Case Details
- Citation: [2018] SGPDPC 28
- Court: Personal Data Protection Commission
- Date: 2018-12-13
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Institute of Singapore Chartered Accountants
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 28
- Judgment Length: 11 pages, 2,310 words
Summary
This case examines the data protection obligations of the Institute of Singapore Chartered Accountants (ISCA) under the Personal Data Protection Act 2012 (PDPA). The Personal Data Protection Commission found that ISCA breached its obligation to make reasonable security arrangements to protect personal data when one of its employees inadvertently emailed an unencrypted file containing personal information of 1,906 individuals to an unintended recipient. The Commission determined that ISCA's security policies were insufficient, as they did not require password-based encryption for internal emails containing large volumes of sensitive personal data.
What Were the Facts of This Case?
ISCA is the national professional body for accountants in Singapore, with around 32,000 members. As part of its business operations, ISCA employees regularly accessed and handled a significant volume of members' personal data, including sensitive information such as employment history, qualifications, and exam results.
On 23 November 2017, two ISCA employees were unable to open a Microsoft Excel file containing personal data of 1,906 individuals, as the file appeared to be corrupted. They sought assistance from ISCA's IT department to recover the file from the backup server. The IT System/Network Engineer then emailed the recovered file to the two employees and, inadvertently, to an unintended recipient: an accounts manager at a telecommunications service provider that worked with ISCA.
The Excel file contained a wide range of personal data, including NRIC numbers, passport numbers, names, dates of birth, addresses, email addresses, mobile numbers, employment history, qualifications, exam results, and appeal status. The file was not encrypted with a password.
ISCA took immediate remedial action, including notifying the unintended recipient to delete the file, obtaining a declaration that the file had been deleted, and informing all 1,906 affected individuals about the incident.
What Were the Key Legal Issues?
The key legal issue was whether ISCA had complied with its obligations under Section 24 of the PDPA to protect the personal data in its possession by making reasonable security arrangements.
Specifically, the Personal Data Protection Commission had to determine whether ISCA's security policies and practices were sufficient to prevent unauthorized access, disclosure, or similar risks when ISCA employees handled large volumes of sensitive personal data, particularly during email transmission.
How Did the Court Analyse the Issues?
The Commission found that the personal data contained in the Excel file was clearly "personal data" under the PDPA, and that ISCA, as the organization in possession and control of the data, was subject to the PDPA's requirements.
In assessing ISCA's compliance with Section 24, the Commission noted that ISCA had general policies on information sensitivity and data protection, as well as some targeted policies and standard operating procedures for specific departments. However, the Commission determined that these policies were insufficient in the circumstances.
The Commission highlighted that the Excel file contained a large volume of personal data, including sensitive information with a high expectation of confidentiality. Given the nature and volume of the data, the Commission found that ISCA should have had a policy requiring password-based encryption for all internal and external emails containing such sensitive personal data, regardless of the intended recipients.
The Commission rejected ISCA's argument that its policies only required encryption for external emails, as the risk of unauthorized access existed even for internal emails. The Commission was also unconvinced by ISCA's explanation that the IT employee was unaware of the file's contents, since the employee should have at least checked the file before sending it.
Ultimately, the Commission concluded that ISCA's security arrangements were not reasonable, as they did not adequately address the risks of unauthorized access or disclosure when ISCA employees handled large volumes of sensitive personal data, particularly during email transmission.
What Was the Outcome?
The Personal Data Protection Commission found that ISCA had breached its obligations under Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data in the Excel file.
The Commission did not impose any financial penalty on ISCA, as the organization had taken prompt remedial actions and cooperated fully with the investigation. However, the Commission directed ISCA to review and strengthen its data protection policies and practices to ensure compliance with the PDPA going forward.
Why Does This Case Matter?
This case highlights the importance of organizations having robust data protection policies and practices, particularly when handling large volumes of sensitive personal data. It underscores that general information security policies may be insufficient, and that organizations must have specific measures in place to address the risks associated with the nature and volume of personal data they process.
The case also serves as a reminder that the PDPA's protection obligations extend to internal data handling and transmission, not just external disclosures. Organizations cannot rely on the intended recipients being authorized or trusted parties as a justification for not implementing appropriate security controls.
Ultimately, this decision sends a clear message to organizations that the Personal Data Protection Commission will closely scrutinize their data protection practices and hold them accountable for failing to make reasonable security arrangements, even in the absence of actual harm or financial penalties. It emphasizes the need for proactive and comprehensive data protection measures to ensure compliance with the PDPA.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 28
Source Documents
This article analyses [2018] SGPDPC 28 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.