Case Details
- Citation: [2020] SGPDPC 18
- Court: Personal Data Protection Commission
- Date: 2020-06-18
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: (1) Times Software Pte Ltd, (2) Dentons Rodyk & Davidson LLP, (3) Liberty Specialty Markets Singapore Pte Limited, (4) Red Hat Asia Pacific Pte Ltd, (5) TMF Singapore H Pte Ltd
- Legal Areas: Data Protection – Protection obligation, Data Protection – Retention limitation obligation, Data Protection – Data intermediary
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 22, [2019] SGPDPC 3, [2019] SGPDPC 34, [2020] SGPDPC 18
- Judgment Length: 32 pages, 5,938 words
Summary
This case involves an investigation by the Personal Data Protection Commission (PDPC) into a data breach incident that exposed the personal data of over 600 employees from three different organizations. The PDPC found that the data intermediary, Times Software Pte Ltd (Times), had breached its obligations under the Personal Data Protection Act (PDPA) to protect the personal data in its possession and to limit the retention of such data. The PDPC also examined the obligations of the organizations that had engaged Times as a data intermediary.
What Were the Facts of This Case?
Times Software Pte Ltd (Times) is an information technology services vendor that provides various services to its clients. Between January and February 2018, three organizations - Dentons Rodyk & Davidson LLP (Dentons), Red Hat Asia Pacific Pte Ltd (Red Hat), and Liberty Specialty Markets Singapore Pte Limited (LIU) - became aware that the personal data of some of their current and former employees (the "Employee Data") had been exposed online from Times' servers and could be found using the Google search engine.
Dentons had engaged Times since 2001 to use a payroll software application developed by Times (the "Payroll Software"), which was hosted internally on Dentons' servers. In 2015, Dentons commissioned the development of a new functionality for the Payroll Software that would enable the creation of customized employee reports, and provided Times with Dentons' Employee Data to test this functionality.
Red Hat and LIU had each engaged TMF Singapore H Pte Ltd (TMF), a professional services company, for certain HR and payroll services in 2015 and 2016 respectively. TMF, in turn, had engaged Times since 2008 to use the Payroll Software to provide services to its clients, including Red Hat and LIU. Sometime between December 2015 and February 2016, TMF provided Times with Red Hat and LIU's Employee Data.
What Were the Key Legal Issues?
The key legal issues in this case were whether Times had breached its obligations under the PDPA as a data intermediary, specifically:
1. The Protection Obligation under Section 24 of the PDPA to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
2. The Retention Limitation Obligation under Section 25 of the PDPA to cease retaining documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by the retention of the personal data, and retention is no longer necessary for legal or business purposes.
How Did the Court Analyse the Issues?
The PDPC found that Times had breached both its Protection Obligation and Retention Limitation Obligation under the PDPA.
Regarding the Protection Obligation, the PDPC found that Times' processes in remediating the hard disk failure in its File Server System (FSS) fell short of the standard required under Section 24 of the PDPA. Times' Standard Operating Procedure (SOP) required the employee who carried out the server restoration to enable the authentication function (password protection), but the employee had failed to do so, and this was not discovered by the employee's supervisor. The PDPC held that relying solely on employees to perform their tasks diligently is not a sufficiently reasonable security arrangement, and Times should have had proactive measures to detect and discourage non-compliance with its SOP.
The PDPC also found that Times' other internal policies, such as its poor password management practices, fell short of the reasonable protection expected for an organization handling the amount and type of personal data that Times did.
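The decision's point about proactive measures can be made concrete. The following is an added example (not part of the decision or of any Times product): an automated post-restore check that reads a restored server's effective configuration, compares it against an SOP baseline and refuses to return the server to service while authentication is off. The configuration format, key names and the password-policy numbers are assumptions for the example; the decision does not describe the FSS configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the effective settings of a file server after a disk
# replacement and restore, dumped as "key = value" lines. Key names and values
# are assumptions for this example, not taken from the decision.
RESTORED_CONFIG = """\
# dumped after the hard-disk replacement
listen_address = 0.0.0.0
auth_enabled = false
anonymous_access = true
min_password_length = 6
password_max_age_days = 0
"""

# Constructed sample of a configuration that satisfies the assumed baseline.
OK_CONFIG = """\
listen_address = 10.0.0.5
auth_enabled = true
anonymous_access = false
min_password_length = 14
password_max_age_days = 90
"""


@dataclass(frozen=True)
class Finding:
    key: str
    observed: str
    expected: str
    severity: str  # "critical" blocks return to service; "high" needs a ticket


def parse_config(text: str) -> Dict[str, str]:
    """Parse "key = value" lines; blank lines and '#' comments are ignored."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        config[key.strip()] = value.strip().lower()
    return config


def _as_int(value: Optional[str]) -> Optional[int]:
    """Parse an integer setting; None when absent or not numeric."""
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def audit(config: Dict[str, str]) -> List[Finding]:
    """Compare a restored configuration against the (assumed) SOP baseline."""
    findings: List[Finding] = []
    auth_on = config.get("auth_enabled") == "true"

    # The step the SOP left to one employee: authentication must be re-enabled.
    if not auth_on:
        findings.append(Finding("auth_enabled", config.get("auth_enabled", "<missing>"), "true", "critical"))
    if config.get("anonymous_access") != "false":
        findings.append(Finding("anonymous_access", config.get("anonymous_access", "<missing>"), "false", "critical"))

    # An unauthenticated service bound to every interface is what lets the data
    # become reachable from the internet and then indexed by a search engine.
    if config.get("listen_address") == "0.0.0.0" and not auth_on:
        findings.append(Finding("listen_address", "0.0.0.0", "internal interface only while auth is disabled", "critical"))

    # Password-management baseline (the numbers are an assumed policy, not the PDPC's).
    min_len = _as_int(config.get("min_password_length"))
    if min_len is None or min_len < 12:
        findings.append(Finding("min_password_length", config.get("min_password_length", "<missing>"), ">= 12", "high"))
    max_age = _as_int(config.get("password_max_age_days"))
    if max_age is None or max_age <= 0 or max_age > 365:
        findings.append(Finding("password_max_age_days", config.get("password_max_age_days", "<missing>"), "1-365 days", "high"))
    return findings


def restore_approved(config_text: str) -> bool:
    """Gate run automatically after every restore: any critical finding keeps the
    server off the network. The check runs regardless of whether the restoring
    employee or the supervisor remembered it."""
    return not any(f.severity == "critical" for f in audit(parse_config(config_text)))


if __name__ == "__main__":
    for f in audit(parse_config(RESTORED_CONFIG)):
        print(f"[{f.severity}] {f.key}: observed {f.observed!r}, expected {f.expected}")
    print("return to service approved:", restore_approved(RESTORED_CONFIG))
```

The design point is that the gate is enforced by the restore pipeline rather than by a person reading a checklist: the server is only reconnected when `restore_approved` returns true, and each finding is logged so non-compliance with the SOP is visible rather than discovered by a search engine.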
Regarding the Retention Limitation Obligation, the PDPC found that Times had breached this obligation by retaining the Employee Data even though the purpose for which it was collected (testing the new functionality of the Payroll Software) was no longer being served, and retention was no longer necessary for legal or business purposes.
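A retention limitation obligation of this kind is normally met with a scheduled sweep over a data inventory rather than by memory. The following is an added example (not from the decision or from any of the parties): each data set records the purpose it was collected for, when that purpose ended and any legal hold, and a scheduled job decides whether it is retained, queued for review or disposed of. The inventory entries, dates and client labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataSet:
    name: str
    client: str                       # whose employees' data this is
    purpose: str                      # the purpose it was collected for
    purpose_ended: Optional[date]     # None while the purpose is still live
    legal_hold_until: Optional[date]  # statutory or contractual hold; None if none


# Constructed inventory for a payroll vendor. Names, clients, purposes and dates
# are assumptions for this example, not facts taken from the decision.
INVENTORY: List[DataSet] = [
    DataSet("clientA-report-test-extract", "Client A",
            "testing a custom-report feature", date(2015, 9, 30), None),
    DataSet("clientB-payroll-live", "Client B",
            "monthly payroll processing", None, None),
    DataSet("clientC-payroll-archive", "Client C",
            "payroll processing (contract ended)", date(2016, 12, 31), date(2022, 12, 31)),
]


def retention_decision(ds: DataSet, today: date, grace_days: int = 30) -> str:
    """Return 'retain', 'review' or 'dispose' for one data set.

    retain  - the collection purpose is still being served, or a legal or
              business hold is in force
    review  - the purpose ended within the grace period; the data owner
              confirms before disposal
    dispose - delete, or anonymise so the records no longer identify anyone
    """
    if ds.purpose_ended is None:
        return "retain"
    if ds.legal_hold_until is not None and today <= ds.legal_hold_until:
        return "retain"
    if today <= ds.purpose_ended + timedelta(days=grace_days):
        return "review"
    return "dispose"


def sweep(inventory: List[DataSet], today: date) -> Dict[str, str]:
    """Apply the decision to every data set; intended to run on a schedule."""
    return {ds.name: retention_decision(ds, today) for ds in inventory}


if __name__ == "__main__":
    for name, decision in sweep(INVENTORY, date(2018, 1, 15)).items():
        print(f"{decision:8} {name}")
```

Test extracts are the case the decision turns on: the feature they were provided to test ships, the purpose ends, and unless something records that end date the copy simply stays on the server. Recording `purpose_ended` at the point of collection is what gives the sweep something to act on.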
What Was the Outcome?
The PDPC found that Times had breached its obligations under Sections 24 and 25 of the PDPA. The PDPC also examined the obligations of the organizations that had engaged Times as a data intermediary, Dentons, Red Hat, and LIU, and found that they had taken appropriate remedial actions in response to the data breach incident.
The PDPC did not make any findings of breach against TMF, the professional services company that had provided the Employee Data to Times, as the PDPC found that the findings regarding TMF's breach of its Protection Obligation were not dependent on whether TMF had consented to Times' use of the Employee Data to develop the new functionality within the Payroll Software.
Why Does This Case Matter?
This case is significant for several reasons:
1. It provides guidance on the obligations of data intermediaries under the PDPA, particularly the Protection Obligation and Retention Limitation Obligation. The PDPC's findings emphasize that data intermediaries must have robust security measures and data retention policies in place, and cannot solely rely on their employees to comply with internal procedures.
2. The case also highlights the obligations of organizations that engage data intermediaries, such as ensuring that appropriate contractual provisions are in place and actively monitoring the data intermediary's compliance with data protection requirements.
3. The case serves as a reminder to all organizations handling personal data, whether as a data controller or data intermediary, to carefully review their data protection practices and implement reasonable security arrangements to prevent data breaches and unauthorized access to personal data.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 22
- [2019] SGPDPC 3
- [2019] SGPDPC 34
- [2020] SGPDPC 18
Source Documents
This article analyses [2020] SGPDPC 18 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.