
Singapore Taekwondo Federation [2018] SGPDPC 17

Analysis of [2018] SGPDPC 17, a decision of the Personal Data Protection Commission on 2018-06-22.

Case Details

  • Citation: [2018] SGPDPC 17
  • Court: Personal Data Protection Commission
  • Date: 2018-06-22
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Singapore Taekwondo Federation
  • Legal Areas: Data Protection – Openness obligation, Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2017] SGPDPC 14, [2017] SGPDPC 15, [2017] SGPDPC 7, [2018] SGPDPC 17
  • Judgment Length: 21 pages, 5,340 words

Summary

In this case, the Personal Data Protection Commission (the "Commission") investigated a complaint against the Singapore Taekwondo Federation (the "Organisation") regarding the unauthorised disclosure of students' NRIC numbers on the Organisation's website. The Commission found that the Organisation had breached its obligations under the Personal Data Protection Act 2012 ("PDPA") by failing to designate a data protection officer, implement data protection policies, and put in place reasonable security arrangements to protect the personal data in its possession.

What Were the Facts of This Case?

The Organisation, a society registered with the Registry of Societies, is responsible for promoting, supporting, and developing taekwondo-related programmes and activities in Singapore. Since 2015, the Organisation had been posting PDF documents containing the names and schools of students who participated in the Annual Inter-School Taekwondo Championships on its publicly accessible website.

On 19 May 2017, a member of the public (the "Complainant") discovered that the PDF documents also contained the NRIC numbers of 782 students, which were not immediately visible as they were set out in minimised columns. When the Complainant copied and pasted the contents of the PDF documents, the NRIC numbers became visible. The Complainant informed the Organisation of this unauthorised disclosure, but received no response.

The Complainant then lodged a complaint with the Commission on 30 May 2017. After being notified by the Commission, the Organisation removed the PDF documents from its website and took steps to contact Google to remove the cached versions and to instruct its staff to delete the relevant information before uploading any new documents.

The key legal issues in this case were whether the Organisation had complied with its obligations under the PDPA:

  1. To designate one or more persons to be responsible for ensuring the Organisation's compliance with the PDPA (section 11);
  2. To develop and implement policies and practices necessary for the Organisation to meet its obligations under the PDPA (section 12); and
  3. To implement reasonable security arrangements to protect the personal data in its possession or under its control (section 24).

How Did the Court Analyse the Issues?

The Commissioner first considered the nature of the personal data involved, noting that the NRIC numbers disclosed constituted personal data as defined in the PDPA, and that there were additional considerations regarding the sensitivity of minors' personal data.

Regarding the Organisation's compliance with section 11 of the PDPA, the Commissioner found that the Organisation had not designated any person to be responsible for ensuring its compliance with the PDPA. The Organisation admitted that it was not aware of the PDPA and had not appointed a data protection officer.

In relation to the Organisation's compliance with section 12 of the PDPA, the Commissioner found that the Organisation had not developed or implemented any data protection policies or practices necessary to meet its obligations under the PDPA.

Regarding the Organisation's compliance with section 24 of the PDPA, the Commissioner found that the Organisation had failed to implement reasonable security arrangements to protect the personal data in its possession. The Organisation had merely minimised the columns containing the NRIC numbers in the Excel spreadsheets, rather than properly hiding them, which resulted in the unauthorised disclosure when the contents of the PDF documents were copied and pasted.

What Was the Outcome?

Based on the findings, the Commissioner concluded that the Organisation had breached its obligations under sections 11, 12, and 24 of the PDPA. The Commissioner directed the Organisation to:

  1. Appoint a data protection officer;
  2. Develop and implement data protection policies and practices; and
  3. Implement reasonable security arrangements to protect the personal data in its possession or under its control.

The Commissioner also required the Organisation to provide a written undertaking to comply with these directions within a specified timeframe.

Why Does This Case Matter?

This case is significant for several reasons:

Firstly, it highlights the importance of organisations, even those managed primarily by volunteers, understanding and complying with their obligations under the PDPA. The Commissioner made it clear that the Organisation would be responsible for the actions of its employees and volunteers engaged in the course of their work.

Secondly, the case emphasises the heightened sensitivity and need for additional safeguards when handling the personal data of minors, such as the students whose NRIC numbers were disclosed. The Commissioner's analysis drew upon guidance from various jurisdictions regarding the special considerations for protecting minors' personal data.

Lastly, the case provides valuable insights into the Commission's approach to assessing compliance with the PDPA's openness and protection obligations. Organisations should take note of the importance of designating a data protection officer, developing comprehensive data protection policies, and implementing robust security measures to protect the personal data in their possession.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 14
  • [2017] SGPDPC 15
  • [2017] SGPDPC 7
  • [2018] SGPDPC 17

Source Documents

This article analyses [2018] SGPDPC 17 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
