1 June, 2016
On 21 April 2016, the Personal Data Protection Commission (“PDPC”) issued its first Grounds of Decision interpreting the scope of various obligations under the Personal Data Protection Act (“PDPA”).
The Grounds of Decision are the first rulings by the PDPC on various issues under the PDPA, including:
- breaches of the obligation to protect personal data generally;
- what constitutes “reasonable security arrangements”;
- who is a data intermediary;
- what is personal data;
- the scope of deemed consent;
- application of the “necessary for the individual” exception; and
- factors affecting the PDPC’s enforcement action.
The Grounds of Decision accordingly merit careful review. This Update examines the key findings set out in the Grounds of Decision.
Examples of breaches of the Protection Obligation
Breaches of Protection Obligation Generally
Section 24 of the PDPA (the “Protection Obligation”) requires an organisation to “protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”.
In its decisions, the PDPC highlighted that failure to effectively manage an IT service provider was evidence of a breach of the Protection Obligation. For example:
- In the decision against Challenger Technologies Limited (“Challenger”) and Xirlynx Innovations (Case No: DP-1409-A103, [2016] SGPDPC 6), Challenger was held to have breached the Protection Obligation because it had “neglected to exercise control over [its IT service provider’s] workflow in the processing of Challenger’s ValueClub membership database and the sending of email communications to ValueClub members”. Challenger had left it to the IT service provider (its data intermediary) to implement security measures and had not considered what requirements it would want to implement to fulfil its data protection obligations.
- In the decision against K Box Entertainment Group Pte. Ltd. (“K Box”) and Finantech Holdings Pte. Ltd. (“Finantech”) (Case No: DP-1409-A100, [2016] SGPDPC 1), K Box was held to have failed to effectively manage its data intermediary to protect personal data. K Box had “never emphasised the need for data protection and [Finantech’s] obligation towards K Box under the PDPA or informed Finantech of its data protection obligation after September 2014”, and “did not include any contractual clauses that required Finantech to comply with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards”.
These findings indicate that to comply with the Protection Obligation, an organisation cannot delegate all responsibility for protection of personal data to its vendors without actively managing them as data intermediaries.
Other decisions highlighted poor data handling practices which organisations should steer away from:
- The Singapore Computer Society was given a warning (Case No: DP-1504-A390, [2016] SGPDPC 9) for poor data handling practices of (i) not protecting its registration list with a password, and (ii) sending such a registration list in the same email as a draft invite to the public (such that there was a high risk of an employee inadvertently forwarding the entire registration list outside the organisation).
- In the decision against K Box, personal data of over 90,000 members was sent via an unencrypted Excel file through Gmail;
- In the decision against Full House Communications Pte Ltd (“Full House”) (Case No: DP-1503-A368, [2016] SGPDPC 8), a warning was issued for failure to protect personal data by enabling the auto-fill function for drop-down boxes on a lucky draw form that was to be filled in on the spot using the organisation’s laptop; and
- In the decision against Fei Fah Medical Manufacturing Pte. Ltd. (“Fei Fah”) (Case No: DP-1409-A145, [2016] SGPDPC 3), the PDPC cautioned against encryption of passwords using a common MD5 hash.
What Constitutes “Reasonable Security Arrangements”?
The PDPC also gave examples of failures to make “reasonable security arrangements” as part of the Protection Obligation, such as:
- In the decision against Metro Pte Ltd (Case No: DP-1504-A421, [2016] SGPDPC 7), not addressing SQL injection vulnerabilities which had been highlighted in earlier IT security audits;
- In the decision against the Institution of Engineers Singapore (“IES”) (Case No: DP-1411-A213, [2016] SGPDPC 2), vulnerabilities such as cross-site scripting and SQL injection were not addressed, and IES did not take reasonable security arrangements such as storing passwords in encrypted form, conducting audits on outsourcing vendors and conducting penetration testing;
- In the decision against Challenger, the failure to sample and proof read e-statements before they were sent out; and
- In the decision against K Box, the failure to enforce the password policy, not removing unused accounts, failure to utilise newer versions of software libraries, and failure to conduct audits on database security.
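The MD5 caution in the Fei Fah decision and the finding against IES on storing passwords in encrypted form come down to the same point about password storage. As an added illustration that is not part of the decisions or of any PDPC guidance, the following shows the bare MD5 pattern beside a salted, iterated PBKDF2 store, and a simple audit check of the kind a database-security review could run over a credential table; the sample records are constructed.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample credential table; not data from any decision discussed above.
SAMPLE_RECORDS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # bare MD5 of "password"
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),     # same password, identical digest: no salt
    ("carol", "pbkdf2_sha256$600000$" + "00" * 16 + "$" + "11" * 32),  # salted, iterated form
]

def md5_store(password: str) -> str:
    """The pattern the PDPC cautioned against: one unsalted, fast MD5 digest.
    Every user with the same password gets the same digest, and common
    passwords are recoverable from precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256,
    standard library). Stored as: pbkdf2_sha256$iterations$salt_hex$hash_hex"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), hash_hex)

BARE_MD5 = re.compile(r"^[0-9a-f]{32}$")

def audit_password_store(records):
    """Audit check over (username, stored_value) rows: report users whose value is
    a bare 32-hex-char digest (MD5-shaped, no scheme or salt) and any value shared
    by more than one user, which is what an unsalted scheme produces."""
    bare_md5_users = [user for user, value in records if BARE_MD5.match(value.lower())]
    counts = Counter(value for _, value in records)
    shared = sorted({value for _, value in records if counts[value] > 1})
    return {"bare_md5_users": bare_md5_users, "shared_digests": shared}
```

Running `audit_password_store(SAMPLE_RECORDS)` flags alice and bob as bare MD5 and reports their shared digest, while carol's salted entry passes.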
Who is a Data Intermediary?
Determination by the PDPC of whether an organisation is a data intermediary
The decisions shed some light on how the PDPC determines whether an organisation is a data intermediary for another. Notably, in the K Box decision, notwithstanding that contracts between K Box and Finantech (its IT service provider) were only quotations which were confirmed and accepted by K Box, the PDPC held Finantech to be K Box’s data intermediary.
Organisation responsible for data processed by data intermediary
This serves as a warning to organisations that they may ultimately be held responsible for the personal data processed by their service providers. Under the PDPA, an organisation has the same obligations in respect of the personal data processed on its behalf and for its purpose by its data intermediary as if the personal data were processed by the organisation itself.
Organisations should therefore be careful to clearly set out each party’s rights and obligations when contracting with vendors.
On the facts of the Challenger decision, Xirlynx, an IT services provider, was also found to be a data intermediary because it handled marketing email blasts for Challenger pursuant to a contract between them.
Wide reading of what constitutes "personal data"
The decisions show that the PDPC generally takes a wide reading of what information can constitute “personal data” under the PDPA.
In the decision against IES, user IDs and passwords of members of the IES site were found to constitute personal data, because a person having access to a user ID and password could log in to the account and access the profile of the person registered under that user ID.
In the decision against Full House, the respondent had argued that no links could be drawn between information contained in different auto-fill drop-down fields in an electronic lucky draw form to identify an individual, because the information in each field was not arranged in chronological order. It argued that the information in each field by itself would only be “generic information” and not personal data.
The PDPC rejected this argument, noting that the information in certain fields e.g. a person’s full name, email address or identity card number could be enough in itself to identify an individual.
Scope of Deemed Consent
Narrow scope of deemed consent?
One decision highlights that the PDPC views deemed consent as narrow and limited to the purposes for which the data subject actually provided consent on the facts.
In the decision against Universal Travel Corporation Pte Ltd (“UTC”) (Case No: DP-1508-A496, [2016] SGPDPC 4), 4 customers requested formal documentation to confirm cancellation of their flights. UTC sent them a list containing the unredacted personal data of all 37 passengers on the same tour. On the facts the PDPC found that UTC had not sought consent for such disclosure from the 37 passengers.
The PDPC also found that deemed consent was not applicable in this decision, because the purposes for which the passengers submitted their data did not include the purpose of allowing another passenger to process his or her insurance claim.
Application of the “Necessary for the Individual” Exception
Rejection of argument that consent not required
In the decision against UTC, the PDPC rejected UTC’s arguments that the disclosure of personal data without consent was permitted under the first exception under the Fourth Schedule of the PDPA, which states that consent is not required where “the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way”.
The PDPC clarified that “interests of the individual” in the exception refers to the interests of the data subject. On the facts, it was not in the interest of the other customers for their personal data to be disclosed to the 4 customers. The PDPC also noted that the disclosure was not “necessary”, because there was no need to disclose the entire list as-is (the list could have been redacted before release), and finally that there was no urgency involved, so consent for disclosure could have been obtained in a timely way.
Factors Affecting PDPC’s Enforcement Action
Stricter penalties as a result of delay in cooperating with PDPC
From the decisions it is apparent that delays in cooperating with the PDPC may result in the PDPC imposing a stricter penalty on the organisation. For example:
- In the decision against Fei Fah, a financial penalty was issued, and the PDPC noted among other things that Fei Fah had provided incomplete and delayed responses and was generally uncooperative in investigations. Further, there were also “undue delays” in implementing remedial actions to address its data breach – more than 10 months after the discovery of the data leak.
- The PDPC noted in the decision against K Box and Finantech (where a financial penalty was issued) that there was a 7 month delay in complying with requests for information by the PDPC during investigations.
New Advisory Guidelines on the Enforcement of the Data Protection Provisions
Advisory guidelines on powers and procedures of PDPC issued
The PDPC also issued a set of Advisory Guidelines on the Enforcement of the Data Protection Provisions on 21 April. These guidelines generally elaborate on the PDPC’s powers and procedures in enforcing the PDPA, including:
- The main objectives and considerations the PDPC takes into account when exercising its enforcement powers under the PDPA; and
- Its approach in exercising its powers to issue financial penalties on organisations that have breached the PDPA, including the factors to be considered in deciding whether a financial penalty is to be issued, and the aggravating and mitigating factors in calculating the financial penalty.
Impact on organisations
Given the recent PDPC enforcement decisions, organisations may wish to exercise prudence in the handling of personal data and, when outsourcing work that involves the transfer of personal data, to ensure that the outsourced vendors comply with the relevant requirements under the PDPA and extend appropriate protection to the personal data.
Organisations should also be aware that the PDPC has wide enforcement powers in relation to breaches of the PDPA, including the power to conduct investigations, issue directions and warnings, and impose financial penalties of up to S$1 million. Data subjects also have rights of private action against an organisation for losses arising from the organisation’s breach of its data protection obligations.
For further information, please contact:
Chung Nian Lam, Partner, WongPartnership
chungnian.lam@wongpartnership.com