
Society of Tourist Guides (Singapore) [2019] SGPDPC 48

Analysis of [2019] SGPDPC 48, a decision of the Personal Data Protection Commission on 2019-12-26.

Case Details

  • Citation: [2019] SGPDPC 48
  • Court: Personal Data Protection Commission
  • Date: 2019-12-26
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Society of Tourist Guides (Singapore)
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2017] SGPDPC 14, [2017] SGPDPC 15, [2018] SGPDPC 26, [2019] SGPDPC 48, [2019] SGPDPC 5
  • Judgment Length: 11 pages, 2,265 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that the Society of Tourist Guides (Singapore) (the "Organisation") had failed to implement reasonable security measures to protect the personal data of its members, in contravention of the Personal Data Protection Act 2012 (PDPA). The PDPC also found that the Organisation had breached its obligations under the PDPA to appoint a data protection officer and develop data protection policies.

The key issues were whether the Organisation had failed to protect the personal data of its members, and whether it had breached its accountability obligations under the PDPA. The PDPC determined that the Organisation was solely responsible for the protection of the personal data, and that it had failed to take reasonable security steps to prevent unauthorized access and disclosure of sensitive member information, such as NRIC numbers, driving licenses, and employment passes.

The PDPC ordered the Organisation to pay a financial penalty and take various remedial actions, underscoring the importance of organisations implementing appropriate data protection measures and fulfilling their legal obligations under the PDPA.

What Were the Facts of This Case?

The Organisation is a non-profit organization that works with the Singapore Tourism Board to promote the professionalism of tourist guides. In May 2018, the Organisation engaged a Vietnam-based IT company (the "Vendor") to develop its website, https://societyoftouristguides.org.sg (the "Website").

One of the purposes of the Website was to collect personal data from the Organisation's members, including their names, photographs, contact information, and details about the services they provide (the "Profile Data"). Members could also upload images of their identification documents, such as NRIC, employment passes, and driving licenses (the "ID Data").

The Organisation did not provide any specific requirements to the Vendor regarding the storage and protection of the members' personal data collected through the Website. The Website was launched on October 1, 2018, and the Organisation has since been managing it, with the Vendor providing only ad-hoc technical assistance.

On March 3, 2019, the PDPC received a complaint that sensitive information of individuals, including NRIC numbers, driving licenses, and photographs, had been disclosed without consent through links on the Website. The PDPC's investigation revealed that a total of 111 unique members were affected by this incident (the "Affected Members").

The PDPC found that the publicly accessible directories on the Website (the "Web Directories") were storing images of identification documents that contained the ID Data of the Affected Members (the "Disclosed Data"). This included sensitive information such as names, NRIC numbers, photographs, addresses, dates of birth, and other personal details.

Furthermore, the PDPC's investigation revealed that the Organisation had not appointed a data protection officer (DPO) and had not developed or implemented any data protection policies, as required under the PDPA.

The key legal issues in this case were:

1. Whether the Organisation had contravened section 24 of the PDPA by failing to protect the personal data of its members.

2. Whether the Organisation had breached its accountability obligations under sections 11(3) and 12 of the PDPA by failing to appoint a DPO and develop data protection policies and practices.

How Did the Court Analyse the Issues?

On the first issue, the PDPC found that the Organisation had failed to put in place reasonable security arrangements to protect the Disclosed Data, as required by section 24 of the PDPA.

The PDPC noted that the Organisation did not specify any requirements to its Vendor regarding the storage and protection of the personal data collected through the Website. The PDPC stated that the Organisation, as the business owner of the Website, should have communicated clear requirements to the Vendor that the ID Data was not meant to be publicly accessible, even though the Vendor was responsible for the technical implementation.

The PDPC also found that the Organisation had not conducted any security testing on the Website since its launch, and held that its lack of technical expertise did not excuse this. The PDPC emphasized that a responsible organization would have made genuine attempts to provide proper instructions to its service providers, even if it did not have the requisite technical expertise.

The PDPC further noted that the Organisation could have implemented reasonable technical security measures, such as placing the documents containing the Disclosed Data in a non-public folder or directory, or controlling access to these documents through web applications on the server.
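The two measures the PDPC describes (keep uploaded identification documents out of any publicly served directory, and hand them out only through an application that checks who is asking) and the review step it criticised the Organisation for skipping are illustrated below. This is an added example written for this article; it is not code from the Organisation, its Vendor or the decision. The directory layout, member ids, document bytes and the `audit_public_tree` check are all constructed for the demonstration, and the ownership table stands in for whatever database a real site would use.

```python
"""Constructed demo: exposed uploads versus application-controlled access.

store_weak() mirrors the pattern the decision describes: files land in a
directory the web server publishes, so anyone who knows or lists the path
can fetch them. store_private()/serve_private() keep the files outside the
published tree and release them only after an ownership check.
audit_public_tree() is the kind of simple review that would have surfaced
the exposure without deep technical expertise.
"""
import secrets
import tempfile
from pathlib import Path

# Constructed layout: WEB_ROOT is what the web server serves verbatim;
# PRIVATE_ROOT sits beside it and is never mapped to a URL.
BASE = Path(tempfile.mkdtemp(prefix="stg_demo_"))
WEB_ROOT = BASE / "public_html"
PRIVATE_ROOT = BASE / "private_uploads"
WEB_ROOT.mkdir()
PRIVATE_ROOT.mkdir()

# Ownership record: document id -> member id (a database row in practice).
OWNERS: dict[str, str] = {}

# File types an audit treats as likely scanned documents (constructed list).
DOCUMENT_SUFFIXES = {".jpg", ".jpeg", ".png", ".pdf"}


class AccessDenied(Exception):
    """Raised when a requester may not read the document."""


def store_weak(filename: str, data: bytes) -> Path:
    """Weak pattern: write the document straight into the served tree.

    Anything under WEB_ROOT is reachable by URL with no login, which is
    the exposure the decision describes.
    """
    target = WEB_ROOT / "uploads" / filename
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def is_publicly_served(path: Path) -> bool:
    """True if the path lies under WEB_ROOT, i.e. the web server would serve it."""
    try:
        path.resolve().relative_to(WEB_ROOT.resolve())
        return True
    except ValueError:
        return False


def audit_public_tree(root: Path = WEB_ROOT) -> list[Path]:
    """Review step: list document-type files anywhere in the served tree."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in DOCUMENT_SUFFIXES
    )


def store_private(member_id: str, data: bytes) -> str:
    """Hardened pattern: store outside the web root under a random id and
    record the owner so access can be checked later."""
    doc_id = secrets.token_urlsafe(16)
    (PRIVATE_ROOT / doc_id).write_bytes(data)
    OWNERS[doc_id] = member_id
    return doc_id


def serve_private(requester_id: str, doc_id: str, is_admin: bool = False) -> bytes:
    """Application handler: read the file only after confirming the requester
    owns it (or is staff) and that the id resolves inside PRIVATE_ROOT."""
    owner = OWNERS.get(doc_id)
    if owner is None:
        raise AccessDenied("unknown document")
    if owner != requester_id and not is_admin:
        raise AccessDenied("not the owner")
    target = (PRIVATE_ROOT / doc_id).resolve()
    if target.parent != PRIVATE_ROOT.resolve():  # defence against "../" ids
        raise AccessDenied("invalid document id")
    return target.read_bytes()


if __name__ == "__main__":
    scan = b"constructed bytes standing in for a scanned ID document"
    weak = store_weak("nric_member_001.jpg", scan)
    print("weak copy is publicly served:", is_publicly_served(weak))
    print("audit flags:", [p.name for p in audit_public_tree()])
    doc = store_private("member-001", scan)
    print("owner can read:", serve_private("member-001", doc) == scan)
    try:
        serve_private("member-002", doc)
    except AccessDenied as exc:
        print("other member blocked:", exc)
```

The point of `serve_private` is that the file's location is never a URL: the only way to obtain it is through code that has already decided the requester is entitled to it. `audit_public_tree` is deliberately simple; an operator can run it (or the equivalent directory listing) after every deployment to confirm no document images have crept into the served tree.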

On the second issue, the PDPC found that the Organisation had breached its accountability obligations under sections 11(3) and 12 of the PDPA by failing to appoint a DPO and develop data protection policies and practices.

The PDPC emphasized the importance of these requirements, as they serve to increase awareness and ensure the proper implementation of an organization's data protection obligations. The PDPC noted that while the Organisation had since appointed DPOs, it had not yet developed written data protection policies and practices necessary to ensure its compliance with the PDPA.

What Was the Outcome?

The PDPC found that the Organisation had contravened section 24 of the PDPA by failing to protect the personal data of its members, and had breached its accountability obligations under sections 11(3) and 12 of the PDPA.

The PDPC ordered the Organisation to pay a financial penalty and take the following remedial actions:

  • Appoint two DPOs (which the Organisation had already done).
  • With the assistance of its Vendor, disable public access to the Web Directories and contact Google to remove all cached images of the Disclosed Data.
  • Develop a data protection policy.

Why Does This Case Matter?

This case highlights the importance of organizations, even non-profit entities, implementing appropriate data protection measures and fulfilling their legal obligations under the PDPA. The PDPC's findings underscore the need for organizations to provide clear instructions to their service providers regarding the handling and protection of personal data, and to conduct regular security testing and reviews, even if they lack the requisite technical expertise.

The case also emphasizes the significance of organizations appointing a DPO and developing comprehensive data protection policies and practices. These measures are crucial for ensuring the proper implementation of an organization's data protection obligations and increasing awareness of its staff regarding data protection requirements.

The PDPC's decision in this case serves as a valuable precedent for organizations in Singapore, particularly those that collect and handle sensitive personal data, to review and strengthen their data protection practices to avoid similar breaches and regulatory enforcement actions.

Legislation Referenced

  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 14
  • [2017] SGPDPC 15
  • [2018] SGPDPC 26
  • [2019] SGPDPC 48
  • [2019] SGPDPC 5

Source Documents

This article analyses [2019] SGPDPC 48 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
