
SLF Green Maid Agency [2018] SGPDPC 27

Analysis of [2018] SGPDPC 27, a decision of the Personal Data Protection Commission on 2018-12-13.

Case Details

  • Citation: [2018] SGPDPC 27
  • Court: Personal Data Protection Commission
  • Date: 2018-12-13
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: SLF Green Maid Agency
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2017] SGPDPC 5, [2018] SGPDPC 27
  • Judgment Length: 7 pages, 1,798 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that SLF Green Maid Agency breached its obligation under the Personal Data Protection Act 2012 (PDPA) to protect personal data in its possession. The breach occurred when the agency's employee handed the complainant pieces of scrap paper containing the personal data of other individuals. The PDPC determined that the agency failed to implement reasonable security arrangements to prevent such unauthorized disclosure of personal data.

What Were the Facts of This Case?

The case arose from the common practice of reusing scrap or discarded paper where the reverse side can still be used. On two separate occasions, an employee of SLF Green Maid Agency (the "Organisation") provided the complainant with pieces of paper that contained personal data of other individuals on the reverse side.

On the first occasion, the used side of the paper contained a photocopy of the front and back of an individual's NRIC (national registration identity card). On the second occasion, the used side of the paper included a letter detailing a family's personal circumstances, explaining why they required a foreign domestic worker, as well as the names, FIN numbers, passport numbers, and passport expiry dates of four individuals. Additionally, the same portion of a contract contained the names and NRIC numbers of five other individuals, along with some accompanying signatures.

The complainant informed the employee that the paper containing personal data should not have been given to her. However, the employee made the same mistake twice, handing over scrap paper with personal data to the same complainant on two separate visits to the agency's office.

The key legal issue in this case was whether SLF Green Maid Agency's disclosure of personal data to the complainant amounted to a breach of section 24 of the Personal Data Protection Act 2012 (PDPA). Section 24 of the PDPA requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

The PDPC had to determine whether the agency's security arrangements were reasonable and sufficient to prevent the unauthorized disclosure of personal data that occurred in this case.

How Did the Court Analyse the Issues?

The PDPC found that the unauthorized disclosure of personal data stemmed from the agency's lack of reasonable security arrangements to prevent such disclosure. The PDPC identified two key aspects that organizations should have in place to protect personal data when reusing scrap paper:

1. Implementing a system of processes backed up by policies. The PDPC noted that the agency did not have any process or system for segregating scrap paper containing personal data from the pile of scrap paper that could be reused by staff. The agency also did not have any detailed policies with respect to personal data protection.

2. Providing staff training to be aware of the risks and alert to spot them. The PDPC found that the agency's reliance on verbal instructions by management to screen scrap paper and discard any containing personal data was insufficient. The PDPC stated that structured and periodic training is necessary to inculcate the right employee culture and establish the appropriate level of sensitivity to personal data.

The PDPC also noted that the agency's "Guidelines to Personal Data Protection" did not address the reuse of discarded paper containing personal data directly, and there was no evidence that these guidelines were provided to employees.

Overall, the PDPC concluded that the agency's security arrangements were inadequate, as it failed to implement the necessary processes and policies, as well as effective staff training, to prevent the unauthorized disclosure of personal data.

What Was the Outcome?

Based on the findings that the agency breached its obligation under section 24 of the PDPA, the PDPC issued the following directions to the agency:

1. Conduct a review of its procedures to prevent the use of discarded or unwanted documents containing personal data within 30 days.

2. Develop a training program to ensure all staff are aware of and will comply with PDPA requirements when handling personal data, within 60 days.

3. Require all staff who have not attended data protection training to do so within 30 days of the training program's development.

4. Inform the PDPC of the completion of each of the above within 7 days of implementation.

The PDPC decided not to impose a financial penalty, considering the limited scope of the unauthorized disclosure in this case.

Why Does This Case Matter?

This case highlights the importance of organizations implementing robust security arrangements to protect personal data, even in the context of seemingly mundane practices like reusing scrap paper. The PDPC's decision underscores that organizations must have the necessary policies and processes, as well as effective staff training, to meet their obligations under the PDPA.

The case is a valuable precedent for organizations handling personal data, as it provides guidance on the specific security measures that the PDPC considers "reasonable" under section 24 of the PDPA. It emphasizes that verbal instructions alone are insufficient, and that structured, periodic training is necessary to cultivate the right employee culture and sensitivity towards personal data protection.

Furthermore, the PDPC's decision demonstrates its willingness to take enforcement action against organizations that fail to comply with the PDPA, even in cases where the scope of unauthorized disclosure is limited. This sends a clear message to organizations that they must take their data protection obligations seriously and implement appropriate safeguards to prevent such breaches from occurring.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 5 (Re: National University of Singapore)
  • [2018] SGPDPC 27 (SLF Green Maid Agency)
  • [2018] PDP Digest 245 (Re Aviva Ltd)

Source Documents

This article analyses [2018] SGPDPC 27 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
