Signup for LITT - Agentic AI for legal, regulatory & Compliance Knowledge work.
Submit Article
Legal Analysis. Regulatory Intelligence. Jurisprudence.
Search articles, case studies, legal topics...
Singapore
By Sushant Shukla 4 min read

Galaxy Credit & Investments Pte. Ltd. [2018] SGPDPC 22

Analysis of [2018] SGPDPC 22, a decision of the Personal Data Protection Commission on 2018-09-25.

Case Details

  • Citation: [2018] SGPDPC 22
  • Court: Personal Data Protection Commission
  • Date: 2018-09-25
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Galaxy Credit & Investments Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2016] SGPDPC 10, [2017] SGPDPC 18, [2018] SGPDPC 22
  • Judgment Length: 9 pages, 2,213 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Galaxy Credit & Investments Pte. Ltd., a licensed moneylender, had breached its obligations under the Personal Data Protection Act (PDPA) by failing to implement reasonable security measures to protect the personal data of its borrowers. The PDPC also found that the moneylender's practice of attaching borrowers' photographs to letters of demand and leaving them at the borrowers' residences was not a purpose that a reasonable person would consider appropriate.

What Were the Facts of This Case?

The facts of the case are straightforward. Galaxy Credit & Investments Pte. Ltd. (the "Organisation") is a licensed moneylender that issues letters of demand (LODs) to borrowers who default on loan repayments. As part of this process, the Organisation would provide the debt collector with the LOD and a photograph of the borrower to help the debt collector correctly identify the borrower.

The Organisation's instructions to the debt collector were to attach the photograph to the LOD and hand it to the borrower. If the borrower was not present, the debt collector was to place the photograph together with the LOD into a sealed envelope and leave it at the borrower's residence.

The issue arose when the Organisation mistakenly attached the photograph of one borrower, Mr. T, to the LODs issued to another borrower, Mr. W. This occurred because the Organisation had a practice of taking photographs of new borrowers and only tagging them to the respective borrower's account at the end of each day, rather than immediately. As a result, the Organisation had incorrectly tagged Mr. T's photograph to Mr. W's account.

The Organisation was only made aware of the issue when the Registry of Moneylenders & Pawnbrokers, Ministry of Law (ROMP) informed the PDPC of the incident.

The key legal issues in this case were:

1. Whether the Organisation had complied with its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements.

2. Whether the Organisation's practice of attaching borrowers' photographs to letters of demand and leaving them at the borrowers' residences was a use of personal data that a reasonable person would consider appropriate under section 18(a) of the PDPA.

How Did the Court Analyse the Issues?

On the first issue, the PDPC found that the Organisation did not have adequate measures in place to ensure that borrowers' photographs were correctly tagged to their respective accounts. The practice of tagging the photographs at the end of each day, rather than immediately, created a vulnerability that led to the mistaken tagging of Mr. T's photograph to Mr. W's account. The PDPC concluded that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession, and was therefore in breach of section 24 of the PDPA.

On the second issue, the PDPC considered whether the Organisation's practice of attaching borrowers' photographs to letters of demand and leaving them at the borrowers' residences was a use of personal data that a reasonable person would consider appropriate under section 18(a) of the PDPA.

The PDPC noted that in a previous decision, Credit Counselling Singapore [2017] SGPDPC 18, it had considered an individual's financial information, including information about their indebtedness, to be "sensitive personal data." The PDPC explained that the disclosure of such information to third parties could lead to social stigma, discrimination, or reputational harm, and therefore organizations handling such data should exercise a greater degree of diligence and care.

In this case, the PDPC found that the Organisation had failed to provide a satisfactory explanation for its practice of placing the borrower's photograph together with the letter of demand and leaving it at the borrower's residence. The PDPC drew the inference that there was no appropriate purpose for using the borrower's photographs in this manner, and concluded that this practice was not for a purpose that a reasonable person would consider appropriate under section 18(a) of the PDPA.

What Was the Outcome?

Based on its findings, the PDPC concluded that the Organisation had breached both section 24 (the protection obligation) and section 18(a) (the purpose limitation obligation) of the PDPA.

The PDPC noted that the Organisation had taken some remedial actions, such as changing its practices to immediately tag photographs to borrowers' accounts, no longer attaching photographs to letters of demand, and providing additional data protection training for its employees. However, the PDPC still found it necessary to issue a direction to the Organisation to ensure compliance with the PDPA going forward.

Why Does This Case Matter?

This case is significant for several reasons:

1. It reinforces the PDPC's position that financial information, including information about an individual's indebtedness, should be treated as sensitive personal data that requires a greater degree of care and protection.

2. It highlights the importance of implementing robust data protection measures, such as ensuring the accurate tagging of personal data, to prevent unauthorized access or disclosure.

3. It provides guidance on the PDPC's interpretation of the "purpose limitation" obligation under section 18(a) of the PDPA, emphasizing that the use of personal data must be for a purpose that a reasonable person would consider appropriate in the circumstances.

4. The case serves as a reminder to organizations, particularly those in the financial services industry, to carefully consider the appropriateness and potential impact of their data handling practices, even if they have obtained consent from individuals.

Legislation Referenced

  • Personal Data Protection Act

Cases Cited

  • [2016] SGPDPC 10
  • [2017] SGPDPC 18
  • [2018] SGPDPC 22

Source Documents

This article analyses [2018] SGPDPC 22 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
Topics
Singapore SLW Case Law Data Protection – Protection obligation
Share this article
𝕏 in f

More in

Legal Wires

Legal Wires

Stay ahead of the legal curve. Get expert analysis and regulatory updates natively delivered to your inbox.

Success! Please check your inbox and click the link to confirm your subscription.
Already a member? Sign in