Case Details
- Citation: [2020] SGPDPC 9
- Court: Personal Data Protection Commission
- Date: 2020-03-30
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Jigyasa
- Legal Areas: Data Protection – Protection obligation, Data Protection – Accountability obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 7, [2018] SGPDPC 26, [2019] SGPDPC 17, [2019] SGPDPC 5, [2020] SGPDPC 9
- Judgment Length: 18 pages, 4,706 words
Summary
This case concerns the unauthorized disclosure of employee assessment reports, such as 360 Feedback Reports and evaluation reports, on the website of Jigyasa, a human resource and management consultancy business. The Personal Data Protection Commission found that Jigyasa breached its obligations under the Personal Data Protection Act 2012 to protect personal data and maintain proper data protection policies and practices.
What Were the Facts of This Case?
Jigyasa is a business operated by a sole proprietor with one part-time employee. The organization generated employee assessment reports, including 360 Degree Feedback Reports and evaluation reports, based on survey results collected through its web application. These reports contained detailed information about the employees of Jigyasa's clients, including their names, employers, performance appraisals, and 360 feedback scores.
In July 2017, the Personal Data Protection Commission received complaints from three individuals (the "Complainants") stating that when they searched their names online, they found links to their 360 Feedback Reports, which were accessible through the Jigyasa website. The Complainants expressed concern that the disclosure of this private and confidential information could significantly impact their job prospects and career options.
Jigyasa claimed that it was not aware that the reports were being stored on its server and made publicly accessible through the website. The organization stated that it had engaged an independent developer to redesign the website, and during this process, password protection for the reports was not implemented, despite having been in place previously. Jigyasa maintained that the public accessibility of the reports was an unintended consequence of the website redesign.
What Were the Key Legal Issues?
The key legal issues in this case were whether Jigyasa had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to:
- Protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal (the "Protection Obligation" under Section 24 of the PDPA).
- Develop and implement data protection policies and practices (the "Accountability Obligation" under Section 12 of the PDPA).
- Appoint a data protection officer (the "Accountability Obligation" under Section 11 of the PDPA).
How Did the Court Analyse the Issues?
In analysing the Protection Obligation under Section 24 of the PDPA, the Commission found that Jigyasa demonstrated a lack of knowledge about the security arrangements of its website, particularly regarding the creation and storage of the employee assessment reports. The organization was under the mistaken impression that the personal data had been removed from the server when the previous website was discontinued.
The Commission noted that to fulfill its Protection Obligation, Jigyasa was required to, at the very least, be aware of how and where it stores personal data in order to implement measures to protect such data. The organization had also failed to provide the independent developer with clear instructions to ensure that no personal data was subject to unauthorized disclosure or access as a result of the website redesign.
Regarding the Accountability Obligation under Sections 12 and 11 of the PDPA, the Commission found that Jigyasa lacked data protection policies and practices, and had failed to appoint a data protection officer. The organization's lack of awareness of its obligations under the PDPA and its failure to implement appropriate data protection measures demonstrated a breach of the Accountability Obligation.
What Was the Outcome?
Based on the findings, the Personal Data Protection Commission concluded that Jigyasa had breached its obligations under the PDPA to protect personal data and maintain proper data protection policies and practices. The Commission directed Jigyasa to:
- Implement appropriate policies and practices to comply with the PDPA, including appointing a data protection officer.
- Conduct a review of its data protection practices and implement reasonable security arrangements to prevent similar incidents in the future.
- Provide a copy of the Commission's decision to the Complainants.
Why Does This Case Matter?
This case is significant as it highlights the importance of organizations, particularly small and medium-sized enterprises (SMEs), understanding and fulfilling their obligations under the PDPA. The Commission's decision emphasizes that organizations must be proactive in managing the personal data in their possession, including being aware of how and where such data is stored, and implementing appropriate security measures to prevent unauthorized access or disclosure.
The case also underscores the need for organizations to provide clear instructions and oversight to any third-party vendors or developers engaged to work on their websites or IT systems, to ensure that personal data is properly protected. Relying solely on the goodwill and integrity of a third-party vendor is not sufficient to meet the organization's data protection obligations under the PDPA.
Furthermore, the case serves as a reminder that the Accountability Obligation under the PDPA requires organizations to have in place data protection policies, practices, and a designated data protection officer. Failure to do so can result in regulatory action by the Personal Data Protection Commission.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2017] SGPDPC 7
- [2018] SGPDPC 26
- [2019] SGPDPC 17
- [2019] SGPDPC 5
- [2020] SGPDPC 9
Source Documents
This article analyses [2020] SGPDPC 9 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.