Case Details
- Citation: [2018] SGPDPC 12
- Court: Personal Data Protection Commission
- Date: 2018-05-14
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Watami Food Service Singapore Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2018] SGPDPC 12
- Judgment Length: 3 pages, 734 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Watami Food Service Singapore Pte Ltd ("the Organisation") breached its obligation under Section 24 of the Personal Data Protection Act (PDPA) to protect personal data in its possession or control. The Organisation failed to implement reasonable security arrangements to prevent unauthorized access to a list of employee personal data that was inadvertently made publicly accessible on its website.
The PDPC issued a warning to the Organisation: although the breach was serious, the Organisation's prompt remedial action and cooperation during the investigation justified a less severe sanction than a financial penalty.
What Were the Facts of This Case?
Watami Food Service Singapore Pte Ltd is a restaurant business. On 10 November 2017, the PDPC received information that the Organisation's internal "Staff Code Name List" (the "List") was accessible via its website. The List contained the full names and staff codes of 405 of the Organisation's employees.
The List was originally intended for internal use only, to facilitate the entry of new employee staff codes into the Organisation's point-of-sale system. However, the List was dated between 2009 and 2013, and was no longer current. The Organisation did not know when or why the List had been uploaded onto its website server.
With no access restrictions in place, the List was indexed by search engines and made publicly searchable online. The URL containing the List was subsequently removed by Fairwin International Limited, a vendor engaged by the Organisation to maintain its website.
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had breached its obligations under Section 24 of the PDPA to protect the personal data of its employees contained in the List.
Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.
How Did the Court Analyse the Issues?
The PDPC Deputy Commissioner, Yeong Zee Kin, found that the Organisation was in possession and/or control of the personal data in the List, and therefore had an obligation under Section 24 of the PDPA to protect it.
The PDPC relied on the common law concept of res ipsa loquitur (the thing speaks for itself) in this case, as the Organisation was unable to explain how the List, which was meant for internal use, ended up being uploaded onto its publicly accessible website. The PDPC found that the Organisation did not exercise reasonable control over the information on its website, as it was unaware that the List had been accessible and searchable online.
The PDPC also found that the Organisation failed to adopt reasonable steps to monitor its website for potential information leaks. As a result, the personal data in the List remained exposed online for an indeterminate period, potentially from 2013 onwards, until the PDPC contacted the Organisation.
Furthermore, the PDPC found that the Organisation had failed to adequately train its staff on protecting personal data in its possession or control, beyond occasional reminders to use alphanumeric passwords. The Organisation's privacy policy included proper personal information management, but its staff were not provided with formal instructions or training on the Organisation's data protection policies.
What Was the Outcome?
Based on the findings, the PDPC concluded that the Organisation did not put in place reasonable security arrangements to protect the personal data in the List against the risk of unauthorized access. The Organisation was therefore in breach of Section 24 of the PDPA.
In determining the appropriate directions to impose on the Organisation, the PDPC took into account several mitigating factors:
- The Organisation's prompt instruction to Fairwin to delete the URL containing the List from its website;
- The Organisation's cooperation during the PDPC's investigation;
- The Organisation's remedial measures, including restricting access to the website server to only one person and reminding all staff to password-protect documents containing sensitive personal data.
Given these mitigating factors, the PDPC decided to issue a warning to the Organisation for the breach of its obligations under Section 24 of the PDPA, rather than imposing further directions or a financial penalty.
Why Does This Case Matter?
This case highlights the importance of organizations taking reasonable security measures to protect personal data in their possession or control, as required by Section 24 of the PDPA. The PDPC's decision emphasizes that organizations must exercise proper oversight and control over the information published on their websites, and ensure that their staff are adequately trained on data protection policies and practices.
While the PDPC ultimately issued a warning in this case, rather than a financial penalty, the decision serves as a cautionary tale for organizations. Failure to implement appropriate security arrangements can lead to serious consequences, including potential enforcement actions by the PDPC. This case underscores the need for organizations to proactively review and strengthen their data protection practices to avoid similar breaches in the future.
The PDPC's reliance on the common law concept of res ipsa loquitur is also noteworthy. This principle shifts to the defendant (here, the Organisation) the burden of explaining how the incident occurred, where the organization is in a better position to provide that explanation. The PDPC's application of the principle highlights the importance of organizations being able to account for the security and management of personal data in their possession or control.
Legislation Referenced
- Personal Data Protection Act
Cases Cited
- [2018] SGPDPC 12
Source Documents
This article analyses [2018] SGPDPC 12 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.