Case Details
- Citation: [2020] SGPDPC 10
- Court: Personal Data Protection Commission
- Date: 2020-03-17
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Management Corporation Strata Title Plan No. 3400
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Building Maintenance and Strata Management Act, Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 14, [2016] SGPDPC 7, [2017] SGPDPC 12, [2018] SGPDPC 168, [2018] SGPDPC 26, [2019] SGPDPC 5, [2019] SGPDPC 48, [2019] SGPDPC 1, [2019] SGPDPC 11, [2019] SGPDPC 16
- Judgment Length: 9 pages, 1,912 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Management Corporation Strata Title Plan No. 3400 (the "Organisation") had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect personal data in its possession. The breach occurred when a directory containing personal data of 562 individuals was accidentally made publicly accessible on the internet due to inadequate security measures by the Organisation.
The PDPC highlighted the importance of organisations conducting regular security reviews and implementing appropriate technical and administrative safeguards to detect and mitigate IT security vulnerabilities that could lead to unauthorized access and disclosure of personal data. While the PDPC acknowledged some mitigating factors, it ultimately found the Organisation in breach of the PDPA and issued directions to address the shortcomings.
What Were the Facts of This Case?
In April 2012, the Organisation purchased a Network Attached Storage (NAS) device for internal file sharing among its administrative staff over a local network. One of the files stored on the NAS was a directory of 562 individuals (the "Directory"), comprising 12 council members and 550 subsidiary proprietors of the Organisation, and containing their personal data.
The Organisation never intended the NAS to be reachable from the internet. Before the incident, however, it was unaware that the NAS was in fact exposed at an internet-facing IP address and that the Directory could be accessed there without any login credentials. On 2 September 2019, the PDPC was notified that the Directory was publicly accessible on the internet, exposing the personal data in it to the risk of unauthorised access and disclosure.
The personal data exposed included names, NRIC/passport numbers, contact details, email addresses, property ownership details, financial information, and car plate numbers of the affected individuals. Upon being informed of the incident, the Organisation promptly disconnected the NAS from the internet on the same day.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data in its possession or under its control. Section 24 requires organisations to implement "reasonable security arrangements" to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data.
The PDPC had to determine whether the Organisation had taken sufficient measures to detect and mitigate the IT security vulnerability that led to the public accessibility of the Directory, and whether the Organisation's actions amounted to a breach of the PDPA's protection obligation.
How Did the Court Analyse the Issues?
The PDPC emphasized the importance of timely detection of IT security vulnerabilities as a key aspect of an organisation's compliance with the protection obligation under the PDPA. It highlighted two key measures that organisations should implement:
1. Conducting code reviews and pre-launch testing before deploying new IT features or changes to IT systems. This allows organisations to identify and rectify errors or flaws that could lead to unintended disclosure or access to personal data.
2. Conducting periodic security reviews of IT systems, which may include the use of vulnerability scanning tools and a manual review component. This helps organisations stay aware of potential security vulnerabilities in their systems and take appropriate remedial actions.
The PDPC noted that organisations should also maintain an up-to-date personal data asset register to have a clear understanding of all the personal data in their possession or control, enabling them to effectively review and implement appropriate data protection measures.
In the present case, the PDPC found that the Organisation had failed to implement these key security measures. It had not conducted any security reviews of its IT systems, including the NAS and the Directory, and was unaware of the configuration that allowed public internet access without any access controls. The PDPC concluded that the Organisation had breached its protection obligation under Section 24 of the PDPA.
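The two controls the PDPC describes, a personal data asset register and a periodic security review, are most useful when the review is driven by the register: each asset records where it is supposed to be reachable from, and the review checks whether that is still true. The script below is an added example and is not code from the decision or from the Organisation. It stands up a local HTTP server serving a temporary folder to play the part of a NAS share that has ended up on a public address, probes it with no credentials the way an outside reviewer (or scanner) would, and compares the result with the register entry. The asset names, the register fields, the placeholder CSV file and the loopback addresses are all constructed for the illustration; on a real network the probe_url would be the organisation's external address range, and an unauthenticated 200 on something registered as LAN-only is exactly the finding that would have surfaced the misconfiguration in this case.

```python
"""Periodic external exposure review driven by a personal data asset register.

Added example, not code from the PDPC decision or the Organisation: the asset
register entries, URLs and the local test server standing in for a misconfigured
NAS share are all constructed for illustration.
"""
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Asset:
    name: str
    holds_personal_data: bool
    intended_exposure: str  # "lan" (internal only) or "internet"
    probe_url: str          # address a reviewer tests from outside the LAN


# urllib would otherwise route 127.0.0.1 through an http_proxy if one is set.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_unauthenticated(url: str, timeout: float = 3.0) -> dict:
    """GET the URL with no credentials and record how the service answered.

    auth_required is True only if the server refused the anonymous request;
    directory_listing is True if the body looks like an auto-generated index.
    """
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(8192).decode("utf-8", "replace")
            return {"reachable": True, "status": resp.status, "auth_required": False,
                    "directory_listing": "Directory listing for" in body or "Index of" in body}
    except urllib.error.HTTPError as exc:
        return {"reachable": True, "status": exc.code,
                "auth_required": exc.code in (401, 403), "directory_listing": False}
    except (urllib.error.URLError, OSError):
        return {"reachable": False, "status": None, "auth_required": None,
                "directory_listing": False}


def review(assets, probe=probe_unauthenticated) -> list:
    """Compare each asset's observed exposure with what the register says it should be."""
    findings = []
    for asset in assets:
        if not asset.holds_personal_data:
            continue
        result = probe(asset.probe_url)
        if asset.intended_exposure == "lan" and result["reachable"]:
            if not result["auth_required"]:
                findings.append(
                    f"CRITICAL: {asset.name} registered as LAN-only is reachable at "
                    f"{asset.probe_url} and serves content with no credentials"
                    + (" (directory listing enabled)" if result["directory_listing"] else ""))
            else:
                findings.append(
                    f"HIGH: {asset.name} registered as LAN-only is reachable at "
                    f"{asset.probe_url} (authentication enforced)")
    return findings


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output to the findings only
        pass


def demo() -> list:
    """Stand up a local stand-in for an internet-exposed NAS share and review it."""
    with tempfile.TemporaryDirectory() as share:
        # Constructed placeholder standing in for the Directory; no real data.
        (Path(share) / "subsidiary_proprietors.csv").write_text("name,unit,contact\n")
        handler = functools.partial(_QuietHandler, directory=share)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as server:
            threading.Thread(target=server.serve_forever, daemon=True).start()
            port = server.server_address[1]
            register = [  # constructed asset register entries
                Asset("Admin NAS share", True, "lan", f"http://127.0.0.1:{port}/"),
                Asset("Notice board (no personal data)", False, "internet",
                      f"http://127.0.0.1:{port}/"),
            ]
            try:
                return review(register)
            finally:
                server.shutdown()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints one CRITICAL finding for the share. The design point is that `review` only knows what to flag because the register says the share is LAN-only and holds personal data; without that entry the same scan result is just another open web server, which is why the PDPC treats the register as a precondition for a meaningful review rather than an optional extra.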
What Was the Outcome?
The PDPC found the Organisation in breach of Section 24 of the PDPA and considered various mitigating factors in determining the appropriate directions to be issued.
The PDPC acknowledged that most of the personal data exposed was not of a highly sensitive nature, and that the Organisation had disconnected the NAS from the internet on the same day it was notified. It nonetheless held that the Organisation had failed to implement reasonable security arrangements to protect the personal data in its possession.
As a result, the PDPC directed the Organisation to:
- Engage a qualified external cybersecurity professional to conduct a comprehensive review of its IT systems and data protection practices, and implement the recommended remedial measures;
- Develop and implement a personal data protection policy, including a process for regular reviews and updates;
- Develop and implement a data breach management plan; and
- Conduct training for its staff on data protection and IT security best practices.
Why Does This Case Matter?
This case highlights the importance of organisations taking proactive measures to protect personal data in their possession, particularly in the context of increasing digitization and the growing risk of data breaches involving IT security vulnerabilities.
The PDPC's decision makes clear that organisations must go beyond having data protection policies on paper and actively check their IT systems for security vulnerabilities. Regular security reviews, pre-launch testing of changes, and an up-to-date personal data asset register are the concrete steps the PDPC expects organisations to take to fulfil their obligations under the PDPA.
The case also serves as a reminder that the PDPC will not hesitate to take enforcement action against organisations that fail to implement reasonable security arrangements to protect personal data, even if the breach was unintentional. This decision provides valuable guidance for organisations on the specific measures they should consider implementing to comply with the PDPA's protection obligation.
Legislation Referenced
- Building Maintenance and Strata Management Act
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 14
- [2016] SGPDPC 7
- [2017] SGPDPC 12
- [2018] SGPDPC 168
- [2018] SGPDPC 26
- [2019] SGPDPC 5
- [2019] SGPDPC 48
- [2019] SGPDPC 1
- [2019] SGPDPC 11
- [2019] SGPDPC 16
Source Documents
This article analyses [2020] SGPDPC 10 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.