Tok Leng Leng (trading as Top Mobile Gallery (BR)) [2024] SGPDPCS 1

Analysis of [2024] SGPDPCS 1, a decision of the Personal Data Protection Commission on 2024-07-04.


Case Details

  • Citation: [2024] SGPDPCS 1
  • Court: Personal Data Protection Commission
  • Date: 2024-07-04
  • Judges: Not specified
  • Plaintiff/Applicant: Not specified
  • Defendant/Respondent: Tok Leng Leng (trading as Top Mobile Gallery (BR))
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2024] SGPDPCS 1
  • Judgment Length: 9 pages, 1,687 words

Summary

In this case, the Personal Data Protection Commission (the "Commission") investigated Tok Leng Leng (trading as Top Mobile Gallery (BR)) (the "Organisation") for suspected breaches of the Personal Data Protection Act 2012 ("PDPA"). The investigation centered on the Organisation's failure to protect the personal data of its customers, which resulted in the unauthorised use and access of such data for the registration of M1 pre-paid SIM cards. The Commission found the Organisation in breach of the Protection Obligation under section 24 of the PDPA and imposed a financial penalty of $7,000.

What Were the Facts of This Case?

Between December 2020 and April 2021, the Commission received 435 Do Not Call ("DNC") complaints relating to property messages, despite the complainants' numbers being registered with the DNC Register. The complaints were traced to 44 M1 pre-paid SIM cards sold by the Organisation, which was located in a foreign worker dormitory.

The 44 M1 pre-paid SIM cards were registered under 33 unique individuals who were foreign workers living in the dormitory and had purchased the SIM cards from the Organisation. However, investigations revealed that additional pre-paid SIM cards were registered under their names, even though they had not actually purchased these "illicit SIM cards".

As a retailer of M1 SIM cards, the Organisation used a terminal device issued by M1 for the purposes of SIM card registration. The SIM card registration process involved scanning the customer's identity document, scanning the barcode of the SIM card(s), and using a mobile application to load credit value to the pre-paid SIM card(s).

At a certain point, the Organisation started registering M1 pre-paid SIM cards via an M1 mobile application on a mobile phone. Through this process, the Organisation had access to the following types of personal data: name, sex, FIN/work permit number, date of birth, nationality, and name of employer.

The key legal issue in this case was whether the Organisation had breached the Protection Obligation under section 24 of the PDPA. Section 24(a) of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal, or similar risks.

How Did the Commission Analyse the Issues?

The Commission's investigation found that the Organisation had failed to implement reasonable security arrangements to protect its customers' personal data, leading to the unauthorised use and access of such data.

Firstly, the Organisation admitted that it did not maintain an inventory of M1 pre-paid SIM cards, which contributed to its failure to account for each SIM card sold and to whom it was registered. The Organisation also failed to have processes in place to require employees to record the details of each SIM card sale and registration.

Secondly, the Organisation allowed all its employees equal access to the M1 pre-paid SIM cards and to the M1 mobile application used for registration. The login credentials for the application were shared among the employees, and employees could use their personal mobile devices to access the application when the Organisation's device was not available. Because the credentials were shared, a registration performed through the application could not be attributed to any individual employee, and the lack of access control made it easier for employees to misuse the customers' personal data.

Thirdly, the Organisation did not have adequate supervision over its employees' use and access of the customers' personal data. The sole proprietor, Tok Leng Leng, was often not present at the shop and did not regularly review the CCTV footage to monitor the employees' activities.

Based on these findings, the Commission concluded that the Organisation had completely failed to adopt any security arrangements to protect its customers' personal data from misuse, thereby breaching the Protection Obligation under section 24 of the PDPA.

What Was the Outcome?

The Commission determined that a financial penalty of $7,000 would be imposed on the Organisation for its breach of the Protection Obligation under section 24 of the PDPA.

The Organisation was notified of the Commission's preliminary decision and given 14 days to make written representations. While the Organisation did not challenge the findings and basis of the contravention, it made representations seeking that a financial penalty not be imposed, citing its long-standing compliance history and the financial burden of the penalty.

However, the Commission considered the representations but was unable to accept them. The Commission noted that it had already taken into account the Organisation's compliance history and the fact that this was its first contravention of the PDPA in arriving at the preliminary decision. Additionally, the Organisation did not substantiate that it was experiencing financial difficulties that would prevent it from continuing its usual business activities following the imposition of the financial penalty.

Ultimately, the Commission upheld its preliminary decision and required the Organisation to pay a financial penalty of $7,000 within 30 days.

Why Does This Case Matter?

This case is significant as it highlights the importance of organisations complying with the Protection Obligation under the PDPA. The Commission's decision sends a clear message that a failure to implement reasonable security arrangements to protect personal data can result in significant consequences, including the imposition of financial penalties.

The case also underscores the need for organisations to have robust internal controls and processes to prevent the unauthorised use and access of personal data by their employees. Measures such as maintaining inventory records, restricting employee access, and implementing proper supervision are crucial to fulfilling the Protection Obligation.

Furthermore, this decision serves as a valuable precedent for the Commission's approach to enforcing the PDPA and the factors it considers in determining the appropriate financial penalty. Organisations operating in Singapore must take heed of this case and ensure they have adequate safeguards in place to protect the personal data in their possession or under their control.

This article analyses [2024] SGPDPCS 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
