Case Details
- Citation: [2019] SGPDPC 42
- Court: Personal Data Protection Commission
- Date: 2019-11-19
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: The Travel Corporation (2011) Pte. Ltd.
- Legal Areas: Data protection – Protection obligation, Data protection – Openness obligation
- Statutes Referenced: Personal Data Protection Act (PDPA), sections 11(3) and 24
- Cases Cited: [2017] SGPDPC 15, [2019] SGPDPC 42
- Judgment Length: 8 pages, 1,472 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that The Travel Corporation (2011) Pte. Ltd. (the Organisation) breached the Personal Data Protection Act (PDPA) in two respects: it failed to make reasonable security arrangements to protect its customers' personal data (section 24), and it failed to designate a data protection officer (DPO) before the data breach incident occurred (section 11(3)). The PDPC imposed a financial penalty of $12,000 on the Organisation.
What Were the Facts of This Case?
The Travel Corporation (2011) Pte. Ltd. is a company that offers travel packages directly to Singapore customers and through third-party travel agencies. On 1 October 2018, the Organisation notified the PDPC about the loss of a portable hard disk (the "Hard Disk") that contained unencrypted files with the personal data of the Organisation's customers, employees, and suppliers.
The incident unfolded as follows. On 25 July 2018, a new employee of the Organisation left the office with her laptop and the Hard Disk and misplaced both on her way home. She initially informed the Organisation only of the loss of the laptop, and a police report was made on 31 July 2018. She did not inform the Organisation of the loss of the Hard Disk until 21 September 2018, nearly two months later, and the Organisation made a second police report that day.
The Hard Disk contained the personal data of 18,630 individuals, including 5,437 customers, 11,000 prospective customers, 1,900 suppliers, and the Organisation's own employees. The types of personal data included names, email addresses, phone numbers, dates of birth, postal addresses, passport numbers, and NRIC numbers.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Organisation had breached its obligation to protect personal data under section 24 of the PDPA.
2. Whether the Organisation was in breach of section 11(3) of the PDPA for failing to designate a data protection officer (DPO).
How Did the Commission Analyse the Issues?
On the first issue, the PDPC found that the Organisation had failed to protect its customers' personal data (the "Customers' Personal Data") because it had no appropriate internal policies and procedures governing the use of portable storage devices containing personal data. Although the Organisation had a Portable Computer and Storage Devices Policy requiring each portable device to have a designated custodian, it had no operational framework or procedures to implement that policy in practice. Nor did it enforce password protection or encryption on its portable storage devices, including the Hard Disk, even though its other policies expressly called for such measures; as a result, the files on the lost Hard Disk were readable by anyone who found it.
The PDPC noted that section 24 of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements. Since the Organisation failed to implement appropriate security measures for the Customers' Personal Data, the PDPC found that it had breached its obligations under section 24 of the PDPA.
On the second issue, the PDPC found that the Organisation was in breach of section 11(3) of the PDPA for failing to designate a DPO prior to the data breach incident. The PDPC emphasized that appointing a DPO is important in ensuring the proper implementation of an organisation's data protection policies and practices, as well as compliance with the PDPA.
What Was the Outcome?
In view of the breaches found, the PDPC directed the Organisation to pay a financial penalty of $12,000 within 30 days. The PDPC took into account the following mitigating factors:
(a) The Organisation notified the PDPC of the incident and fully cooperated with the investigations.
(b) The Organisation promptly implemented remedial measures, such as ceasing the use of portable storage devices and appointing a DPO.
(c) The Organisation was actively addressing system security-related recommendations provided by an external auditor.
(d) The PDPC had not received any complaints as a result of the incident.
The PDPC decided not to impose any other directions on the Organisation, given the remedial measures it had taken.
Why Does This Case Matter?
This case is significant for several reasons:
1. It reinforces the importance of organisations making reasonable security arrangements to protect personal data in their possession, including implementing appropriate policies and procedures for the use of portable storage devices. For portable media in particular, a written policy on its own is not enough: the finding turned on the absence of procedures to enforce the policy and on the data being stored unencrypted, so that losing the device meant losing control of the data on it.
2. It emphasizes the mandatory requirement for organisations to designate a DPO to ensure compliance with the PDPA, even if the organisation is unable to immediately identify a qualified individual for the role.
3. It demonstrates the PDPC's willingness to impose financial penalties on organisations that breach their data protection obligations, while also considering mitigating factors such as prompt notification, cooperation, and remedial actions.
4. The case provides guidance to organisations on the steps they should take to comply with their data protection obligations, such as conducting PDPA impact and gap analyses, developing and enhancing internal PDPA policies and procedures, and providing PDPA training to employees.
Legislation Referenced
- Personal Data Protection Act (PDPA)
Cases Cited
- [2017] SGPDPC 15 (Re M Stars Movers & Logistics Specialist Pte Ltd)
- [2019] SGPDPC 42 (The Travel Corporation (2011) Pte. Ltd.)
Source Documents
This article analyses [2019] SGPDPC 42 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.