Case Details
- Citation: [2019] SGPDPC 40
- Court: Personal Data Protection Commission
- Date: 2019-10-24
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: SearchAsia Consulting Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 19, [2018] SGPDPC 26, [2019] SGPDPC 40, [2019] SGPDPC 5
- Judgment Length: 4 pages, 1,189 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that SearchAsia Consulting Pte. Ltd. (the "Organisation") had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect the personal data of job seekers whose résumés were uploaded to the Organisation's website. The Organisation was directed to pay a financial penalty of $7,000 for its failure to adequately secure the personal data.
What Were the Facts of This Case?
SearchAsia Consulting Pte. Ltd. is a recruitment company in Singapore that matches job seekers with employers. The Organisation allowed job seekers to upload their résumés to its website, www.searchasia.com.sg, so that the Organisation could assess their suitability for roles it was engaged to fill. These résumés contained personal data such as the job seekers' names, contact details, employment history, qualifications, and in some cases, additional information like nationality, date of birth, marital status, and current salary.
The Organisation intended for the résumés to be accessible only to its own recruitment agents. However, the résumés were stored in a folder on the website's server that was configured for unrestricted public access with directory listing enabled, so search engine crawlers could enumerate the folder's contents and index the files. As a result, when members of the public searched for the names or email addresses of the affected individuals, the search results would include links to their résumés, which could then be accessed by clicking on the links.
The Organisation claimed that it had instructed its third-party web developer to restrict access to the folder containing the résumés, but it did not provide any documentary evidence to support this assertion. The web developer, in its statement to the PDPC, denied receiving any security specifications from the Organisation. The Organisation also admitted that it had not conducted any checks or tests to ensure that access to the folder was restricted or that the data was encrypted.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had fulfilled its obligations under Section 24 of the PDPA to make reasonable security arrangements to protect the personal data of the job seekers whose résumés were uploaded to its website.
Section 24 of the PDPA requires organizations to make reasonable security arrangements to protect personal data in their possession or under their control from unauthorized access, disclosure, and similar risks. The PDPC had to determine whether the Organisation's actions, or lack thereof, amounted to a breach of this obligation.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had clearly failed to make reasonable security arrangements to protect the personal data in the résumés uploaded to its website. The cause of the data breach incident was that the folder containing the résumés was set to allow public access without any restrictions, and the Organisation had not given the appropriate instructions to its contractors, including the web developer and web hosting provider, to protect the personal data in the folder.
The PDPC noted that one of the fundamental actions an organization is required to undertake to fulfill its obligation to make reasonable security arrangements is to conduct relevant tests of its IT environment, including websites, to ensure that personal data has been adequately protected. The Organisation had failed to do this, which was a breach of its obligations under Section 24 of the PDPA.
The PDPC also emphasized the importance of an organization clearly documenting its instructions and expectations when engaging a service provider, as stated in previous PDPC decisions. The Organisation had not done this with its web developer, which contributed to the failure to protect the personal data.
What Was the Outcome?
Having found the Organisation in breach of Section 24 of the PDPA, the PDPC directed the Organisation to pay a financial penalty of $7,000 within 30 days. The PDPC noted that the Organisation had undertaken several remedial actions after being informed of the data breach incident, including disabling the directory listing function of the website, engaging an external web developer to add a mechanism to prevent future indexing by search engine crawlers, removing public access permissions from sensitive file directories, and requesting Google to remove the cached copies of the affected individuals' résumés from its search engine results.
Given these remediation efforts, the PDPC decided not to issue any other directions against the Organisation.
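The check the Organisation admitted it never ran (testing whether access to the folder was actually restricted) and the verification of the remediation steps listed above can be expressed as a small audit over captured HTTP responses. The Python below is an added example written for this summary; it is not code from the decision, the Organisation or its web developer. The folder path, file name and HTTP responses are constructed for illustration, not taken from the judgment. For each path it reports whether the server returns a directory listing, whether a file is readable without authentication, and whether the response carries any crawler-exclusion directive; it also shows why disabling directory listing alone is not enough once crawlers already hold the file URLs.

```python
"""Offline audit for the exposure pattern in [2019] SGPDPC 40: a web folder
that is world-readable, has directory listing enabled and carries no
crawler directives.  All responses, paths and file names below are
constructed for this example; they are assumptions, not from the decision."""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Apache and nginx auto-index pages are titled "Index of /<path>".
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# <meta name="robots" content="noindex"> in the body also excludes crawlers.
META_NOINDEX = re.compile(r'<meta[^>]+name=["\']robots["\'][^>]+noindex', re.IGNORECASE)


def is_directory_listing(resp):
    return resp.status == 200 and bool(LISTING_TITLE.search(resp.body))


def crawlers_excluded(resp):
    tag = resp.header("X-Robots-Tag") or ""
    return "noindex" in tag.lower() or bool(META_NOINDEX.search(resp.body))


def assess(path, resp):
    """Return the list of findings for one path; an empty list means the path
    is not readable anonymously, so there is nothing for a crawler to index."""
    findings = []
    if resp.status != 200:
        return findings
    if path.endswith("/") and is_directory_listing(resp):
        findings.append("directory listing enabled")
    if not path.endswith("/"):
        findings.append("file readable without authentication")
    if not crawlers_excluded(resp):
        findings.append("indexable by search engines")
    return findings


def audit(site):
    """Map each path with at least one finding to its findings."""
    result = {}
    for path, resp in site.items():
        findings = assess(path, resp)
        if findings:
            result[path] = findings
    return result


# Constructed responses: the folder as the incident found it.
BEFORE = {
    "/uploads/resumes/": Response(200, {"Content-Type": "text/html"},
        "<html><head><title>Index of /uploads/resumes</title></head>"
        "<body><a href='jane_doe_cv.pdf'>jane_doe_cv.pdf</a></body></html>"),
    "/uploads/resumes/jane_doe_cv.pdf": Response(
        200, {"Content-Type": "application/pdf"}, "%PDF-1.4 (constructed)"),
}

# Constructed responses: only directory listing switched off.  Crawlers that
# already hold the file URL can still fetch and index the résumé.
PARTIAL = {
    "/uploads/resumes/": Response(403, {"Content-Type": "text/html"}, "<h1>Forbidden</h1>"),
    "/uploads/resumes/jane_doe_cv.pdf": Response(
        200, {"Content-Type": "application/pdf"}, "%PDF-1.4 (constructed)"),
}

# Constructed responses: anonymous access denied and noindex declared.
AFTER = {
    "/uploads/resumes/": Response(
        403, {"X-Robots-Tag": "noindex, nofollow"}, "<h1>Forbidden</h1>"),
    "/uploads/resumes/jane_doe_cv.pdf": Response(
        403, {"X-Robots-Tag": "noindex, nofollow"}, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, audit(site))
```

In a real test the responses come from an unauthenticated HTTP client pointed at the live site, run before go-live and again after any change by the developer or hosting provider. On Apache, `Options -Indexes` switches off the auto-generated listing and `Require all denied` (or moving the upload folder outside the document root and serving files only through an authenticated handler) stops anonymous reads. An `X-Robots-Tag: noindex` header and a search engine removal request only deal with copies already discovered; they are not access control and do not replace the authentication check.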
Why Does This Case Matter?
This case is significant for several reasons. Firstly, it reinforces the PDPC's strict approach to enforcing the protection obligation under Section 24 of the PDPA. The PDPC has consistently emphasized that organizations must take proactive steps to test and verify the security of their IT systems and the personal data they hold, rather than simply relying on assurances from third-party service providers.
Secondly, the case highlights the importance of organizations clearly documenting their instructions and expectations when engaging external service providers, such as web developers and web hosting providers. Failing to do so can undermine an organization's ability to demonstrate that it has made reasonable security arrangements to protect personal data.
Finally, the case serves as a warning to organizations that handle personal data, particularly those in the recruitment and HR sectors, about the need to implement and verify robust security measures for sensitive information such as job applicants' résumés. Failure to do so can result in financial penalties, as this decision demonstrates, as well as reputational damage.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 19
- [2018] SGPDPC 26
- [2019] SGPDPC 40
- [2019] SGPDPC 5
Source Documents
This article analyses [2019] SGPDPC 40 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.