Singapore

HMI Institute of Health Science [2024] SGPDPCS 5

Analysis of [2024] SGPDPCS 5, a decision of the Personal Data Protection Commission on 2024-11-29.


Case Details

Summary

In this case, the Personal Data Protection Commission (the "Commission") found that HMI Institute of Health Science Pte. Ltd. (the "Organisation") breached the Protection Obligation under Section 24 of the Personal Data Protection Act 2012 ("PDPA"). The Organisation had inadvertently made publicly available an Excel file containing the personal data of 761 individuals on its website, after failing to properly decommission a student portal and exercise reasonable oversight over its vendor. The Commission imposed a financial penalty of $10,000 on the Organisation and directed it to take several remedial actions to ensure compliance with the PDPA going forward.

What Were the Facts of This Case?

The Organisation is a healthcare training provider in Singapore. On 2 May 2024, the Organisation notified the Commission of a personal data breach incident after it received a complaint from an affected individual who found an Excel file containing the personal data of 761 individuals, which the Organisation had inadvertently made publicly available on the Internet.

The personal data disclosed included a combination of the name, address, email address, telephone number, NRIC number, date of birth, nationality, race, gender and educational qualification of the affected individuals. These individuals had provided their personal data to the Organisation via the Students' Career Portal (the "Portal"), which was previously part of the Organisation's website from 2017 to 2019.

In December 2019, the Organisation decided to decommission the Portal. However, the Organisation did not follow up with the vendor to ensure that the Portal had been properly decommissioned, other than checking and confirming that the Portal was no longer accessible at its original URL address. As a result, the Excel file continued to reside in the web directory of the Organisation's website with no access control to prevent indexing by online search engines. This led to the Excel file being indexed and made publicly accessible via an online search using relevant keywords.
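The failure pattern described above (the Portal's URL no longer resolves, yet its export file is still in the served web tree) is something a decommissioning check should verify on the server itself rather than by visiting the old address. The following Python script is an added example, not code from the decision or from the Organisation or its vendor; it assumes a filesystem web root and a list of subdirectories that were supposed to be removed, and constructs its own sample layout.

```python
"""Scan a web root for data exports left behind after a portal decommission (added example)."""
import tempfile
from pathlib import Path

# Assumed: file types that typically hold bulk exports of personal data.
DATA_EXTENSIONS = {".xls", ".xlsx", ".csv", ".sql", ".bak", ".zip"}
# Assumed: names a web server would serve instead of a directory listing.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def find_residual_data_files(webroot, decommissioned_dirs):
    """Return sorted (finding, relative_path) tuples for a served web root.

    decommissioned_dirs: subdirectories (relative to webroot) that should have
    been removed entirely when the portal was taken down.
    """
    root = Path(webroot)
    findings = set()
    for rel in decommissioned_dirs:
        if (root / rel).exists():
            # The old URL may 404 (its index page was deleted) while the
            # directory, and any exports inside it, are still served.
            findings.add(("directory_still_present", Path(rel).as_posix()))
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in DATA_EXTENSIONS:
            findings.add(("data_file_served", path.relative_to(root).as_posix()))
            if not any((path.parent / name).exists() for name in INDEX_NAMES):
                # No index page: a server with directory listing enabled will
                # expose the file name to crawlers and search engines.
                findings.add(("listable_directory", path.parent.relative_to(root).as_posix()))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample layout mirroring the incident pattern (no real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>Training provider</h1>")
    (root / "assets").mkdir()
    (root / "assets" / "site.css").write_text("body {}")
    exports = root / "portal" / "exports"
    exports.mkdir(parents=True)
    # The portal's pages were removed, but its export remains in the web tree.
    (exports / "applicants_2019.xlsx").write_bytes(b"PK\x03\x04")  # stub zip header
    return root
```

Running `find_residual_data_files(build_demo_webroot(), ["portal"])` reports the surviving `portal` directory, the spreadsheet under it, and the fact that its folder has no index page to stop a listing.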

The key legal issue in this case was whether the Organisation had breached the Protection Obligation under Section 24 of the PDPA. Section 24(a) of the PDPA requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."

The Commission had to determine whether the Organisation's failure to properly decommission the Portal and exercise reasonable oversight over its vendor amounted to a breach of the Protection Obligation under the PDPA.

How Did the Court Analyse the Issues?

The Commission found that the Organisation had admitted to a breach of Section 24 of the PDPA. The Commission noted that while the Organisation alluded to its own lack of technical expertise and reliance on the vendor to decommission the Portal, this was not an adequate defence to the Organisation's failure to take the necessary steps to comply with its obligation under Section 24.

The Commission explained that the exercise of reasonable vendor oversight did not require technical expertise. The Organisation could have exercised reasonable oversight by verifying with its vendor that the personal data previously collected via the Portal had been properly deleted and was no longer accessible following the decommissioning of the Portal. However, the Organisation did not have the policies and processes in place to allow it to adequately supervise the work carried out by its vendor.

The Commission further noted that this was the second contravention of the PDPA by the Organisation, which was a relevant factor in determining the appropriate enforcement action.

What Was the Outcome?

Based on the findings, the Commission required the Organisation to pay a financial penalty of $10,000 within 30 days. The Commission also directed the Organisation to take several remedial actions to ensure its compliance with the Protection Obligation under the PDPA, including:

  • Creating and maintaining a personal data asset inventory for tracking its personal data assets;
  • Putting in place a well-documented vendor management policy and relevant processes for effective management and supervision of its IT vendors;
  • Conducting a vulnerability assessment and/or penetration testing of its existing IT systems and resolving any identified vulnerabilities; and
  • Preparing and submitting to the Commission a written report on the completion of the remediation actions within 60 days.

Why Does This Case Matter?

This case highlights the importance of organisations having robust policies and processes in place to ensure the proper management and oversight of their vendors, particularly when it comes to the handling of personal data. The Commission's decision emphasises that a lack of technical expertise is not an adequate excuse for an organisation's failure to exercise reasonable oversight over its vendors and comply with its obligations under the PDPA.

The case also serves as a reminder that the Commission takes a serious view of data breaches and will not hesitate to impose financial penalties on organisations that fail to protect the personal data in their possession or control. The remedial actions ordered by the Commission in this case are designed to help the Organisation strengthen its data protection practices and prevent similar incidents from occurring in the future.

This decision is likely to be of significant interest to legal practitioners and organisations operating in Singapore, as it provides valuable guidance on the Commission's interpretation and enforcement of the Protection Obligation under the PDPA. It also highlights the importance of effective vendor management and the need for organisations to have robust data protection policies and procedures in place to ensure compliance with the PDPA.

This article analyses [2024] SGPDPCS 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla