Case Details
- Citation: [2018] SGPDPC 11
- Court: Personal Data Protection Commission
- Date: 2018-05-14
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Information Technology Management Association (Singapore)
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
- Cases Cited: [2018] SGPDPC 11
- Judgment Length: 4 pages, 869 words
Summary
In this case, the Personal Data Protection Commission (PDPC) of Singapore found that the Information Technology Management Association (Singapore) (the "Organisation") had breached its obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect personal data in its possession. The Organisation had inadvertently disclosed the personal data of 28 delegates, including their full names, gender, nationality, dates of birth, and passport numbers, to all 49 delegates participating in a study trip. While the PDPC found that the Organisation had developed and implemented adequate policies and practices to comply with the PDPA as required under Section 12(a), it issued a warning to the Organisation for the breach of its protection obligation.
What Were the Facts of This Case?
The Organisation engaged a travel service provider to organize a study trip for 49 delegates. On 8 August 2017, the Organisation received an email from the travel service provider with two attachments, one of which was a list containing the full names, gender, nationality, dates of birth, and passport numbers of 28 delegates (the "List"). On 10 August 2017, the Organisation forwarded the email, including the List, to all 49 delegates, resulting in the inadvertent disclosure of the personal data.
Upon receiving feedback from one of the delegates about the List, the Organisation promptly emailed an apology to the 28 delegates whose personal data was disclosed. The Organisation also contacted all 49 recipients and requested that they delete the copy of the List that they had received.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether the Organisation breached Section 24 of the PDPA by failing to protect the personal data in the List from unauthorized access or disclosure.
- Whether the Organisation breached Section 12(a) of the PDPA by failing to develop and implement policies and practices to comply with the Act.
How Did the Court Analyse the Issues?
Regarding the first issue, the PDPC noted that under Section 24 of the PDPA, an organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. In this case, the PDPC found that the Organisation had failed to do so when it forwarded the email containing the List to all 49 delegates, disclosing the personal data to recipients who were not intended to receive it.
The PDPC referenced the Commissioner's Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, which states that employees should ensure that attachments are checked and verified before sending them to the intended recipients. The PDPC concluded that the Organisation had failed to do so in this case, leading to the breach of its protection obligation under Section 24 of the PDPA.
Regarding the second issue, the PDPC examined the Organisation's Personal Data Protection Statement (PDP Statement), which outlined how collected personal data might be used, the limitation of access to personal data to only those employees who needed to process it, and the sharing of personal data only when there was a "legitimate reason". The PDPC also noted that an employee had been assigned to process all personal data handled by the Organisation and had received formal training on the requirements of the PDPA.
The PDPC assessed that the Organisation's PDP Statement and its efforts to limit access to personal data and provide PDPA compliance training to the relevant employee complied with the requirement under Section 12(a) to develop and implement policies and practices to meet its obligations under the PDPA. The PDPC also considered the Organisation's remedial measures, such as requiring employees to review all emails and attachments before sending or forwarding, and to check whether personal data is being sent to unintended and/or unauthorized recipients, as forms of practices to help employees manage the risk of unauthorized disclosure of personal data.
What Was the Outcome?
The PDPC found that the Organisation had breached its protection obligation under Section 24 of the PDPA by failing to take reasonable steps to prevent the unauthorized disclosure of the personal data in the List. However, the PDPC did not find the Organisation in breach of its obligation under Section 12(a) to develop and implement policies and practices to comply with the PDPA.
In considering the appropriate enforcement action, the PDPC took into account the Organisation's prompt action to inform all 49 delegates to delete the List, its voluntary notification of the incident and cooperation in the investigation, and its reasonable remedial measures to address the risk of similar incidents. As a result, the PDPC decided to issue a warning to the Organisation for the breach of its protection obligation under Section 24 of the PDPA, rather than imposing further directions or a financial penalty.
Why Does This Case Matter?
This case is significant for several reasons:
First, it highlights the importance of organizations taking reasonable steps to protect personal data in their possession, as required under Section 24 of the PDPA. The case demonstrates that even inadvertent disclosure of personal data can constitute a breach of the protection obligation, and organizations must have robust processes in place to prevent such incidents from occurring.
Second, the case provides guidance on the PDPC's interpretation of the requirement under Section 12(a) for organizations to develop and implement policies and practices to comply with the PDPA. The PDPC's assessment of the Organisation's PDP Statement and its efforts to limit access to personal data and provide PDPA compliance training suggests that organizations can meet this requirement by having well-documented policies and implementing practical measures to manage the risks of unauthorized access or disclosure.
Finally, the case highlights the PDPC's approach to enforcement, where it considers various mitigating factors, such as the organization's prompt remedial actions, voluntary notification, and cooperation, in determining the appropriate enforcement action. This suggests that organizations that proactively address data protection issues and demonstrate a commitment to compliance may be treated more favorably by the PDPC.
Legislation Referenced
- Personal Data Protection Act 2012 (PDPA)
Cases Cited
- [2018] SGPDPC 11
Source Documents
This article analyses [2018] SGPDPC 11 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.