), while for reservations made through partner agents, the tax invoices were stored in another directory (Web Directory 2). The scope of the contract between the Organisation and the Vendor did not include any requirements regarding the storage and protection of the customers' personal data collected through the website.
On or around 5 January 2019, a member of the public (the Complainant) discovered copies of tax invoices containing customers' personal information while browsing the website. The Complainant notified the PDPC of the incident. The PDPC's investigation found that from 9 December 2017 to 14 January 2019, tax invoices containing the personal data of 1,077 customers were exposed to unauthorized access and disclosure through the publicly accessible links to Web Directory 1 and Web Directory 2.
What Were the Key Legal Issues?
The key legal issues in this case were whether the Organisation had breached its obligations under the PDPA, specifically:
1. The protection obligation under Section 24 of the PDPA, which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
2. The accountability obligation under Section 12 of the PDPA, which requires organisations to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA and communicate information about such policies to its staff.
How Did the Court Analyse the Issues?
On the issue of the protection obligation under Section 24 of the PDPA, the PDPC found that the Organisation had failed to put in place reasonable security arrangements to protect the customers' personal data. Firstly, the Organisation had failed to assess the risks to the personal data collected through its website and stored in the two web directories. It had left it to the Vendor to implement the appropriate security arrangements, without providing any specific instructions or requirements.
The PDPC noted that organisations engaging IT vendors to develop and maintain their websites should emphasize the need for personal data protection in the contractual terms. Given that the website was developed for e-commerce purposes, involving the collection of customers' personal data, the Organisation's failure to specify clear requirements for the protection of such data was a significant lapse.
Secondly, the PDPC observed that common and direct methods of controlling access and preventing unauthorized access to documents containing personal data on web servers include implementing folder or directory permissions. The PDPC stated that the Organisation could have instructed the Vendor to implement reasonable technical security measures, such as placing the documents in a non-public folder or directory, or controlling access through web applications on the server.
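The two controls the PDPC describes, keeping documents out of the public web root and gating access through the application, can be illustrated in code. The following is an added example written for this summary, not code from the decision or from the Organisation's website; the storage path, reservation records and invoice identifiers are constructed, and the customer/partner-agent roles follow the two booking channels described in the facts.

```python
"""Added example: serving tax invoices through an authorised application
endpoint instead of a web-accessible directory (constructed data)."""
from pathlib import Path

# Constructed: a store that is NOT under the web server's document root, so no
# URL maps onto it. The only way to a file is through authorise() below.
INVOICE_ROOT = Path("/srv/example-travel/private/invoices")  # hypothetical

# Constructed reservation records. 'customer' booked the tour; 'agent' is the
# partner agent who made the booking on the customer's behalf, or None.
RESERVATIONS = {
    "INV-0001": {"customer": "cust-42", "agent": None, "file": "INV-0001.pdf"},
    "INV-0002": {"customer": "cust-77", "agent": "agent-9", "file": "INV-0002.pdf"},
}


class Forbidden(Exception):
    """Raised when a request must be refused; the caller answers 403/404."""


def exposed_by_webroot(store: str, document_root: str) -> bool:
    """Configuration check: is the invoice store inside the served tree?
    True reproduces the misconfiguration in this case (files reachable by link)."""
    store_p, root_p = Path(store).resolve(), Path(document_root).resolve()
    return store_p == root_p or root_p in store_p.parents


def invoice_path(invoice_id: str) -> Path:
    """Map an invoice id to its stored file, refusing anything outside INVOICE_ROOT."""
    rec = RESERVATIONS.get(invoice_id)
    if rec is None:
        raise Forbidden("unknown invoice")
    path = (INVOICE_ROOT / rec["file"]).resolve()
    if INVOICE_ROOT.resolve() not in path.parents:
        raise Forbidden("stored name escapes the invoice store")
    return path


def authorise(principal_id: str, role: str, invoice_id: str) -> Path:
    """Return the file only to the reservation's customer or booking agent.
    Authorisation is decided per record, never by knowledge of a URL."""
    rec = RESERVATIONS.get(invoice_id)
    if rec is None:
        raise Forbidden("unknown invoice")
    if role == "customer" and rec["customer"] == principal_id:
        return invoice_path(invoice_id)
    if role == "agent" and rec["agent"] is not None and rec["agent"] == principal_id:
        return invoice_path(invoice_id)
    raise Forbidden("principal does not own this reservation")


def can_access(principal_id: str, role: str, invoice_id: str) -> bool:
    """Boolean wrapper around authorise() for callers that only need a decision."""
    try:
        authorise(principal_id, role, invoice_id)
        return True
    except Forbidden:
        return False
```

A deployment review would run `exposed_by_webroot` against the actual store and document root, and the web server would serve no static files from the store at all.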
On the issue of the accountability obligation under Section 12 of the PDPA, the PDPC found that the Organisation did not have any internal data protection policies to provide guidance to its employees on the handling of customer personal data, despite regularly collecting such data for its business operations. This was a contravention of the PDPA's requirement for organisations to develop and implement necessary data protection policies and practices.
What Was the Outcome?
Based on the findings, the PDPC directed the Organisation to:
1. Pay a financial penalty of $15,000 within 30 days.
2. Complete the following within 60 days:
- Review the security of the website and implement appropriate security arrangements to protect personal data in its possession and/or under its control.
- Put in place a data protection policy, including written internal policies, to comply with the provisions of the PDPA.
- Develop a training program for the Organisation's employees on their obligations under the PDPA when handling personal data, and require all employees to attend such training.
Why Does This Case Matter?
This case is significant because it highlights the importance of organisations, particularly those engaged in e-commerce activities involving the collection of customer personal data, taking proactive steps to protect such data and complying with their obligations under the PDPA.
The PDPC's findings emphasize that organisations cannot simply delegate the responsibility for data protection to their IT vendors without providing clear instructions and requirements. Organisations must actively assess the risks to the personal data they collect and implement reasonable security measures to prevent unauthorized access or disclosure.
Furthermore, the case underscores the need for organisations to develop and implement comprehensive data protection policies and practices, and to ensure that their employees are properly trained on their obligations under the PDPA. This is crucial for organisations to demonstrate accountability and meet their legal responsibilities in handling personal data.
The PDPC's directions in this case, including the financial penalty and the remedial actions required, serve as a reminder to organisations of the consequences of failing to comply with the PDPA. This judgment provides valuable guidance for practitioners on the standards expected of organisations in fulfilling their data protection obligations.
Legislation Referenced
- Personal Data Protection Act 2012 (PDPA)
Cases Cited
- [2019] SGPDPC 38
- [2019] SGPDPC 5
Source Documents
This article analyses [2019] SGPDPC 38 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.