
Farrer Park Hospital Pte Ltd [2022] SGPDPC 6

Analysis of [2022] SGPDPC 6, a decision of the Personal Data Protection Commission on 2022-09-15.

Case Details

  • Citation: [2022] SGPDPC 6
  • Court: Personal Data Protection Commission
  • Date: 2022-09-15
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Farrer Park Hospital Pte Ltd
  • Legal Areas: Data Protection – Protection Obligation, Data Protection – Financial penalty
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2011] SGHC 29, [2013] SGHC 194, [2019] SGPDPC 16, [2019] SGPDPC 31, [2020] SGPDPC 17, [2020] SGPDPCS 13, [2021] SGPDPC 10, [2022] SGPDPC 6
  • Judgment Length: 30 pages, 5,031 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated Farrer Park Hospital Pte Ltd (the Organisation) for a data breach incident where 9,271 emails containing the personal data of 3,539 individuals were automatically forwarded from two employees' email accounts to a third-party email address over a 19-month period. The PDPC found that the Organisation had breached its obligation under the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data in its possession. The PDPC imposed a financial penalty on the Organisation for its failure to implement adequate security measures to prevent the unauthorized access and disclosure of the sensitive personal data.

What Were the Facts of This Case?

Farrer Park Hospital Pte Ltd is a private tertiary healthcare institute that provides a range of healthcare services. The nature of the Organisation's operations requires its employees to regularly handle highly sensitive personal data of past, present, and prospective patients. The personal data includes names, gender, nationality, dates of birth, NRIC numbers, passport details, contact numbers, photographs, and medical information such as medical conditions, medical history, and medical results/reports.

In July 2020, the PDPC received a data breach notification from the Organisation. The Organisation had discovered that between 8 March 2018 and 25 October 2019, 9,271 emails had been automatically forwarded from the Microsoft Office 365 work email accounts (the "Email Accounts") of two employees (the "Employees") to a third party's email address (the "Third Party"), thereby disclosing the personal data of 3,539 unique individuals (the "Incident").

At the time of the Incident, the Organisation had implemented various IT and data protection policies, including a Data Protection Handbook, a Personal Data Protection Policy for Patient Records, an IT Security Management Standards policy, an Access Control Standards policy, and an Acceptable Use Policy. The Organisation had also implemented various IT security measures such as staff training, phishing exercises, email filtering, endpoint protection, user behavior analytics, webpage whitelisting, firewalls, and network intrusion prevention.

In June 2019, the Organisation implemented multi-factor authentication (MFA) for all of its employees' work email accounts. However, MFA was not yet in place when the Incident began on 8 March 2018.

The key legal issue in this case was whether the Organisation had breached its obligation under section 24 of the PDPA to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks (the "Protection Obligation").

The PDPC had to determine whether the security measures implemented by the Organisation were reasonable and appropriate in the circumstances, taking into consideration the nature of the personal data and the possible impact on the affected individuals if the data was improperly accessed or disclosed.

How Did the Court Analyse the Issues?

The PDPC noted that there is no "one size fits all" solution for organizations to comply with the Protection Obligation. Each organization should consider adopting security arrangements that are reasonable and appropriate in the circumstances, taking into account factors such as the nature of the personal data, the form in which the data has been collected, and the possible impact on the individuals if the data is improperly accessed or disclosed.

In this case, the PDPC found that the personal data involved was highly sensitive, as it included medical information such as diagnoses, medical histories, and test results. The PDPC stated that organizations should design and organize their security arrangements to fit the nature of the personal data held and the possible harm that might result from a security breach.

The PDPC acknowledged that the Organisation had implemented various IT and data protection policies, as well as technical security measures. However, the PDPC found that these measures were not sufficient to prevent the unauthorized access and disclosure of the sensitive personal data in this case. Specifically, the PDPC noted that the MFA was not implemented at the time the Incident first occurred, and the Organisation's security solutions did not detect the anomalous email forwarding activity for a significant period of time.
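As an added illustration (not part of the decision, and not the Organisation's actual tooling), the check below scans Microsoft 365 unified audit log records for inbox rules or mailbox settings that forward mail to an address outside the organisation, which is the kind of anomalous forwarding the decision says went undetected for a significant period. The internal mail domain and the audit records are constructed placeholders.

```python
import re
from typing import Iterable

# Placeholder for the organisation's own mail domains (an assumption, not taken from the decision).
INTERNAL_DOMAINS = {"hospital.example"}
# Audit-log operations and parameters that cause mail to leave a mailbox automatically.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_forward_targets(record: dict, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return the external addresses a forwarding-related audit record points at ([] if none)."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in FORWARDING_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        # Values look like "smtp:user@domain" or '"Name" [SMTP:user@domain]'; pull out the address.
        for addr in EMAIL_RE.findall(str(param.get("Value", ""))):
            if addr.split("@")[1].lower() not in internal_domains:
                targets.append(addr.lower())
    return targets

def find_external_forwarding(records: Iterable[dict]) -> list[dict]:
    # Reduce a stream of audit records to the forwarding events that point outside the organisation.
    hits = []
    for rec in records:
        targets = external_forward_targets(rec)
        if targets:
            hits.append({"time": rec["CreationTime"], "mailbox": rec["UserId"],
                         "operation": rec["Operation"], "targets": targets})
    return hits

# Constructed sample records in the shape of Microsoft 365 unified audit log entries (not real data).
SAMPLE_RECORDS = [
    {"CreationTime": "2018-03-08T02:14:09", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "nurse01@hospital.example", "Parameters": [{"Name": "Name", "Value": "sync"},
      {"Name": "ForwardTo", "Value": '"backup" [SMTP:collector@third-party.example]'}]},
    {"CreationTime": "2018-03-09T08:00:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "admin@hospital.example", "Parameters": [{"Name": "Identity", "Value": "clerk02"},
      {"Name": "ForwardingSmtpAddress", "Value": "smtp:clerk02.home@mailbox.example"}]},
    {"CreationTime": "2018-03-10T10:30:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "doctor03@hospital.example", "Parameters": [{"Name": "ForwardTo", "Value": "clinic@hospital.example"}]},
    {"CreationTime": "2018-03-11T11:00:00", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "doctor03@hospital.example", "Parameters": []},
]

if __name__ == "__main__":
    print(find_external_forwarding(SAMPLE_RECORDS))
```

Run against a real audit export, the same logic would have surfaced the first two records (an inbox rule and an administrative forwarding setting, both pointing at external domains) on the day they were created rather than months later.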

The PDPC concluded that the Organisation had failed to make reasonable security arrangements to prevent the unauthorized access and disclosure of the personal data, and therefore breached its Protection Obligation under the PDPA.

What Was the Outcome?

As a result of the breach, the PDPC imposed a financial penalty of S$80,000 on the Organisation. In determining the appropriate penalty, the PDPC took into account several factors, including the Organisation's voluntary admission of liability, its cooperation with the investigation, and the remedial measures it had taken after discovering the Incident.

The PDPC also directed the Organisation to further enhance its security measures, including upgrading and refreshing its network and endpoint security solutions by 2022.

Why Does This Case Matter?

This case is significant as it highlights the importance of organizations implementing reasonable and appropriate security measures to protect the personal data in their possession, particularly sensitive information such as medical data. The PDPC's decision emphasizes that organizations must continuously assess and improve their security arrangements to keep pace with evolving threats and technological developments.

The case also serves as a reminder that the PDPA's Protection Obligation is not a one-size-fits-all requirement, but rather a fact-specific assessment that organizations must undertake based on the nature of the personal data they handle and the potential harm that could result from a breach. Organizations must be prepared to demonstrate that their security measures are tailored to the risks posed by the personal data in their care.

Finally, this case underscores the PDPC's willingness to impose financial penalties on organizations that fail to meet their data protection obligations, even where the organization has taken some security measures. This sends a strong message to organizations that they must prioritize data protection and be proactive in enhancing their security arrangements to avoid potential regulatory action.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2011] SGHC 29
  • [2013] SGHC 194
  • [2019] SGPDPC 16
  • [2019] SGPDPC 31
  • [2020] SGPDPC 17
  • [2020] SGPDPCS 13
  • [2021] SGPDPC 10
  • [2022] SGPDPC 6

Source Documents

This article analyses [2022] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
