Case Details
- Citation: [2018] SGPDPC 9
- Court: Personal Data Protection Commission
- Date: 2018-05-30
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Habitat for Humanity Singapore Ltd
- Legal Areas: Data Protection – Openness obligation, Data Protection – Protection obligation, Data Protection – Personal data
- Statutes Referenced: N/A
- Cases Cited: [2017] SGPDPC 14, [2017] SGPDPC 5, [2017] SGPDPC 7, [2018] SGPDPC 9
- Judgment Length: 10 pages, 2,592 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Habitat for Humanity Singapore Ltd (the Organisation) breached its obligations under the Personal Data Protection Act (PDPA) by failing to develop and implement proper data protection policies and practices, and by failing to adequately protect the personal data of its volunteers. The breach arose from the Organisation's improper handling of a batch of community involvement programme (CIP) letters, which resulted in the disclosure of the volunteers' names and NRIC numbers to all recipients of the email.
What Were the Facts of This Case?
The Organisation is a registered charity that organises community involvement programmes where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer's participation.
On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising the batch of CIP letters. The CIP letters were created using the mail merge function in Microsoft Word, which filled in a template with the names and NRIC numbers of the volunteers. The Organisation's usual practice was to segregate and split the document containing the entire batch of CIP letters into individual letters before sending them out. However, in this case, the manager who prepared the email failed to instruct the administrative staff member who sent out the email on this procedure.
As a result, the PDF attachment containing the CIP letters revealed the names and NRIC numbers of all the volunteers who had participated in the Organisation's mass clean-up event. The email was also sent with the email addresses of all the recipients in the "cc" field, so every recipient could see who else had received it. The Organisation received complaints from volunteers concerned that their personal data had been disclosed without their consent.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether the Organisation complied with its obligations under section 12 of the PDPA to develop and implement data protection policies and practices, and to communicate these to its staff.
- Whether the Organisation was in breach of section 24 of the PDPA, which requires an organisation to protect the personal data in its possession or under its control by making reasonable security arrangements.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that the Organisation did not have any documented data protection policies or procedures in place for the sending out of the CIP letters. The PDPC emphasized the importance of having a written data protection policy, as it provides a reference for employees to follow and enables effective internal training on data protection practices.
The PDPC also found that the Organisation did not provide any formal data protection training for its employees. While the Organisation claimed to have verbally instructed its employees on data protection practices, the lack of awareness demonstrated by the administrative staff who sent out the email suggested that these verbal instructions were insufficient.
On the second issue, the PDPC found that the Organisation's informal practices and verbal reminders were an insufficient security arrangement to comply with section 24 of the PDPA. The PDPC noted that the Organisation did not implement any checks or controls to prevent the risk of unauthorized disclosure of personal data, such as technical arrangements to generate the CIP letters as separate documents, or reminders to employees to use the "bcc" function when sending mass emails.
The PDPC also observed that the disclosure of the volunteers' NRIC numbers was unnecessary, as the CIP letters had already referred to the volunteers by their full names. The PDPC emphasized that organisations should not disclose NRIC numbers except where it is required by law or necessary to accurately establish and verify an individual's identity.
What Was the Outcome?
Based on its findings, the PDPC concluded that the Organisation had breached its obligations under both sections 12 and 24 of the PDPA. The PDPC directed the Organisation to implement the following measures:
- Develop and implement a data protection policy that addresses the Organisation's obligations under the PDPA, and communicate this policy to all its staff.
- Conduct regular data protection training for all staff involved in handling personal data.
- Implement technical and administrative measures to prevent the risk of unauthorized disclosure of personal data, such as generating documents containing personal data as separate files and using the "bcc" function when sending mass emails.
- Refrain from collecting or disclosing NRIC numbers unless it is required by law or necessary to accurately establish and verify an individual's identity.
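The two technical controls directed above (one document per individual, and no visible list of mass-mail recipients) can be enforced by a pre-send check instead of relying on staff remembering a procedure. The following is an added example in Python, not code from the decision or from the Organisation: it renders one letter per volunteer, builds one message per volunteer with only that volunteer's letter attached, and gates every outgoing message on a check that flags several visible recipients, an attachment holding more than one person's letter, or an NRIC number inside an attachment. The volunteer names and addresses, the event details, the `Volunteer` class and all function names are constructed for the example; NRIC values in the reproduced batch message are placeholders; and letters are attached as plain text rather than the PDFs the case involved, so that the content check can read them directly.

```python
import re
from dataclasses import dataclass
from email.message import EmailMessage


# Constructed sample data (hypothetical volunteers, not from the decision).
@dataclass(frozen=True)
class Volunteer:
    name: str
    email: str


VOLUNTEERS = [
    Volunteer("Alice Tan", "alice@example.org"),
    Volunteer("Ben Lim", "ben@example.org"),
    Volunteer("Chloe Ng", "chloe@example.org"),
]

# The letter refers to the volunteer by full name only; no NRIC number is
# rendered, following the decision's point that the NRIC was unnecessary.
LETTER_TEMPLATE = (
    "Dear {name},\n\n"
    "This letter confirms your participation in the {event} on {date}.\n"
)

# Singapore NRIC/FIN format: prefix letter, seven digits, check letter.
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b")


def build_messages(volunteers, event, date, sender):
    """One message per volunteer, each with only that volunteer's letter.

    Hypothetical helper: the decision directs separate files per individual
    and no visible mass-recipient list; it does not prescribe this code.
    """
    messages = []
    for v in volunteers:
        letter = LETTER_TEMPLATE.format(name=v.name, event=event, date=date)
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = v.email  # exactly one visible recipient, never a Cc list
        msg["Subject"] = f"CIP letter: {event}"
        msg.set_content("Your CIP letter is attached.")
        # Attached as text/plain for the example (assumption); the real
        # letters were PDFs produced by mail merge.
        msg.add_attachment(letter.encode("utf-8"), maintype="text",
                           subtype="plain", filename="CIP_letter.txt")
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc, but not Bcc."""
    addrs = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value is not None:
            addrs.extend(a.addr_spec for a in value.addresses)
    return addrs


def check_message(msg):
    """Pre-send gate returning a list of findings; empty means OK to send.

    Flags the two failure modes from the case: several visible recipients,
    and an attachment carrying more than one person's letter or an NRIC.
    """
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > 1:
        findings.append(f"{len(visible)} visible recipients; "
                        "send individually or use Bcc")
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""
        text = raw.decode("utf-8", "replace")
        name = part.get_filename()
        if text.count("Dear ") > 1:
            findings.append(f"{name}: batch document with letters for "
                            "more than one person")
        if NRIC_RE.search(text):
            findings.append(f"{name}: contains an NRIC number")
    return findings


def batch_message_as_sent(volunteers, event, date, sender):
    """Constructed reproduction of the problematic message from the case:
    one combined attachment with every name and NRIC, all recipients in Cc.
    NRIC values are generated placeholders, not real numbers."""
    combined = "".join(
        LETTER_TEMPLATE.format(name=v.name, event=event, date=date)
        + f"NRIC: S{1000000 + i:07d}A\n\n"  # constructed placeholder
        for i, v in enumerate(volunteers)
    )
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(v.email for v in volunteers)
    msg["Subject"] = f"CIP letters: {event}"
    msg.set_content("Please find the CIP letters attached.")
    msg.add_attachment(combined.encode("utf-8"), maintype="text",
                       subtype="plain", filename="CIP_letters_all.txt")
    return msg


if __name__ == "__main__":
    sender = "admin@example.org"
    for m in build_messages(VOLUNTEERS, "mass clean-up event",
                            "20 July 2017", sender):
        print(m["To"], check_message(m) or "OK")
    bad = batch_message_as_sent(VOLUNTEERS, "mass clean-up event",
                                "20 July 2017", sender)
    print("batch message:", check_message(bad))
```

The gate is the point: a sending path that refuses any message with a visible recipient list or a multi-person attachment removes the manual splitting step that the manager forgot to explain, which is what the decision asks for when it calls verbal reminders an insufficient arrangement. For real PDF attachments the content check would need a text-extraction step before the same regular expression and letter-count logic could be applied.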
Why Does This Case Matter?
This case highlights the importance of organisations having well-documented data protection policies and practices, as well as providing effective data protection training for their employees. The PDPC's decision emphasizes that merely having informal or verbal data protection instructions is not sufficient to meet the requirements of the PDPA.
The case also underscores the need for organisations to implement appropriate technical and administrative measures to protect the personal data in their possession, including being mindful of the sensitivity of certain types of personal data, such as NRIC numbers. Organisations must take proactive steps to mitigate the risks of unauthorized disclosure of personal data, rather than relying on ad-hoc or reactive measures.
This decision serves as a valuable precedent for organisations in Singapore, demonstrating the PDPC's expectations regarding compliance with the PDPA's openness and protection obligations. It provides guidance on the types of policies, practices, and controls that organisations should have in place to safeguard the personal data they handle.
Legislation Referenced
- Personal Data Protection Act (PDPA)
Cases Cited
- [2017] SGPDPC 14
- [2017] SGPDPC 5
- [2017] SGPDPC 7
- [2018] SGPDPC 9
Source Documents
This article analyses [2018] SGPDPC 9 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.