
SME Motor Pte. Ltd. [2019] SGPDPC 21

Analysis of [2019] SGPDPC 21, a decision of the Personal Data Protection Commission on 2019-07-04.

Case Details

  • Citation: [2019] SGPDPC 21
  • Court: Personal Data Protection Commission
  • Date: 2019-07-04
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: SME Motor Pte. Ltd.
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act (PDPA)
  • Cases Cited: [2017] SGPDPC 5, [2017] SGPDPC 7, [2018] SGPDPC 27, [2019] SGPDPC 21
  • Judgment Length: 6 pages, 1,304 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that SME Motor Pte. Ltd. (the Organisation) had breached its obligations under the Personal Data Protection Act (PDPA) by failing to implement reasonable security measures to protect the personal data in its possession. The breach occurred when the Organisation printed a customer's invoice on the reverse side of a document containing the personal data of two other individuals. The PDPC directed the Organisation to implement a data protection policy and conduct staff training to prevent similar breaches in the future.

What Were the Facts of This Case?

On 31 January 2019, the PDPC received a complaint from an individual (the Complainant) regarding the disclosure of other individuals' personal data that had been printed on the reverse side of an invoice issued to the Complainant by SME Motor Pte. Ltd. (the Organisation). The Organisation is a business that provides automotive repair and servicing.

The Complainant had brought her vehicle to the Organisation's workshop for repair following a car accident. The Organisation had a practice of re-using scrap or unwanted paper documents by printing other documents on the reverse side. In this case, the Organisation had printed the Complainant's workshop repair invoice on a piece of paper that contained the personal data of two other individuals (the "Personal Data") on the reverse side.

The Personal Data disclosed to the Complainant included the first individual's name, National Registration Identification Card (NRIC) number, and insurance policy number, as well as the second individual's name, insurance policy number, and claim number.

The key issue in this case was whether the Organisation had complied with its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

How Did the Court Analyse the Issues?

The PDPC found that the Organisation did not have reasonable security measures in place to protect the Personal Data for the following reasons:

First, the Organisation failed to prevent the unwanted or scrap documents that contained personal data from being re-used or given to other customers, and did not provide instructions on the proper handling and disposal of such documents. The Organisation's internal guidelines did not mention any process or system for segregating unwanted or scrap paper containing personal data from the pile of papers designated for re-use.

Second, the Organisation did not train its employees to be aware that customers' personal data could be at risk of unauthorized disclosure through the practice of re-using unwanted or scrap paper. The Organisation admitted that its employees used the reverse sides of unwanted documents for "environment protection" reasons, without considering the data protection risks.

Third, the Organisation did not provide proper data protection training for its employees. Given that the Organisation regularly handles sensitive personal data such as NRIC numbers, insurance policy numbers and claims information, it was crucial for the Organisation to provide structured, periodic data protection training to its staff to help them identify risks and protect the personal data in their possession.

What Was the Outcome?

Based on these findings, the PDPC determined that the Organisation had breached its obligations under section 24 of the PDPA to implement reasonable security arrangements to protect the Personal Data.

However, the PDPC did not impose a financial penalty, taking into account mitigating factors such as the fact that only two individuals were affected, the Personal Data was only disclosed to a single individual, there was no evidence of actual loss or damage, and the Organisation was cooperative during the investigation.

Instead, the PDPC issued the following directions to the Organisation:

  1. Comply with the PDPA by putting in place a data protection policy and internal guidelines, including a procedure for the proper control and disposal of unwanted or scrap documents containing personal data, within 30 days.
  2. Conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data within 60 days.
  3. Inform the PDPC of the completion of the above directions within 1 week of implementation.

Why Does This Case Matter?

This case highlights the importance of organizations implementing robust data protection policies and practices, particularly when it comes to the handling and disposal of documents containing personal data. The PDPC's decision emphasizes that simply having general document storage and disposal procedures is not sufficient to meet the "reasonable security arrangements" required under the PDPA.

Organizations must proactively identify and address the specific risks of unauthorized disclosure of personal data, including through practices like re-using scrap paper. Proper staff training is also a crucial component of an organization's data protection compliance, as it helps to create awareness and instill good data handling practices among employees.

The case also demonstrates the PDPC's willingness to take enforcement action against organizations that fail to comply with their obligations under the PDPA, even in the absence of significant harm or damage. While the PDPC did not impose a financial penalty in this case, the directions to implement a data protection policy and conduct staff training underscore the need for organizations to take their data protection responsibilities seriously.

Legislation Referenced

  • Personal Data Protection Act (PDPA)

Cases Cited

  • [2017] SGPDPC 5 (Re National University of Singapore)
  • [2017] SGPDPC 7 (Re Furnituremart.sg)
  • [2018] SGPDPC 27 (Re SLF Green Maid Agency)
  • [2019] SGPDPC 21 (SME Motor Pte. Ltd.)

Source Documents

This article analyses [2019] SGPDPC 21 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
