Case Details
- Citation: [2020] SGPDPC 13
- Court: Personal Data Protection Commission
- Date: 2020-08-05
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Singapore Telecommunications Limited
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 16, [2017] SGPDPC 6, [2018] SGPDPC 18, [2019] SGPDPC 49, [2020] SGPDPC 13, [2020] SGPDPC 2
- Judgment Length: 9 pages, 1,715 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated an incident in which customers of Singapore Telecommunications Limited (Singtel) could see, through Singtel's mobile application, service numbers that had previously been assigned to them, together with the usage information of the customers who currently held those numbers. The PDPC found that Singtel had made reasonable security arrangements to protect its customers' personal data and had not breached its protection obligation under the Personal Data Protection Act 2012.
What Were the Facts of This Case?
Singapore Telecommunications Limited (Singtel) is a multinational telecommunications conglomerate headquartered in Singapore. Singtel's customers can manage the company's services through its mobile application, the MySingtel mobile application (the "Mobile App"). The Mobile App allows customers to perform tasks such as paying bills, tracking mobile data usage, and subscribing to roaming plans.
On 28 March 2019, Singtel was notified by a customer of an issue with the Mobile App – customers were able to view their previously assigned service numbers (the "Recycled Numbers") and the related usage information of other customers who were the current users of the Recycled Numbers. Singtel notified the PDPC of this incident (the "Incident") on 17 April 2019.
Singtel had engaged a software services provider (the "Vendor") to develop and introduce code changes to the Application Programming Interface (API) that powers the Mobile App. As part of a scheduled code update, the Vendor changed the API code and also carried out code optimization using SonarQube, a static code analysis tool. SonarQube recommended removing a code condition that decoupled Recycled Numbers from their previous users (the "Condition"). The Vendor followed the recommendation and removed the Condition, but did not report this change in the Technical Change Request form it submitted to Singtel.
With the Condition removed, the API retrieved both active and Recycled Numbers associated with a user of the Mobile App, so a customer's app could display details of numbers that had since been reassigned to other customers; this was the Incident. According to Singtel, 384 of its customers were affected. The personal data at risk of unauthorized access comprised the Recycled Numbers, installation addresses, usage details, subscribed services, price plans, and billing cycles.
What Were the Key Legal Issues?
The key legal issue in this case was whether Singtel had breached its obligations under Section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its customers.
Section 24 of the PDPA requires an organization to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks." The PDPC had to determine whether the security measures taken by Singtel were reasonable in the circumstances.
How Did the Court Analyse the Issues?
The PDPC acknowledged that an organization is not required to provide an absolute guarantee for the protection of personal data in its possession. Instead, the organization is expected to make such security arrangements as a reasonable person would consider appropriate, given the nature of the personal data involved and the particular circumstances of the organization.
The PDPC's investigation revealed that Singtel had taken several reasonable measures to protect its customers' personal data:
1. Singtel emphasized the need for personal data protection in its contractual terms with the Vendor, requiring the Vendor to establish security processes and actively enforce policies addressing personal data protection. Singtel also conducted audits on the Vendor to ensure the adequacy and effectiveness of its IT controls and processes.
2. Singtel conducted pre-launch testing of the code changes, including business user acceptance testing and regression testing. Although Singtel was unaware of the removal of the Condition because it was not reported in the Technical Change Request, the PDPC found that it was reasonable for Singtel to test only the changes set out in the request, as there was no reason to suspect additional code changes in a scheduled routine update.
3. Singtel had implemented various quality assurance measures, including user acceptance testing and regression testing of the Mobile App's critical business functions. The test results were reviewed by directors in Singtel's business and IT departments before approving the code changes for deployment.
Based on these findings, the PDPC concluded that the security arrangements put in place by Singtel to protect its customers' personal data were reasonable in the circumstances, and that the Incident appeared to be a one-off incident that was difficult to foresee.
What Was the Outcome?
The PDPC found that Singtel had not contravened its obligations under Section 24 of the PDPA. The PDPC acknowledged that Singtel had taken reasonable security measures to protect its customers' personal data and that the Incident was an isolated occurrence that was difficult to anticipate.
To prevent a recurrence of the Incident or similar risks, Singtel implemented additional regression test scenarios covering the testing of Recycled Numbers, and made enhancements to the Mobile App to prevent the display of historical service information and ensure that only information retrieved for the customer's authenticated session is displayed.
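The failure mode described in the facts (a filtering condition removed as apparently redundant, after which the API returned Recycled Numbers together with their current holders' data) and the remediation described above (displaying only data that belongs to the authenticated customer, plus a regression scenario for Recycled Numbers) can be shown side by side in code. The following is an added example written for this article; it is not Singtel's or the Vendor's code, the decision does not describe their data model or why SonarQube flagged the Condition, and every name, record and function here is a constructed assumption.

```python
"""Added example (not Singtel's or the Vendor's code): a filter that looks
redundant to a static analyser can be the only thing separating one
customer's view from another customer's data.

All names, records and the data model are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Assignment:
    """One period during which a service number belonged to a customer.
    `ended` is None while the assignment is current (constructed model)."""
    service_number: str
    customer_id: str
    ended: Optional[str]  # ISO date, or None if still assigned


@dataclass(frozen=True)
class UsageRecord:
    """Usage/billing data keyed by service number (constructed)."""
    service_number: str
    installation_address: str
    data_used_gb: float
    price_plan: str
    billing_cycle: str


# Constructed sample data: 91000001 was held by "alice", released, then
# reassigned to "bob". From alice's point of view it is a Recycled Number.
ASSIGNMENTS = [
    Assignment("91000001", "alice", ended="2018-06-30"),
    Assignment("91000001", "bob", ended=None),
    Assignment("91000002", "alice", ended=None),
]
USAGE = {
    "91000001": UsageRecord("91000001", "12 Example Rd #05-01", 3.4, "Plan B", "monthly"),
    "91000002": UsageRecord("91000002", "7 Sample Ave #02-02", 1.1, "Plan A", "monthly"),
}


def current_owner(service_number: str) -> Optional[str]:
    """Customer who currently holds the number, or None if unassigned."""
    for a in ASSIGNMENTS:
        if a.service_number == service_number and a.ended is None:
            return a.customer_id
    return None


def my_services_without_condition(customer_id: str) -> List[UsageRecord]:
    """Vulnerable variant: every assignment ever linked to the customer is
    used to look up the number's CURRENT usage record. Without the
    "assignment still current" condition, alice receives bob's record."""
    numbers = [a.service_number for a in ASSIGNMENTS if a.customer_id == customer_id]
    return [USAGE[n] for n in numbers]


def my_services(customer_id: str) -> List[UsageRecord]:
    """Hardened variant: (1) keep the condition that drops ended assignments
    (the "Condition"), and (2) re-check per record that the number's current
    owner is the authenticated customer, so deleting (1) again cannot leak."""
    numbers = [a.service_number for a in ASSIGNMENTS
               if a.customer_id == customer_id and a.ended is None]  # (1)
    result = []
    for n in numbers:
        record = USAGE[n]
        if current_owner(record.service_number) != customer_id:  # (2)
            continue  # never display data belonging to another subscriber
        result.append(record)
    return result


def leaked_records(customer_id: str, records: List[UsageRecord]) -> List[UsageRecord]:
    """Records in an API response that do not belong to the requesting customer."""
    return [r for r in records if current_owner(r.service_number) != customer_id]


def regression_recycled_numbers() -> bool:
    """Regression scenario for Recycled Numbers: the previous holder must not
    see the current holder's record, and the current holder must see it."""
    alice = {r.service_number for r in my_services("alice")}
    bob = {r.service_number for r in my_services("bob")}
    return "91000001" not in alice and alice == {"91000002"} and bob == {"91000001"}


if __name__ == "__main__":
    print("without Condition, alice sees:", [r.service_number for r in my_services_without_condition("alice")])
    print("leaked to alice:", [r.service_number for r in leaked_records("alice", my_services_without_condition("alice"))])
    print("hardened, alice sees:", [r.service_number for r in my_services("alice")])
    print("recycled-number regression passes:", regression_recycled_numbers())
```

The point of the second check in `my_services` is that authorisation is enforced on the data actually returned, not only on the query that selects it: if a future "optimisation" removes the assignment filter again, the per-record owner check still withholds the other subscriber's data, and `regression_recycled_numbers` is the scenario that would have turned the silent removal of the Condition into a failed test before deployment.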
Why Does This Case Matter?
This case is significant as it provides guidance on the interpretation and application of the protection obligation under Section 24 of the PDPA. The PDPC's decision emphasizes that organizations are not required to provide an absolute guarantee for the protection of personal data, but rather must make reasonable security arrangements based on the specific circumstances of the case.
The PDPC's analysis of Singtel's security measures, including its contractual arrangements with vendors, pre-launch testing procedures, and quality assurance processes, offers valuable insights for organizations on how to fulfill their data protection obligations. The case also highlights the importance of effective communication and reporting between organizations and their vendors when implementing system changes that may affect the handling of personal data: here, a condition that a code analysis tool treated as removable was in fact the control separating one customer's data from another's, and its removal was neither recorded in the change request nor covered by the regression tests of the time.
Overall, this decision provides a useful reference for organizations in the telecommunications and other sectors on the practical application of the PDPA's protection obligation, and the steps they can take to safeguard their customers' personal data.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2017] SGPDPC 16
- [2017] SGPDPC 6
- [2018] SGPDPC 18
- [2019] SGPDPC 49
- [2020] SGPDPC 13
- [2020] SGPDPC 2
Source Documents
This article analyses [2020] SGPDPC 13 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.