Case Details
- Citation: [2019] SGPDPC 30
- Court: Personal Data Protection Commission
- Date: 2019-08-20
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Executive Link Services Pte. Ltd.
- Legal Areas: Data protection – Accountability obligation, Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
- Cases Cited: [2017] SGPDPC 14, [2017] SGPDPC 15, [2018] SGPDPC 17, [2019] SGPDPC 23, [2019] SGPDPC 30
- Judgment Length: 9 pages, 1,948 words
Summary
This case concerns a data breach at Executive Link Services Pte. Ltd., an employment agency in Singapore. The Personal Data Protection Commission (PDPC) investigated the incident and found that the organization had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to appoint a data protection officer and implement data protection policies and practices. However, the PDPC did not find the organization in breach of its obligation to protect personal data.
What Were the Facts of This Case?
On 11 June 2018, Executive Link Services Pte. Ltd. (the "Organization") reported a data breach to the PDPC. The breach involved the unintended disclosure of personal data of 367 individuals that was stored on the Organization's server.
The incident occurred when one of the Organization's clients engaged a cybersecurity company to scan the internet for information relating to the client. During this scan, the cybersecurity company gained access to the Organization's server and retrieved copies of draft contracts of job candidates from it.
The compromised personal data included the individuals' names, addresses, contact numbers, email addresses, education levels, salary expectations, employment histories, and salary information. The Organization was alerted to the breach on 8 June 2018.
The events leading to the incident were as follows: The Organization had implemented remote access for staff to access internal files stored on its data storage server, which required the use of a Virtual Private Network (VPN) service. When staff had difficulties with VPN access, the Organization approached its IT vendor, SShang Systems, for assistance. SShang was advised by the server supplier, Blumm Technology Pte. Ltd., to adopt a workaround by opening and enabling file access through the server's File Transfer Protocol (FTP) port. SShang implemented this VPN workaround without passing on Blumm's advice that the folders on the server should be password-protected.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether the Organization had complied with its obligation to protect personal data under section 24 of the PDPA.
- Whether the Organization had complied with the obligations to appoint a data protection officer (DPO) and develop and implement data protection policies and practices under sections 11(3) and 12 of the PDPA, respectively.
How Did the Court Analyse the Issues?
On the first issue, the PDPC noted that the compromised personal data was in the Organization's sole possession and control, and that the IT vendors, SShang and Blumm, were not engaged to process personal data and were therefore not data intermediaries. The responsibility to protect the data fell solely on the Organization.
The PDPC acknowledged that the server was an internal one meant to be accessed remotely by staff, rather than a publicly accessible website. It recognized that there are "subtle but significant differences" between the two, with remote access requiring the use of VPN software or knowledge of the server's IP address, rather than being easily discoverable by search engines.
The PDPC found that the Organization had relied on its IT vendors' expertise and had implemented VPN access as a security measure. The PDPC stated that, when SShang recommended the VPN workaround, it was reasonable for the Organization to have expected that the workaround would not materially compromise its security requirements. The PDPC acknowledged that the Organization could have sought clarification on the impact of the workaround, but said it was not unreasonable for the Organization to have relied on SShang's assessment that there was little or no risk of unauthorized access. Ultimately, the PDPC gave the Organization the benefit of the doubt and did not find a breach of the protection obligation under section 24 of the PDPA.
On the second issue, the PDPC found the Organization in breach of its obligations under sections 11(3) and 12 of the PDPA. The Organization had admitted that it had not appointed a DPO and had not developed or implemented any data protection policies, internal guidelines, or procedures. The PDPC emphasized the importance of these requirements, as highlighted in its previous decisions.
What Was the Outcome?
The PDPC directed the Organization to pay a financial penalty of $5,000 within 30 days for its breaches of sections 11(3) and 12 of the PDPA. In determining the penalty, the PDPC took into account mitigating factors, including the Organization's cooperation during the investigation, its prompt and extensive remedial actions, the limited duration of the data exposure, and the fact that the VPN workaround was only intended to be a temporary measure.
Why Does This Case Matter?
This case highlights the importance of organizations complying with the key accountability obligations under the PDPA, even if a data breach does not result from a failure to protect personal data. The PDPC has consistently emphasized the significance of appointing a DPO and implementing data protection policies and practices, as these are fundamental to an organization's ability to meet its obligations under the PDPA.
The case also provides guidance on the PDPC's approach to assessing an organization's compliance with the protection obligation under section 24 of the PDPA. While the PDPC acknowledged the differences between an internal server and a publicly accessible website, it made clear that organizations cannot completely abdicate responsibility for data security to their IT vendors. Organizations must still exercise due diligence and seek clarification when IT changes are proposed that could impact data security.
This decision serves as a reminder to all organizations handling personal data in Singapore to ensure they have the necessary data protection infrastructure and practices in place, even if a specific data breach incident does not result in a finding of liability under the PDPA.
Legislation Referenced
- Personal Data Protection Act 2012 (PDPA)
Cases Cited
- [2017] SGPDPC 14
- [2017] SGPDPC 15
- [2018] SGPDPC 17
- [2019] SGPDPC 23
- [2019] SGPDPC 30
Source Documents
This article analyses [2019] SGPDPC 30 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.