
Fullerton Healthcare Group Pte Limited and another [2023] SGPDPC 5

Analysis of [2023] SGPDPC 5, a decision of the Personal Data Protection Commission on 2023-03-23.


Case Details

Summary

This case involves an investigation by the Personal Data Protection Commission (PDPC) into a data breach incident affecting Fullerton Healthcare Group Pte Limited (FHG) and its data intermediary, Agape CP Holdings Pte. Ltd. (Agape). The PDPC found that both FHG and Agape had breached the protection obligation under the Personal Data Protection Act 2012 (PDPA) by failing to implement reasonable security arrangements to protect the personal data of FHG's customers. The PDPC imposed financial penalties on both organizations for their respective failures.

What Were the Facts of This Case?

FHG is an enterprise healthcare service provider that engaged Agape, a business process outsourcing provider and social enterprise, to provide call center and appointment booking services for its customers. As part of this arrangement, FHG provided Agape with access to the personal data of its customers via Microsoft SharePoint.

To enable the Agents (inmates from Changi Women's Prison) to access FHG's customer data, Agape downloaded the data onto a computer and re-uploaded it onto an internet-facing file server (the "Online Drive"). The Online Drive was then whitelisted for access by the Agents from within the prison.

On 15 October 2021, FHG became aware that its customer data was being offered for sale on a dark web forum. FHG's investigation confirmed that the incident solely involved and affected Agape's Online Drive, and that FHG's own systems and servers were not affected.

The personal data of 156,900 FHG customers, including their names, NRIC/FIN numbers, dates of birth, gender, contact information, financial information, and health information, was accessed without authorization during the incident. The exact volume of exfiltrated personal data was unknown.

The key legal issues in this case were:

  1. Whether Agape, as a data intermediary of FHG, had breached the protection obligation under section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of FHG's customers.
  2. Whether FHG, as the organization that engaged Agape as a data intermediary, had breached the protection obligation by failing to exercise reasonable oversight over Agape's data processing activities.

How Did the Court Analyse the Issues?

In analyzing the issues, the PDPC made the following key findings:

Agape's Breach of the Protection Obligation: The PDPC found that Agape had breached the protection obligation under the PDPA. Agape had failed to conduct reasonable periodic security reviews of its IT systems, including the internet-facing Online Drive, which resulted in the password protection for the Online Drive being inadvertently disabled for an estimated 20 months. This caused the Online Drive to become an open directory listing on the internet, highly vulnerable to unauthorized access. The PDPC also found that Agape's password policy and management were inadequate, as the password for the Online Drive was shared among the Agents and had no expiry date.

FHG's Breach of the Protection Obligation: The PDPC found that FHG had also breached the protection obligation under the PDPA. As the organization that engaged Agape as a data intermediary, FHG was required to exercise reasonable oversight over Agape's data processing activities. However, FHG failed to do so, which resulted in the security vulnerabilities in Agape's systems and the subsequent data breach incident.

The PDPC emphasized that under the PDPA, an organization that engages a data intermediary bears the same obligations as if the personal data was processed by the organization itself. The data controller (FHG) has a supervisory or general role for the protection of the personal data, while the data intermediary (Agape) has a more direct and specific role in the protection of personal data.

What Was the Outcome?

Based on the findings, the PDPC imposed financial penalties on both FHG and Agape for their respective breaches of the protection obligation under the PDPA.

FHG was fined S$60,000, while Agape, as a social enterprise, was fined S$30,000. The PDPC took into account various factors in determining the appropriate penalties, including the severity of the breaches, the volume of personal data affected, the organizations' cooperation and remedial actions, and Agape's status as a social enterprise.

Why Does This Case Matter?

This case is significant for several reasons:

  1. Importance of Oversight over Data Intermediaries: The case reinforces the principle that organizations engaging data intermediaries to process personal data on their behalf must exercise reasonable oversight over the data intermediary's data processing activities. Failure to do so can result in the organization being held liable for the data intermediary's breaches of the PDPA.
  2. Emphasis on Periodic Security Reviews: The case highlights the importance of organizations conducting regular, comprehensive security reviews of their IT systems and processes, including legacy systems and components. Without such reviews, vulnerabilities can go unidentified and unremediated for long periods, as was the case with Agape's Online Drive, whose disabled password protection went unnoticed for an estimated 20 months.
  3. Importance of Robust Password Policies: The case underscores the need for organizations to implement and enforce robust password policies, including measures such as password expiration and prohibiting the sharing of passwords among multiple users. Weak password management can significantly increase the risk of unauthorized access to personal data.
  4. Penalties for Social Enterprises: The case demonstrates that even social enterprises are not exempt from the PDPA's requirements and can face financial penalties for breaches of the protection obligation. However, the PDPC did take Agape's status as a social enterprise into account in determining the appropriate penalty.
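As an added illustration (not part of the decision or of this article), the following script sketches two of the checks a periodic security review of an internet-facing share like the Online Drive would include: an unauthenticated probe that flags an open directory listing or content served without authentication, and a password-hygiene check for shared and stale credentials. The URL, the account record fields, the listing markers and the sample inputs are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Markers typical of auto-generated directory index pages (assumption: adjust for the server in use).
LISTING_MARKERS = re.compile(r"<title>\s*Index of\b|Parent Directory", re.I)

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    detail: str

def assess_unauthenticated_response(status: int, body: str) -> list[Finding]:
    """Classify what an unauthenticated GET to the share root returned."""
    if status in (401, 403):
        return []  # authentication is still being enforced
    if status == 200 and LISTING_MARKERS.search(body):
        return [Finding("share-auth", "critical", "open directory listing served without authentication")]
    if status == 200:
        return [Finding("share-auth", "high", "content served without authentication")]
    return [Finding("share-auth", "info", f"unexpected status {status}; review manually")]

def probe_share_root(url: str, timeout: float = 10.0) -> list[Finding]:
    """Live check: one unauthenticated GET against the internet-facing share (URL is an assumption)."""
    req = Request(url, headers={"User-Agent": "periodic-security-review"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return assess_unauthenticated_response(resp.status, body)
    except HTTPError as exc:  # 401/403 surface here as exceptions
        return assess_unauthenticated_response(exc.code, "")

def check_password_hygiene(accounts: list[dict], today: date, max_age_days: int = 90) -> list[Finding]:
    """Flag accounts shared by several users and passwords older than the allowed maximum age."""
    findings = []
    for acct in accounts:
        if acct["user_count"] > 1:
            findings.append(Finding("password-policy", "high", f"{acct['name']}: shared by {acct['user_count']} users"))
        age = (today - acct["last_changed"]).days
        if age > max_age_days:
            findings.append(Finding("password-policy", "medium", f"{acct['name']}: password unchanged for {age} days"))
    return findings

# Constructed sample inputs (not from the decision): an open listing and one shared, stale account.
SAMPLE_LISTING = "<html><head><title>Index of /customers</title></head><body>Parent Directory</body></html>"
SAMPLE_ACCOUNTS = [{"name": "online-drive-agents", "user_count": 12, "last_changed": date(2020, 2, 1)}]
REVIEW_DATE = date(2021, 10, 15)  # the date FHG learned of the sale, used here as the review date
```

In practice `probe_share_root` would be run from a scheduled job against the share's external URL, and `check_password_hygiene` fed from the identity store, so that a disabled login or a never-rotated shared password is surfaced at the next review rather than after an incident.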


This article analyses [2023] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla