Case Details
- Citation: [2019] SGPDPC 46
- Court: Personal Data Protection Commission
- Date: 2019-12-26
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: National Healthcare Group Pte Ltd
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Medical Registration Act; Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 26
- Judgment Length: 10 pages, 2,398 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that the National Healthcare Group Pte Ltd (the Organisation) had breached the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA) by failing to make reasonable security arrangements to protect the personal data of its partner doctors and of members of the public who had submitted website feedback. The Organisation had engaged a website developer and an IT services provider to build and maintain its website, but did not adequately oversee the website's security, and a list containing the personal data was left accessible from the public internet. A penetration test had flagged the exposure more than a year before the data was found through a search engine. The PDPC imposed a financial penalty on the Organisation for its failure to comply with the protection obligation.
What Were the Facts of This Case?
In February 2018, the National Healthcare Group Pte Ltd (the Organisation) notified the PDPC about a complaint it had received regarding a list containing personal information of its partner doctors (the List) that was accessible on the internet (the Incident). The List contained the full names, mobile numbers, mailing addresses, email addresses, clinic addresses, Singapore Medical Council registration numbers, NRIC numbers, dates of birth, and photographs of 129 general practitioners (GPs) who had registered as the Organisation's partners. The List also contained the full names, email addresses, and mobile numbers of 5 members of the public who had submitted feedback on the Organisation's website.
The Organisation had engaged a website developer (the Website Developer) in March 2015 to develop its website (the Website). An IT services provider (the IT Services Provider) was also engaged to provide IT support and to ensure that the IT specifications were met. During development, the section of the web configuration file that should have restricted access to the relevant part of the Website (including the List) was never added. The Organisation, the Website Developer and the IT Services Provider signed off on the Website's functional requirements and user acceptance testing, but nobody examined the web configuration file itself before the Website went live in December 2015.
In around June or July 2016, the Organisation engaged a vendor to conduct a penetration test of the Website. The penetration test report (the Penetration Test Report) identified the unrestricted internet access to the List as a vulnerability and recommended that authorization rules be configured so that only authorized users could reach it. The vulnerability was not remedied, and in February 2018 a GP found the List through a Google search (the Incident).
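The misconfiguration described above, as an added example that is not material from the decision: the decision says only that a section restricting access was missing from "the web configuration file" and that the penetration test recommended configuring "authorization rules". The example assumes an ASP.NET web.config, which the decision does not identify, and every path, file and rule in it is constructed. It shows the weak file beside the corrected one and a small audit that evaluates ASP.NET's first-match authorization rules for an anonymous visitor, so the pentest finding can be checked from the configuration rather than from a vendor's assurance.

```python
"""Audit an ASP.NET web.config for URL paths served to anonymous users.

Added example; not code from the decision or the Organisation's website.
Assumes ASP.NET web.config semantics: <location> sections are merged with
the root config, <allow>/<deny> rules are evaluated top to bottom with the
first match winning, users="?" means anonymous, users="*" means everyone,
and the machine-level default is <allow users="*"/>.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Iterable

# Constructed file modelled on the facts: authentication is set up and the
# admin area is locked down, but the section that should protect the partner
# list was never written, so that path inherits the default "allow everyone".
VULNERABLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

# The same constructed file with the section the penetration test recommended:
# deny anonymous users ("?") on the partner list; authenticated users fall
# through to the default allow.
FIXED_WEB_CONFIG = VULNERABLE_WEB_CONFIG.replace(
    "</configuration>",
    """  <location path="Partners/List">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>""",
)


def _rules_for(root: ET.Element, url_path: str) -> list[ET.Element]:
    """Collect the <allow>/<deny> rules that apply to url_path, most specific
    <location> first, then the root <system.web> rules."""
    wanted = url_path.strip("/").lower()
    matching: list[tuple[int, list[ET.Element]]] = []
    for loc in root.findall("location"):
        loc_path = loc.get("path", "").strip("/").lower()
        if wanted == loc_path or wanted.startswith(loc_path + "/"):
            auth = loc.find("system.web/authorization")
            if auth is not None:
                matching.append((len(loc_path), list(auth)))
    matching.sort(key=lambda item: item[0], reverse=True)
    rules = [rule for _, group in matching for rule in group]
    root_auth = root.find("system.web/authorization")
    if root_auth is not None:
        rules.extend(list(root_auth))
    return rules


def anonymous_can_read(config_xml: str, url_path: str) -> bool:
    """True if an unauthenticated request to url_path would be served.

    An anonymous user matches users="?" or users="*" and holds no roles, so
    role-only rules never match it. If no rule matches, ASP.NET's default
    <allow users="*"/> applies.
    """
    root = ET.fromstring(config_xml)
    for rule in _rules_for(root, url_path):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if "?" in users or "*" in users:
            return rule.tag == "allow"
    return True


def audit(config_xml: str, sensitive_paths: Iterable[str]) -> list[str]:
    """Return the sensitive paths that an anonymous visitor could fetch."""
    return [p for p in sensitive_paths if anonymous_can_read(config_xml, p)]


if __name__ == "__main__":
    # "Feedback/Export" is a constructed extra path: it shows that fixing
    # only the path named in the pentest report still leaves siblings open.
    paths = ["Partners/List", "Admin/Users", "Feedback/Export"]
    print("before fix, open to anonymous:", audit(VULNERABLE_WEB_CONFIG, paths))
    print("after fix, open to anonymous:", audit(FIXED_WEB_CONFIG, paths))
```

Running the audit over the vulnerable file reports both the partner list and the constructed feedback export as open; after the recommended section is added, only the feedback export remains, which is the point of auditing every sensitive path rather than closing the single finding a report happened to name. The same check belongs in the release pipeline so that a regression of the configuration fails a build instead of waiting for the next penetration test.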
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the data protection obligations under the PDPA applied to the personal data contained in the List.
2. Whether the Organisation had breached its data protection obligations under section 24 of the PDPA by failing to implement reasonable security measures to protect the personal data.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that the protection obligation under section 24 of the PDPA applied only to the GPs' "Other Data" (NRIC numbers, dates of birth and photographs) and to the "Other Individuals' Data" (the full names, email addresses and mobile numbers of the 5 members of the public). The GPs' contact information (full names, mobile numbers, mailing addresses, email addresses and clinic addresses) and their Singapore Medical Council registration numbers fell outside the protection obligation.
On the second issue, the PDPC found that the Organisation had failed to make reasonable security arrangements to protect the personal data in the List to which the obligation applied (the Disclosed Personal Data), as required by section 24 of the PDPA. The PDPC noted that the Penetration Test Report had clearly identified the vulnerability that allowed unrestricted internet access to the List and had recommended the necessary remedial action more than a year before the Incident, yet the Organisation did not address the vulnerability in a timely manner.
The PDPC rejected the Organisation's argument that it had relied on the IT Services Provider to address the issues identified in the Penetration Test Report. The PDPC emphasised that an organisation cannot delegate its responsibility for complying with the PDPA to third-party vendors. The Organisation remained responsible for protecting the personal data, and its failure to exercise reasonable oversight over the security of its website amounted to a breach of the protection obligation.
What Was the Outcome?
Based on its findings, the PDPC imposed a financial penalty of S$8,000 on the Organisation for its breach of the PDPA's protection obligation. The PDPC noted that the Organisation had taken prompt remedial actions after being notified of the Incident, including taking the website offline, contacting the affected individuals, and implementing additional security measures to prevent a recurrence. However, these post-incident actions did not absolve the Organisation of its earlier failure to implement reasonable security arrangements.
Why Does This Case Matter?
This case is significant for several reasons:
1. It reinforces the PDPC's strict interpretation of the PDPA's protection obligation, which requires organisations to take proactive and reasonable steps to safeguard the personal data in their possession or control. Organisations cannot simply delegate this responsibility to third-party vendors and must exercise proper oversight over the security of their systems and data.
2. The case highlights the importance of conducting regular security assessments, such as penetration testing, and promptly addressing any vulnerabilities identified. Organisations cannot simply rely on the assurances of their IT service providers and must actively monitor and manage the security of their systems.
3. The case serves as a warning to organisations that failure to comply with the PDPA's protection obligation can result in a financial penalty even where there is no evidence that the exposed data was misused. Organisations must take their data protection responsibilities seriously and implement appropriate security measures to avoid such penalties.
4. The case provides guidance on the scope of the PDPA's protection obligation, clarifying that certain types of "business contact information" and publicly available data may be exempt from the PDPA's requirements. Organisations should carefully assess the nature of the personal data they hold to determine the applicable data protection obligations.
Legislation Referenced
- Medical Registration Act
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 26
Source Documents
This article analyses [2019] SGPDPC 46 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.