
i-vic International Pte. Ltd. [2019] SGPDPC 41

Analysis of [2019] SGPDPC 41, a decision of the Personal Data Protection Commission on 2019-11-12.

Case Details

  • Citation: [2019] SGPDPC 41
  • Court: Personal Data Protection Commission
  • Date: 2019-11-12
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: i-vic International Pte. Ltd.
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: -
  • Cases Cited: [2019] SGPDPC 41
  • Judgment Length: 5 pages, 1,144 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that i-vic International Pte. Ltd. (the Organisation) had failed to make reasonable security arrangements to protect personal data in its possession, in contravention of section 24 of Singapore's Personal Data Protection Act (PDPA). The Organisation, which was engaged by the Employment and Employability Institute Ltd (e2i) to process claims and queries related to a work trial programme, inadvertently disclosed the personal data of three individuals to nine other individuals due to a coding error in its automated email generation process.

The PDPC directed the Organisation to pay a financial penalty of $6,000 for its failure to put in place proper testing and security measures to prevent such data breaches. However, the PDPC did not issue any further directions as the Organisation had taken remedial actions to fix the coding error and implement encryption for email attachments.

This case highlights the importance for organisations handling personal data to have robust security measures and thorough testing procedures in place to comply with the PDPA's protection obligation. It also demonstrates the PDPC's willingness to impose financial penalties on organisations that fail to adequately safeguard personal data entrusted to them.

What Were the Facts of This Case?

The Employment and Employability Institute Ltd (e2i) had engaged i-vic International Pte Ltd (the Organisation) to process claims and queries from members of the public relating to a work trial programme that e2i administered on behalf of a public agency, Workforce Singapore (WSG). As part of this engagement, the Organisation was required to manage e2i's mailbox, develop and maintain the IT infrastructure and customer relationship management (CRM) software used to operate the mailbox, and either reply to emails from the public or escalate queries to the relevant e2i representatives.

The Organisation's CRM system had an "Automated Email Generation Process" that would automatically generate and send two emails when an employee of the Organisation escalated a query - a holding reply to the member of the public and an email to the relevant e2i representative, with the necessary documents attached. However, this process was unable to run while the Organisation was running a separate "Reward Programme Process" on the 1st of every month.

On 1 April 2019, while the Reward Programme Process was running, one of the Organisation's employees attempted to generate new emails using the Automated Email Generation Process. Due to an error in the code, the system attached the wrong documents, containing the personal data of three individuals (the "Affected Individuals"), to the emails and sent them out to nine different recipients. The disclosed personal data included the Affected Individuals' names, NRIC numbers, signatures, residential addresses, mobile numbers, email addresses, age, race, bank account numbers, academic qualifications, work trial details, and work experience.

After becoming aware of the incident, the Organisation took remedial actions, including fixing the coding error and implementing automated encryption of email attachments to prevent unauthorised access to personal data.

The key legal issue in this case was whether the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession or under its control, as required by section 24 of the PDPA.

As a preliminary matter, the PDPC noted that e2i, which was acting on behalf of WSG in relation to the work trial programme, was not subject to the PDPA's data protection obligations under sections 24-26 for the collection, use, and disclosure of personal data for that purpose. However, the Organisation, as a data intermediary processing personal data on behalf of e2i, was required to comply with the PDPA's protection obligation under section 24.

How Did the Court Analyse the Issues?

In analysing whether the Organisation had breached section 24 of the PDPA, the PDPC first acknowledged that the Organisation had asserted that it had tested the code of the Automated Email Generation Process. However, the PDPC found that the Organisation had failed to properly test how the code would function when the Automated Email Generation Process had to process instructions to generate and send emails that were queued while the Reward Programme Process was running.

The PDPC explained that the Organisation ought to have known that the Automated Email Generation Process would be unable to run while the Reward Programme Process was executing on the 1st of every month. Therefore, the PDPC held that the Organisation should have tested the impact of this circumstance on the Automated Email Generation Process, as diligent and properly scoped testing would likely have detected the issue of documents containing personal data being incorrectly attached to the queued emails.
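The decision does not reproduce the Organisation's code, so the following is an added illustration, not the Organisation's system: a hypothetical model of an email generator that queues requests while a blocking process runs, together with the kind of properly scoped test the PDPC describes. The constructed recipients and document ids are placeholders; the "shared staging area" pattern is one assumed way such mis-attachment can arise when queued jobs are drained later.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    recipient: str
    docs: tuple  # document ids that belong to this email


class EmailGenerator:
    """Hypothetical model. Emails requested while a blocking process runs are
    queued and sent when the block lifts. bind_on_enqueue=True captures the
    attachments per job; False reads them from a shared staging area at send
    time, so every drained email gets whatever was staged last."""

    def __init__(self, bind_on_enqueue):
        self.bind_on_enqueue = bind_on_enqueue
        self.blocked = False
        self.queue = deque()
        self.staging = []  # shared mutable area, last write wins
        self.sent = []     # (recipient, docs) actually sent

    def request(self, recipient, docs):
        self.staging = list(docs)
        job = Job(recipient, tuple(docs) if self.bind_on_enqueue else ())
        if self.blocked:
            self.queue.append(job)
        else:
            self._send(job)

    def _send(self, job):
        docs = job.docs if self.bind_on_enqueue else tuple(self.staging)
        self.sent.append((job.recipient, docs))

    def unblock(self):
        self.blocked = False
        while self.queue:
            self._send(self.queue.popleft())


def drain_test(bind_on_enqueue):
    """The properly scoped test: queue several escalations during the monthly
    blocking window, drain the queue, and check each email carries only its
    own documents. Returns a list of (recipient, expected, actual) mismatches."""
    gen = EmailGenerator(bind_on_enqueue)
    requests = [("rep-a@example.invalid", ("doc-1",)),
                ("rep-b@example.invalid", ("doc-2",)),
                ("rep-c@example.invalid", ("doc-3",))]  # constructed sample
    gen.blocked = True  # the monthly blocking process is running
    for recipient, docs in requests:
        gen.request(recipient, docs)
    gen.unblock()
    return [(r, e, a) for (r, e), (_, a) in zip(requests, gen.sent) if e != a]
```

Running `drain_test(False)` reports two emails that would have carried another individual's documents, which is exactly the class of defect that testing only the unblocked path would miss.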

The PDPC concluded that the Organisation's failure to put in place such diligent and properly scoped testing amounted to a failure to make reasonable security arrangements to protect the personal data in its possession or under its control, thereby contravening section 24 of the PDPA.

What Was the Outcome?

In view of the PDPC's findings, the Deputy Commissioner directed the Organisation to pay a financial penalty of $6,000 within 30 days. The PDPC did not issue any further directions, as the Organisation had already taken remedial actions to fix the coding error and implement automated encryption of email attachments to prevent similar incidents from occurring in the future.

Why Does This Case Matter?

This case is significant for several reasons:

Firstly, it demonstrates the PDPC's strict interpretation of the PDPA's protection obligation under section 24. The PDPC made it clear that organisations handling personal data must have robust security measures and thorough testing procedures in place to prevent data breaches, even if the organisation is acting as a data intermediary on behalf of another entity.

Secondly, the case highlights the importance of proactively anticipating and testing for potential vulnerabilities in an organisation's data processing systems. The PDPC found that the Organisation should have foreseen the impact of the Reward Programme Process on the Automated Email Generation Process and tested accordingly, even though the Organisation had initially tested the code.

Thirdly, the imposition of a $6,000 financial penalty shows that the PDPC is willing to take enforcement action and levy meaningful sanctions against organisations that fail to adequately protect personal data. This serves as a strong deterrent and encourages organisations to prioritise data protection compliance.

Overall, this case provides valuable guidance for organisations on the PDPA's protection obligation and the need to implement comprehensive security measures and testing procedures to avoid data breaches and regulatory enforcement action.

Legislation Referenced

  • Personal Data Protection Act (PDPA) of Singapore

Cases Cited

  • [2019] SGPDPC 41

Source Documents

This article analyses [2019] SGPDPC 41 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
