The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decision on 22 June 2023 consisting of 1 enforcement decision (Fullerton Healthcare and Agape CP Holdings case).
In this client update, we summarise the decision and present our key takeaways.
Key takeaways:
There are several key takeaways from this recent decision:
1. The incident solely involved and affected Agape CP Holdings’ (“Agape”) online drive and not Fullerton Healthcare’s (“FHG”) own systems and servers. However, as Agape was FHG’s data intermediary, FHG (as the data controller) had the same obligations under the PDPA as if the personal data was processed by FHG itself.
Specifically, in the context of an organisation’s (data controller’s) relationship with its data intermediary, the data controller has a supervisory or general role for the protection of the personal data, while the data intermediary has a more direct and specific role in the protection of personal data arising from its direct possession or control over the personal data. This means that a data controller may be found in breach of the Protection Obligation, even though its data intermediary may not be found in breach, and vice versa.
2. In this case, FHG engaged Agape as its data intermediary to carry out Agape’s services using the personal data provided by FHG. Under the Protection Obligation, FHG was required to exercise reasonable oversight of Agape’s data processing activities. The PDPC considered that FHG had conducted high-level IT due diligence review of Agape prior to its decision to onboard Agape as a vendor, and that FHG’s written agreement with Agape required the latter to comply with the PDPA including obligations to take all appropriate and reasonable administrative, physical and technical safeguards and security arrangements. However, FHG failed to exercise reasonable oversight through regular monitoring of Agape’s personal data handling processes throughout the engagement, including how Agape stored and granted Agents’ access to the customer data.
3. Given that FHG was aware that access to the customer data would have to be granted to a third party that was offsite for the provision of the services, FHG should have made reasonable enquiries to ascertain how the customer data was to be stored and transmitted, and how access to the customer data would be controlled. Had FHG made these enquiries and discovered the true state of affairs, they would have no doubt required Agape to implement stricter controls to regulate Agents’ access and use of the customer data. By failing to make such enquiries, FHG failed to appreciate the reality of how Agape was storing, transmitting, and retaining the customer data, and failed to exercise reasonable oversight over Agape’s data processing activities.
4. In quantifying the fines imposed, no weight was placed on Agape’s status as a social enterprise. The standard of security arrangements expected under the Protection Obligation will depend on the volume and nature of personal data in the organisation’s possession or control, regardless of whether the organisation is a for-profit business, a charity, or a social enterprise.
| Name of Decision / Undertaking | Summary of Incident | Type of Potential Breach of the PDPA | Complaint / Self-reported | Number of affected individuals; Types of personal data affected | Outcome |
|---|---|---|---|---|---|
| Fullerton Healthcare and Agape CP Holdings | Personal Data breach Personal data of FHG’s customers had been exfiltrated and offered for sale on the dark web. Agape was the data intermediary of FHG and the incident solely involved and affected Agape’s online drive. | Protection Obligation The PDPC held that Agape as FHG’s data intermediary failed to:Conduct reasonable periodic security reviews on its internet-facing online drive; and Implement adequate password policy and management.For FHG, it:Failed to exercise reasonable oversight of vendor; and Inadvertently disclosed sensitive personal data such as bank account numbers and codes, onto the Sharepoint system shared with Agape. | Self-reported | 156,900 individuals (133,866 direct patients and 23,034 employees of FHG’s corporate clients)Personal data affected included:Direct patientsNameNRIC Number / FINDate of BirthGenderEmail addressTelephone numberFinancial information (bank account numbers and bank codes)Health information (international classification of diseases codes that pertain to an individual’s diagnosis information, and codes for surgical procedures done in hospitals)Employees of FHG’s corporate clientsNameNRIC number / FIN / Passport numberDate of birthEmail addressFinancial informationHealth, and other information (information relating to the utilisation of health benefits by individual members, which include details of clinic names and claim amount) | FHG: Fine of SGD58,000Agape: Fine of SGD10,000Various directives issued by the PDPC to both organisations to review and enhance processes relating to data handling processes, security audits and access controls to bolster their data protection arrangem |