Case Details
- Citation: [2019] SGPDPC 23
- Court: Personal Data Protection Commission
- Date: 2019-07-04
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: X Pte Ltd
- Legal Areas: Data protection – Openness obligation
- Statutes Referenced: Personal Data Protection Act (PDPA)
- Cases Cited: [2017] SGPDPC 15, [2017] SGPDPC 14, [2019] SGPDPC 23
- Judgment Length: 4 pages, 775 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that X Pte Ltd, an interior design company, had breached its obligations under the Personal Data Protection Act (PDPA) by failing to appoint a data protection officer and develop data protection policies and practices. While the company's use of publicly available personal data was permitted under the PDPA, the PDPC issued directions requiring X Pte Ltd to rectify these procedural failures and pay a financial penalty.
What Were the Facts of This Case?
The case involved X Pte Ltd, an interior design company that provides services for commercial and residential properties. Between 5 and 9 May 2018, the PDPC received complaints alleging that X Pte Ltd had used complainants' names and residential addresses without their consent to send marketing mailers.
In the course of investigating the complaints, the PDPC found that X Pte Ltd had obtained the personal data used in the mailers from a third-party database compiled from information on caveats lodged with the Singapore Land Authority, which was publicly available. The PDPC determined that X Pte Ltd's use of this publicly available data did not require the individuals' consent under the PDPA.
However, the PDPC also found that X Pte Ltd had not appointed a data protection officer (DPO) and had not developed or implemented any data protection policies and practices, as required by the PDPA. After being notified of the complaints, X Pte Ltd did appoint a DPO and issue some verbal instructions to its employees about handling personal data, but it had not yet developed written data protection policies and practices.
What Were the Key Legal Issues?
The key legal issues in this case were whether X Pte Ltd had breached its obligations under the PDPA by:
- Failing to appoint a data protection officer (DPO) as required by section 11(3) of the PDPA.
- Failing to develop and implement data protection policies and practices as required by section 12 of the PDPA.
The PDPC also had to consider whether X Pte Ltd's use of the publicly available personal data was permitted under the PDPA.
How Did the Court Analyse the Issues?
On the issue of X Pte Ltd's use of the publicly available personal data, the PDPC found that this was permitted under section 17 of the PDPA, read together with the relevant provisions of the Second, Third and Fourth Schedules. The PDPC was satisfied that X Pte Ltd's use of the data did not require the individuals' consent.
However, the PDPC found that X Pte Ltd was clearly in breach of its obligations under sections 11(3) and 12 of the PDPA. Section 11(3) requires organisations to designate one or more individuals (typically a DPO) to be responsible for ensuring compliance with the PDPA. Section 12 requires organisations to develop and implement data protection policies and practices, and to communicate these to their staff.
The PDPC noted that the importance of these requirements has been emphasized in previous decisions. Appointing a DPO is important for ensuring proper implementation of an organisation's data protection policies and practices, as well as overall compliance with the PDPA. Similarly, having data protection policies and practices documented in writing helps to increase awareness of, and ensure accountability for, the organisation's PDPA obligations.
While X Pte Ltd had since appointed a DPO after being notified of the complaints, it had not yet developed the required written data protection policies and practices. The PDPC therefore concluded that X Pte Ltd had breached sections 11(3) and 12 of the PDPA.
What Was the Outcome?
Having found X Pte Ltd in breach of sections 11(3) and 12 of the PDPA, the PDPC issued the following directions under section 29 of the PDPA:
- To develop and implement a data protection policy and appropriate written internal policies and practices to comply with the PDPA, within 30 days.
- To communicate such policies and practices to its employees, and ensure employees handling personal data attend suitable training to understand and comply with PDPA requirements, within 60 days.
- To inform the PDPC of the completion of the above within 7 days.
- To pay a financial penalty of $5,000 within 30 days, failing which interest will accrue on the outstanding amount.
Why Does This Case Matter?
This case is significant as it reinforces the importance of organisations appointing a DPO and developing comprehensive data protection policies and practices, as required by the PDPA. The PDPC has consistently emphasized these obligations in its past decisions, and this case demonstrates that the PDPC will take enforcement action against organisations that fail to comply.
The case also highlights that the PDPC will carefully scrutinize an organisation's data protection measures, even if its actual use of personal data is permitted under the PDPA. Merely appointing a DPO after the fact is not sufficient; organisations must have the required written policies and practices in place proactively.
For legal practitioners, this case provides useful guidance on the PDPC's expectations regarding data protection governance, and the types of directions it may issue to remedy PDPA breaches. It underscores the need for organisations to have a robust data protection compliance framework in order to avoid regulatory enforcement action.
Legislation Referenced
Cases Cited
- [2017] SGPDPC 15 (Re M Stars Movers & Logistics Specialist Pte Ltd)
- [2017] SGPDPC 14 (Re Aviva Ltd)
- [2019] SGPDPC 23 (X Pte Ltd)
Source Documents
This article analyses [2019] SGPDPC 23 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.