
Everlast Projects Pte Ltd & 2 others [2020] SGPDPC 20

Analysis of [2020] SGPDPC 20, a decision of the Personal Data Protection Commission on 2020-10-30.

Case Details

  • Citation: [2020] SGPDPC 20
  • Court: Personal Data Protection Commission
  • Date: 2020-10-30
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: (1) Everlast Projects Pte Ltd, (2) Everlast Industries (S) Pte Ltd, (3) ELG Specialist Pte Ltd
  • Legal Areas: Data Protection – Accountability obligation, Data Protection – Data intermediary, Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 22, [2017] SGPDPC 7, [2018] SGPDPC 26, [2018] SGPDPC 8, [2019] SGPDPC 1, [2019] SGPDPC 18, [2019] SGPDPC 44, [2020] SGPDPC 20
  • Judgment Length: 12 pages, 3,036 words

Summary

This case concerns a data breach incident at Everlast Projects Pte Ltd (EPPL), Everlast Industries (S) Pte Ltd (EIPL), and ELG Specialist Pte Ltd (ESPL) (collectively, "the Organisations"), where a ransomware attack encrypted the personal data of 384 employees stored on the Organisations' server. The Personal Data Protection Commission (PDPC) investigated the Organisations' compliance with their obligations under the Personal Data Protection Act 2012 (PDPA) and found them in breach of the accountability and protection obligations.

What Were the Facts of This Case?

The Organisations, which are owned by the same shareholder and managed by the same directors, operate in the construction industry and specialize in architectural metal works, glass, and aluminium products. They share common premises and centralize their payroll processing, with the human resources (HR) department of EPPL handling the payroll for employees of all three Organisations.

On 29 September 2019, EPPL notified the PDPC that its server had been hacked and all the files within it were encrypted by ransomware sometime in August 2019. The physical backup of the server was also affected and rendered unusable. A total of 384 employees across the three Organisations, referred to as the "Affected Employees," had their personal data at risk of unauthorized access, including their names, NRIC/FIN numbers, dates of birth, bank account details, and salary information.

EPPL was unable to determine the cause of the ransomware infection or confirm whether any of the personal data had been exfiltrated. However, the Organisations promptly ceased using the affected server upon discovery of the incident.

The PDPC had to determine two key issues in this case:

  1. Whether the Organisations had each complied with their obligations under section 12 of the PDPA (the "Accountability Obligation").
  2. Whether the Organisations had each complied with their obligations under section 24 of the PDPA (the "Protection Obligation").

How Did the Court Analyse the Issues?

Regarding the Accountability Obligation, the PDPC noted that organizations must develop and implement written data protection policies and practices, and communicate them to their staff. Policies and practices passed on only by word of mouth are ineffective, so the absence of a written policy is a significant shortcoming.

In this case, the Organisations admitted that they did not have any written data protection policies and relied only on verbal instructions to employees. The PDPC recognized that the Organisations operated as a group and centralized their payroll processing, with EPPL acting as a data intermediary for EIPL and ESPL. However, the Organisations did not have any binding group-level written policies, intra-group agreements, or binding corporate rules (BCRs) to ensure a common standard of data protection across the group. As a result, the PDPC found each of the Organisations in breach of the Accountability Obligation.

Regarding the Protection Obligation, the PDPC determined that EPPL was a data controller with respect to its own employees' personal data, and a data intermediary for EIPL and ESPL's employees' personal data that it was processing on their behalf. EIPL and ESPL were also found to be in control of their respective employees' personal data, even though it was centrally hosted on EPPL's server.

The PDPC emphasized that organizations should have a written contract with their data intermediaries that clearly specifies the data protection obligations. For a group of companies, this requirement may be met through binding group-level written policies, intra-group agreements, or BCRs. In this case, the Organisations did not have such arrangements in place.

Additionally, the PDPC noted that the Organisations failed to implement sufficient technical and administrative security measures to prevent the unauthorized modification of the personal data by the ransomware attack, which encrypted the data and rendered it unusable. As a result, the PDPC found each of the Organisations in breach of the Protection Obligation.

What Was the Outcome?

The PDPC concluded that each of the Organisations (EPPL, EIPL and ESPL) had breached their obligations under both section 12 (Accountability Obligation) and section 24 (Protection Obligation) of the PDPA. The PDPC did not impose any financial penalties on the Organisations, as it recognized that they had taken prompt remedial action upon discovery of the incident and cooperated fully with the investigation.

Why Does This Case Matter?

This case highlights the importance of organizations, especially those operating as a group, having comprehensive written data protection policies and practices in place to meet their obligations under the PDPA. The lack of such policies and the reliance on verbal instructions were found to be a breach of the Accountability Obligation.

The case also emphasizes the need for organizations to have appropriate contractual arrangements and security measures in place when engaging data intermediaries, even within a corporate group. Failure to do so can result in a breach of the Protection Obligation, as demonstrated by the Organisations' inability to prevent the unauthorized modification of personal data by the ransomware attack.

The PDPC's decision in this case provides valuable guidance for organizations on the steps they must take to comply with the PDPA, particularly in the context of group structures and the use of data intermediaries. It underscores the importance of proactive data protection measures and the need for written policies and contractual arrangements to ensure the proper safeguarding of personal data.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2016] SGPDPC 22
  • [2017] SGPDPC 7
  • [2018] SGPDPC 26
  • [2018] SGPDPC 8
  • [2019] SGPDPC 1
  • [2019] SGPDPC 18
  • [2019] SGPDPC 44
  • [2020] SGPDPC 20

Source Documents

This article analyses [2020] SGPDPC 20 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
