SAP Asia Pte. Ltd. [2021] SGPDPC 6

Analysis of [2021] SGPDPC 6, a decision of the Personal Data Protection Commission on 2021-07-30.

Case Details

  • Citation: [2021] SGPDPC 6
  • Court: Personal Data Protection Commission
  • Date: 2021-07-30
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: SAP Asia Pte. Ltd.
  • Legal Areas: Data Protection – Data intermediary, Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 19, [2018] SGPDPC 19, [2019] SGPDPC 10, [2019] SGPDPC 20, [2019] SGPDPC 24, [2019] SGPDPC 27, [2020] SGPDPC 11, [2020] SGPDPC 14, [2021] SGPDPC 6
  • Judgment Length: 12 pages, 2,786 words

Summary

This case concerns a data protection breach by SAP Asia Pte. Ltd. ("the Organisation"), where the personal data of 43 former employees was improperly disclosed due to issues with the development and deployment of a new payslip issuance program. The Personal Data Protection Commission ("the Commission") found that the Organisation failed to adequately communicate its requirements to the external vendor developing the program, resulting in a design flaw that led to the unauthorised disclosure of the former employees' personal information. The Commission determined that the Organisation had breached its data protection obligations under the Personal Data Protection Act 2012.

What Were the Facts of This Case?

The Organisation had engaged an external vendor ("the Vendor") to provide IT solutions for its human resources and payroll system ("the HR System"). The process of issuing payslips to current employees had been automated as part of the HR System. However, when payslips needed to be issued to former employees (e.g. final payslips, expense reimbursements), this had to be done manually by the Organisation's human resources department.

Sometime around April 2019, the Organisation requested the Vendor to develop a new program within the HR System to automate the issuance of payslips to former employees ("the Programme"). The Organisation intended to use the Programme to generate and email multiple payslips to multiple former employees simultaneously in one execution ("Multiple Payslip Issuance"). However, this intention was not properly communicated to the Vendor, and the Programme was designed on the incorrect understanding that only a single payslip would need to be issued to a single employee at a time ("Single Payslip Issuance").

On 31 March 2020, the Organisation executed the Programme for the first (and only) time to generate and deliver payslips to 43 former employees. Believing the Programme was capable of Multiple Payslip Issuance, the Organisation's representative selected all 43 former employees to be issued payslips in one selection screen. However, due to the design flaw, this execution of the Programme resulted in 29 out of the 43 former employees receiving not only their own payslip, but also the payslips of other employees.

The key legal issues in this case were:

1. Whether the Organisation, as the data controller, had breached its data protection obligations under the Personal Data Protection Act 2012 ("PDPA") by failing to make reasonable security arrangements to prevent the unauthorised disclosure of the former employees' personal data.

2. Whether the Vendor, in developing the Programme, was acting as a data intermediary on behalf of the Organisation, or whether the data protection obligations in respect of the former employees' personal data were borne solely by the Organisation itself.

How Did the Court Analyse the Issues?

The Commission found that the Organisation, as the data controller, had breached its data protection obligations under Section 24 of the PDPA, which requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

The Commission noted that in the context of the Programme's development, the Organisation's responsibilities under the data protection obligations included ensuring that: (a) the specifications provided to the Vendor accurately reflected the intended use of the IT feature being developed; and (b) pre-launch testing of the new feature was accurately scoped to simulate the full range of intended use.

The Commission found that the Organisation had failed in both of these responsibilities. The Organisation's instructions to the Vendor regarding the Programme were brief and ambiguous, only referring to the issuance of a payslip to a "selected employee" in the singular, rather than multiple employees. This resulted in the Vendor designing the Programme under the wrong impression that Single Payslip Issuance was required, rather than Multiple Payslip Issuance as intended by the Organisation.
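To illustrate the gap between a Single Payslip Issuance design and Multiple Payslip Issuance, and why a pre-launch test scoped only to single issuance would not catch it, here is an added Python model. It is not the Organisation's or the Vendor's code: the decision does not describe the defect's mechanism, so the shared attachment list is an assumed model of the flaw, and all employee ids and payslip data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Payslip:
    employee_id: str
    content: str

@dataclass
class Email:
    to: str
    attachments: list

def issue_payslips_flawed(selected, payslips):
    """Assumed Single Payslip Issuance design: the attachment list is
    built once per run, so when several employees are selected each
    later recipient also receives every earlier recipient's payslip."""
    outbox = []
    attachments = []  # constructed flaw: state shared across the whole run
    for emp in selected:
        attachments.append(payslips[emp])
        outbox.append(Email(to=emp, attachments=list(attachments)))
    return outbox

def issue_payslips_fixed(selected, payslips):
    """Multiple Payslip Issuance done correctly: attachment state is
    scoped to one recipient, so nothing carries over between them."""
    return [Email(to=emp, attachments=[payslips[emp]]) for emp in selected]

def cross_delivery_report(outbox):
    """Map recipient -> ids of other employees whose payslips they got.
    An empty dict means no unauthorised disclosure occurred."""
    leaks = {}
    for mail in outbox:
        foreign = [p.employee_id for p in mail.attachments
                   if p.employee_id != mail.to]
        if foreign:
            leaks[mail.to] = foreign
    return leaks

def run_issuance_test(issue_fn, n):
    """Pre-launch check over n constructed former employees; n=1 mirrors
    a test scoped to single issuance, n=43 the actual intended use."""
    employees = [f"emp{i:02d}" for i in range(n)]
    payslips = {e: Payslip(e, f"constructed payslip for {e}") for e in employees}
    return cross_delivery_report(issue_fn(employees, payslips))
```

The flawed mailer passes the single-recipient test but cross-delivers as soon as the batch has more than one recipient, which is the scoping gap the Commission identified.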

The Commission highlighted that it is a data controller's responsibility to ensure that external vendors engaged to modify its IT systems know the scope of their work, and that there must be a clear meeting of minds as to the services the vendor has agreed to undertake. The Organisation's failure to properly communicate its requirements to the Vendor led to the design flaw that ultimately caused the unauthorised disclosure of the former employees' personal data.

The Commission also addressed the issue of whether the Vendor was acting as a data intermediary on behalf of the Organisation. The Commission found that in the context of the Programme's development, the Vendor did not process personal data on behalf of the Organisation and was not the Organisation's data intermediary. Accordingly, the data protection obligations in respect of the former employees' personal data were borne solely by the Organisation as the data controller.

What Was the Outcome?

The Commission found that the Organisation had breached its data protection obligations under the PDPA and directed the Organisation to pay a financial penalty of S$9,000.

As part of the remedial actions, the Organisation had: (a) informed the affected former employees about the error and requested that they delete the payslips they had received in error; (b) followed up with the former employees to confirm deletion of the other payslips; (c) disabled the Programme and reverted to manually generating and emailing payslips to former employees; and (d) agreed on continuous process improvements with the Vendor, with clearly communicated requirements.

Why Does This Case Matter?

This case highlights the importance of data controllers, such as organisations, clearly communicating their requirements and intended use of IT systems and features to external vendors involved in the development or modification of those systems. Failure to do so can lead to design flaws that result in the unauthorised disclosure of personal data, which constitutes a breach of the data controller's obligations under the PDPA.

The case also emphasises that data controllers cannot simply delegate their data protection responsibilities to external vendors. Even when engaging a vendor to develop or modify IT systems that process personal data, the data controller remains solely responsible for ensuring that reasonable security arrangements are in place to protect the personal data in its possession or under its control.

This decision serves as a valuable precedent for organisations in Singapore, reminding them of the need to exercise proper oversight and due diligence when working with external vendors on projects that involve the processing of personal data. It underscores the importance of clear communication, thorough testing, and continuous process improvements to ensure compliance with the PDPA's data protection obligations.

Source Documents

This article analyses [2021] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
