
Tutor City [2019] SGPDPC 5

Analysis of [2019] SGPDPC 5, a decision of the Personal Data Protection Commission on 2019-04-23.

Case Details

  • Citation: [2019] SGPDPC 5
  • Court: Personal Data Protection Commission
  • Date: 2019-04-23
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: Tutor City
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 22, [2017] SGPDPC 12, [2017] SGPDPC 17, [2017] SGPDPC 5, [2018] SGPDPC 21, [2018] SGPDPC 27, [2018] SGPDPC 20, [2018] SGPDPC 29, [2018] SGPDPC 4, [2018] SGPDPC 6
  • Judgment Length: 13 pages, 3,435 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Tutor City, an organization that provides matching services between freelance tutors and clients, had breached its obligations under the Personal Data Protection Act (PDPA) by failing to implement reasonable security arrangements to protect the personal data of its tutors. Specifically, the PDPC found that Tutor City had stored the educational certificates of its tutors in a publicly accessible directory on its website, resulting in the unauthorized disclosure of the tutors' personal information.

What Were the Facts of This Case?

Tutor City is a Singapore-based organization that operates a website, www.tutorcity.com.sg, to provide matching services between freelance tutors and prospective clients. As part of this service, tutors were given the option to voluntarily upload up to three of their educational certificates onto the website. These certificates were intended to assist Tutor City in matching the needs of students to suitable tutors, but were not meant to be publicly accessible.

However, the PDPC investigation found that all the uploaded certificates were stored in a publicly accessible directory on the website's server, without any access controls in place. This resulted in the personal data of 50 tutors, including their names, NRIC numbers, educational institutions, and academic grades, being disclosed to the public. The PDPC noted that the certificates were also indexed by search engines, further exacerbating the unauthorized disclosure.

Tutor City had engaged a freelance web developer to design and develop the website in 2011, but the organization had been solely responsible for the website's management and security since then. The PDPC found that Tutor City had not taken any steps to review or enhance the website's security measures after the PDPA came into effect in 2014, despite the organization's continued collection and use of personal data through the website.

The key legal issue in this case was whether Tutor City had breached its obligations under Section 24 of the PDPA, which requires organizations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks."

Specifically, the PDPC had to determine whether Tutor City had taken reasonable security measures to prevent the unauthorized disclosure of the tutors' personal data through the public accessibility of the educational certificates on the website.

How Did the Court Analyse the Issues?

The PDPC began its analysis by establishing that Tutor City, as the sole administrator of the website, retained full possession and control over the personal data collected through the website. The fact that a web developer had been previously engaged for the website's development did not absolve Tutor City of its responsibility to ensure the security of the personal data.

The PDPC then examined Tutor City's actions (or lack thereof) in relation to the website's security. The PDPC found that Tutor City had paid "little to no attention" to the website's security, despite the organization's continued use of the website to collect personal data after the PDPA came into effect. Specifically, the PDPC noted that Tutor City:

  • Did not communicate any specific security requirements to the web developer to protect the personal data stored on the website's server
  • Did not make reasonable efforts to understand the security measures implemented by the developer
  • Did not attempt to verify that the developer had indeed implemented the necessary security measures
  • Did not conduct any reasonable security testing (e.g., penetration tests) on the website
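The facts above describe the failure mode (uploaded certificates written into a directory the web server exposes to anyone, listable and crawlable) and the verification step that was never carried out. The following added example, which is not Tutor City's code and whose names (`serve_public`, `serve_protected`, `unauthenticated_exposure`, the `/uploads/` and `/certificates/` routes, the constructed tutor records) are hypothetical, models both ways of serving an upload side by side and then runs the kind of post-deployment check that would have caught the exposure: probe each path with no session and report anything that comes back with a 200.

```python
"""Two ways of serving uploaded certificates, modelled as plain functions so
the example runs offline. Added illustration, not the organisation's code;
every name and the sample data are constructed for this example."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Callable, Dict, List, Optional

# Constructed sample uploads: tutor id -> {filename: file bytes}
UPLOADS: Dict[str, Dict[str, bytes]] = {
    "t001": {"degree.pdf": b"%PDF-1.4 constructed certificate for tutor t001"},
    "t002": {"diploma.pdf": b"%PDF-1.4 constructed certificate for tutor t002"},
}


@dataclass
class Session:
    """Who is making the request; user_id None means anonymous (no login)."""
    user_id: Optional[str] = None
    is_admin: bool = False


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)


# --- Failure mode: uploads stored under the public web root -----------------
# Every upload becomes a static URL. The session is accepted but never used,
# which is exactly the "no access controls" situation described in the facts.
WEBROOT_PUBLIC: Dict[str, bytes] = {
    f"/uploads/{tid}/{name}": data
    for tid, files in UPLOADS.items()
    for name, data in files.items()
}


def serve_public(path: str, session: Session) -> Response:
    if path in WEBROOT_PUBLIC:
        return Response(200, WEBROOT_PUBLIC[path])
    if path.endswith("/"):
        # Directory listing is on: a crawler can enumerate every certificate.
        listing = [p for p in WEBROOT_PUBLIC if p.startswith(path)]
        if listing:
            return Response(200, "\n".join(listing).encode())
    return Response(404)


# --- Hardened pattern: files outside the web root, one authorised route -----
def serve_protected(path: str, session: Session) -> Response:
    """The store (UPLOADS) is not web-served at all; this route is the only
    way in. It authenticates, then authorises (owner or admin), never lists
    the store, and tells caches and crawlers not to retain or index the file."""
    parts = PurePosixPath(path).parts  # e.g. ('/', 'certificates', tid, name)
    if len(parts) != 4 or parts[1] != "certificates":
        return Response(404)
    _, _, tid, name = parts
    if session.user_id is None:
        return Response(401)
    if not (session.is_admin or session.user_id == tid):
        return Response(403)
    data = UPLOADS.get(tid, {}).get(name)  # dict lookup: no path traversal
    if data is None:
        return Response(404)
    return Response(200, data, {
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex, nofollow",
        "Content-Disposition": f'attachment; filename="{name}"',
    })


# --- The verification step that was missing ---------------------------------
def unauthenticated_exposure(handler: Callable[[str, Session], Response],
                             paths: List[str]) -> List[str]:
    """Request each path with an anonymous session and return those that
    succeed. An empty list is the expected result for personal data."""
    anonymous = Session()
    return [p for p in paths if handler(p, anonymous).status == 200]


if __name__ == "__main__":
    probe = ["/uploads/", "/uploads/t001/degree.pdf",
             "/certificates/t001/degree.pdf"]
    print("public handler exposes:   ", unauthenticated_exposure(serve_public, probe))
    print("protected handler exposes:", unauthenticated_exposure(serve_protected, probe))
```

The point of `unauthenticated_exposure` is that it is cheap: it needs no knowledge of the developer's implementation, only the list of URLs that hold personal data and a browser session that is not logged in. Running it against the public handler returns both the directory listing and the certificate; against the protected handler it returns nothing, and the `X-Robots-Tag` header on successful responses addresses the search-engine indexing the Commission noted.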

The PDPC emphasized that Tutor City's vague instruction to the developer to "make [the website] safe" did not constitute a reasonable security measure, as the developer would not have known the organization's specific requirements for protecting the tutors' personal data.

The PDPC also rejected Tutor City's defense that the organization lacked technical knowledge or "tech-savviness," stating that this was not a valid excuse for the organization's failure to take any steps to comply with its obligations under the PDPA.

What Was the Outcome?

Based on the findings, the PDPC concluded that Tutor City had breached Section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data of its tutors. The PDPC ordered Tutor City to:

  • Engage an independent third-party to conduct a comprehensive review of the website's security measures and implement any necessary improvements
  • Develop and implement a data protection policy to govern the collection, use, and protection of personal data
  • Conduct regular data protection training for its staff
  • Pay a financial penalty of S$13,000

Why Does This Case Matter?

This case is significant for several reasons:

First, it underscores the importance of organizations taking proactive steps to ensure the security of personal data, even if the data was collected before the PDPA came into effect. The PDPC made it clear that organizations have a "positive duty" to implement reasonable security measures after the PDPA's implementation, regardless of the pre-existing state of their systems.

Second, the case highlights the need for organizations to clearly communicate their security requirements to any third-party service providers, such as web developers, and to verify that the necessary security measures have been implemented. Vague instructions or a lack of technical knowledge are not valid excuses for failing to protect personal data.

Finally, the case serves as a reminder that the PDPC takes data protection obligations seriously and is willing to impose financial penalties on organizations that fail to comply. The S$13,000 fine imposed on Tutor City sends a clear message to organizations that they must prioritize the security of personal data or face consequences.

Overall, this case provides valuable guidance for organizations on the steps they must take to fulfill their data protection obligations under the PDPA, particularly in the context of online platforms and services that handle sensitive personal information.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2016] SGPDPC 22
  • [2017] SGPDPC 12
  • [2017] SGPDPC 17
  • [2017] SGPDPC 5
  • [2018] SGPDPC 21
  • [2018] SGPDPC 27
  • [2018] SGPDPC 20
  • [2018] SGPDPC 29
  • [2018] SGPDPC 4
  • [2018] SGPDPC 6

Source Documents

This article analyses [2019] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
