Case Details
- Citation: [2020] SGPDPC 16
- Court: Personal Data Protection Commission
- Date: 2020-05-05
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Singapore Red Cross Society
- Legal Areas: Data Protection – Protection obligation, Data Protection – Retention limitation obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 12, [2018] SGPDPC 12, [2018] SGPDPC 26, [2019] SGPDPC 1, [2019] SGPDPC 22, [2019] SGPDPC 44, [2020] SGPDPC 16
- Judgment Length: 9 pages, 1,548 words
Summary
In this case, the Singapore Personal Data Protection Commission (PDPC) found that the Singapore Red Cross Society (the "Organisation") had breached its obligations under the Personal Data Protection Act (PDPA) to protect personal data and limit its retention. The Organisation had failed to implement adequate security measures to prevent unauthorised access to a database containing personal data of blood donors, resulting in a data breach. The Organisation also retained personal data longer than necessary, in breach of the PDPA's retention limitation obligation. The PDPC imposed a financial penalty on the Organisation, but reduced the amount after considering the Organisation's remedial actions and cooperation.
What Were the Facts of This Case?
The Singapore Red Cross Society operates a website that allows the public to make appointments for blood donations. For this purpose, the Organisation collects personal data of individuals such as their names, contact numbers, email addresses and blood types (the "Personal Data"). This Personal Data was stored in the Organisation's blood donor appointment database (the "Database"), which was accessible via the website.
On 9 May 2019, the Organisation notified the PDPC that unauthorised individual(s) had accessed and extracted the Personal Data of approximately 4,297 individuals ("Affected Individuals") from the Database (the "Incident"). After being notified of the Incident, the Organisation took remedial actions, including removing the appointment booking system from its website to temporarily cease collecting Personal Data, and revising and strengthening its internal procedures to comply with the PDPA.
The Organisation admitted that it had failed to implement adequate security measures to protect the Personal Data stored in the Database, and had also retained the Personal Data of approximately 900 Affected Individuals longer than necessary.
What Were the Key Legal Issues?
The key legal issues in this case were whether the Organisation had breached its obligations under the PDPA to:
- Protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the "Protection Obligation"); and
- Cease to retain personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer served by retaining the data, and the retention is no longer necessary for legal or business purposes (the "Retention Limitation Obligation").
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had breached both the Protection Obligation and the Retention Limitation Obligation under the PDPA.
Regarding the Protection Obligation, the PDPC found that the Organisation had failed to implement adequate security measures to protect the Personal Data stored in the Database. Specifically, the PDPC noted that the Organisation had engaged a vendor to develop the website but did not adequately supervise the vendor's work, which led to a phpMyAdmin database administration tool (the "Tool") being deployed to manage the Database. The Organisation also had no password management policy requiring strong passwords, so a weak password ("12345") was set for the Tool. In addition, the Organisation did not conduct regular security reviews to identify applications it no longer needed, and consequently did not realise that the Tool remained connected to the website after development of the website had been completed. This allowed unauthorised individuals to gain access to the Database through the Tool using the weak password.
Regarding the Retention Limitation Obligation, the PDPC found that the Organisation had retained the Personal Data of approximately 900 Affected Individuals longer than necessary. Prior to the Incident, the Organisation had intended to purge this Personal Data from the Database, but provided the wrong instructions to its vendor, resulting in only some data elements being removed instead of the entire records. The Organisation also failed to conduct verification checks to ensure the purging exercise was properly carried out.
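As an added illustration (not part of the decision or of the Organisation's own systems), the purge failure and the missing verification check described above can be shown against a constructed sample table: the mistaken instruction blanks a single column and leaves the record in place, the intended purge deletes the whole record, and an independent post-purge check reports any expired row that still carries an identifier. The table layout, column names, sample rows and the 365-day retention period are all assumptions.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 365          # assumed period; the decision does not state one
TODAY = date(2020, 5, 5)      # constructed reference date for the sample
# Columns that let a row be associated with a particular individual.
IDENTIFYING_COLUMNS = ("name", "contact_number", "email")


def build_sample_db(today: date = TODAY) -> sqlite3.Connection:
    """Constructed sample appointment table (not data from the decision)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE appointments (
        id INTEGER PRIMARY KEY, name TEXT, contact_number TEXT, email TEXT,
        blood_type TEXT, appointment_date TEXT)""")
    expired = (today - timedelta(days=RETENTION_DAYS + 30)).isoformat()
    recent = (today - timedelta(days=10)).isoformat()
    conn.executemany("INSERT INTO appointments VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Donor A", "91110000", "a@example.test", "O+", expired),
        (2, "Donor B", "92220000", "b@example.test", "A-", expired),
        (3, "Donor C", "93330000", "c@example.test", "B+", recent),
    ])
    return conn

def cutoff_for(today: date) -> str:
    return (today - timedelta(days=RETENTION_DAYS)).isoformat()

def partial_purge(conn: sqlite3.Connection, today: date = TODAY) -> int:
    """The mistaken instruction: clear one data element, keep the record."""
    cur = conn.execute("UPDATE appointments SET name = NULL "
                       "WHERE appointment_date < ?", (cutoff_for(today),))
    return cur.rowcount

def full_purge(conn: sqlite3.Connection, today: date = TODAY) -> int:
    """The intended outcome: delete the entire expired record."""
    cur = conn.execute("DELETE FROM appointments WHERE appointment_date < ?",
                       (cutoff_for(today),))
    return cur.rowcount

def verify_purge(conn: sqlite3.Connection, today: date = TODAY) -> list[int]:
    """Post-purge check: ids of expired rows still carrying any identifier.
    A row with only some columns cleared is still reported, which is the
    partial-purge condition a verification step is meant to catch."""
    residual = " OR ".join(f"{c} IS NOT NULL" for c in IDENTIFYING_COLUMNS)
    rows = conn.execute(
        f"SELECT id FROM appointments WHERE appointment_date < ? "
        f"AND ({residual}) ORDER BY id", (cutoff_for(today),)).fetchall()
    return [r[0] for r in rows]
```

Running `verify_purge` after `partial_purge` on the sample reports both expired rows, because their contact numbers and e-mail addresses remain; after `full_purge` it reports nothing.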
What Was the Outcome?
The PDPC found the Organisation in breach of Sections 24 (Protection Obligation) and 25 (Retention Limitation Obligation) of the PDPA. The PDPC initially intended to impose a higher financial penalty on the Organisation, but reduced the amount after considering the Organisation's representations.
Specifically, the PDPC directed the Organisation to pay a financial penalty of $5,000 within 30 days, taking into account the Organisation's upfront voluntary admission of liability and its comprehensive remedial actions to address the inadequacies in its procedures and processes that contributed to the Incident. The PDPC did not impose any other directions, noting that the remedial measures taken by the Organisation were sufficient.
Why Does This Case Matter?
This case is significant for several reasons:
- It reinforces the importance of organisations implementing adequate security measures to protect personal data in their possession or under their control, in accordance with the PDPA's Protection Obligation. The case highlights the need for proper password management, regular security reviews, and effective supervision of vendors to prevent unauthorised access to personal data.
- It underscores the PDPA's Retention Limitation Obligation, which requires organisations to cease retaining personal data as soon as the purpose for which it was collected is no longer served, and the retention is no longer necessary for legal or business purposes. Organisations must have robust processes in place to ensure the timely and complete purging of personal data that is no longer required.
- The case demonstrates the PDPC's approach to enforcement, where it considers mitigating factors such as an organisation's voluntary admission of liability, remedial actions, and cooperation in determining the appropriate financial penalty. However, the PDPC emphasises that an organisation's charitable status or previous decisions in other cases do not automatically lower the standard expected of it in complying with its PDPA obligations.
- The case provides guidance to organisations on the PDPC's expectations regarding data protection practices and the potential consequences of non-compliance, which can include significant financial penalties.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2017] SGPDPC 12
- [2018] SGPDPC 12
- [2018] SGPDPC 26
- [2019] SGPDPC 1
- [2019] SGPDPC 22
- [2019] SGPDPC 44
- [2020] SGPDPC 16
Source Documents
This article analyses [2020] SGPDPC 16 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.