Case Details
- Citation: [2019] SGPDPC 22
- Court: Personal Data Protection Commission
- Date: 2019-07-04
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Spize Concepts Pte Ltd
- Legal Areas: Data protection – Transfer obligation, Data protection – Openness obligation, Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 11, [2017] SGPDPC 12, [2019] SGPDPC 22
- Judgment Length: 14 pages, 3,422 words
Summary
This case involves a complaint filed with the Personal Data Protection Commission (PDPC) against Spize Concepts Pte Ltd, a food and beverage company in Singapore, for a data breach incident. The PDPC found that Spize had breached its obligations under the Personal Data Protection Act (PDPA) to protect its customers' personal data, develop and implement data protection policies, and properly manage its data intermediary relationship with the company that hosted its online ordering system.
What Were the Facts of This Case?
On 12 August 2017, the PDPC received a complaint from a member of the public regarding Spize's online ordering portal, https://orders.spize.sg. A link on the site named "Call Center" had allowed members of the public to view the personal data of approximately 148 of Spize's customers, including their names, contact numbers, email addresses, and residential addresses.
The incident was caused by a user logging on to the Managing Director's administrator account on or around 9 February 2017 and enabling the "Call Center" link, which made it publicly accessible. The link was intended only for internal use and was never meant to be reachable by the public. Spize had engaged a company called Novadine, Inc. to develop and host its website and online ordering system since around 2012, and the customer personal data was stored in databases on Novadine's servers.
Upon receiving news of the incident on 14 August 2017, Spize requested Novadine to rectify the weakness in the site, and Novadine subsequently disabled the link. The link has not been publicly accessible since 16 August 2017.
What Were the Key Legal Issues?
The key legal issues the PDPC had to determine were:
1. Whether Spize had breached its obligation to protect personal data under section 24 of the Personal Data Protection Act 2012 (PDPA).
2. Whether Spize had breached the "Openness Obligation" under sections 11(3) and 12(a) of the PDPA by failing to designate a data protection officer and develop and implement necessary data protection policies and practices.
3. Whether Novadine was a data intermediary of Spize, and if so, whether Spize had breached section 12(d)(i) of the PDPA by failing to be in a position to make information available on request about its policies and practices which addressed Novadine's processing of personal data on Spize's behalf.
4. Whether Spize had transferred personal data outside of Singapore in breach of section 26 of the PDPA.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that Spize had failed to make reasonable security arrangements to protect its customers' personal data, as required under section 24 of the PDPA. The PDPC identified three key failures by Spize:
1. Spize lacked knowledge of the Novadine system and the fact that enabling the "Call Center" link could disclose customer personal data to the public.
2. Spize lacked knowledge of the security arrangements in place within the Novadine system to protect the personal data being processed on Spize's behalf.
3. Spize's administrator accounts, particularly the Managing Director's account, lacked proper authentication and authorization measures, such as a robust password policy and regular password changes.
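The first failure above, and the facts that led to it, describe a familiar pattern: an internal page whose only protection was that its link was hidden, so a single administrator toggle turned it into a public disclosure of customer records. The following is an added illustration, not code from Spize, Novadine or the decision; the portal classes, the role name and the customer records are all constructed assumptions. It contrasts a handler that serves the internal page whenever the site-wide link toggle is on with one that checks the requester's role on every request, so that enabling the link only changes navigation, not who can read the data.

```python
"""Added example: link visibility is not access control.

Hypothetical, simplified model of an online ordering portal whose internal
"Call Center" page lists customer records. Not Spize's or Novadine's code;
every name and record below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample customer records (fictional).
CUSTOMERS = [
    {"name": "A. Tan", "phone": "+65 8000 0001",
     "email": "a.tan@example.com", "address": "1 Example Rd"},
    {"name": "B. Lim", "phone": "+65 8000 0002",
     "email": "b.lim@example.com", "address": "2 Example Ave"},
]


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = frozenset()


ANONYMOUS = User("anonymous")  # an unauthenticated member of the public


class Forbidden(Exception):
    """Raised when a request fails the endpoint's authorization check."""


class PortalWeak:
    """Relies on a site-wide admin toggle: once the link is switched on,
    the endpoint serves customer data to anyone who requests it. The
    toggle is the only thing standing between the public and the data."""

    def __init__(self):
        self.call_center_link_enabled = False  # admin-account setting

    def nav_links(self, user):
        links = ["/menu", "/orders"]
        if self.call_center_link_enabled:
            links.append("/call-center")
        return links

    def get(self, path, user):
        # Authorization is implied by the toggle, never by who is asking.
        if path == "/call-center" and self.call_center_link_enabled:
            return CUSTOMERS
        return None  # treated as "not found" in this toy model


class PortalHardened(PortalWeak):
    """Same navigation toggle, but the endpoint itself enforces a role
    check on every request. Flipping the toggle changes what is linked,
    not who may read the records."""

    REQUIRED_ROLE = "call_center_staff"  # hypothetical role name

    def get(self, path, user):
        if path == "/call-center":
            if self.REQUIRED_ROLE not in user.roles:
                raise Forbidden(
                    f"{user.username} lacks role {self.REQUIRED_ROLE}")
            return CUSTOMERS
        return super().get(path, user)


def demo():
    """Replay the incident against both portals and report the outcome."""
    weak, hardened = PortalWeak(), PortalHardened()
    for portal in (weak, hardened):
        portal.call_center_link_enabled = True  # the change made via the admin account
    staff = User("ops", frozenset({PortalHardened.REQUIRED_ROLE}))

    results = {
        "weak_anonymous_gets_data": weak.get("/call-center", ANONYMOUS) is CUSTOMERS,
        "hardened_anonymous_denied": False,
        "hardened_staff_gets_data": hardened.get("/call-center", staff) is CUSTOMERS,
        # The link is visible on both portals; only the data access differs.
        "link_visible_on_both": "/call-center" in weak.nav_links(ANONYMOUS)
                                and "/call-center" in hardened.nav_links(ANONYMOUS),
    }
    try:
        hardened.get("/call-center", ANONYMOUS)
    except Forbidden:
        results["hardened_anonymous_denied"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters is the one inside the handler: even with the link enabled for everyone, the hardened portal refuses the anonymous request and serves only the staff account. That is also the check an organisation can ask its hosting provider to demonstrate, rather than relying on a toggle nobody fully understood.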
On the second issue, the PDPC found that Spize had breached its "Openness Obligation" under sections 11(3) and 12(a) of the PDPA, as it did not have any data protection policies, internal guidelines, or a designated data protection officer in place at the time of the incident.
Regarding the third issue, the PDPC determined that Novadine was a data intermediary of Spize, as Novadine processed the personal data of Spize's customers through the online ordering system. The PDPC found that Spize had failed to ensure it had appropriate policies and practices in place to govern Novadine's processing of personal data on its behalf, as required under section 12(d)(i) of the PDPA.
On the fourth issue, the PDPC did not find any evidence that Spize had transferred personal data outside of Singapore in breach of section 26 of the PDPA.
What Was the Outcome?
Based on these findings, the PDPC concluded that Spize had breached its obligations under sections 24, 11(3) and 12(a) of the PDPA, and, as set out in the analysis of the third issue, had failed to meet section 12(d)(i) in respect of Novadine's processing of personal data on its behalf. The PDPC did not find a breach of section 26 (transfer of personal data outside Singapore).
Why Does This Case Matter?
This case is significant for several reasons:
1. It reinforces the principle that an organization has the primary responsibility to protect personal data, even if it has engaged a data intermediary to process the data on its behalf. The organization cannot simply outsource its data protection obligations.
2. It highlights the importance of organizations having a good understanding of the systems and security measures in place to protect the personal data they control or possess, including those implemented by their data intermediaries.
3. It emphasizes the need for organizations to have proper data protection policies, practices, and a designated data protection officer in place, as required by the PDPA's "Openness Obligation".
4. The case serves as a warning to organizations that they must carefully manage their relationships with data intermediaries and ensure there are appropriate contractual arrangements and oversight mechanisms in place to govern the processing of personal data.
Overall, this decision underscores the PDPC's commitment to enforcing the PDPA's requirements for organizations to implement reasonable security measures and maintain transparency in their data protection practices, even when they rely on third-party service providers to process personal data on their behalf.
Legislation Referenced
- Personal Data Protection Act 2012
- Personal Data Protection Act
Cases Cited
- [2017] SGPDPC 11
- [2017] SGPDPC 12
- [2019] SGPDPC 22
Source Documents
This article analyses [2019] SGPDPC 22 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.