Case Details
- Citation: [2020] SGPDPC 8
- Court: Personal Data Protection Commission
- Date: 2020-03-30
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Secur Solutions Group Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2020] SGPDPC 8
- Judgment Length: 12 pages, 1,794 words
Summary
This case concerns an incident where one of Secur Solutions Group Pte Ltd's servers, which stored a database containing personal data of around 800,000 blood donors, was discovered to be accessible from the internet. The Personal Data Protection Commission found that Secur Solutions Group Pte Ltd had breached its obligation under the Personal Data Protection Act to make reasonable security arrangements to protect the personal data in its possession. The Commission directed Secur Solutions Group Pte Ltd to pay a financial penalty of $120,000.
What Were the Facts of This Case?
Secur Solutions Group Pte Ltd (the "Organisation") has been engaged by the Health Sciences Authority ("HSA") since 2013 to develop and maintain various IT systems, including a queue management system ("QMS") for blood donors. Pursuant to this QMS engagement, HSA provided the Organisation with files containing copies of a database ("Database") of blood donor personal data for the purposes of testing and developing the QMS.
The Organisation stored these files containing the Database on a server designated for testing and development purposes (the "Testing and Development Server"). However, the Testing and Development Server was accessible through the internet and had no security measures in place, such as firewalls or access restrictions. As a result, a cybersecurity expert was able to access the personal data in the Database through the Organisation's server.
The personal data in the Database included the names, NRIC numbers, gender, mobile numbers, blood donation history, and in some cases blood type, height and weight, of around 800,000 individual blood donors (the "Affected Individuals").
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had complied with its obligations under section 24 of the Personal Data Protection Act (the "PDPA") to protect the personal data in its possession by making reasonable security arrangements.
The Organisation admitted that it had breached section 24 of the PDPA by failing to put in place reasonable security arrangements to protect the personal data. It acknowledged that the files containing the Database should not have been stored on the unsecured Testing and Development Server, which was accessible from the internet without any access restrictions or security protocols.
How Did the Court Analyse the Issues?
The Commissioner noted that as a data intermediary of HSA, the Organisation was required to comply with section 24 of the PDPA with respect to the personal data in its possession. Section 24 requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
The Commissioner found that the Organisation had breached section 24 by failing to make reasonable security arrangements. The Organisation admitted that it ought to have been aware that the files provided by HSA contained actual personal data, rather than just dummy data, based on its past experience of directly retrieving personal data from HSA's servers for testing and development purposes.
Despite this, the Organisation stored the files containing the personal data on the unsecured Testing and Development Server, which was accessible from the internet without any firewalls, access restrictions or other security protocols in place. The Commissioner found that this was a breach of the Organisation's own data protection policies and practices, which required personal data to be protected and secured regardless of the purposes for which it was provided.
What Was the Outcome?
The Commissioner directed the Organisation to pay a financial penalty of $120,000 within 30 days, failing which interest would accrue on the outstanding amount.
The Commissioner noted that the Organisation had implemented various remedial actions to address the incident, including disconnecting the compromised server from the internet, disabling remote access to its servers, conducting forensic analysis, and reviewing and improving its internal data protection and cybersecurity processes. The Commissioner was satisfied that these remedial actions had sufficiently addressed the risks to the personal data, and therefore did not impose any further directions on the Organisation.
Why Does This Case Matter?
This case highlights the importance of organisations having robust data protection and cybersecurity measures in place, even when handling personal data for the purposes of testing and development. Organisations cannot simply rely on the fact that data is being used for non-production purposes as an excuse for failing to implement reasonable security arrangements.
The case also demonstrates the Personal Data Protection Commission's willingness to impose significant financial penalties on organisations that breach their obligations under the PDPA. The $120,000 penalty imposed on Secur Solutions Group Pte Ltd serves as a strong deterrent and underscores the Commission's commitment to enforcing data protection laws in Singapore.
For legal practitioners, this case provides useful guidance on the scope of an organisation's obligations under section 24 of the PDPA, and the factors the Commission will consider in determining the appropriate enforcement actions. It emphasises that organisations must take proactive steps to secure personal data in their possession, regardless of the context in which that data is being used.
Legislation Referenced
- Personal Data Protection Act
Cases Cited
- [2020] SGPDPC 8
Source Documents
This article analyses [2020] SGPDPC 8 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.