
Iapps Pte Ltd. [2021] SGPDPC 1

Analysis of [2021] SGPDPC 1, a decision of the Personal Data Protection Commission on 2021-02-10.

Case Details

  • Citation: [2021] SGPDPC 1
  • Court: Personal Data Protection Commission
  • Date: 2021-02-10
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: Iapps Pte Ltd.
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Exclusion for organisation acting on behalf of public agency, Data Protection – Data intermediary
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012, SSCMMS and Act
  • Cases Cited: [2017] SGPDPC 14, [2019] SGPDPC 34, [2020] SGPDPC 1, [2021] SGPDPC 1
  • Judgment Length: 12 pages, 2,618 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a complaint regarding the unauthorized disclosure of personal data through the ActiveSG mobile application. The PDPC found that Iapps Pte Ltd, the organization responsible for developing and operating the application, had failed to implement reasonable security arrangements to prevent the unauthorized access, in contravention of the Personal Data Protection Act (PDPA). While Iapps Pte Ltd argued that it was acting as a data intermediary on behalf of the public agency Sport Singapore, the PDPC determined that the relationship was one of an independent third-party vendor, and thus Iapps Pte Ltd could not avail itself of the exclusion for organizations acting on behalf of public agencies under the PDPA.

What Were the Facts of This Case?

The case arose from a complaint received by the PDPC on 1 March 2019 regarding potential unauthorized disclosure of personal data through the ActiveSG mobile application. The complainant was able to view another individual's personal data when he logged into his child's supplementary account on the ActiveSG app.

ActiveSG is a national movement for sports coordinated by Sport Singapore, a statutory board of the Ministry of Culture, Community and Youth. Iapps Pte Ltd, a financial technology company specializing in mobile application development and marketing, was engaged by Sport Singapore to develop, deploy and operate the Super Sports Club Membership Management System (SSCMMS), of which the ActiveSG app was a component.

On 1 March 2019, an Iapps engineer developed a security code fix for the ActiveSG app that was meant to be deployed into the enterprise (test) environment for further testing. Due to human error, the fix was instead deployed into the production environment. As a result, 153 individuals' personal data was put at risk of unauthorized access, and the names, NRIC numbers and, in some cases, additional personal data such as email addresses and phone numbers of 108 individuals (including 9 minors) were actually accessed by 84 individuals.

The key legal issues in this case were:

  1. Whether Iapps Pte Ltd was a data intermediary acting on behalf of the public agency Sport Singapore, and could thus avail itself of the exclusion under the previous section 4(1)(c) of the PDPA.
  2. Whether Iapps Pte Ltd had contravened section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data in its possession or under its control.

How Did the Court Analyse the Issues?

On the first issue, the PDPC examined the relationship between Iapps Pte Ltd and Sport Singapore. The PDPC found that Iapps Pte Ltd was an independent third-party vendor, and not an agent acting on behalf of Sport Singapore. The contract between the parties did not expressly authorize Iapps to act on Sport Singapore's behalf, and the presence of an indemnity clause in the contract was evidence that the relationship was not one of principal and agent. Sport Singapore also confirmed that it had never appointed Iapps to act in its place. Therefore, the PDPC concluded that the exclusion under the previous section 4(1)(c) of the PDPA did not apply to Iapps Pte Ltd.

On the second issue, the PDPC found that Iapps Pte Ltd was in possession and control of the personal data that was accessed during the incident, as it was responsible for operating the SSCMMS and ActiveSG app. Therefore, Iapps Pte Ltd was obliged under section 24 of the PDPA to make reasonable security arrangements to protect this data from unauthorized access.

The PDPC's investigations revealed that Iapps Pte Ltd's processes and procedures for deploying code into the production environment were not sufficiently robust. There were no second-level approvals or supervisory checks, so the engineer's mistake of deploying the code fix directly into production instead of the test environment went uncaught. The PDPC considered this a "grave and serious error" with potentially severe consequences, and concluded that Iapps Pte Ltd had failed to make reasonable security arrangements as required by the PDPA.

What Was the Outcome?

Based on its findings, the PDPC determined that Iapps Pte Ltd had contravened section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data in its possession or under its control. The PDPC directed Iapps Pte Ltd to implement additional security measures, including separating its enterprise and production environments, implementing two-factor authentication for engineer access to the production environment, and monitoring affected users for suspicious activities.
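As an added illustration (not code from the decision, and not Iapps' or Sport Singapore's own tooling), the following Python sketch models the controls the PDPC called for: explicitly named, separate environments with the test environment as the fail-safe default, a second approver who is not the author for any production deployment, and a two-factor check on the engineer's access to production. The environment names, the request fields and the `evaluate` function are assumptions made for this example; the gate fails closed and records why.

```python
"""Deployment gate modelling the controls described in [2021] SGPDPC 1.

Added example, not code from the decision or from the parties involved.
Constructed assumptions: a deploy request carries its target environment,
its author, an optional second approver and whether the author's access
to production was verified with a second factor.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PRODUCTION = "production"
ENTERPRISE = "enterprise"  # the test environment named in the decision
KNOWN_ENVIRONMENTS = {PRODUCTION, ENTERPRISE}


def parse_target(raw: Optional[str]) -> str:
    """Resolve the requested environment.

    An unspecified target resolves to the test environment, so a deploy can
    never reach production by omission; production must be spelled out.
    """
    if raw is None or not raw.strip():
        return ENTERPRISE
    name = raw.strip().lower()
    if name not in KNOWN_ENVIRONMENTS:
        raise ValueError(f"unknown target environment {raw!r}")
    return name


@dataclass
class DeployRequest:
    change_id: str
    target: str
    author: str
    approver: Optional[str] = None
    author_mfa_verified: bool = False


@dataclass
class GateResult:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: DeployRequest) -> GateResult:
    """Apply the production controls; returns allowed=False with reasons otherwise."""
    reasons: List[str] = []
    if req.target not in KNOWN_ENVIRONMENTS:
        reasons.append(f"unknown target environment {req.target!r}")
    if req.target == PRODUCTION:
        # Second-level approval: a different person must sign off.
        if req.approver is None:
            reasons.append("production deploy requires a second-level approval")
        elif req.approver == req.author:
            reasons.append("approver must differ from author")
        # Two-factor authentication for engineer access to production.
        if not req.author_mfa_verified:
            reasons.append("production access requires two-factor authentication")
    return GateResult(allowed=not reasons, reasons=reasons)


def deploy(req: DeployRequest, run) -> dict:
    """Run the deployment only when the gate allows it; always return an audit record."""
    result = evaluate(req)
    if result.allowed:
        run(req)
    return {
        "change_id": req.change_id,
        "target": req.target,
        "author": req.author,
        "approver": req.approver,
        "deployed": result.allowed,
        "reasons": result.reasons,
    }


if __name__ == "__main__":
    # Constructed sample: a fix intended for the test environment.
    fix = DeployRequest("CHG-0001", parse_target(None), author="engineer")
    print(deploy(fix, lambda r: print(f"deploying {r.change_id} to {r.target}")))
    # The same fix pushed at production without a second approver is refused.
    mistaken = DeployRequest("CHG-0001", PRODUCTION, author="engineer")
    print(deploy(mistaken, lambda r: print("should not run")))
```

The record returned by `deploy` is what a supervisory check would review: a production deployment is either accompanied by a distinct approver and a verified second factor, or it is refused with the reasons logged.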

Why Does This Case Matter?

This case is significant for several reasons:

  1. It clarifies the scope of the exclusion under the previous section 4(1)(c) of the PDPA for organizations acting on behalf of public agencies. The PDPC made it clear that this exclusion will not be applicable in future cases, as it has been amended to apply only to public agencies themselves.
  2. The case highlights the importance of having robust processes and procedures in place for the deployment of software and code, especially when dealing with systems that contain sensitive personal data. The PDPC emphasized that the lack of proper oversight and supervisory checks in Iapps Pte Ltd's deployment processes was a "grave and serious error" that led to the unauthorized access incident.
  3. The case serves as a warning to organizations that they must fulfill their obligations under the PDPA to make reasonable security arrangements to protect personal data in their possession or control, regardless of whether they are acting as a data intermediary or in some other capacity. Failure to do so can result in enforcement action by the PDPC.

Legislation Referenced

  • Personal Data Protection Act 2012
  • SSCMMS and Act

Cases Cited

  • [2017] SGPDPC 14
  • [2019] SGPDPC 34
  • [2020] SGPDPC 1
  • [2021] SGPDPC 1
  • Alwie Handoyo v Tjong Very Sumitomo and anor [2013] 4 SLR 308
  • Ong Han Ling and anor v American International Assurance Co Ltd and ors [2018] 5 SLR 549

Source Documents

This article analyses [2021] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
