Case Details
- Citation: [2021] SGPDPCR 1
- Court: Personal Data Protection Commission
- Date: 2021-01-29
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: Jigyasa
- Defendant/Respondent: -
- Legal Areas: Data Protection – Protection obligation, Data Protection – Accountability obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 4, [2020] SGPDPC 9, [2021] SGPDPCR 1
- Judgment Length: 11 pages, 2,247 words
Summary
In this case, the Personal Data Protection Commission (the "Commission") found that Jigyasa (the "Organisation") had breached its obligations under the Personal Data Protection Act 2012 ("PDPA") by failing to implement reasonable security arrangements to protect the personal data of 671 employees of its clients. The Commission imposed a financial penalty of $90,000 on the Organisation and directed it to appoint a data protection officer and develop and implement data protection policies and practices.
The Organisation applied for reconsideration of the decision, seeking the removal or reduction of the financial penalty. The Commission dismissed the application, finding that the Organisation's submissions did not constitute mitigating factors that warranted a reduction in the penalty.
What Were the Facts of This Case?
The key facts of this case are as follows:
In 2010, the Organisation discontinued the use of a web application (the "Web Application") that it had used to collect survey results from employees of its clients, which were then used to generate employee assessment reports (the "Reports"). The Reports were stored on a server that hosted the Web Application (the "Server").
In July 2017, it was discovered that three of the Reports were publicly accessible through links generated by internet searches. The Commission's investigation found that the webpages containing the Reports may have been inadvertently created in February 2017 when the Organisation's website (the "Website") was being redesigned by an independent developer (the "Developer").
The Organisation did not provide the Developer with any specific instructions to protect personal data or on the security arrangements for the Website during the redesign process. The Organisation also did not conduct any vulnerability scans or other security testing on the Website before or after the redesign.
Furthermore, the Organisation did not appoint a data protection officer ("DPO") or develop and implement any data protection policies and practices.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Organisation had breached its obligations under section 24 of the PDPA to protect the personal data of the 671 employees (the "Affected Individuals") whose Reports were at risk of unauthorized access and disclosure.
2. Whether the Organisation had breached its obligations under sections 11(3) and 12 of the PDPA to appoint a DPO and develop and implement data protection policies and practices.
How Did the Court Analyse the Issues?
In its analysis, the Commission found that the Organisation had indeed breached its obligations under the PDPA.
Regarding the protection obligation under section 24, the Commission noted that the Organisation had failed to implement reasonable security arrangements to protect the personal data in the Reports. The Organisation did not provide the Developer with clear instructions on the need for security arrangements during the Website redesign, and it did not conduct any security testing on the Website before or after the redesign. This resulted in the Reports being inadvertently made publicly accessible, exposing the Affected Individuals' personal data to the risk of unauthorized access and disclosure.
With respect to the accountability obligations under sections 11(3) and 12, the Commission found that the Organisation had failed to appoint a DPO and develop and implement any data protection policies and practices. The Commission rejected the Organisation's argument that the sole proprietor was "automatically" considered the DPO, as the PDPA requires a formal appointment.
In considering the appropriate enforcement action, the Commission noted that the personal data in the Reports was sensitive in nature, as it included assessments of the Affected Individuals' work performance. Unauthorized access to such data could potentially result in harm to the individuals concerned. The Commission also emphasized that the incident revealed the Organisation's ignorance of the data protection provisions in the PDPA.
What Was the Outcome?
The Commission dismissed the Organisation's application for reconsideration and upheld the original decision. The Organisation was directed to:
- Pay a financial penalty of $90,000;
- Appoint a DPO; and
- Develop and implement policies and practices necessary for the Organisation to meet its obligations under the PDPA, and communicate them to its staff.
Why Does This Case Matter?
This case is significant for several reasons:
First, it reinforces the importance of organizations implementing reasonable security arrangements to protect the personal data they hold, even if the data is not actively being used. The Commission emphasized that the fact that the Reports were old and the feedback providers were anonymous did not negate the potential harm to the Affected Individuals.
Second, the case highlights the need for organizations to provide clear and specific instructions to third-party service providers, such as website developers, regarding the protection of personal data. Relying solely on the goodwill and integrity of the service provider is not sufficient to meet the organization's obligations under the PDPA.
Third, the case underscores the Commission's strict enforcement of the PDPA's accountability obligations, including the requirement to appoint a DPO and develop and implement data protection policies and practices. Organizations cannot simply assume that they are compliant with these obligations.
Overall, this case serves as a valuable reminder to organizations of all sizes of the importance of implementing robust data protection measures and maintaining a strong culture of data protection compliance, even for legacy data and systems.
Legislation Referenced
- Personal Data Protection Act 2012
- Personal Data Protection Act
Cases Cited
- [2018] SGPDPC 4
- [2020] SGPDPC 9
- [2021] SGPDPCR 1
Source Documents
This article analyses [2021] SGPDPCR 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.