Case Details
- Citation: [2020] SGPDPC 2
- Court: Personal Data Protection Commission
- Date: 2020-01-08
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: SCAL Academy Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 26, [2020] SGPDPC 2
- Judgment Length: 6 pages, 1,370 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that SCAL Academy Pte. Ltd. (the Organisation) had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its course participants. The breach occurred when the Organisation's website inadvertently allowed public access to scanned copies of participants' registration documents, which contained sensitive personal information. While the Organisation took prompt remedial action, the PDPC determined that it had failed to implement reasonable security arrangements to prevent the unauthorized disclosure of the data, and directed the Organisation to pay a financial penalty of $15,000.
What Were the Facts of This Case?
SCAL Academy Pte. Ltd. is an organization that provides courses, seminars, and workshops to individuals (the "Participants"). It collects the personal data of Participants through its website, http://www.scal-academy.com.sg (the "Website"), for registration purposes. The Website was developed and maintained by a freelance vendor (the "Vendor").
On 29 November 2018, the PDPC received a complaint that the results of an online search of the names of Participants displayed links to scanned copies of their registration documents (the "Documents") on the Website (the "Incident"). The Documents were accessible by clicking on the listed links and contained various personal data of 3,628 Participants, including their names, race, nationality, date of birth, gender, country of birth, NRIC or work permit numbers, addresses, occupations, and the names of the companies they were employed by (the "Compromised Personal Data").
The cause of the Incident was traced to an enhancement to the Website (the "Enhancement") which allowed Participants to upload the Documents directly onto a folder (the "Folder") on the Website. The Vendor had been tasked with developing the Enhancement on 7 February 2018, but in the course of doing so, the Vendor omitted to program the Enhancement to verify that only authorized employees could access the Folder. As a result, the Documents were accessible without the need for login credentials. Additionally, through an oversight, the Vendor omitted to implement another requirement, namely preventing bot crawlers from searching and indexing the Website content.
What Were the Key Legal Issues?
The key legal issue in this case was whether SCAL Academy Pte. Ltd. had contravened section 24 of the Personal Data Protection Act 2012 (PDPA), which requires an organization to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
How Did the Court Analyse the Issues?
The PDPC, as the adjudicating body, first established that SCAL Academy Pte. Ltd. owned and managed the Website and had possession and control over the Compromised Personal Data at all material times. While the Vendor had been engaged to develop and maintain the Website, including the Enhancement, the Vendor had not processed any personal data collected via the Website on the Organisation's behalf. Therefore, the Vendor was not a data intermediary of the Organisation, and the obligations under the PDPA did not apply to the Vendor in respect of its engagement by the Organisation.
The PDPC then examined whether SCAL Academy Pte. Ltd. had taken reasonable security steps or arrangements to protect the personal data in the Documents, as required by section 24 of the PDPA. The PDPC found that while the Organisation had instructed the Vendor to prevent the Documents from being "leaked" online, it did not check with the Vendor what specific security arrangements had been put in place to ensure this. The PDPC emphasized that it is essential for an organization to work with its vendor to agree on the necessary security measures, follow through with testing, and verify the effectiveness of the arrangements in protecting the personal data.
The PDPC noted that the actions the Organisation should have taken, such as articulating its business requirements, working with the Vendor on agreed technical measures, and conducting proper testing based on risk scenarios, do not require deep technical expertise. Rather, they are basic steps that organizations should undertake to fulfill their obligations under the PDPA.
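The two omissions described in the facts (a Folder readable without a login, and nothing stopping crawlers from indexing it) together with the risk-scenario testing the PDPC says an organisation should carry out with its vendor, as an added example that is not part of the decision or of the Organisation's or Vendor's code: a small Python acceptance check an organisation can run against its own document folder after a vendor delivers a change. The document URL, the staff session cookie and the before/after responses are constructed assumptions.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher maps (url, with_credentials) to (HTTP status, lower-cased response headers).
Fetcher = Callable[[str, bool], Tuple[int, Dict[str, str]]]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 302-to-login as-is rather than silently following it to a 200 login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def make_urllib_fetcher(session_cookie: str) -> Fetcher:
    """Live fetcher for a deployed site; session_cookie is a hypothetical staff login cookie."""
    opener = urllib.request.build_opener(_NoRedirect)
    def fetch(url: str, with_credentials: bool) -> Tuple[int, Dict[str, str]]:
        req = urllib.request.Request(url)
        if with_credentials:
            req.add_header("Cookie", session_cookie)
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, {k.lower(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:
            return err.code, {k.lower(): v for k, v in err.headers.items()}
    return fetch

def check_document_exposure(fetch: Fetcher, doc_urls: List[str]) -> List[str]:
    """Run three risk scenarios against each document URL; an empty list means all passed."""
    findings: List[str] = []
    for url in doc_urls:
        anon_status, _ = fetch(url, False)
        if anon_status == 200:  # 1: the folder must not be readable without a login
            findings.append(f"{url}: served without credentials (HTTP 200)")
        auth_status, auth_headers = fetch(url, True)
        if auth_status != 200:  # 2: authorised staff must still be able to read it
            findings.append(f"{url}: not readable by an authorised user (HTTP {auth_status})")
        elif "noindex" not in auth_headers.get("x-robots-tag", "").lower():
            # 3: even the served copy must carry a no-index instruction for crawlers
            findings.append(f"{url}: missing 'X-Robots-Tag: noindex', crawlers may index it")
    return findings

# Constructed responses (not real data) modelling the upload folder before and after the fix.
DOC = "https://example.invalid/uploads/registration-form.pdf"
BEFORE_FIX = {DOC: {False: (200, {}), True: (200, {})}}
AFTER_FIX = {DOC: {False: (302, {"location": "/login"}),
                   True: (200, {"x-robots-tag": "noindex, nofollow"})}}

def fake_fetcher(table: Dict[str, Dict[bool, Tuple[int, Dict[str, str]]]]) -> Fetcher:
    """Offline stand-in for make_urllib_fetcher that replays the constructed table."""
    return lambda url, with_credentials: table[url][with_credentials]
```

Against the constructed "before" responses the check reports both the missing login requirement and the missing no-index header; against the "after" responses it reports nothing.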
What Was the Outcome?
Based on the above analysis, the PDPC found that SCAL Academy Pte. Ltd. had not put in place reasonable security arrangements to protect the personal data in the Documents and, accordingly, was in breach of section 24 of the PDPA.
In determining the appropriate directions to be imposed on the Organisation, the PDPC took into account the following mitigating factors:
- The Organisation was cooperative in the investigations and provided information promptly.
- Upon being notified of the Incident, the Organisation swiftly took remedial actions, such as implementing measures to prevent Google trawling and indexing, removing the Documents from the Website, disabling the upload function, and notifying affected individuals who were likely to suffer significant harm or impact.
Considering these factors, the PDPC directed SCAL Academy Pte. Ltd. to pay a financial penalty of $15,000 within 30 days, failing which interest would accrue on the outstanding amount. The PDPC decided not to issue any further directions in light of the remedial actions taken by the Organisation.
Why Does This Case Matter?
This case is significant for several reasons:
First, it reinforces the importance of organizations taking reasonable security measures to protect the personal data in their possession or control, as required by the PDPA. The PDPC emphasized that this obligation does not require deep technical expertise, but rather basic steps such as articulating business requirements, collaborating with vendors on agreed security measures, and conducting proper testing.
Second, the case highlights the need for organizations to closely monitor and verify the security arrangements implemented by their vendors, even when the vendor is responsible for the technical development and maintenance of the system. The PDPC made it clear that the organization remains ultimately responsible for the protection of the personal data, regardless of the involvement of a third-party vendor.
Finally, the case demonstrates the PDPC's willingness to impose financial penalties on organizations that fail to fulfill their data protection obligations, even when the breach was caused by a vendor's oversight. This serves as a reminder to organizations to take their data protection responsibilities seriously and to exercise due diligence when engaging third-party service providers.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 26
- [2020] SGPDPC 2
Source Documents
This article analyses [2020] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.