Case Details
- Citation: [2019] SGPDPC 45
- Court: Personal Data Protection Commission
- Date: 2019-12-16
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: SAFRA National Service Association
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2019] SGPDPC 45
- Judgment Length: 6 pages, 1,846 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that SAFRA National Service Association (the Organisation) had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its members. The breach occurred when an employee of the Organisation accidentally attached a spreadsheet containing the personal data of 780 members to mass emails sent to 491 members. The PDPC imposed a financial penalty of $10,000 on the Organisation and directed it to review its email processes and implement safeguards to prevent similar incidents in the future.
What Were the Facts of This Case?
On 13 September 2018, the PDPC received a voluntary breach notification from SAFRA National Service Association (the Organisation). An employee of the Organisation (the Employee) had sent out two separate batches of emails attaching an Excel spreadsheet (the Spreadsheet) containing the personal data of certain members of the Organisation's shooting club (the SSC) to other members.
According to the Employee, his job scope included sending mass emails to SSC members, which he had been doing at least once a month since September 2016. He claimed that he was not aware of any standard operating procedures (SOPs) for sending such mass emails, and that his supervisor had only verbally instructed him on the process. This process involved preparing the email, attaching the spreadsheet containing the recipients' email addresses, sending the draft email to the official SSC email account, and then copying the email addresses into the email and deleting the attached spreadsheet before sending the mass email.
The Organisation stated that it was not aware of this process and had only verbally instructed its staff to use the "bcc" function when sending mass emails and to check that no unnecessary information or documents were attached before sending. However, the Organisation was unable to produce evidence that it had reproduced the difficulty the Employee reported when trying to delete the attached spreadsheet.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data of its members by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal of such data.
Specifically, the PDPC had to determine whether the Organisation's reliance on a manual process for sending mass emails, without proper documentation or automation, constituted a failure to make reasonable security arrangements to prevent the accidental disclosure of its members' personal data.
How Did the Court Analyse the Issues?
The PDPC noted that the Organisation's method of drafting the mass email using the individual work email address of the relevant employee and then sending it to the official SSC email address with the spreadsheet attached gave rise to the risk of accidental disclosure of the personal data in the spreadsheet. The PDPC found that manual processes such as this, which the Employee had been following for at least two years, inherently carry a higher risk of human error.
The PDPC referenced its own guidance, the "Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data" and the "Guide on Printing Processes for Organisations," which recommend that organizations implement automated processing of documents or communications containing personal data, such as through mail-merge functions or the creation of frequently used mailing lists. The PDPC stated that the Organisation should have had a properly documented process and considered the use of such process automation tools for this regular task of sending monthly mass emails to members.
Additionally, the PDPC found that the Organisation's reliance on verbal instructions to its staff was insufficient, as employees would be unable to refer to them in the course of their duties and may forget such instructions over time. For a regular and frequent task like sending mass emails, the PDPC expected the Organisation to have a more robust, documented process in place.
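The safeguards the decision points to (recipients placed in bcc only, a check for stray attachments before sending, and a mailing list generated from the spreadsheet rather than hand-copied out of it) as an added Python example, not code from the decision or from the Organisation; the CSV sample, the example.org addresses and the club mailbox are constructed assumptions, and CSV stands in for the Excel file.

```python
import csv
import io
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed stand-in for the member spreadsheet (CSV rather than .xlsx);
# note the duplicate row, which the loader must collapse.
MEMBER_CSV = """name,email,membership_no
Alice Tan,alice@example.org,SSC-001
Bob Lim,bob@example.org,SSC-002
Alice Tan,alice@example.org,SSC-001
"""

LIST_ADDRESS = "ssc@example.org"  # assumed official club mailbox


def load_recipients(csv_text):
    """Return the de-duplicated member addresses from the spreadsheet.
    Only the address column leaves this function; names and membership
    numbers are never copied into, or attached to, the outgoing mail."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = row["email"].strip().lower()
        if addr and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def build_mass_email(subject, body, recipients):
    """Draft the monthly mail with members in Bcc only, so no recipient
    sees the others' addresses and nothing is hand-copied from the file."""
    msg = EmailMessage()
    msg["From"] = LIST_ADDRESS
    msg["To"] = LIST_ADDRESS            # the only visible recipient
    msg["Bcc"] = ", ".join(recipients)  # members hidden from each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def preflight(msg):
    """Fail closed on the errors this case turns on: a leftover attachment,
    member addresses outside Bcc, or an empty Bcc. Returns the list of
    problems; only an empty list means the message may be sent."""
    problems = []
    if any(True for _ in msg.iter_attachments()):
        problems.append("message carries an attachment")
    for header in ("To", "Cc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr.lower() != LIST_ADDRESS:
                problems.append(f"member address exposed in {header}: {addr}")
    if not msg.get("Bcc"):
        problems.append("no Bcc recipients")
    return problems
```

The preflight check is the automated counterpart of the verbal "check before sending" instruction the decision found insufficient; wiring it in front of the SMTP call turns the check from a memory aid into a gate.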
What Was the Outcome?
Based on the above analysis, the PDPC was satisfied that the Organisation had contravened Section 24 of the PDPA by failing to make reasonable security arrangements to protect the personal data of its members.
The PDPC directed the Organisation to pay a financial penalty of $10,000 within 30 days. The PDPC also directed the Organisation to conduct a review of its email system and processes and to put in place process safeguards and written internal standard operating procedures to protect the personal data of its members within 120 days.
Why Does This Case Matter?
This case is significant as it highlights the importance of organizations having robust and documented processes in place for handling personal data, particularly for regular and frequent tasks. The PDPC's decision emphasizes that reliance on manual, undocumented processes can constitute a breach of the PDPA's protection obligation, even if no actual misuse of personal data occurred.
The case also provides guidance on the types of measures organizations should consider implementing, such as the use of automated processing tools and the establishment of clear written procedures, to fulfill their obligations under the PDPA. This decision serves as a reminder to organizations to regularly review their data protection practices and implement appropriate safeguards to prevent accidental disclosure of personal data.
Furthermore, the PDPC's willingness to impose a financial penalty in this case, despite the mitigating factors, underscores the importance it places on organizations taking their data protection responsibilities seriously. This decision sends a clear message to organizations that they will be held accountable for failing to meet their obligations under the PDPA.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2019] SGPDPC 45
Source Documents
This article analyses [2019] SGPDPC 45 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.