Case Details
- Citation: [2021] SGPDPC 7
- Court: Personal Data Protection Commission
- Date: 2021-08-06
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Terra Systems Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Infectious Diseases Act (Cap 137), Legal notices issued under the Infectious Diseases Act, Personal Data Protection Act
- Cases Cited: [2020] SGPDPC 20, [2021] SGPDPC 7, [2022] SGPDPCR 1
- Judgment Length: 10 pages, 2,614 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Terra Systems Pte. Ltd. (the Organisation) had failed to implement reasonable security arrangements to protect the personal data of individuals served with Stay-Home Notices (SHNs), in breach of its obligations under the Personal Data Protection Act (PDPA). The incident involved unauthorised access to and modification of the SHN data in the Organisation's customer relationship management portal. The PDPC imposed a financial penalty of $12,000 on the Organisation for its negligent contravention of the PDPA's protection obligation.
What Were the Facts of This Case?
On 14 July 2020 and 21 July 2020, the Organisation's customer relationship management portal containing the personal data of persons served with SHNs was accessed and modified without authorisation. The Organisation was notified of the incident by the Singapore Police Force on 27 July 2020, and the PDPC commenced investigations thereafter.
The Organisation had been awarded a government contract to provide call centre services to help verify the whereabouts of persons serving SHNs. To facilitate the operations of the call centre, the Immigration and Checkpoints Authority (ICA) provided the Organisation with a daily spreadsheet containing the personal data of persons serving SHNs, including their names, NRIC numbers, gender, contact numbers, SHN end dates, addresses, and COVID-19 test appointment dates.
The Organisation created an internal portal to administer the call centre operations. Users were granted different levels of access to the portal - directors and managers could view all cases, team leaders could view cases assigned to their teams, and agents (temporary staff) were assigned generic user IDs and a common daily password to access only the cases assigned to them.
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had breached its obligation under section 24 of the PDPA to protect the personal data in its possession by making reasonable security arrangements to prevent unauthorised access, use, or modification.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had failed to implement reasonable IT access controls and policies to mitigate the risks associated with using a common daily password for the portal.
Firstly, the use of generic user IDs and a common daily password for agents posed serious security risks, as any agent could have accessed another agent's cases. The PDPC noted that while there was evidence of only 4 cases being accessed and modified, the perpetrator could have accessed the data of all 125 persons assigned to their former team. Implementing unique user IDs and passwords for each agent could have prevented this incident.
Secondly, the PDPC found that the Organisation's efforts to mitigate the risks of using a common password were inadequate. It was foreseeable that agents would share the daily password with each other, and the Organisation failed to implement policies prohibiting such sharing or requiring agents to obtain the password directly from their team leaders or managers. This allowed the perpetrator, a disgruntled former employee, to obtain the password from other employees on multiple occasions.
The PDPC acknowledged that the Organisation was under pressure to operationalise the call centre and portal quickly, but stated that this did not excuse its failure to make reasonable security arrangements to protect the sensitive SHN data.
What Was the Outcome?
The PDPC found that the Organisation had breached its protection obligation under section 24 of the PDPA. In determining the appropriate enforcement action, the PDPC considered various aggravating and mitigating factors.
As aggravating factors, the PDPC noted that the SHN data was sensitive in nature and that unauthorised disclosure could have caused individuals to experience discrimination or social stigma. As mitigating factors, the PDPC acknowledged that the Organisation had to operationalise the portal under urgent circumstances, took prompt remedial actions, and was cooperative during the investigations.
Ultimately, the PDPC imposed a financial penalty of $12,000 on the Organisation for its negligent contravention of the PDPA's protection obligation.
Why Does This Case Matter?
This case is significant for several reasons:
Firstly, it highlights the importance of implementing robust access controls and security policies when handling sensitive personal data, even in situations where organisations are under pressure to operationalise new systems quickly. The PDPC made it clear that such circumstances do not excuse failures to meet the PDPA's protection obligation.
Secondly, the case demonstrates the PDPC's willingness to impose financial penalties for breaches of the protection obligation, even where the actual harm or exposure of personal data may have been limited. The PDPC emphasised the sensitivity of the SHN data and the potential for discrimination or social stigma, underscoring that the protection obligation applies regardless of the specific consequences of a breach.
Finally, the case provides guidance on the types of security measures and policies that the PDPC expects organisations to implement, such as unique user IDs and passwords, restrictions on sharing of credentials, and logging and monitoring mechanisms. Organisations handling sensitive personal data should take note of these expectations and ensure their security practices are robust and proportionate to the risks involved.
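The following is an added illustration, not part of the decision or of the Organisation's portal, of the two access-control designs the PDPC contrasts in its analysis: a generic team login protected by a common daily password, beside a design with unique per-agent credentials, case-level scoping, account revocation on offboarding, and an audit log of the kind the guidance above refers to. All names, case IDs, passwords and the portal classes are constructed for the example.

```python
"""Added example: a small model of the call-centre portal access control
discussed in the decision. Names, cases and passwords are constructed."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class Case:
    case_id: str
    team: str
    assigned_agent: str  # the individual agent responsible for the case
    notes: str = ""


def constructed_cases():
    # Constructed sample data, not taken from the decision.
    return {
        "SHN-001": Case("SHN-001", "team-A", "alice"),
        "SHN-002": Case("SHN-002", "team-A", "bob"),
        "SHN-003": Case("SHN-003", "team-B", "carol"),
    }


class SharedLoginPortal:
    """Weak design: one generic ID per team plus a common daily password."""

    def __init__(self, cases, daily_password):
        self.cases = cases
        self.daily_password = daily_password

    def modify(self, team, password, case_id, new_notes):
        # Only the team and the shared secret are checked. The individual
        # behind the login is unknown, so cases cannot be scoped per agent
        # and nothing attributable is left for an audit trail.
        if not hmac.compare_digest(password, self.daily_password):
            raise PermissionError("wrong daily password")
        case = self.cases[case_id]
        if case.team != team:
            raise PermissionError("case belongs to another team")
        case.notes = new_notes
        return case


class AgentPortal:
    """Hardened design: unique credentials, per-agent case scoping,
    revocation on offboarding, and an audit log of every decision."""

    def __init__(self, cases):
        self.cases = cases
        self.accounts = {}   # agent_id -> {"salt", "hash", "active"}
        self.audit_log = []  # (agent_id, action, case_id, outcome)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, agent_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[agent_id] = {
            "salt": salt, "hash": self._hash(password, salt), "active": True}

    def revoke(self, agent_id):
        # Offboarding disables the account itself; rotating a shared
        # password would not help if the leaver can still obtain it.
        self.accounts[agent_id]["active"] = False

    def _authorise(self, agent_id, password, case_id, action):
        acct = self.accounts.get(agent_id)
        if acct is None or not acct["active"]:
            self.audit_log.append((agent_id, action, case_id, "denied: no active account"))
            raise PermissionError("no active account")
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            self.audit_log.append((agent_id, action, case_id, "denied: bad password"))
            raise PermissionError("bad password")
        case = self.cases[case_id]
        if case.assigned_agent != agent_id:  # least privilege: own cases only
            self.audit_log.append((agent_id, action, case_id, "denied: not assigned"))
            raise PermissionError("case not assigned to this agent")
        self.audit_log.append((agent_id, action, case_id, "ok"))
        return case

    def modify(self, agent_id, password, case_id, new_notes):
        case = self._authorise(agent_id, password, case_id, "modify")
        case.notes = new_notes
        return case


def run_scenario():
    """Replays the pattern in the decision: someone who has left the team
    but still holds the shared daily password edits a former team's case."""
    results = {}
    weak = SharedLoginPortal(constructed_cases(), daily_password="Tue-2020-07-14")
    weak.modify("team-A", "Tue-2020-07-14", "SHN-002", "tampered")  # succeeds
    results["weak_tampered"] = weak.cases["SHN-002"].notes == "tampered"

    hard = AgentPortal(constructed_cases())
    hard.enrol("alice", "alice-pw")
    hard.enrol("mallory", "mallory-pw")
    hard.revoke("mallory")  # mallory has been offboarded
    denied = []
    for agent, pw in (("mallory", "mallory-pw"), ("alice", "alice-pw")):
        try:
            hard.modify(agent, pw, "SHN-002", "tampered")
        except PermissionError as exc:
            denied.append((agent, str(exc)))
    results["hard_untouched"] = hard.cases["SHN-002"].notes == ""
    results["denied"] = denied
    results["audit"] = list(hard.audit_log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows the shared-login design accepting the edit from whoever holds the day's password, while the per-agent design refuses the revoked account outright and refuses an active agent who is not assigned to the case, leaving both refusals in the audit log where a reviewer could spot them.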
Legislation Referenced
- Infectious Diseases Act (Cap 137)
- Legal notices issued under the Infectious Diseases Act
- Personal Data Protection Act
Cases Cited
- [2020] SGPDPC 20
- [2021] SGPDPC 7
- [2022] SGPDPCR 1
Source Documents
This article analyses [2021] SGPDPC 7 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.