Singapore Cricket Association and Another [2018] SGPDPC 19

Analysis of [2018] SGPDPC 19, a decision of the Personal Data Protection Commission on 2018-08-21.

Case Details

  • Citation: [2018] SGPDPC 19
  • Court: Personal Data Protection Commission
  • Date: 2018-08-21
  • Legal Areas: Data Protection – Openness obligation, Data Protection – Protection obligation
  • Statutes Referenced: N/A
  • Cases Cited: [2016] SGPDPC 19, [2017] SGPDPC 14, [2017] SGPDPC 15, [2018] SGPDPC 19
  • Judgment Length: 15 pages, 4,057 words

Summary

This case concerns the unauthorized disclosure of personal data of cricket players on the Singapore Cricket Association's (SCA) websites. The Personal Data Protection Commission (PDPC) investigated the incident and found that while the web development company MI did not breach its data protection obligations, the SCA failed to comply with its obligation to develop and implement data protection policies and practices. The PDPC issued directions to the SCA to remedy its data protection shortcomings.

What Were the Facts of This Case?

The SCA is the official governing body of cricket in Singapore, administering various cricket leagues with over 100 participating clubs. All clubs and players are required to register with the SCA, providing personal data such as name, photograph, NRIC/FIN number, date of birth, email, and mobile number.

In 2016, the SCA engaged a web design company, Massive Infinity (MI), to revamp its website. During the development process, MI created new player profile pages that included not only the previously disclosed "Player Profile Information" (name, photograph, player code, and statistics), but also the players' NRIC/FIN numbers, dates of birth, email addresses, and mobile numbers (the "Additional Player Personal Data").

The Revamped Website with the new player profile pages was first launched on the SCA's secondary domain (www.cricketsingapore.com) for testing, and then migrated to the primary domain (www.singaporecricket.org) around January 2017. The Additional Player Personal Data was publicly accessible on these websites until it was removed in February 2017. The SCA estimated that up to 100 players were affected by this unauthorized disclosure.

The key legal issues were:

  1. Whether MI breached its data protection obligations under section 24 of the Personal Data Protection Act (PDPA) by disclosing the Additional Player Personal Data.
  2. Whether the SCA complied with its obligation under section 12(a) of the PDPA to develop and implement data protection policies and practices.
  3. Whether the SCA breached section 24 of the PDPA by failing to protect the players' personal data.

How Did the Court Analyse the Issues?

On the first issue, the PDPC found that MI did not breach its data protection obligations under section 24 of the PDPA. The PDPC noted that MI was acting on the instructions of the SCA in creating the new player profile pages, and there was no evidence that MI should have known that the Additional Player Personal Data should not have been disclosed based on the SCA's instructions or the circumstances.

On the second issue, the PDPC found that the SCA failed to comply with its obligation under section 12(a) of the PDPA to develop and implement data protection policies and practices. The SCA had represented that it did not have any internal guidelines or policies for the protection of personal data at the time of the incident and was in the process of reviewing this.

On the third issue, the PDPC found that the SCA breached its data protection obligations under section 24 of the PDPA by failing to make reasonable security arrangements to prevent the unauthorized disclosure of the players' personal data. The PDPC noted that the SCA had failed to provide MI with clear instructions on the type of player information to be included on the new player profile pages, leading to the inclusion of the Additional Player Personal Data.

What Was the Outcome?

The PDPC issued the following directions to the SCA:

  1. To develop and implement data protection policies and practices necessary to meet its obligations under the PDPA.
  2. To conduct a comprehensive review of its data protection practices and implement appropriate measures to prevent similar incidents in the future.
  3. To engage a qualified independent third party to audit its data protection practices and report the findings to the PDPC.
  4. To notify all affected individuals of the incident and the measures taken to address the issue.

Why Does This Case Matter?

This case highlights how important it is for organizations to have robust data protection policies and practices in place, even if they are not directly responsible for the unauthorized disclosure of personal data. The PDPC's findings emphasize that organizations have a duty to provide clear instructions and guidance to their service providers to ensure the proper handling of personal data.

The case also underscores the need for organizations to proactively review and update their data protection measures, rather than waiting for an incident to occur. By failing to develop and implement appropriate data protection policies and practices, the SCA was found to have breached its obligations under the PDPA, despite the web development company not being at fault.

This decision serves as a valuable precedent for organizations in Singapore, demonstrating the PDPC's expectations regarding data protection compliance and the consequences for failing to meet these obligations. It reinforces the importance of having a comprehensive data protection framework in place, including clear policies, procedures, and oversight mechanisms, to prevent and mitigate the risks of personal data breaches.

Legislation Referenced

  • Personal Data Protection Act (PDPA)

Cases Cited

  • [2016] SGPDPC 19
  • [2017] SGPDPC 14
  • [2017] SGPDPC 15
  • [2018] SGPDPC 19

Source Documents

This article analyses [2018] SGPDPC 19 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
