We are pleased to share with you the new issue of our Quarterly Update on decisions published by the Personal Data Protection Commission (“PDPC”). This is a publication that provides a snapshot of the PDPC decisions published in Singapore. The decisions provide valuable insights and lessons so that organisations can implement measures to prevent similar occurrences.
This issue provides an overview of the decisions published between April 2021 and June 2021.
In total, there were 10 decisions published in the second quarter of 2021.
|
|---|
A short summary of each abovementioned decision can be found below.
Tripartite Alliance
Introduction
A financial penalty of $29,000 was imposed on Tripartite Alliance (“Tripartite”) for failing to put in place reasonable security arrangements to prevent the unauthorised access of approximately 20,000 individuals’ data stored in its customer relationship system database.
Brief Facts
Tripartite is in the business of promoting fair and progressive employment practices, as well as providing mediation and advice in employment-related disputes. It used a customer relationship management (“CRM”) system which handled employment related enquiries, feedback and complaints. This CRM system was provided by an external vendor (the “Vendor”).
On 3 March 2020, Tripartite notified the PDPC that its CRM system was infected with ransomware. In this regard, Tripartite voluntarily admitted that it breached its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (“PDPA”). At the time of the breach, the CRM system contained data of approximately 12,000 individuals and 8,000 companies’ representatives.
Decision
The Vendor not in breach of any data protection obligation
The Vendor provided maintenance and security monitoring services for the CRM system. These services did not entail the processing of personal data. Hence, the Vendor was not a “data intermediary” and therefore not responsible for the protection of the individuals’ personal data under the PDPA.
Tripartite in breach of its Protection Obligation
Tripartite had failed to put in place adequate processes to ensure that the Vendor proactively monitored alerts and took actions to block malicious activities in a timely manner. In failing to exercise oversight over the Vendor’s performance to ensure that they met the required information security standards, Tripartite had breached its Protection Obligation under section 24 of the PDPA.
In deciding on the eventual financial penalty of $29,000, the PDPC had regard to the following factors:
• Aggravating factors
- The high number of affected individuals (approximately 20,000)
- The nature of the affected data, which involved details of employment-related complaints and dispute which were expected to have a high level of confidence
• Mitigating factors
- Tripartite’s upfront admission of the breach and prompt remedial actions
- No evidence of exfiltration of the database in the CRM system
Chapel of Christ the Redeemer
Introduction
Chapel of Christ the Redeemer (“CCR”) failed to put in place reasonable measures to protect its members’ personal data. Further, it did not have written policies and practices necessary to comply with the PDPA.
Brief Facts
On 6 October 2020, CCR informed the PDPC that a file containing personal data of 815 members (the “File”) was inadvertently disclosed online, as a staff had accidentally uploaded the file (which was meant to be an internal document) onto the sub-directory.
CCR admitted that there were no access controls to the sub-directory prior to the incident as the sub-directory was intended to be accessible to public. CCR also admitted that they had not developed any internal policies and practices to ensure compliance with the PDPA. In particular, there was no system of checks for the uploading of files onto CCR’s website.
Decision
In determining the directions to impose, the PDPC took the following factors into account:
- CCR had voluntarily notified the PDPC of the incident, fully cooperating with investigations;
- CCR implemented prompt remedial measures to address the breach; and
- there was minimal access to the File and no evidence that personal data had been misused.
In light of the foregoing, the PDPC did not impose any financial penalty. Instead, it directed the organisation to develop and implement internal data protection policies and practices to comply with the provisions of the PDPA.
St. Joseph’s Institution International
Introduction
A warning was issued to St. Joseph’s Institution International (“SJII”) for failing to put in place reasonable security arrangements to protect the personal data in its possession. The incident resulted in the personal data being at risk of unauthorised access.
Brief Facts
On 16 October 2020, SJII informed the PDPC that a file listing the personal data of 3,155 parents and students (the “File”) was found on a website called VirusTotal. This happened when a staff of SJII downloaded and deployed a Google Chrome browser extension developed by VirusTotal for additional security scanning. Unknown to the staff, the extension also forwarded scanned samples to premium members of VirusTotal for security analysis and research. The retention and use of samples by VirusTotal were provided for in its privacy policy.
Decision
The breach put the personal data of the affected students and parents at risk of unauthorised access. However, given the limited risk of disclosure and SJII’s commitment to improve its processes, a warning was issued to the organisation.
Flying Cape
Introduction
A warning was issued to Flying Cape Pte Ltd (“FCPL”), a data intermediary, for failing to put in place reasonable security arrangements to protect the personal data of 191 users of a website. Flying Cape was managing the website on behalf of its client.
Brief Facts
In October 2020, the personal data of 191 users of ACCA Singapore’s (“ACCA”) website was exfiltrated by an unauthorised party. The website was owned by ACCA, but hosted, managed and operated by FCPL as ACCA’s data intermediary. This was a result of an FCPL employee failing to protect the file containing the data with a password or encrypt it as required by FCPL’s IT policy. Moreover, the employee incorrectly stored the file in a publicly accessible online storage bucket as opposed to the correct secure storage bucket.
On 12 November 2020, FCPL notified the PDPC after receiving a ransom demand in respect of the exfiltrated data.
Decision
ACCA not in breach of its Protection Obligation
As the data controller and owner of its website, ACCA owed the Protection Obligation to the affected individuals as well. However, the PDPC was satisfied that it had discharged this obligation by (i) carrying out a due diligence assessment of FCPL’s data protection policies before engaging them; and (ii) stipulating data protection requirements in its contract when engaging with FCPL.
FCPL in breach of its Protection Obligation
Pursuant to section 53(1) of the PDPA, FCPL was liable for acts done by its employees. The question therefore was whether FCPL had taken reasonable steps to prevent or detect mistakes such as the one made by the employee in question. The investigations did not show any arrangements to supervise or verify its employees’ compliance with internal policies. FCPL was therefore in breach of its Protection Obligation under section 24.
However, the PDPC decided not to impose any penalties or directions to FCPL in view of the following:
- number of affected individuals was low;
- the exfiltrated data was of low sensitivity;
- FCPL took immediate remedial actions to prevent the occurrence of a similar incident; and
- FCPL voluntarily notified the PDPC of the incident.
An individual v HSBC Bank
Introduction
A review application under section 28 of the PDPA (now known as section 48H(1)(a)) was conducted following a failed request by an individual (the “Applicant”) to obtain his full unredacted internal evaluation report (the “Report”) prepared by HSBC Bank (Singapore) Limited (“HSBC”) for the purpose of evaluating his credit card application.
Brief Facts
The Applicant had applied to HSBC for a credit card but was unsuccessful. Dissatisfied, he requested HSBC to provide him a copy of the Report. The Applicant’s request for access to the Report was made pursuant to section 21(1) of the PDPA, which imposed an Access Obligation on organisations to provide access to an individual’s personal data under its control or possession.
In response, HSBC provided the Applicant a redacted version of the Report. In this regard, HSBC had refused to provide the redacted data on the grounds that it constituted opinion data, which was an exception to the Access Obligation under paragraph 1(a) of the Fifth Schedule. This led the Applicant to file a review application against HSBC.
Decision
The redacted data was opinion data auto-generated by HSBC’s proprietary algorithm that determined an individual’s suitability for a credit card by analysing data from various sources. It therefore fell within the exception under paragraph 1(a) of the Fifth Schedule and HSBC was not obliged to disclose it.
Progressive Builders and Greatearth Corporation
Introduction
This case involves a series of incidents that led to the unauthorised collection, use and disclosure of the personal data of 8 crane operators (the “Complainants”) by a construction company, Greatearth Corporation Pte Ltd (“GCPL”). A warning was issued to GCPL for failing to obtain consent to disclose personal data of 8 crane operators on the external façade of a construction site.
Another construction company involved in the series of incidents, Progressive Builders Pte Ltd (“PBPL”), was found not to have breached any of the obligations under the PDPA.
Brief Facts
PBPL was the main contractor for a housing project in Geylang. The 8 crane operators were operating cranes for PBPL under this project. Between 12 and 18 July 2019, a series of incidents involving the Complainants and the staff of PBPL occurred at the Geylang site. As a result, PBPL banned the Complainants from entering their worksite in Geylang. After the incidents, PBPL’s Workplace Safety & Health Officer (“WSHO”) compiled a list of the Complainants’ details (“Banned Operators List”) to identify the Complainants involved in the workplace incidents and inform the Ministry of Manpower of these individuals.
On 17 July 2019, PBPL’s WSHO (without any authorisation from PBPL) sent the Banned Operators List to a private WhatsApp group comprising other WSHOs in Singapore along with the following message:
“… [details of the incident]. Please look out for such operators in future at your site.”
GCPL’s WSHO was a member of the WhatsApp group. On 24 July 2019, GCPL’s WSHO sent the Banned Operators List to GCPL’s safety coordinator, instructing him to print and paste a copy of the list in the guard room so that the security guards could keep a lookout for the Complainants. However, GCPL’s safety coordinator misunderstood the instructions, and pasted the list on the external façade of their worksite with the word “BANNED” added as a header (the “Poster”). The Poster was visible to all persons walking onto the Clementi Worksite.
Decision
PBPL not in breach of any data protection obligation
Pursuant to section 53(1) of the PDPA, an organisation is liable for acts done by its employees in the course of their employment.
In the present case, PBPL’s WSHO was not acting in the course of his employment when he disclosed the Banned Operators List to the WhatsApp group. This was because PBPL had not directed him to share the list, and in sharing the list, PBPL’s WSHO had acted in contravention of the confidentiality obligations under his employment contract.
Since PBPL’s WSHO acted outside the course of his employment, section 53(1) of the PDPA did not apply and WSHO’s actions were not attributed to PBPL.
GCPL in breach of the Consent Obligation
Although GCPL’s WSHO also did not obtain the Banned Operators List in the course of his employment, he was still acting in the course of his employment when he instructed GCPL’s safety coordinator to put up a copy of the Banned Operators List in the guardhouse. GCPL’s safety coordinator was also acting in the course of his employment when he pasted the Poster on the external façade of the worksite. Therefore section 53(1) applied, and the breach of the Consent Obligation under section 13 of the PDPA by both the WSHO and safety coordinator of GCPL was attributed to GCPL.
In determining that a warning to GCPL would suffice, the PDPC took into account the following mitigating factors:
- the incident occurred because GCPL’s safety coordinator misunderstood the instructions given to him;
- the incident had originated from GCPL’s WSHO whose actions arose out of concern for the safety of his worksite;
- there was limited disclosure of personal data. Any disclosure would have been limited to those who entered GCPL’s worksite on foot; and
- upon being notified of the complaints, GCPL took prompt remedial actions by removing the Banned Operators List from the workplace.
ST Logistics
Introduction
A financial penalty of $8,000 was imposed on ST Logistics for failing to put in place reasonable security arrangements to prevent the unauthorised access of 2,400 military personnel’s personal data.
Brief Facts
ST Logistics provides logistical services to Singapore’s government and defence sectors. On 2 October 2019, ST Logistics’ users received phishing emails,[1] containing an attachment. 13 users from ST Logistics opened the attachment. 7 of them had protection software installed and thus were unaffected. However, 6 of the 13 users did not have any protection software installed, resulting in the installation of a malware in their laptops. Unencrypted files containing the personal data of 2,400 MINDEF and SAF personnel were stored in 4 of the infected users’ laptops.
Decision
The PDPC found that ST Logistics breached its Protection Obligation under section 24 of the PDPA. Crucially, ST Logistics failed to conduct periodic security reviews to detect vulnerabilities in its IT systems. A reasonably conducted security review would have included (i) verifying complete installation and proper configuration of security software on all of its users’ laptops; and (ii) ensuring that the security software is updated.
In contrast, the PDPC found that the arrangements ST Logistics had implemented toward training its staff on data protection was reasonable in the circumstances. The PDPC recognised that at any one point in time, there would always be members at different stages of training. Therefore, although not all affected users had completed the relevant data protection training at the time of the incident, efforts such as ST Logistics’ PDPA awareness programmes and bi-monthly staff induction programmes covering PDPA compliance were reasonable efforts in the circumstances.
In deciding on the financial penalty of S$8,000, the PDPC took into account ST Logistic’s cooperation with investigations and its prompt and forthcoming responses to its queries.
HMI Institute of Health Science
Introduction
A financial penalty of $35,000 was imposed on HMI Institute of Health Sciences Pte Ltd (“HMI”) for failing to put in place reasonable security arrangements to protect personal data stored in its server. This resulted in the data being subjected to a ransomware attack.
Brief Facts
HMI is a dedicated private provider of healthcare training to individuals in Singapore. HMI owned a file server (the “Server”) containing the personal data of both its customers and employees. The server was maintained by an external vendor (the “Vendor”).
On 4 December 2019, the Server was affected by a ransomware attack. The attack encrypted and denied access to a file containing personal data of the HMI’s staff and trainees. The Server was protected by a firewall that blocked all connections to the server, except for connections through a port used for Remote Desktop Protocol (“RDP Port”). The RDP Port was kept open from sometime in 2014 up to December 2019 to allow the Vendor quick and easy access.
On 5 December 2019, HMI engaged a cybersecurity expert company to conduct a thorough assessment of the incident. The cybersecurity company found that the attacker likely discovered the open RDP Port following a random, opportunistic search for vulnerabilities, and had used brute force attacks to gain access to the Server and execute the ransomware.
In total, the personal data of approximately 110,080 individuals whom HMI provides healthcare training to, and 253 employees were affected by the incident.
Decision
The Vendor not in breach of any data protection obligation
The scope of the Vendor’s engagement did not involve the processing or handling of any personal data on behalf of HMI. The Vendor was therefore not a “data intermediary”, and the responsibility to protect the affected personal data fell squarely on HMI.
HMI in breach of its Protection Obligation
HMI failed to implement reasonable security arrangements to protect the affected personal data from the risk of unauthorised access, modification and disposal, as required under its Protection Obligation. In this regard, the PDPC highlighted the following:
First, HMI failed to adequately regulate remote access to the Server. It did not have a sufficiently robust process to ensure safe remote access to the Server via the RDP Port. While there was no strict requirement that the RDP Port must always be closed, it should have regularly reviewed and assessed the potential risks of keeping such public facing ports open. Where it is necessary to keep the RDP Port on a server open, HMI should have ensured that there were sufficient measures in place to protect the personal data stored on the server.
Second, HMI failed to implement proper password management policies. Although HMI adopted a password policy, it did not take steps to ensure that the password policy was complied with in practice. The passwords used by HMI also incorporated an acronym of the organisation’s name, which made them easy to guess and vulnerable to brute force attacks.
Third, HMI failed to take reasonable steps to ensure that the Vendor would protect personal data. Although the Vendor was not strictly a data intermediary, it was nevertheless expected to handle personal data in the course of its work. As such, to discharge its Protection Obligation, HMI should have specified clear business requirements on the protection of the data in the Server.
In determining to impose a financial penalty of $35,000, the PDPC had regard to the following factors:
• Aggravating factor
- HMI’s failure to put in place security measures put the personal data in its possession at risk of exposure for more than four year
• Mitigating factors
- HMI took prompt remedial actions
- HMI was cooperative during the investigations
Webcada
Introduction
A financial penalty of $25,000 was imposed on Webcada for breaches of the PDPA. First, the organisation failed to put in place reasonable measures to protect personal data on its database servers. Second, it did not have written policies and practices necessary to ensure its compliance with the PDPA.
Brief Fcts
Webcada is a web design company. On 29 August 2020, three of its database servers had been subjected to a ransomware attack affecting the personal data of 522,722 individuals. The ransomware had been uploaded onto the affected servers via a computer interface specification used for remote monitoring and management of servers. There was no evidence of data exfiltration, and all affected data was restored from available back-ups.
Webcada admitted to breaching both the Accountability Obligation under section 12 and the Protection Obligation under section 24 of the PDPA.
Decision
Webcada in breach of the Accountability Obligation
Webcada admitted it did not have a written data protection policy prior to the breach. The PDPC took this opportunity to reiterate that an organisation must document its data protection policies and practices in writing as they serve to increase awareness and ensure accountability of the organisation’s obligations under the PDPA.
Webcada in breach of the Protection Obligation
Webcada also admitted that it did not configure its computer interface specification settings correctly, prior to the breach. It enabled access to its servers from the public internet when this was not necessary. Furthermore, it omitted to scan the relevant interface in its monthly vulnerability scans, which resulted in its inability to detect vulnerabilities.
After considering factors including (i) Webcada’s upfront voluntary admission of liability; and (ii) its prompt remedial actions, the PDPC imposed a financial penalty of $25,000.
Larsen & Toubro Infotech
Introduction
A financial penalty of $7,000 was imposed on Larsen & Toubro Infotech (“LTI”) for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing the personal data of job applicants without their consent.
Brief Facts
On 25 November 2020, an LTI employee emailed a job applicant (the “Complainant”) a set of sample forms which contained the personal data of a past job applicant, to assist him in filling up his own forms. This led the Complainant to lodge a complaint with the PDPC.
Once notified by the PDPC of the complaint, LTI undertook a review of its employees’ emails from 2016 to 2020 and uncovered 73 other instances where past job applicants’ personal data had been disclosed to other job applicants. In total, 13 past job applicants’ forms were disclosed by 10 of LTI’s employees to 74 other job applicants.
Decision
While LTI claimed to have a general Corporate Privacy Policy and an Employee Privacy Notice, these did not provide any guidance to employees on how they should handle personal data in the course of their work. LTI had no targeted policies or standard operating procedures specifically for the employees handling recruitment matters, despite the type and volume of personal data handled by such employees. The fact that as many as 10 of LTI’s employees had engaged in the same conduct over a 4-year period, reinforced the finding that the existing instructions were inadequate.
After considering the circumstances of the case including LTI’s cooperation with investigations, its proactive review, and its prompt remedial actions, the PDPC imposed a financial penalty of $7,000 for the breach.
Concluding Thoughts
We have four observations of the decisions published:
First, breaches of the Protection Obligation continue to dominate the majority (8 of 10) of the decisions. In situations involving external vendors (Tripartite Alliance decision; HMI Institute of Health Science decision), organisations are well advised to provide proper instructions and exercise reasonable oversight over their vendors to ensure that their outsource providers are indeed delivering the services contracted. Without reasonable oversight, the risk from any failure falls on the organisation. It is hence critical for organisations to ensure that their vendors have the same understanding on the latter’s’ duty of care under the relevant services contract and supervise the vendors’ work through clear instruction on regular reporting and updates by the vendors.
Second, for organisations that heavily use or rely on AI-augmented decision-making and data analysis, the HSBC decision showcases the importance of having robust internal policy documentation to take into account the specific elements of (i) automated decision making, (ii) transparency, (iii) fairness of the actions taken as a result of the AI-augmented decision-making; (iv) data subject access request (“DSAR”) and (v) the possibility for proper appeal against the rejected DSAR. In the HSBC decision, by providing the individual its policies on how AI and Big Data are used in an ethical manner by the bank and how technology is used to conduct credit facility assessment, the PDPC found the bank to have acted reasonably. From the perspective of accountability and disclosure of policies and practices, HSBC was held to have acquitted itself.
Third, financial penalties were imposed in only 50% of the decisions, with an average value of $20,800. These numbers (in percentage and average value terms) might seem low to some given the headlines around the increasing maximum fine amount provided for in the recent PDPA amendments.
Finally, none of the recent decisions related to the new data breach notification obligations in the PDPA and corresponding regulations. We expect that the PDPC will undertake investigations in this regard in the future and decisions / action from the PDPC are anticipated. This will likely provide further guidance on several key provisions in the new notification regime (some of which might benefit from additional clarification).
We hope this quarterly update edition was useful. For decisions published by the PDPC from July 2021 to September 2021, please look out for our next edition.
Should you have any queries on data protection compliance and cyber breach management, our team would be happy to assist. Please do not hesitate to contact Thomas Choo or Nicholas Sykes.
[1] Phishing is a method employed by cyber criminals, often disguising themselves as legitimate individuals or reputable organisations, to fraudulently obtain personal data and other sensitive or confidential information. Once cyber criminals obtain an individual’s personal data, they may gain access to the individual’s online accounts and may impersonate the individual to scam persons known to the individual.