Case Details
- Citation: [2022] SGPDPCR 1
- Court: Personal Data Protection Commission
- Date: 2022-03-04
- Judges: Lew Chuen Hong, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Terra Systems Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012, UK Data Protection Act
- Cases Cited: [2018] SGPDPC 9, [2020] SGPDPC 11, [2020] SGPDPC 20, [2020] SGPDPC 21, [2020] SGPDPC 22, [2021] SGHC 125, [2021] SGPDPC 7, [2021] SGPDPCS 1, [2021] SGPDPCS 2, [2021] SGPDPCS 4
- Judgment Length: 12 pages, 3,768 words
Summary
In this case, the Personal Data Protection Commission (the "Commission") reconsidered its earlier decision in Terra Systems Pte. Ltd. [2021] SGPDPC 7, where it had found the organization in breach of the Protection Obligation under the Personal Data Protection Act 2012 ("PDPA"). The key issues were whether the organization had implemented reasonable IT access controls and adequate policies to protect the personal data of individuals serving Stay-Home Notices ("SHN Data"), and whether the organization should be held responsible for the unauthorized access and modification of the SHN Data by an ex-employee.
What Were the Facts of This Case?
Terra Systems Pte. Ltd. (the "Organization") was awarded a government contract to provide call center services to help verify the whereabouts of persons serving SHNs during the COVID-19 pandemic. For its internal administration of the call center, the Organization created a customer relationship management portal (the "Portal") that contained the SHN Data, including each person's name, last 4 digits of NRIC, gender, contact number, last day of SHN, address where SHN was served, and COVID-19 Test Appointment dates.
The Portal was designed to be accessible by the Organization's employees from home via the Internet. Directors, managers, and team leaders were assigned unique user IDs and passwords to log into the Portal, while agents (temporary staff employed to contact persons serving SHNs) were assigned simple user IDs based on their respective teams and a common daily password that was shared with them during a daily morning Zoom briefing.
On 14 July 2020 and 21 July 2020, the Portal was accessed and modified without the Organization's authorization. Crude remarks were inserted in the remarks field of several cases in the Portal. The perpetrator was believed to be an ex-employee of the Organization who had obtained the login details and common daily password from other employees.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Organization had implemented reasonable IT access controls and adequate policies to protect the SHN Data in the Portal, in compliance with the Protection Obligation under the PDPA.
2. Whether the Organization should be held responsible for the unauthorized access and modification of the SHN Data by the ex-employee, given that the ex-employee was authorized to access the data at the material time.
How Did the Court Analyse the Issues?
On the first issue, the Commission found that the Organization's access controls and policies were inadequate. While the Organization had implemented role-based access to the Portal, the use of generic user IDs for agents and a common daily password were insufficient security measures given the sensitivity of the SHN Data and the context of the COVID-19 pandemic. The Commission emphasized that there is no "one size fits all" solution for compliance with the Protection Obligation, and that organizations must assess the risks and implement reasonable measures accordingly.
The Commission noted that the SHN Data was sensitive in nature, as it related to individuals who had been in close contact with persons affected by COVID-19. In the context of the pandemic, such data had to be handled with much higher levels of care. The Organization's use of generic user IDs and a common daily password, which were known to all agents, did not constitute reasonable security arrangements to prevent unauthorized access or modification of the SHN Data.
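The two credential schemes the decision contrasts, modelled as an added example (this is illustrative code, not the Organization's actual Portal): a team-wide agent ID with a daily password versus unique per-user accounts that can be revoked on offboarding. The user IDs, passwords and case IDs are constructed.

```python
"""Toy model of the access-control weakness described in the decision.
Constructed names and values only; not the Organization's real system."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Portal:
    # user_id -> {"password": str, "active": bool}
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        return bool(acct and acct["active"] and acct["password"] == password)

    def edit_remarks(self, user_id: str, password: str, case_id: str, text: str) -> bool:
        """Record every attempt; only authenticated, active accounts may edit."""
        if not self.login(user_id, password):
            self.audit.append(("DENIED", user_id, case_id))
            return False
        self.audit.append(("EDIT", user_id, case_id, text))
        return True

    def offboard(self, user_id: str) -> None:
        """Disable one account when its holder leaves the Organization."""
        if user_id in self.accounts:
            self.accounts[user_id]["active"] = False


def shared_scheme() -> tuple:
    """Team-wide ID plus a daily password known to every agent on the team."""
    p = Portal()
    daily = "team-a-" + date(2020, 7, 14).isoformat()  # constructed daily password
    p.accounts["agent-team-a"] = {"password": daily, "active": True}
    # A former agent who learned the day's password from a colleague still
    # logs in: there is no per-person account for offboarding to disable.
    ok = p.edit_remarks("agent-team-a", daily, "SHN-0001", "unauthorized edit")
    # The audit trail records only the team ID, so no individual is attributable.
    return ok, p.audit[-1][1]


def per_user_scheme() -> tuple:
    """Unique ID per agent; offboarding revokes exactly that agent's access."""
    p = Portal()
    p.accounts["alice"] = {"password": "pw-alice", "active": True}
    p.accounts["bob"] = {"password": "pw-bob", "active": True}
    p.offboard("bob")  # bob leaves; his credentials are disabled
    ex_ok = p.edit_remarks("bob", "pw-bob", "SHN-0001", "unauthorized edit")
    ok = p.edit_remarks("alice", "pw-alice", "SHN-0002", "call completed")
    return ex_ok, ok, p.audit[-1][1]
```

The shared scheme returns a successful edit attributed only to the team ID, while the per-user scheme denies the offboarded account and attributes the legitimate edit to a named individual.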
On the second issue, the Commission rejected the Organization's argument that the ex-employee had been authorized to access the SHN Data and that the Organization should not be held responsible for his actions. The Commission held that while the ex-employee may have been authorized to access the data for his employment functions, his unauthorized modification of the data for personal reasons was not closely connected to his employment. The Commission relied on the principles in the UK Supreme Court decision in WM Morrison Supermarkets plc v Various Claimants, where an employer was held liable for the data breach caused by an employee acting for his own personal reasons.
What Was the Outcome?
The Commission upheld its earlier finding that the Organization had breached the Protection Obligation under the PDPA. The Commission directed the Organization to pay a financial penalty of $12,000.
Why Does This Case Matter?
This case provides important guidance on the application of the Protection Obligation under the PDPA. It emphasizes that organizations must implement reasonable security measures to protect personal data, taking into account the sensitivity and context of the data. The use of generic user IDs and common passwords, even if implemented with additional policies, may not be sufficient to discharge the Protection Obligation, especially for sensitive personal data.
The case also clarifies that organizations can be held responsible for data breaches caused by employees acting for their own personal reasons, even if the employees were initially authorized to access the data. The principles from the UK Supreme Court decision in WM Morrison Supermarkets plc v Various Claimants are applicable in the Singapore context.
This decision serves as a reminder to organizations handling sensitive personal data to carefully assess their access controls and security policies, and to implement appropriate measures to prevent unauthorized access or modification of the data. Failure to do so can result in financial penalties and reputational damage.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
- UK Data Protection Act
Cases Cited
- [2018] SGPDPC 9
- [2020] SGPDPC 11
- [2020] SGPDPC 20
- [2020] SGPDPC 21
- [2020] SGPDPC 22
- [2021] SGHC 125
- [2021] SGPDPC 7
- [2021] SGPDPCS 1
- [2021] SGPDPCS 2
- [2021] SGPDPCS 4
- WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondent) [2020] UKSC 12
Source Documents
This article analyses [2022] SGPDPCR 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.