
PAP Community Foundation [2019] SGPDPC 6

Analysis of [2019] SGPDPC 6, a decision of the Personal Data Protection Commission on 2019-04-23.

Case Details

  • Citation: [2019] SGPDPC 6
  • Court: Personal Data Protection Commission
  • Date: 2019-04-23
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: PAP Community Foundation
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2019] SGPDPC 6
  • Judgment Length: 7 pages, 1,490 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that the PAP Community Foundation (the Organisation) had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data of students and parents in its possession. The breach arose from an incident where a teacher at one of the Organisation's preschools shared a photograph of a student attendance list containing personal data on a WhatsApp group chat. The PDPC determined that the Organisation lacked specific policies and procedures to guide its employees on the proper handling and disclosure of personal data, particularly in the context of communicating with parents. While the Organisation had provided PDPA training to its staff, the PDPC found that this alone was insufficient without clear data protection policies and procedures in place. Ultimately, the PDPC issued a warning to the Organisation for the breach, taking into account the mitigating factors of the teacher's swift action to remove the data and the relatively small number of individuals impacted.

What Were the Facts of This Case?

The PAP Community Foundation (the Organisation) provides a range of services, including pre-school kindergarten services and senior care services. The central issue in this case, as it relates to the Personal Data Protection Act 2012 (PDPA), is whether the Organisation had made reasonable security arrangements to protect the personal data of the students and students' parents that it had in its possession and control.

One of the Organisation's preschools, Sparkletots @ Kampong Chai Chee, had organised a school trip. In preparation for the trip, the preschool collected the parents' personal data, including NRIC numbers, to allow for verification of the parents' identity on the day of the trip. A few days before the trip, a teacher at the preschool sent a photograph of a consolidated attendance list containing the personal data of 15 students and 5 parents, including their contact numbers and NRIC numbers, to a WhatsApp chat group comprising the parents of students from that class.

The teacher quickly deleted the photograph after being alerted by one of the parents in the group chat. However, the parent who had been alerted lodged a complaint with the Personal Data Protection Commission (PDPC), which then commenced investigations into the incident.

The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data in its possession and control by making reasonable security arrangements to prevent unauthorized access, disclosure, and similar risks.

Specifically, the PDPC had to determine whether the Organisation's lack of specific policies or procedures to guide its employees on the use, handling, and disclosure of personal data, particularly in the context of communicating with parents, amounted to a failure to make reasonable security arrangements as required by the PDPA.

How Did the Court Analyse the Issues?

The PDPC, through Deputy Commissioner Yeong Zee Kin, first established that the personal data in question was indeed "personal data" as defined in the PDPA, and that the Organisation was an "organisation" under the Act and responsible for the data.

The PDPC then examined the Organisation's security arrangements in light of the requirements of Section 24 of the PDPA. The PDPC noted that "security arrangements" encompass physical, technical, and administrative measures, including data protection policies and procedures that employees must comply with.

The PDPC found that the Organisation did not have specific policies or procedures in place to guide its employees on the use and disclosure of personal data, particularly in the context of communications with parents. While the Organisation had provided PDPA training to its staff, the PDPC determined that this alone was insufficient, as reasonable assurance against such incidents requires instituting and enforcing proper policies and procedures within the organisation, with training serving to communicate those policies.

The PDPC emphasized that given the nature and volume of personal data the Organisation handles, with around 360 preschool centres and 43,000 children enrolled, it would be reasonably expected to have specific policies and procedures to guide its staff on PDPA obligations in their day-to-day interactions with parents.

What Was the Outcome?

Based on the findings, the PDPC concluded that the Organisation had breached its obligations under Section 24 of the PDPA to make reasonable security arrangements to protect the personal data in its possession and control.

However, in determining the appropriate directions to be imposed, the PDPC took into account several mitigating factors: the teacher's swift action in removing the personal data, the relatively small number of individuals impacted, and the remedial actions taken by the Organisation, including suspending all WhatsApp chat groups, implementing new policies, and conducting refresher training for its employees.

Ultimately, the PDPC decided to issue a warning to the Organisation for the breach, without imposing any further directions or financial penalty. The PDPC was satisfied that the Organisation's remedial actions had sufficiently addressed the gaps in its policies and practices relating to the handling of personal data by its employees.

Why Does This Case Matter?

This case highlights the importance of organisations, particularly those that handle significant amounts of personal data, having clear and comprehensive data protection policies and procedures in place to guide their employees on the proper use and disclosure of personal information.

The PDPC's decision underscores that mere PDPA training, while valuable, is not a substitute for well-defined policies and procedures. Organisations must take proactive steps to institute and enforce data protection measures that are commensurate with the nature and volume of personal data they possess.

The case also demonstrates the PDPC's willingness to take a pragmatic approach in enforcement, considering mitigating factors and the remedial actions taken by the organisation. This suggests that organisations that promptly address gaps in their data protection practices and implement appropriate safeguards may be able to avoid more severe penalties, even in the event of a breach.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2019] SGPDPC 6

This article analyses [2019] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
