The recent decisions of the Personal Data Protection Commission (“PDPC”) – Furnituremart.sg SGPDPC 07 (“Furnituremart.sg”) and Asia-Pacific Star Pte Ltd SGPDPC 06 (“APS”) – provide some insight into an organisation’s obligation to protect its customers’ personal data. This article summarises and evaluates the main learning points which businesses can take away from these two decisions.
1. Data breaches are not always due to external interference.
Contrary to popular belief, data breaches are not synonymous with “hacking” or other forms of external interference with an organisation’s internal databases and systems. The circumstances that gave rise to the two decisions demonstrate that data breaches can just as easily stem from an organisation’s own internal errors or oversights.
Issuance of an invoice with another customer’s personal data on the reverse side (Furnituremart.sg)
In the Furnituremart.sg case, a complaint was made to the PDPC against Furnituremart.sg for issuing to the complainant an invoice with another customer’s personal data printed on the reverse side. The circumstances that gave rise to this breach occur more frequently in our offices than we realise: the complainant’s invoice had been printed on the back of another customer’s returned invoice, which had been reused as printing paper.
Improper disposal of documents containing sensitive personal data (Asia-Pacific Star)
The circumstances that gave rise to the breach in the APS case were similarly ordinary. APS, which was a sub-contractor to SATS, was responsible for managing the boarding process, reconciling passenger numbers and verifying documents at the boarding gate. On the day of the incident, an APS employee on gate duty ran out of paper while printing a copy of the passenger name list. The APS employee then disposed of the partially printed name list in a rubbish bin in the gate hold room, which was accessible to passengers and airport staff. The partially printed passenger name list contained the passengers’ personal data (including their names, booking reference numbers, fare class, check-in sequence numbers, dates of booking, seat numbers, destination and flight number). Significantly, other sensitive data (e.g. a passenger’s passport number, home address, phone number, email address, and the last four digits of the credit card used to pay for the ticket) could easily have been retrieved by entering the passenger’s name and booking reference number into Tigerair’s online portal.
Crucially, the facts that gave rise to the two decisions demonstrate how data breaches can occur during a business’s daily operations, even in seemingly trivial tasks. These decisions therefore underline an important observation: data protection does not merely entail installing sophisticated systems to prevent cyber-attacks; much of it comes from changing the habits of staff members who handle personal data in the course of their work.
Businesses and their employees alike are thus reminded to take their data protection obligations seriously, and to be mindful that small blunders can give rise to significant consequences for the organisation.
2. Policies, guidelines and safeguards for the protection of personal data should not merely exist, but should also be implemented.
The Personal Data Protection Act 2012 (“PDPA”) places a positive obligation on organisations to make “reasonable security arrangements” to protect the personal data in their possession or under their control and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. In the APS case, “reasonableness” was said to be determined against what a reasonable person would consider appropriate given the nature of the personal data involved and the particular circumstances of the organisation.
Therefore, in determining the nature and extent of security arrangements necessary to fulfil this obligation, businesses should consider the following factors:
- The nature of the personal data;
- The form in which the personal data has been collected (e.g. physical or electronic); and
- The possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data.
Evidently, the greater the risk involved and the more severe the impact due to the sensitive nature of the data concerned, the greater the level of protection expected from the organisation.
As a general guideline, the following pointers are instructive:
- There must be in place a written data protection policy to ensure accuracy and effectiveness in dissemination and implementation.
- The existence of a written policy alone is insufficient without actual implementation. Briefings to raise staff awareness and regular, ongoing training should be conducted to educate and familiarise staff with the data protection procedures and processes. All of this goes towards developing a culture of privacy awareness, which is essential to ensuring compliance. Even though the organisations in both cases purported to have had internal policies in place, there was no evidence of their employees receiving ongoing training on them.
- Organisations engaged in sub-contracting work, like APS, must make the effort to translate and contextualise group-level policies for their own specific circumstances. APS had relied solely on the administrative safeguards implemented by SATS and did not have any procedure or policy of its own.
- A one-off briefing on data protection is insufficient. Regular refresher training should be provided for employees to ensure that the employees are constantly reminded of their data protection obligations.
3. Vicarious liability of organisations for employees’ oversight and the importance of staff training.
Both Furnituremart.sg and APS were held liable for the conduct of their own employees resulting in the disclosure of customer personal information. Indeed, the PDPA deems any act done or conduct engaged in by an employee in the course of his employment as done by his or her employer, regardless of whether the act or conduct was done with the employer’s knowledge or approval.
Beyond the organisation’s obligation to put in place policies and measures to protect personal data and prevent unauthorised use, businesses must be mindful of their obligation under section 12(c) of the PDPA, which requires organisations to communicate their data protection policies and practices to their staff, and of the PDPC’s view that this is achieved through an effective form of training.
As such, several pointers are apposite:
- It is crucial that data protection policies and practices are formulated and adopted at the management level so that it sends a strong signal to employees about the importance placed on information security.
- The management must actively and diligently observe, supervise and monitor employees and take responsibility for creating a culture of security awareness. The management should not simply assume that employees will always do the right thing, whether with sufficient guidance or otherwise.
4. Organisations cannot contract out of their data protection obligations.
Sub-contracting of services is fairly common in many industries. While businesses may delegate certain information-heavy processes to other service providers to conduct on their behalf, they cannot contract out of the obligation to protect the personal data obtained. They remain ultimately responsible for the protection of that personal data.
However, sub-contracting does appear to have some impact on an organisation’s data protection obligation. The threshold of reasonableness required under section 24 is lowered to the extent that an organisation can reasonably expect its sub-contractor to carry out the data protection obligations incorporated into the sub-contract. Notwithstanding this, organisations must at least have sufficient data protection policies in place and demonstrate a real commitment to enforcing them.
5. Fine line between an isolated incident and a data protection breach at the organisational level.
Both Furnituremart.sg and APS attempted to escape liability by arguing that the data breaches were the result of one-off, isolated incidents and not due to any failure to put in place the reasonable security arrangements required under the PDPA. This argument was rejected by the PDPC in both decisions.
The reason for this is simple – both Furnituremart.sg and APS exhibited significant deficiencies in their internal data protection practices in the first place. The PDPC in Furnituremart.sg observed that there were “more deep-rooted problems with [Furnituremart.sg’s] processes, and it lacked the necessary policies and practices to protect personal data”. The pertinent conclusions made by the PDPC were as follows:
- The internal policy produced by Furnituremart.sg was of doubtful provenance, given how closely its points mirrored the circumstances of the data breach incident.
- There was no evidence to show that steps were taken to implement the supposed internal policy.
- There was no evidence to show that Furnituremart.sg had an effective supervisory check put in place. No explanation was also given as to why the supervisor did not pick up on the erroneous invoices.
- Furnituremart.sg did not provide any data protection training to its employees.
- Furnituremart.sg relied entirely on its employees to carry out their jobs correctly, with little effort and responsibility undertaken on a management level to fulfil its obligation to protect personal data.
In closing, businesses are urged to commit their resources and efforts towards formulating sound data protection policies and educating their employees on them. While neither Furnituremart.sg nor APS incurred a financial penalty, owing to several mitigating factors in their circumstances, businesses are reminded that the PDPC has the discretion to impose fines of up to S$1 million for data breaches pursuant to section 29(2) of the PDPA. Failure to heed these lessons may prove very costly for businesses at the end of the day.
Find out how you can avoid the costly mistake of running afoul of the PDPA by consulting a lawyer today.