
The Central Depository (Pte) Limited [2020] SGPDPC 12

Analysis of [2020] SGPDPC 12, a decision of the Personal Data Protection Commission on 2020-03-30.

Case Details

  • Citation: [2020] SGPDPC 12
  • Court: Personal Data Protection Commission
  • Date: 2020-03-30
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: The Central Depository (Pte) Limited
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2017] SGPDPC 18, [2018] SGPDPC 4, [2019] SGPDPC 16, [2019] SGPDPC 20, [2020] SGPDPC 12
  • Judgment Length: 11 pages, 2,666 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that The Central Depository (Pte) Limited ("the Organisation") had breached its obligation under the Personal Data Protection Act 2012 (PDPA) to protect the personal data of its account holders. The breach occurred when the Organisation's system failed to consistently extract the updated addresses of some account holders, so that dividend cheques were mailed to outdated addresses and the account holders' personal data was exposed to the risk of disclosure to unauthorized parties.

What Were the Facts of This Case?

The Organisation provides clearing, settlement and depository facilities for securities trading in the Singapore market. In 2018, the Organisation migrated from its legacy Post Trade System (PTS) to a New Post Trade System (NPTS). The NPTS had enhanced features, including the ability to store both the current and historical addresses of account holders.

Prior to the migration, the Organisation conducted some testing, including checking that the new system could properly extract addresses for generating notification letters about address changes. However, the testing did not include a specific scenario to verify that the Dividend Cheque Module, which automated the generation of dividend cheque mailers, would correctly retrieve the updated addresses of account holders.

On 20 March 2019, the Organisation received a complaint from an account holder that a dividend cheque had been mailed to an outdated address. The Organisation investigated but could not replicate the issue. Subsequently, on 12 April 2019, the Organisation received another complaint from the Monetary Authority of Singapore about a similar incident.

Further investigations revealed that the Dividend Cheque Module had a coding error that caused it to not consistently extract the updated addresses of account holders. As a result, 211 account holders had their dividend cheque mailers sent to outdated addresses, potentially disclosing their personal data such as names, NRIC numbers, account numbers, security holdings, and dividend amounts to unauthorized parties.

The key legal issue was whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data of its account holders by taking reasonable security measures.

Section 24 of the PDPA requires organizations to protect personal data in their possession or control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. The sensitivity of the personal data involved, which included NRIC numbers and financial information, was a relevant factor in assessing the required standard of security measures.

How Did the Court Analyse the Issues?

The PDPC found that the Organisation had failed to put in place reasonable security arrangements to protect the personal data of its account holders. The key reasons were:

1. The scope of testing conducted by the Organisation before migrating to the new NPTS system was too narrow. The testing did not include a scenario to verify that the Dividend Cheque Module would correctly extract the updated addresses of account holders, even though the change-of-address scenario was a known risk that had already been tested for the address change notification module.

2. The Organisation should have tested the Dividend Cheque Module in an environment that simulated real-world usage, with a sufficient number of test cases to properly cover the change of address scenario.

3. The Organisation acknowledged that there was a "reasonable chance" the coding error in the Dividend Cheque Module could have been detected if the testing had been more comprehensive.

The PDPC emphasized that when dealing with sensitive personal data, organizations must put in place stronger security measures to prevent unauthorized disclosure. The Organisation's failure to conduct adequate testing before the system migration was a breach of its obligations under Section 24 of the PDPA.
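The decision turns on a missing test case rather than on any particular line of code, and the judgment does not describe the coding error itself. The following is an added illustration, not the Organisation's Dividend Cheque Module and not taken from the decision: it assumes an address table that keeps both current and historical rows per account (as the page says the NPTS does) and a hypothetical mailer written for the legacy one-address-per-account layout. It shows why such a defect looks intermittent (only accounts that have ever moved are affected, which is consistent with the Organisation being unable to replicate the first complaint) and what the change-of-address scenario test that the PDPC said was missing would look like. All account ids and addresses are constructed.

```python
"""Added illustration: a change-of-address regression test for a mailer module.

Hypothetical code, not the Organisation's Dividend Cheque Module. It assumes
an address store that keeps current and historical rows per account and
shows how a resolver written for a single-address schema can post to a stale
address for exactly the accounts that have moved.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AddressRecord:
    account_id: str
    address: str
    effective_from: date  # date this address became the account's current one


# Constructed sample data: one account that moved, one that never did.
ADDRESS_HISTORY: Dict[str, List[AddressRecord]] = {
    "ACC-0001": [
        AddressRecord("ACC-0001", "1 Old Street, Singapore", date(2015, 6, 1)),
        AddressRecord("ACC-0001", "88 New Avenue, Singapore", date(2019, 1, 15)),
    ],
    "ACC-0002": [
        AddressRecord("ACC-0002", "5 Unchanged Road, Singapore", date(2016, 3, 9)),
    ],
}

Resolver = Callable[[Dict[str, List[AddressRecord]], str], str]


def mailing_address_legacy(history: Dict[str, List[AddressRecord]], account_id: str) -> str:
    """Hypothetical defect: written against a one-address-per-account schema,
    so it takes the first row. Once history is retained, that row is the
    oldest address for any account that has ever moved, and still correct for
    everyone else, which is why the fault appears intermittent."""
    return history[account_id][0].address


def mailing_address_fixed(history: Dict[str, List[AddressRecord]], account_id: str,
                          as_of: Optional[date] = None) -> str:
    """Select the row with the latest effective_from that is not in the future."""
    as_of = as_of or date.today()
    live = [r for r in history[account_id] if r.effective_from <= as_of]
    if not live:
        raise LookupError(f"no effective address for {account_id} as of {as_of}")
    return max(live, key=lambda r: r.effective_from).address


def change_of_address_scenario(resolver: Resolver,
                               history: Dict[str, List[AddressRecord]] = ADDRESS_HISTORY) -> List[str]:
    """The scenario the decision says was missing from pre-migration testing:
    for every account, the address the mailer would print must equal the
    latest address on file. Returns the ids whose mailer would go stale."""
    stale: List[str] = []
    for account_id, records in history.items():
        expected = max(records, key=lambda r: r.effective_from).address
        if resolver(history, account_id) != expected:
            stale.append(account_id)
    return stale


if __name__ == "__main__":
    # A single moved account in the test data is enough to expose the defect.
    print("legacy resolver stale:", change_of_address_scenario(mailing_address_legacy))
    print("fixed resolver stale:", change_of_address_scenario(mailing_address_fixed))
```

The point of the scenario function is that it is data-driven: running it against a test dataset in which no account has a second address row passes for both resolvers, which is the situation the narrow pre-migration testing describes. The test only has value when the dataset contains accounts with address history, which is what the PDPC meant by an environment that simulates real-world usage with enough cases to cover the change-of-address scenario.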

What Was the Outcome?

The PDPC found the Organisation in breach of Section 24 of the PDPA. As a result of the breach, the personal data of 211 account holders was at risk of unauthorized disclosure.

The Organisation took several remedial actions, including:

  • Introducing an additional measure to ensure the Dividend Cheque Module would consistently extract the updated addresses
  • Reviewing all modules interfacing with the new NPTS system to confirm the error was isolated to the Dividend Cheque Module
  • Re-issuing replacement cheques and explanation letters to the affected account holders
  • Committing to conduct refresher training to ensure timely reporting of issues by its teams

Why Does This Case Matter?

This case highlights the importance, for organizations handling sensitive personal data, of conducting thorough testing when implementing new systems or making significant changes. Failure to do so can breach the PDPA's protection obligation even if no actual harm or financial loss results.

The PDPC's decision emphasizes that the standard of reasonable security measures required under the PDPA is higher for sensitive personal data, such as NRIC numbers and financial information. Organizations must take proactive steps to identify and mitigate potential risks, rather than relying on reactive measures after a breach has occurred.

This case provides guidance to organizations on the scope and depth of testing that should be undertaken when migrating to new IT systems or making changes that could impact the handling of personal data. It also underscores the need for organizations to have robust change management processes and to thoroughly investigate and address any reported issues, even if the root cause is not immediately apparent.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2017] SGPDPC 18
  • [2018] SGPDPC 4
  • [2019] SGPDPC 16
  • [2019] SGPDPC 20
  • [2020] SGPDPC 12

Source Documents

This article analyses [2020] SGPDPC 12 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
