Singapore

Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27

Analysis of [2019] SGPDPC 27, a decision of the Personal Data Protection Commission on 2019-07-25.


Case Details

  • Citation: [2019] SGPDPC 27
  • Court: Personal Data Protection Commission
  • Date: 2019-07-25
  • Legal Areas: Data protection – Openness obligation
  • Statutes Referenced: Data Protection Act, Data Protection Act 1998, Personal Information Online Code
  • Cases Cited: [2017] SGPDPC 15, [2018] SGPDPC 6, [2019] SGPDPC 27
  • Judgment Length: 18 pages, 4,435 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Horizon Fast Ferry Pte. Ltd. (the Organisation) failed to comply with its obligations under the Data Protection Act (PDPA) regarding the openness of its data protection policies and practices. The PDPC determined that the Organisation did not have a designated data protection officer (DPO) or adequate data protection policies in place at the time of the incident, which involved the auto-retrieval and auto-population of passengers' personal data on the Organisation's booking website.

The PDPC ordered the Organisation to implement appropriate data protection policies and practices, including appointing a DPO, and to pay a financial penalty for its breaches of the PDPA.

What Were the Facts of This Case?

Horizon Fast Ferry Pte. Ltd. is a Singapore-based ferry operator that provides ferry services between Singapore and Batam. As part of its service offerings, the Organisation operates a website that allows passengers to purchase ferry tickets directly online (the "Booking Site").

At the material time, passengers booking tickets through the Booking Site were required to provide a set of personal data, including their full name, gender, nationality, date of birth, passport number, and passport expiry date (the "Personal Data Set"). This same Personal Data Set was also collected from passengers when they checked in at the Organisation's counter.

The Organisation stored and retained all the Personal Data Sets collected from the Booking Site and the counter check-in system in an internal database (the "Database"), even after the passengers' last travel date. One of the features of the Organisation's internal counter check-in system was the ability to automatically retrieve and populate a returning passenger's Personal Data Set from the Database when their passport number was entered.

In or around May 2017, the Organisation engaged a contractor to revamp the Booking Site. Unbeknownst to the Organisation, the contractor replicated the auto-retrieval and auto-population feature from the internal counter check-in system into the Booking Site. As a result, whenever a user entered a passport number that matched a returning passenger's record in the Database, the system would automatically retrieve and populate the remaining fields in the Booking Form with the associated Personal Data Set.

The Organisation was not aware of this functionality until it was notified of the incident by a complainant on 9 October 2017. At the time of the investigation, the Database contained a total of 444,000 Personal Data Sets, representing 295,151 unique passengers.
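The difference between the internal counter feature and its replica on the public Booking Site, as an added Python illustration (not the Organisation's code and not drawn from the decision); the record store, names and passport numbers are constructed, and the session-ownership check is one possible hardening, not the remedy the PDPC ordered:

```python
"""Added illustration: the counter's prefill-by-passport-number lookup, the
same lookup exposed on a public booking form, and a hardened booking form
that only prefills the logged-in passenger's own record. All records below
are constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PersonalDataSet:  # the fields the Booking Site collected
    full_name: str
    gender: str
    nationality: str
    date_of_birth: str
    passport_no: str
    passport_expiry: str


# Constructed stand-in for the Organisation's Database, keyed by passport number.
DATABASE = {
    "E1234567A": PersonalDataSet("Alice Tan", "F", "SG", "1985-03-02", "E1234567A", "2027-01-01"),
    "E7654321B": PersonalDataSet("Bob Lim", "M", "SG", "1979-11-20", "E7654321B", "2026-06-30"),
}


def counter_prefill(passport_no: str) -> Optional[PersonalDataSet]:
    """Internal check-in counter feature: staff enter a passport number and the
    returning passenger's record is retrieved. The lookup itself carries no
    authorisation; it relies entirely on the counter being staff-operated."""
    return DATABASE.get(passport_no)


def booking_prefill_as_deployed(passport_no: str) -> Optional[PersonalDataSet]:
    """The contractor's replica on the public Booking Site: the identical lookup,
    but now any visitor who types a matching passport number receives the
    associated record. Same code, different trust boundary."""
    return counter_prefill(passport_no)


def booking_prefill_hardened(session_passport_no: Optional[str],
                             passport_no: str) -> Optional[PersonalDataSet]:
    """Hardened booking form: prefill only when the visitor is authenticated and
    the record requested is their own; otherwise nothing is disclosed and the
    visitor fills in the form manually."""
    if session_passport_no is None or session_passport_no != passport_no:
        return None
    return DATABASE.get(passport_no)
```

The two booking functions share the same data access; only the hardened one ties the lookup to who is asking, which is the check the counter never needed.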

The two main issues for determination were:

1. Whether the Organisation complied with its obligations under sections 11(3) and 12(a) of the PDPA regarding the appointment of a data protection officer and the development and implementation of data protection policies and practices.

2. Whether the Organisation breached section 24 of the PDPA, which requires an organisation to protect personal data in its possession or under its control.

How Did the Court Analyse the Issues?

On the first issue, the PDPC found that the Organisation had blatantly disregarded its obligations under sections 11(3) and 12(a) of the PDPA.

The PDPC noted that the Organisation did not have a designated data protection officer (DPO) at the time of the incident, only appointing one after being notified of the complaint. The PDPC emphasized the vital role of the DPO in building a robust data protection framework and ensuring an organisation's compliance with the PDPA, regardless of the size of the organisation.

Additionally, the PDPC found that the Organisation did not have adequate data protection policies and practices in place. While the Organisation claimed to have an internal guideline on confidentiality, this did not set out any actual processes or practices to protect the personal data in its possession. The PDPC stressed that the development and implementation of comprehensive data protection policies is a fundamental and crucial starting point for organisations to comply with their obligations under the PDPA.

On the second issue, the PDPC determined that the personal data stored in the Organisation's Database, which included sensitive information such as passport details, constituted "personal data" under the PDPA. The PDPC found that the Organisation's failure to have proper data protection policies and practices in place, as well as the unintended auto-retrieval and auto-population feature on the Booking Site, resulted in a breach of the Organisation's obligation to protect the personal data in its possession under section 24 of the PDPA.

What Was the Outcome?

Based on its findings, the PDPC ordered the Organisation to:

1. Implement appropriate data protection policies and practices, including appointing a DPO, to ensure compliance with its obligations under the PDPA.

2. Pay a financial penalty of S$7,000 for its breaches of sections 11(3), 12(a), and 24 of the PDPA.

Why Does This Case Matter?

This case highlights the importance of organisations, regardless of their size, having a robust data protection framework in place, including the appointment of a designated DPO and the development and implementation of comprehensive data protection policies and practices.

The PDPC's decision emphasizes that the failure to meet the "openness obligation" under the PDPA, which requires organisations to be transparent about their data protection measures, can lead to broader data protection breaches and regulatory action. This case serves as a reminder to all organisations that handle personal data to prioritize compliance with the PDPA and take proactive steps to protect the personal information in their possession.

The PDPC's analysis of the DPO's role and the importance of data protection policies also provides valuable guidance for organisations seeking to enhance their data protection practices and avoid similar regulatory issues.

This article analyses [2019] SGPDPC 27 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla