Case Details
- Citation: [2020] SGPDPC 11
- Court: Personal Data Protection Commission
- Date: 2020-03-17
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: MDIS Corporation Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: -
- Cases Cited: [2016] SGPDPC 19, [2018] SGPDPC 26, [2019] SGPDPC 16, [2019] SGPDPC 27, [2019] SGPDPC 38, [2019] SGPDPC 46, [2020] SGPDPC 11, [2020] SGPDPC 5
- Judgment Length: 12 pages, 2,130 words
Summary
This case concerns a breach of the data protection obligation under the Singapore Personal Data Protection Act (PDPA) by MDIS Corporation Pte Ltd, an education institute. The Personal Data Protection Commission (PDPC) found that MDIS failed to implement reasonable security arrangements to protect the personal data of its course participants, leading to unauthorized access and disclosure of the data.
What Were the Facts of This Case?
MDIS Corporation Pte Ltd (the "Organisation") is a not-for-profit professional institute that provides lifelong learning courses. In October 2017, the Organisation engaged a web development vendor (the "Vendor") to develop its website (the "Website"), including a content management system (CMS) and an online registration form (the "Form") for course participants to provide their personal data.
The Organisation did not have written contracts with either the Vendor or the freelance developer (the "Developer") engaged by the Vendor to assist with the Website development. The Organisation conveyed its instructions for the Website development verbally to the Vendor, who acted as the intermediary between the Organisation and the Developer.
In December 2017, the Organisation and Vendor conducted pre-launch testing on the Website, including the Form. The Website went live in September 2018, and the Vendor continued to assist the Organisation in rectifying various features until the Organisation terminated the Vendor's engagement in or around February 2019.
On 2 May 2019 and again on 17 June 2019, the PDPC received complaints from an individual (the "Complainant") who had been able to access a Microsoft Excel spreadsheet (the "Spreadsheet") containing the personal data of 304 individuals, including the Complainant, through a Google search of her NRIC number. This personal data, referred to as the "Disclosed Data", included names, NRIC/identification numbers, email addresses, contact numbers, and course details.
Following the first complaint, the Organisation promptly took remedial actions, including blocking the CMS administrative backend, inserting a "robots.txt" file to prevent search engines from crawling the Website, and submitting a removal request to Google. However, on 17 June 2019 the Complainant was again able to access the Spreadsheet through a Google search (the "Second Incident").
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligation under Section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal.
The PDPC had to determine whether the Organisation had failed to communicate data protection requirements to its vendors, failed to conduct adequate pre-launch testing to identify security vulnerabilities, and failed to exercise reasonable oversight over the security arrangements for the Website.
How Did the Court Analyse the Issues?
The PDPC first established that the Organisation, as the owner of the Website and the entity in possession and control of the Disclosed Data, was solely responsible for protecting the personal data, and could not delegate this responsibility to its vendors.
The PDPC then examined the Organisation's actions and found several failures in its data protection measures:
1. The Organisation failed to communicate any data protection requirements to the Vendor or the Developer, either in writing or verbally. The PDPC noted that as the data controller, the Organisation should have clearly documented the scope of services and data protection requirements in its contracts with the vendors.
2. Prior to the Website's launch, the Organisation failed to scope the pre-launch testing to identify risks to the personal data collected through the Form. The PDPC emphasized that website security and personal data protection should be key design considerations at every stage of the website's lifecycle.
3. The Organisation relied on the Vendor to identify and implement appropriate security measures, which the PDPC found unacceptable. As the data controller, the Organisation was required to provide proper instructions to its vendors and exercise reasonable oversight to ensure its instructions were carried out.
The PDPC concluded that the Organisation's failures amounted to a breach of its data protection obligations under Section 24 of the PDPA.
What Was the Outcome?
The PDPC found the Organisation in breach of Section 24 of the PDPA for failing to implement reasonable security arrangements to protect the personal data in its possession. The PDPC did not impose any financial penalty, but directed the Organisation to engage a qualified professional to review and enhance its data protection practices and policies within 3 months.
Why Does This Case Matter?
This case provides important guidance for organizations on their data protection obligations under the PDPA, particularly when engaging third-party vendors for website development and maintenance.
The key lessons from this case are:
- Organizations must clearly communicate their data protection requirements to vendors and document them in written contracts, even where the engagement has otherwise been agreed verbally.
- Security and personal data protection should be key design considerations throughout the website development lifecycle, not just during pre-launch testing.
- Organizations cannot simply delegate their data protection responsibilities to vendors, but must exercise reasonable oversight to ensure their instructions are properly implemented.
This case reinforces that organizations, as data controllers, bear the ultimate responsibility for protecting the personal data in their possession or under their control, regardless of whether they have outsourced website development or other data processing activities to third-party vendors.
Legislation Referenced
- Personal Data Protection Act (PDPA) of Singapore
Cases Cited
- [2016] SGPDPC 19
- [2018] SGPDPC 26
- [2019] SGPDPC 16
- [2019] SGPDPC 27
- [2019] SGPDPC 38
- [2019] SGPDPC 46
- [2020] SGPDPC 5
- [2020] SGPDPC 11
Source Documents
This article analyses [2020] SGPDPC 11 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.