Case Details
- Citation: [2018] SGPDPC 26
- Court: Personal Data Protection Commission
- Date: 2018-12-13
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: WTS Automotive Services Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 22, [2016] SGPDPC 19, [2018] SGPDPC 26, [2018] SGPDPC 8
- Judgment Length: 13 pages, 3,232 words
Summary
This case involves a complaint filed with the Personal Data Protection Commission (PDPC) against WTS Automotive Services Pte. Ltd. (the "Organisation"), a vehicle repair and maintenance company in Singapore. The complaint alleged that the Organisation's customer database, containing personal data of over 2,400 customers, was publicly accessible on the internet. The PDPC investigated the matter and found that the Organisation had failed to implement reasonable security arrangements to protect the personal data in its possession or under its control, as required under the Personal Data Protection Act (PDPA).
The PDPC determined that the Organisation was responsible for the data breach, as it had control over the personal data even though the backend system was developed and maintained by third-party vendors. The PDPC found that the Organisation did not adequately document its security requirements or follow up to ensure the vendors implemented the necessary safeguards. As a result, the PDPC issued a direction to the Organisation to implement appropriate measures to protect customer data and prevent future breaches.
What Were the Facts of This Case?
On 9 June 2017, a member of the public (the "Complainant") lodged a complaint with the PDPC, alleging that a URL link to the Organisation's customer database was publicly accessible on the internet. The database contained the personal data of 2,472 of the Organisation's Kaki Bukit customers, including their names, NRIC and FIN numbers, residential addresses, contact numbers, email addresses, and car plate registration numbers.
During the investigation, the PDPC found that there were two other databases that were also publicly accessible as part of the Organisation's backend system: the Gul Circle customer database, which contained the personal data of 2,223 customers, and a master car database with 3,764 records of car owners' details.
The Organisation explained that it had implemented a Backend Electronic Job Card System (the "Backend System") in December 2013, which was developed and maintained by an IT vendor, ZNO International (Pte.) Limited ("ZNO"). The Backend System was meant for internal use only and allowed the Organisation's staff to store and access customer personal data. Another vendor, QGrids, took over the maintenance of the Backend System from ZNO in March 2016.
The Organisation admitted that the webpages providing access to the three databases (the "Compromised URL Links") did not have any authentication mechanisms, unlike the rest of the Backend System. As a result, search engines were able to discover and index these links, making the databases publicly accessible on the internet.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation, ZNO, and QGrids had complied with the obligation under section 24 of the PDPA to implement reasonable security arrangements to protect the personal data in their possession or under their control.
The PDPC had to determine the extent of each party's obligations under section 24 of the PDPA, considering the concepts of "possession" and "control" of personal data. Specifically, the PDPC had to assess whether ZNO and QGrids, as the IT vendors, had any obligations under the PDPA, or if the responsibility rested solely with the Organisation as the data controller.
How Did the Court Analyse the Issues?
The PDPC first considered the meaning of "possession" and "control" under section 24 of the PDPA. Referring to previous PDPC decisions, the Commissioner explained that an organisation can be in control of personal data even if it is not in direct possession of the data, such as when the data is held by a data intermediary. The key factor is the organisation's ability to determine the purposes and manner of processing the personal data.
Regarding ZNO, the PDPC found that while the Organisation claimed it had asked ZNO to implement authentication mechanisms, the only evidence was the statement of the Organisation's General Manager. Even if this were true, the PDPC held that the onus was on the Organisation to review its systems and ensure compliance with the PDPA after the relevant provisions came into force in 2014. Therefore, the PDPC concluded that ZNO did not have an obligation under section 24 of the PDPA.
As for QGrids, the PDPC found that while it had possession of the personal data during the migration of the Backend System to a new web hosting provider, the data breach was not a result of QGrids' actions. Therefore, the PDPC determined that QGrids did not have an obligation under section 24 of the PDPA.
Turning to the Organisation, the PDPC noted that it had control over the personal data in the Backend System, even though the system was developed and maintained by third-party vendors. The PDPC emphasised the importance of clearly documenting the obligations of an organisation and its service providers, as set out in a previous decision. The PDPC found that the Organisation failed to adequately document its security requirements and did not follow up to ensure the vendors implemented the necessary safeguards, resulting in the data breach.
What Was the Outcome?
Based on its findings, the PDPC issued a direction to the Organisation to implement the following measures within 60 days:
- Secure all webpages in the Backend System with appropriate authentication mechanisms
- Conduct a comprehensive review of the Backend System to identify and address any other security vulnerabilities
- Develop and implement a data protection policy that includes procedures for engaging and monitoring third-party vendors
- Conduct regular staff training on data protection and security best practices
The PDPC also required the Organisation to submit a compliance report within 90 days to demonstrate that it had implemented the necessary measures.
Why Does This Case Matter?
This case highlights the importance of organisations taking responsibility for the security of personal data in their possession or under their control, even when that data is managed by third-party vendors. The PDPC's decision emphasises that organisations cannot simply delegate their data protection obligations to service providers and must actively ensure that appropriate security measures are in place.
The case also underscores the need for organisations to clearly document their data protection requirements and follow up with vendors to verify that the necessary safeguards have been implemented. Failure to do so can result in significant consequences, as demonstrated by the PDPC's direction to the Organisation to implement remedial measures.
This decision serves as a valuable precedent for organisations in Singapore, reminding them of their responsibilities under the PDPA and the importance of proactive data protection practices, particularly when engaging third-party service providers. It highlights the PDPC's commitment to holding organisations accountable for data breaches and ensuring that personal data is adequately protected.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 22
- [2016] SGPDPC 19
- [2018] SGPDPC 26
- [2018] SGPDPC 8
Source Documents
This article analyses [2018] SGPDPC 26 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.