Case Details
- Citation: [2019] SGPDPC 24
- Court: Personal Data Protection Commission
- Date: 2019-07-22
- Judges: Tan Kiat How, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: The Central Depository (Pte) Limited & Anor.
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2016] SGPDPC 22, [2017] SGPDPC 11, [2018] SGPDPC 19, [2019] SGPDPC 24
- Judgment Length: 23 pages, 5,084 words
Summary
This case concerns the unauthorized disclosure of personal data of 1,358 account holders of the Central Depository (Pte) Limited (CDP) when their personal data was wrongly printed in the notification letters of other account holders and sent out. The incident occurred on or about 27 June 2017. The Personal Data Protection Commission (PDPC) had to determine the obligations of CDP and its vendor, Toppan Security Printing Pte Ltd (TSP), under the Personal Data Protection Act 2012 (PDPA) in respect of the data breach incident.
What Were the Facts of This Case?
CDP provides integrated clearing, settlement and depository facilities for customers in the Singapore securities market. TSP was engaged by CDP to carry out secure printing and dispatch of documents, including notification letters of CDP's customers. As part of the arrangement, TSP developed the necessary bespoke software to print the relevant documents.
The notification letters were printed in the following manner: CDP would send the raw data in files over an encrypted channel to TSP, which would then decrypt the files for processing. The processing included a pre-processing stage where TSP's program would carry out checks on the raw data and format it into a consistent structure, as well as a layout stage where a program would extract the formatted data and populate it in the notification letters. The final stage was the printing and dispatch of the notification letters.
Prior to the data breach incident in June 2017, TSP had carried out successful print runs for a different type of notification letter. However, when the "DRP" or "D Type" notification letters were printed for the first time, they were printed incorrectly. This occurred because TSP's layout program was programmed to expect exactly four lines of data for each account, corresponding to the four categories of Taxable Income, Tax Exempt Income, Capital, and Other Gains. In reality, however, each account may consist of between one and four such lines. As a result, the layout program assigned data from one account to the notification letter of another account, leading to the unauthorized disclosure of personal data.
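The defect described above, a layout stage that assumes exactly four lines per account when an account may have anywhere from one to four, is reproduced below as an added example in Python. It is not code from the decision, CDP or TSP; the account identifiers, category names and amounts are constructed. It places the fixed-stride layout beside one keyed on the account identifier carried by each pre-processed line, and adds a pre-dispatch check of the kind that would have flagged cross-account lines before anything was printed.

```python
from collections import OrderedDict

# The four categories a notification letter may carry; an account has
# between one and four of these lines, never a fixed four.
CATEGORIES = ("Taxable Income", "Tax Exempt Income", "Capital", "Other Gains")

# Constructed output of the pre-processing stage: (account, category, amount).
# Account A2 has only two lines, which is exactly what breaks a
# "four lines per account" assumption in the layout stage.
FORMATTED_LINES = [
    ("A1", "Taxable Income", "100.00"),
    ("A1", "Tax Exempt Income", "20.00"),
    ("A1", "Capital", "5.00"),
    ("A1", "Other Gains", "1.00"),
    ("A2", "Taxable Income", "50.00"),
    ("A2", "Capital", "2.50"),
    ("A3", "Taxable Income", "75.00"),
    ("A3", "Tax Exempt Income", "10.00"),
    ("A3", "Capital", "3.00"),
    ("A3", "Other Gains", "0.50"),
]
LETTER_ACCOUNTS = ["A1", "A2", "A3"]  # the letters this run is meant to print


def layout_fixed_stride(lines, accounts, stride=len(CATEGORIES)):
    """Defective layout (models the failure described in the decision):
    the i-th letter is filled with lines i*stride .. (i+1)*stride, so once
    one account has fewer than `stride` lines, later letters receive the
    next account's data."""
    letters = OrderedDict()
    for i, acct in enumerate(accounts):
        letters[acct] = list(lines[i * stride:(i + 1) * stride])
    return letters


def layout_by_account(lines):
    """Corrected layout: group on the account key carried by each line,
    so a letter can only ever receive lines tagged with its own account."""
    letters = OrderedDict()
    for line in lines:
        letters.setdefault(line[0], []).append(line)
    return letters


def find_misattributed(letters):
    """Return (letter_account, line_account) pairs for every line that
    landed in a letter belonging to a different account."""
    return [(letter_acct, line[0])
            for letter_acct, lines in letters.items()
            for line in lines
            if line[0] != letter_acct]


def validate_letters(letters, source_lines):
    """Pre-dispatch control: returns a list of problems; only an empty
    list should allow the print run to proceed."""
    problems = [f"letter {la} contains a line for account {sa}"
                for la, sa in find_misattributed(letters)]
    for acct, lines in letters.items():
        cats = [cat for _, cat, _ in lines]
        if not 1 <= len(lines) <= len(CATEGORIES):
            problems.append(f"letter {acct} has {len(lines)} lines")
        if len(set(cats)) != len(cats):
            problems.append(f"letter {acct} has a duplicate category")
        for cat in cats:
            if cat not in CATEGORIES:
                problems.append(f"letter {acct} has unknown category {cat!r}")
    # Conservation: every source line rendered exactly once. This alone
    # passes for the fixed-stride layout, since no line is lost or copied;
    # only the per-line account check above catches the cross-account leak.
    rendered = sorted(line for lines in letters.values() for line in lines)
    if rendered != sorted(source_lines):
        problems.append("rendered lines do not match the source lines")
    return problems


if __name__ == "__main__":
    buggy = layout_fixed_stride(FORMATTED_LINES, LETTER_ACCOUNTS)
    print("fixed-stride problems:", validate_letters(buggy, FORMATTED_LINES))
    fixed = layout_by_account(FORMATTED_LINES)
    print("keyed layout problems:", validate_letters(fixed, FORMATTED_LINES))
```

Run as a script, the fixed-stride layout reports two lines of account A3 inside A2's letter (plus a duplicate category that results from them), while the keyed layout reports nothing. The design point is in the last check: a control that merely counts or reconciles lines would have passed the defective run, because no line was dropped or duplicated, only misplaced; the test a print vendor needs is that each rendered line's account matches the letter it sits in.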
What Were the Key Legal Issues?
The key legal issues to be determined by the PDPC were:
(a) What obligations did CDP and TSP each owe under the PDPA in respect of the personal data of the affected account holders?
(b) Whether CDP complied with its obligation under section 24 of the PDPA in respect of the data breach incident that occurred.
(c) Whether TSP complied with its obligation under section 24 of the PDPA in respect of the data breach incident that occurred.
How Did the Court Analyse the Issues?
The PDPC first examined the relevant provisions of the PDPA. Section 24 of the PDPA provides that an organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or similar risks (the "Protection Obligation").
This obligation is also conferred on a data intermediary under Section 4(2) of the PDPA. Further, Section 4(3) of the PDPA provides that an organization shall have the same obligation under the PDPA in respect of the personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organization itself.
Applying these principles, the PDPC found that both CDP and TSP owed obligations under the PDPA to protect the personal data of the affected account holders. CDP, as the organization that collected and used the personal data, had the primary responsibility to ensure the data was properly protected. TSP, as the data intermediary engaged by CDP to process the personal data, also had an obligation to protect the data.
In assessing whether CDP and TSP complied with their respective obligations under section 24 of the PDPA, the PDPC considered the security arrangements put in place by each party. The PDPC found that CDP had put in place reasonable security arrangements, including engaging TSP as a vendor to handle the printing and dispatch of the notification letters. However, the PDPC found that TSP's security arrangements were inadequate, as the programming error in its layout software led to the unauthorized disclosure of personal data.
What Was the Outcome?
Based on its findings, the PDPC concluded that CDP had complied with its obligations under the PDPA, but TSP had failed to do so. The PDPC thus issued a direction to TSP to pay a financial penalty of $18,000.
It is worth noting that an application for reconsideration was subsequently filed against the decision, and the PDPC decided to reduce the financial penalty imposed on TSP from $18,000 to $12,000. However, as the application did not give rise to significant legal or factual issues, a separate decision on the application was not published.
Why Does This Case Matter?
This case highlights the importance of organizations and their data intermediaries having robust security arrangements in place to protect personal data, especially when handling sensitive information. It underscores the shared responsibility between organizations and their vendors in ensuring compliance with the PDPA.
The case also demonstrates the PDPC's willingness to hold data intermediaries accountable for their failure to protect personal data, even when the organization itself has taken reasonable security measures. This sends a clear message to businesses that they must carefully vet and oversee their data processing vendors to ensure PDPA compliance.
Furthermore, the case provides guidance on the application of the PDPA's Protection Obligation, particularly in situations where an organization engages a third-party vendor to handle personal data processing. It underscores the need for organizations to have a clear understanding of the data processing activities undertaken by their vendors and to implement appropriate contractual and technical safeguards to mitigate the risks of unauthorized data disclosure.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 22
- [2017] SGPDPC 11
- [2018] SGPDPC 19
- [2019] SGPDPC 24
Source Documents
This article analyses [2019] SGPDPC 24 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.