_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,190,190,1,952,"A financial penalty of $9,000 was imposed on AIG for failing to make reasonable security arrangements to prevent the unauthorised disclosure of personal data. This case involved an incorrect facsimile number used by AIG on its renewal notices.","[""Protection"", ""Financial Penalty"", ""Finance and Insurance""]",2018-05-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_AIG_030518.pdf,Protection,Breach of Protection Obligation by AIG,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-protection-obligation-by-aig,2018-05-03,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 8 Case No DP-1707-B0901 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And AIG Asia Pacific Insurance Pte. Ltd. … Organisation DECISION AIG Asia Pacific Insurance Pte. Ltd. Tan Kiat How, Commissioner — Case No DP-1707-B0901 3 May 2018 Background 1 On 30 June 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from the Organisation, AIG Asia Pacific Insurance Pte. Ltd (the “Organisation” or “AIG”), informing the Commission that: (a) the personal data of some of the Organisation’s policyholders (for its Individual Personal Accident product) had been compromised and disclosed to an unauthorised party (the “Unauthorised Disclosure”); and (b) the Unauthorised Disclosure had occurred because the Organisation had stipulated an incorrect facsimile number on the policy renewal notices issued to its policyholders, which had caused its policyholders to fax their renewal notices to a third party, Tokyu Hands Singapore Pte. Ltd. (“Tokyu Hands”) instead of the Organisation. 
2 On account of the notification made, the Commissioner commenced an investigation under section 50 of the Personal Data Protection Act 2012 (the “PDPA”) to ascertain whether the Organisation had breached its obligations under the PDPA. The Commissioner’s findings and decision are set out below. AIG Asia Pacific Insurance Pte. Ltd [2018] SGPDPC 8 Material Facts 3 The Organisation is a general insurance company, and among the largest general insurance companies in Singapore. 4 The Organisation implemented a new electronic policy administration system on 29 November 2016. This system was responsible for generating forms including for its Individual Personal Accident product. These forms included the quote application form, endorsement quote form, policy schedule, endorsement schedule and renewal notice. 5 The form which is the subject of the data breach notification is the renewal notice. The renewal notice is a form that is generated by the Organisation and sent to a policyholder to notify the policyholder on policy renewal and to facilitate the policyholder renewing his or her policy. The policyholder can renew his or her policy by endorsing the renewal notice and returning it to the Organisation. 6 The renewal notice generated by the Organisation contains personal data of the policyholder including the policyholder’s name, address and policy details as well as, depending on the policy, personal data of the policyholder’s family members (the “Personal Data”). The renewal notice also contains a section which allows policyholders to provide their updated personal data such as updated address, email address and/or telephone numbers to the Organisation as well as their payment details. 7 From 29 November 2016 (when the new system was implemented) and until 19 May 2017, an incorrect facsimile number was indicated on all the forms generated by the system for the Individual Personal Accident product, including the renewal notice. 
This incorrect facsimile number was provided by a member of the Organisation’s staff during the development of template forms for the system. This incorrect facsimile number was formerly in use by the Organisation prior to 11 March 2011 but is now in use by Tokyu Hands. 8 As a result of the incorrect facsimile number, policyholders who were sending and returning their renewal notices to the Organisation during this period by facsimile had their renewal notices sent to Tokyu Hands instead of the Organisation. 9 The incorrect facsimile number was (fortuitously) corrected when the Organisation conducted a standardisation exercise on its system to ensure that the same contact information was provided across the Organisation’s different forms for different products. Even then, the Organisation did not realise that there had been an error in the facsimile previously provided. It was only on 29 May 2017 that the Organisation became aware of the error after receiving notice from Tokyu Hands that it had been receiving the renewal notices intended for the Organisation. 10 The Organisation informed the Commission that Tokyu Hands had received approximately 1 to 5 facsimiles weekly that were intended for the Organisation. In other words, for the period from 29 November 2016 to 29 May 2017, between 25 to 125 renewal notices intended for the Organisation could have been sent to Tokyu Hands. It also appears that the majority of these renewal notices had been sent by the Organisation’s own agents (on behalf of its policyholders). 11 The renewal notice with the incorrect facsimile number had been in circulation for a period of six months. In this regard, even after the notices were corrected, Tokyu Hands continued to receive renewal notices intended for the Organisation by facsimile, with 11 such notices received between 30 May 2017 and 25 July 2017. 
Such risk would of course reduce with the passage of time. In this regard, the Organisation had in its representations, by way of its letter of 5 April 2018, confirmed that any outstanding renewal notices have by now lapsed and, as such, it is unlikely that any further renewal notices would be faxed to the wrong number. Given the process put in place between the Organisation and Tokyu Hands to contain the breach, any possibility of further renewal notices being faxed to Tokyu Hands was not considered in determining the quantum of financial penalty to be imposed. Nonetheless, there was no reduction of the financial penalty on the basis of the Organisation’s confirmation that the renewal notices have since lapsed. 12 In addition to correcting the facsimile number, the Organisation has since taken additional steps to address the data breach and the impact on affected policyholders: (a) the Organisation has sought and obtained confirmation from Tokyu Hands that it has either destroyed or returned to the Organisation, all renewal notices received by Tokyu Hands, and that no copies of such notices have been retained; (b) the Organisation has made arrangements to contact Tokyu Hands on a bi-weekly basis, and to collect any renewal notices that may have been sent to Tokyu Hands; (c) the Organisation had on 1 June 2017, communicated to all its producers and agents, the correct facsimile number to be used; (d) the Organisation is (or will be) undertaking a thorough review of all other forms used in its system to ensure that the contact and facsimile numbers are correct; and (e) the Organisation has taken steps to reverse any negative impact on the policies of policyholders who had sent their renewal notices to Tokyu Hands instead of the Organisation (e.g. lapsed policies due to late renewal submissions have been backdated and renewed). 
13 The Organisation has also put in place measures to reduce the risks of a similar incident by: (a) requiring its managers to verify the accuracy of contact information collated by its staff; and (b) including in the user acceptance testing process for its systems, a step to confirm that documents sent using the contact details provided by the Organisation are received by the intended recipient. Commissioner’s Findings and Basis for Determination Issues to be determined 14 An investigation was conducted into the unauthorised disclosure. The issue in the present case is whether the Organisation had breached section 24 of the PDPA in providing an erroneous facsimile number on the renewal notices to which policyholders were to fax the duly completed renewal notices, resulting in the notices (and the personal data contained therein) being sent to an unauthorised third party. 15 There is no question or dispute that the data in the renewal notice is “personal data” as defined under the PDPA. The data concerned comprised names, addresses, policy details, payment details and contact details of policyholders. There is also no question or dispute that the PDPA applies to the Organisation as it falls within the PDPA’s definition of “organisation”. The Organisation was in control or possession of the Personal Data 16 Taking the formulation of the elements of a breach of section 24 of the PDPA from Re Hazel Florists & Gifts Pte Ltd [2017] SGPDPC 9 at [8], the next question to be asked is whether the Personal Data is in possession or control of the Organisation such that the obligation to make reasonable security arrangements attaches in respect of the Personal Data. 17 The Organisation was in possession of the Personal Data for the following reasons. First, it had the Personal Data of each of the affected individuals on record as each of them had an existing relationship with the Organisation. 
Second, it generated the renewal notices with the Personal Data pre-filled such that the individual need only sign the renewal notice and return it by facsimile transmission. It is only where there had been changes to the Personal Data on record that the individual had to provide updated information. 18 The Organisation was also in control of the Personal Data. While there is no definition of “control” in the PDPA, the meaning of control in the context of data protection is generally understood to cover the ability, right or authority to determine (i) the purposes for; and/or (ii) the manner in which, personal data is processed, collected, used or disclosed. 19 In this regard, the Hong Kong Administrative Appeals Board, in the case of Shi Tao v. The Privacy Commissioner for Personal Data (Administrative Appeal No. 16 of 2007), agreed with the view of the Hong Kong Privacy Commissioner for Personal Data that control “can either mean the physical act of collecting, holding, processing or using the personal data or it can mean the ability of determining the purpose for which or the manner in which the data are to be collected, held, processed or used”. Further, the UK Information Commissioner’s Office (“ICO”), in its guidance[1] on the difference between data controllers and data processors stated that “[t]he data controller determines the purposes for which and the manner in which personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity”. 20 It is clear that the Organisation which collected, processed and used the Personal Data for the purposes of providing its clients with insurance services was in control of the Personal Data. 
The Organisation determined what personal data it required to provide its services and the purposes for, and the manner in, which the Personal Data was collected, processed, used and disclosed. This is not in dispute. In particular, the Organisation was in a position to decide, and did in fact do so, that as a matter of providing a better experience to its customers when renewing their policies, it pre-filled the renewal notices with each customer’s Personal Data on record. This clearly demonstrates the Organisation’s control of the Personal Data. [Footnote 1: U.K., ICO, Data controllers and data processors: what the difference is and what the governance implications are (6 May 2014) at [15].] 21 Given that AIG is an organisation within the definition of the PDPA and that it is in possession and control of the Personal Data, section 24 of the PDPA applies to it in respect of the Personal Data. 22 However, before assessing whether the Organisation had made reasonable security arrangements to protect the Personal Data, the Commissioner, for completeness, assessed whether the Organisation was in control of the payment details and updated contact details which were entered into the renewal notice by, or on behalf of, the individual policyholders after the renewal notices left the Organisation’s actual possession. 23 In this regard, in Re The Cellar Door Pte Ltd and another [2016] SGPDPC 22, it was found that there is a distinction between the possession and control of personal data and that an organisation that does not possess personal data may still be in control of the personal data (albeit in that case, the personal data was processed by a data intermediary on behalf of the organisation). 
24 In the present case, the Organisation designed the renewal notice, pre-filled in the forms with relevant data including the Personal Data and stipulated the fields in the renewal notice which the individual policyholders were supposed to fill up, including the payment details and the updated contact details. The Organisation also devised the process for which policyholders may renew their insurance policies by faxing the duly completed renewal notice to the facsimile number it provided. Therefore, the Organisation was solely responsible for determining the purposes for which the payment details and updated contact details were collected, processed and used and directing the manner and mode of transmitting the renewal notice (and the Personal Data contained therein). Therefore, insofar as the policyholders were transmitting the renewal notices (and their personal data) in accordance with the Organisation’s instructions, such Personal Data was within the Organisation’s control at the material time (i.e. when the personal data was filled in and faxed to the erroneous facsimile number). 25 The Commissioner therefore finds that the Organisation was in possession and control of the Personal Data (including the payment details and the updated contact details where such data was filled in by policyholders) within the meaning of section 24 of the PDPA. 26 The final issue that remains is whether the Organisation had taken reasonable security arrangements to protect the Personal Data concerned, when the Personal Data was in the Organisation’s possession and control. 
Whether reasonable security arrangements taken by the Organisation 27 The fact that personal data had been disclosed to an unauthorised party by an error or flaw in an organisation’s systems and processes does not automatically mean that the organisation is liable under section 24 of the PDPA for failing to take reasonable security arrangements to protect personal data. 28 For the purposes of section 24, the Commissioner has to consider what security arrangements (if any) an organisation had implemented to prevent such unauthorised disclosure, and whether those arrangements are reasonable. 29 In this case, the Organisation failed to stipulate the correct facsimile number to which the duly completed renewal notices were to be sent. Such a failure would necessarily (and did) result in the notices being sent and disclosed to an unauthorised third party to whom the incorrect facsimile number belongs. The issue is therefore whether the Organisation had taken reasonable arrangements to prevent an unauthorised disclosure of the Personal Data through the stipulation of an incorrect facsimile number. 30 The investigations found that the Organisation did not have any security arrangements to prevent such unauthorised disclosure. In particular, the Organisation did not have any arrangement or process to verify the accuracy of facsimile numbers uploaded or in use by its systems (and in the forms generated by its system). The Organisation clarified in its representations that it relied on the facsimile numbers provided by the relevant departments within the Organisation when entering the numbers into the new system and verifying that the numbers keyed in matched the numbers provided by the relevant departments. There was, however, no check to verify that the facsimile numbers were up to date. 
When the system was developed and tested, the scope of the testing only involved a verification that the facsimile number in the template forms (which was then incorrect) corresponded with the forms generated by the system. Also, the user acceptance testing process did not provide for the tester to send a test fax to the facsimile number to verify that the document was received. 31 This failure to undertake any verification is particularly alarming given that the incorrect facsimile number had not been in use by the Organisation for over five years by the time it was uploaded into the system. The incorrect facsimile number was (fortuitously) corrected almost six months after the system was operative, without the Organisation realising that there had been an error. The Commissioner is of the view that merely verifying the facsimile numbers entered into the system against the facsimile numbers provided by the relevant departments was wholly insufficient as a security arrangement and did not warrant a reduction in the penalty imposed. In fact, had the foregoing verification also not been present, the Commissioner may have increased the penalty imposed, as it would show a very grave lack of basic information security practices. 32 The Commissioner also takes the view that it is only reasonable for a company like the Organisation to have some arrangement to ensure that the contact details they provide for the purposes of receiving personal data are accurate. As a general insurer, the Organisation receives a large volume of documents containing personal data of its many existing and prospective policyholders. It is therefore incumbent on the Organisation to stipulate correct and updated contact details (and ensure that they have done so) to avoid the risk of such personal data being sent to an unauthorised third party instead (as in the present case). 
33 One of the considerations that an organisation should factor into its information security arrangements is the monitoring of its systems and processes to detect potential data security breaches (such monitoring to detect data security breaches will be referred to as “data security monitoring”). In this regard, the Organisation intimated that it does monitor its renewal business but that its monitoring did not indicate any significant deviation. It is not clear whether the Organisation monitored the number of renewal notices it received by fax (which was the suggestion by the Commissioner) as opposed to the general renewal business (including renewals by other means and not just by way of facsimile). The monitoring of the general renewal business would not constitute data security monitoring; instead this is generally done for business reasons and any data security aspect would be incidental. However, the monitoring of the number of renewal notices received by facsimile, may constitute a data security monitoring measure. To be clear, such a data security monitoring measure would not have prevented the unauthorised disclosure or a finding of breach given the facts of this matter. Any such data security monitoring measure would, nevertheless, be imperative in containing any unauthorised disclosure. The monitoring of the number of renewal notices received by facsimile would have been a very basic and relatively inexpensive form of data security monitoring and would have, likely, only provided sufficient feedback after a significant period. In the circumstances, and considering all the facts of this case and the Organisation’s representations, the Commissioner is of the view that the penalty imposed in this case (set out at paragraph 38 below) is warranted and maintains his decision on the quantum of the penalty. 34 The Organisation has maintained that the data breach arose due to inadvertent human error. 
As it has been noted on a number of occasions (including in Re Social Metric Pte Ltd [2017] SGPDPC 17), inadvertent human error is not a valid reason for an organisation failing to comply with section 24 of the PDPA. 35 Accordingly, the Commissioner finds that the Organisation has breached section 24 of the PDPA. The Commissioner’s Directions 36 Given the Commissioner’s findings that the Organisation is in breach of its obligations under section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 37 In assessing the breach and determining the directions to be imposed on the Organisation in this case, the Commissioner considered the following factors: (a) the Organisation had initiated the data breach notification to the Commission and was cooperative in the investigations; (b) the Organisation took prompt action (described in paragraphs 12 and 13 above) to mitigate the impact of the data breach and to prevent future breaches of a similar nature from occurring; (c) the extent of the unauthorised disclosure was limited, and the disclosure was only to a single third party, Tokyu Hands (which has confirmed that it has destroyed or returned the renewal notices received). While the exact number of affected individuals cannot be determined and there remains a possibility that individuals continue to be affected, the Commissioner is satisfied that the Organisation has taken steps to minimise the impact to any affected individual. 
38 In consideration of the factors above and the circumstances of the present case, pursuant to section 29(2) of the PDPA, the Commissioner hereby directs that the Organisation pay a financial penalty of S$9,000 within 30 days of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,a778a93346bf023cc07d334e01a78d1dcd71299d,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,191,191,1,952,"A financial penalty of $10,000 was imposed on NTUC Income for lapses in its print process which resulted in an unauthorised disclosure of personal data of 212 individuals.","[""Protection"", ""Financial Penalty"", ""Finance and Insurance""]",2018-05-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_NTUC_Income_Insurance_Co-operative_030518.pdf,Protection,Breach of the Protection Obligation by NTUC Income,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-the-protection-obligation-by-ntuc-income,2018-05-03,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 10 Case No DP-1706-B0894 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And NTUC Income Insurance Co-operative Ltd … Organisation DECISION NTUC Income Insurance Co-operative Ltd NTUC Income Insurance Co-operative Ltd [2018] SGPDPC 10 Tan Kiat How, Commissioner — Case No DP-1706-B0894 Date: 3 May 2018 Background 1 This matter deals with a flaw in the design of the Organisation’s processes surrounding the printing of various types of letters resulting in the unauthorised 
disclosure of personal data of 214 of the Organisation’s clients (the “Impacted Clients”). Material Facts 2 The Organisation is an insurance co-operative that offers various types of insurance plans to its policyholders. 3 On 21 June 2017, a customer (the “Complainant”) of the Organisation lodged a complaint (the “Complaint”) with the Personal Data Protection Commission (“PDPC”) alleging that she received a duplex printed letter from the Organisation correctly addressed to her, but the reverse of which was a letter addressed to another client of the Organisation. Subsequently, on 30 June 2017, the Organisation submitted a voluntary notification of a breach of the Personal Data Protection Act 2012 (the “PDPA”) which confirmed the Complainant’s allegations and provided details surrounding the Complaint. 4 On 5 June 2017, the Organisation printed a batch of 426 letters that were sent out to its clients. These letters were no more than a page long. The vast majority of the 426 letters (the “Policy Letters”) that the Organisation printed were letters reminding its clients to pay their insurance premium (“Premium Reminder Letters”). This batch of letters also included 6 letters (“Policy Cancellation Letters”) informing the relevant clients of the termination of their insurance policies with the Organisation, and 32 letters recording the relevant clients’ non-acceptance of the Organisation’s offer of insurance coverage (“Non-Take Up Letters”). The personal data (“Personal Data”) found in these letters are set out in the table below: Policy Cancellation Letters Non-Take Up Letters Premium Reminder Letters Name; Name; Name; Full residential address; Full residential address; Type of policy; Full residential address; and Policy number; and Type of policy. Policy number; and Endorsement number. 5 Type of policy; Premium amount. 
The Organisation was informed by some of its clients that, similar to the Complainant, they had each received a Policy Letter addressed to them the reverse of which was a letter addressed to another client (the “Incident”). 6 An investigation was carried out under section 50(1) of the PDPA in relation to a breach of section 24 of the PDPA. The Organisation’s process for printing the Policy Letters 7 The Organisation’s process for printing the Policy Letters was largely automated. Policy Letters issued by the Organisation to be mailed to its clients would be sent to the system (the “Printing System”) used by the Organisation’s print room operators. The computer files containing these Policy Letters were programmed, before the files were sent to the Printing System, to be printed either in simplex (ie printed on a single side of the paper) or duplex (ie printed on both sides of the paper) according to the type of letters to be printed. The print room operators would initiate the printing of the Policy Letters by releasing the files in the print queue. 8 On 5 June 2017, according to the Organisation one of the three printers in the print room was “overloaded”. The Organisation uses the term “overloading” to describe the situation when too many files were automatically sent to one of the printers in the print room. This was a fairly common occurrence and there was a procedure to handle this overloading. The print room operator on duty would have to manually transfer the print files from one printer to another to ensure that the printing load was spread evenly across the three printers. The procedure for the manual transfer of print jobs was as follows: (a) The print room operator was required to select the specific file to be transferred. (b) The print room operator would then select the file name and choose the option “forward”. A dialog box stating “enable queues” will appear. 
(c) The print room operator would then select the particular printer available to receive the file for printing and type in ‘(dept)_simplex’ or ‘(dept)_duplex’ under ‘queue name’ in the dialog box. 9 As a matter of protocol, the print room operator is required to choose to print the file in the format it was originally sent to the Printing System when he undertakes the manual transfer of the print job from one printer to another. In other words, if a letter sent to the Printing System was to be printed in simplex format, then the print room operator should choose to print the letter in simplex. 10 However, on this occasion the print room operator had mistakenly chosen to print the letters in duplex instead of simplex format. This led to two different Policy Letters addressed to two different policyholders being printed on each sheet of paper that was printed during the print run. Findings and Assessment Issue for determination 11 The issue to be determined is whether the Organisation had, pursuant to section 24 of the PDPA, put in place reasonable security arrangements to protect the Personal Data from unauthorised disclosure. 12 Section 24 requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Whether the Organisation was in breach of section 24 of the PDPA The Personal Data was disclosed without authorisation 13 It is not disputed that the Personal Data fell within the definition of “personal data” under section 2 of the PDPA as it was possible to identify the Impacted Clients from that information alone. It is also not in dispute that the Personal Data was disclosed mistakenly and without authorisation. 
14 Based on the investigations carried out, the Commissioner found that the unauthorised disclosure of the Personal Data was a result of a breach of the Organisation’s obligation to make reasonable security arrangements for the protection of the Personal Data. The reasons for this finding are set out below. The Organisation did not implement any measures to prevent the Incident 15 According to the Organisation, the print room operator was required to conduct a visual check (“visual check”) of 10% of printed letters for the quality of print and alignment. The print room operator was also required to reconcile (the “Reconciliation”) the number of letters printed as shown on the electronic counter of the individual printers with the number of letters sent for printing as displayed on the Printing System. The quantity of the printouts would be recorded in a printout log book (the “Log Book”). No other checks or security arrangements were implemented with respect to the printing process to prevent the unauthorised disclosure of personal data. 16 The Commissioner was of the view that the visual check and Reconciliation were not designed to adequately address the protection of personal data. 17 Such checks were to be undertaken by the same print room operator who printed the letters. As has been traversed in other cases, it is not advisable for an organisation to rely on a member of its staff checking his own work to ensure that he has undertaken a task properly to meet the Organisation’s protection obligation under section 24 of the PDPA: see Re Aviva Ltd [2017] SGPDPC 14 at [28]; Re Furnituremart.sg [2017] SGPDPC 7 at [20] - [21]. 18 Further, these checks had little to do with protecting personal data. 
The visual check was a check to ensure that the print on the letters was legible and not faded or smudged and that the letter was correctly aligned such that words were not missing or cut off. The Organisation did not require the print room operator or any other staff to check that the information on both sides of duplex printed letters was meant for the same individual. There was also no requirement to check that Policy Letters were printed in the correct format, either simplex or duplex, as it was originally sent to the Printing System when a manual transfer of print jobs was undertaken. 19 The Reconciliation check would not catch an error in the choice of print format as the reconciliation was based on the number of letters which were sent to be printed against the number of pages printed as shown on the electronic counter of the printers. The number of pages printed would not change whether or not the letters were printed in the simplex or duplex format; it would merely show the number of pages printed in total. If 5 letters sent to the Printing System were printed, the electronic counter on the printer would show that 5 pages were printed, whether or not the letters were printed in the simplex or duplex format. 20 While investigations showed that a check was implemented at the enveloping stage, this check also did not address situations such as this Incident. At the enveloping stage, letters would be inserted into a mail insertion machine for enveloping by one of the Organisation’s mail insertion operators. The mail insertion operator was required to reconcile the number of sealed envelopes with the number of sheets of paper printed by the print room operator. If instead, the mail insertion operator was required to reconcile the number of sealed envelopes with the number of letters sent for printing, the Incident would likely have been prevented. 
As it stands, however, this final check also did not address situations such as this Incident. 21 Given that the Personal Data includes insurance data of the Complainant and other policyholders, the Commissioner would also highlight that information such as the type of insurance policy and insurance premium amounts have been determined in the past to be sensitive personal data: Re Aviva Ltd & anor [2016] SGPDPC 15 at [38(b)]. The Commissioner has in the past expressly stated his view that an Organisation should accord a higher standard of protection to sensitive personal data: Re Aviva Ltd [2017] SGPDPC 14 at [18] – [19]. In this case, the standard of protection provided was not even sufficient for non-sensitive personal data. 22 In the circumstances, taking the printing and enveloping process as a whole, the Commissioner finds that the Organisation did not implement reasonable security arrangements to prevent the unauthorised disclosure of the Personal Data. Organisations are required to preserve documents and records relating to an investigation 23 Before moving on to the remediation action taken by the Organisation and to the directions in this matter, the Commissioner takes this opportunity to remind the Organisation and organisations in general about their duty to preserve evidence, including but not limited to documents and records, in relation to an investigation by the PDPC. 24 This issue arises in this case because the Organisation was unable to provide copies of the Log Book when asked pursuant to the investigations powers set out in the Ninth Schedule of the PDPA; the Organisation alleged that the copies were destroyed, in line with the Organisation’s three-month retention period for such records. Notably, the destruction of copies of the Log Book took place after the commencement of investigations. 
25 The Commissioner does not look favourably on the destruction or deletion of potentially relevant documents and records and may impose tough sanctions on any organisation that is found to have destroyed or deleted such documents or records. 26 Analogous to the preservation of evidence in civil proceedings, the Commissioner will consider, in deciding on the necessary and appropriate sanctions to be imposed, amongst other things, whether the deletion or destruction of the documents or records was deliberate (which includes negligent or reckless conduct resulting in destruction) and to what extent the deletion or destruction of the records or documents prejudiced a fair investigation into a potential breach of the PDPA.1 In summary, the approach of the Commission will be to first consider whether a fair investigation into a potential breach of the PDPA is possible. If investigations may still proceed, particularly in reliance on evidence that may still substantially be obtained from other sources, the Commission may draw adverse inferences against the organisation that failed to preserve and produce any piece of evidence to the effect that had the evidence been produced, it would have been adverse to its case (see section 116 of the Evidence Act (Cap. 97)).2 Adverse inferences may also be drawn against a complainant if the evidence ought to have been preserved and produced by the complainant. 27 Another pertinent factor for consideration is whether the litigation or legal proceedings was anticipated or contemplated by the party that destroyed the document or record. In the case of K Solutions Pte Ltd v. National University of Singapore [2009] 4 SLR(R) 254, the appellants had anticipated litigation for some time before their action was filed, and had given instructions to their staff to back up the email in their accounts. The High Court did not find it credible that all of the appellant’s internal emails had been deleted without backup, and determined that the appellants had deliberately suppressed documents and had lied about it.3 In contrast, the court in Tan Chor Chuan v. Tan Yeow Hiang Kenneth [2004] SGHC 259 dismissed the plaintiff’s application for striking out as it did not find anything sinister in the defendant’s explanation for the deletion of the email in question – it was the defendant’s practice to delete emails from their computer systems regularly to free up memory space; the defendants saw no necessity to archive or keep copies of emails after the EGM; and litigation had not been anticipated at the time. The court determined that the deletion of the email was not an attempt to pervert the course of justice.4 In K Solutions, the court exercised its discretion to dismiss the case brought by the party in default. Applying the same principles to investigations conducted by the Commission, the Commissioner may discontinue or refuse to conduct investigations under section 50(3)(e) of the PDPA. 28 The obligation to preserve evidence is taken further by section 50(4) of the PDPA, which imposes an obligation on organisations to retain records relating to an investigation, for one year or such longer period as directed, after the investigation has been completed. 
This ensures that evidence relevant to any possible application for reconsideration or appeal from an investigation remains available even after investigations are completed. 1 K Solutions Pte Ltd v. National University of Singapore [2009] 4 SLR(R) 254 at [125]. 2 Section 116 of the Evidence Act (Cap. 97) states: “The court may presume the existence of any fact which it thinks likely to have happened, regard being had to the common course of natural events, human conduct, and public and private business, in their relation to the facts of the particular case”. 3 K Solutions Pte Ltd v. National University of Singapore [2009] 4 SLR(R) 254 at [131] – [137]. 4 Tan Chor Chuan v. Tan Yeow Hiang Kenneth [2004] SGHC 259 at [24] – [25]. 29 Given the foregoing, the Commissioner takes the view that organisations should have a detailed litigation hold policy in place to ensure that documents and records relating to an investigation or potential investigation of a breach of its obligations under the PDPA are preserved and not deleted, disposed of or destroyed. Organisations should also ensure that relevant procedures and practices are fully implemented to give effect to such a litigation hold policy. 30 In respect of the matter at hand, however, the Commissioner is of the view that the contents of the Log Book, which were meant to have recorded the Reconciliation check by the print room operator, were not required for the Commissioner to make a finding of breach of section 24 given the finding that the Reconciliation was not a security arrangement designed to prevent the Incident. As such, the Commissioner did not impose any sanctions against the Organisation for the failure to preserve copies of the relevant Log Book. Remediation Actions Taken by the Organisation 31 The Commissioner notes that after the data breach incident, the Organisation undertook the following remediation actions: (a) the manual transfer of print jobs may now only be activated by the supervisors of the print room operators. 
Once activated, the print room operators may undertake the manual transfer of print jobs under the oversight of the supervisors; (b) both the print room operators and mail insertion operators are now required to check that the letters are printed in the correct format (i.e. either in the simplex or duplex formats) by comparing the files sent for printing in the Printing System with the printed letters before enveloping. The checks will be done on 20% of letters printed in a batch on a random basis where no manual transfer of print jobs is undertaken. Where a manual transfer is undertaken, the print room operator and the mail insertion operator are required to check all letters; and (c) the above measures have been included in the Standard Operating Procedure (“SOP”) for the print and mail room operations. A briefing was also held for the print and mail room operators to inform them of the changes in the SOP. Directions 32 The Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure the Organisation’s compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million as the Commissioner thinks fit. 33 In assessing the breach and determining the directions to be imposed on the Organisation in this case, the Commissioner took into account the following aggravating and mitigating factors: Aggravating factors (a) the unauthorised disclosure was systemic in nature; (b) the Personal Data included sensitive personal data. 
However, in this regard, the Commissioner took cognisance that the insurance data that was disclosed in this matter was less sensitive than personal data of the type disclosed in Re Aviva Ltd & anor [2016] SGPDPC 15 which included the names of beneficiaries and dependants and the sum insured; Mitigating factors (c) the Organisation had cooperated fully with investigations; (d) the Organisation took prompt action to remedy the flaw in the process; and (e) there was no evidence to suggest that there had been any actual loss or damage resulting from the unauthorised disclosure. 34 Pursuant to section 29(2) of the PDPA, and the investigation and assessment of this matter having been completed, the Commissioner is satisfied that the Organisation did not make reasonable security arrangements to protect the Personal Data and is in breach of section 24 of the PDPA. Having carefully considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$10,000 within 30 days from the date of the directions, failing which interest shall be payable on the outstanding amount of such financial penalty. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,bed61db05f60a9ee91df93b1594e6b3f45923cb9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,192,192,1,952,"Directions were issued to Habitat for Humanity Singapore for breaches of the PDPA. 
The organisation did not make reasonable security arrangements to prevent unauthorised disclosure of its volunteers’ personal data, failed to put in place data protection policies, and omitted to communicate data protection policies and practices to its staff.","[""Accountability"", ""Protection"", ""Directions"", ""Social Service""]",2018-05-03,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Habitat_for_Humanity_Singapore_030518.pdf,"Accountability, Protection",Breach of Openness and Protection Obligations by Habitat for Humanity Singapore,https://www.pdpc.gov.sg/all-commissions-decisions/2018/05/breach-of-openness-and-protection-obligations-by-habitat-for-humanity-singapore,2018-05-03,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 9 Case No DP-1707-B0971 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Habitat for Humanity Singapore Ltd … Organisation DECISION Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 Yeong Zee Kin, Deputy Commissioner — Case No DP-1707-B0971 3 May 2018 Background 1 On 20 July 2017, the Organisation sent out an email to 32 of its volunteers with a PDF attachment comprising a batch of community involvement programme (“CIP”) letters (the “CIP Letters”) acknowledging the participation of each volunteer at an event organised by the Organisation (the “Incident”). The Personal Data Protection Commission (the “PDPC”) was informed of the Incident on 22 July 2017 and commenced its investigations thereafter. I set out below my findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Organisation is a registered charity under the National Council of Social Services, whose objectives include seeking to eliminate poverty housing worldwide by providing decent and affordable housing. 
In furtherance of its objectives, the Organisation organises community involvement programmes, where volunteers can participate in activities such as mass clean-up events. After such events, the Organisation would generally send out a CIP letter to acknowledge and verify each individual volunteer’s participation. 3 The Incident involved the disclosure of a batch of CIP Letters in an email (the “Email”) that was prepared by a manager (the “Manager”) in the Organisation. The CIP Letters were created using the mail merge function in Microsoft Word which would fill in a CIP letter template with the names and NRIC numbers of the volunteers. This created a single Microsoft Word document containing the CIP Letters for all the volunteers, which the Manager then converted from Microsoft Word to PDF format. The Manager then sent the PDF containing the entire batch of CIP Letters to another member of staff (“Admin Staff”), along with the volunteers’ email addresses and instructed the Admin Staff to send out the CIP Letters. 4 The Organisation’s usual practice was for the document containing the entire batch of CIP Letters to be segregated and split into individual CIP Letters before each CIP Letter was individually sent to its respective volunteers. However, in this case, neither the Manager nor the Admin Staff had prepared and/or handled any CIP Letters prior to the Incident. The Manager failed to instruct the Admin Staff on the proper procedure. 5 On 20 July 2017, the Admin Staff sent a mass email to all the volunteers who were involved in the mass clean-up event, attaching the PDF document which contained the entire batch of CIP Letters. As a result, the PDF attachment containing the CIP Letters revealed the names and NRIC numbers of all the volunteers who had participated in the Organisation’s mass clean-up event. Additionally, the Email was also sent with the email addresses of all the recipients in the “cc” field. 
Consequently, the Organisation received two emails from the volunteers who had received the Email, expressing their concern that their personal data had been disclosed to other parties without their consent. Findings and Basis for Determination 6 The issues for determination are: (a) whether the Organisation complied with its obligations under section 12 of the PDPA; and (b) whether the Organisation was in breach of section 24 of the PDPA. 7 As a preliminary point, the names, NRIC numbers and email addresses disclosed in the Email and CIP Letters fall within the definition of “personal data” under section 2(1) of the PDPA, as it was clearly possible to identify an individual from that data. 8 Pursuant to section 53(1) of the PDPA, any act done or conduct engaged in by a person in the course of his employment shall be treated for the purposes of the PDPA as done or engaged in by his employer as well as by him, regardless of whether it was done or engaged in with the employer’s knowledge or approval. The Organisation is therefore responsible for its employees’ conduct in relation to the Incident. (a) Whether the Organisation complied with its obligations under section 12 of the PDPA 9 Section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA. Section 12(c) of the PDPA also requires the organisation to communicate to its staff information about such policies and practices. 10 The Organisation claimed to have instructed its employees on the Organisation’s obligations under the PDPA and the importance of safeguarding its volunteers and donors’ personal data. 
Employees who were required to deal with personal data were also briefed on the following data protection practices and procedures “on a need basis”: (a) to use the “bcc” function when sending out mass emails; (b) to send the CIP Letters individually; (c) to avoid sharing collected personal data with unauthorised third parties; (d) to contact individuals only for purposes that they have given consent; (e) to use personal data only for the purposes for which it was collected; and (f) to secure all documents containing personal data safely. 11 However, there were no documented policies, practices or procedures in relation to sending out the CIP Letters. Indeed, the Incident could very well have been averted if the Organisation had implemented, and documented, a standard operating procedure for the sending out of the CIP Letters. By the Organisation’s own admission, the Manager had omitted to instruct the Admin Staff on the Organisation’s usual procedure for sending out the CIP Letters and she “should have written down the instruction clearly for [the Admin Staff], which [she] had forgotten to do.” 12 I take this opportunity to reiterate the benefits and importance of documenting an organisation’s data protection policies and practices in a written policy as emphasised in Re Furnituremart.sg [2017] SGPDPC 7 (“Furnituremart.sg”) at [14]: “The lack of a written policy is a big drawback to the protection of personal data. Without having a policy in writing, employees and staff would not have a reference for the Organisation’s policies and practices which they are to follow in order to protect personal data. Such policies and practices would be ineffective if passed on by word of mouth, and indeed, the Organisation may run the risk of the policies and practices being passed on incorrectly. 
Having a written policy is conducive to the conduct of internal training, which is a necessary component of an internal data protection programme.” 13 In this regard, the Organisation was unable to demonstrate or produce any evidence that it had developed and implemented policies and practices necessary for it to comply with its obligations under the PDPA in respect of sending out the CIP Letters. 14 In addition, the Organisation did not provide any formalised data protection training for its employees. As the Commissioner observed in Re National University of Singapore [2017] SGPDPC 5 (at [21]), data protection training may fall under both the openness obligation (specifically, section 12 of the PDPA) and the protection obligation (section 24 of the PDPA). Data protection training is an effective mode of communication of the Organisation’s policies and practices to fulfil the openness obligation (section 12(c) of the PDPA). 15 The Manager’s failure to communicate the Organisation’s data protection policy was evidenced by the Admin Staff’s lack of awareness of the use of the “bcc” function and the implications of her actions in respect of the Email. Although the Admin Staff claimed to have been instructed on the “rules with regard to volunteers’ personal details”, the fact that she: (a) did not query whether it was appropriate to send the entire batch of CIP Letters containing personal data to all the volunteers; and (b) did not think to check whether the email addresses of the recipients of a mass email should be inserted in the “bcc” field instead of the “to” or “cc” fields suggests that there was a lack of awareness of the Organisation’s obligations under the PDPA. 
16 Accordingly, I find that the Organisation has breached its openness obligation, given that it did not develop and implement a data protection policy as necessary for the Organisation to meet its obligations under the PDPA at the time of the Incident, and it did not communicate its data protection policies and practices to its staff, as required under sections 12(a) and (c) of the PDPA. (b) Whether the Organisation was in breach of section 24 of the PDPA 17 Section 24 of the PDPA requires an organisation to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 18 In this case, the Organisation’s informal practices and verbal reminders “on a need basis” were an insufficient security arrangement for the purposes of compliance with section 24 of the PDPA. The Organisation did not implement any checks and controls to prevent or minimise the risk of unauthorised disclosure of personal data. Knowing that the output produced by the Microsoft Word mail merge function was a single file containing the CIP Letters for all volunteers in the batch, the Organisation did not implement technical arrangements such as installing IT tools1 that would have enabled the CIP Letters to be generated from the CIP letter template as separate documents. At the minimum, greater awareness of the need to protect the personal data of volunteers would have prompted the Admin Staff to process the PDF or Microsoft Word document containing the entire batch of CIP Letters manually in order to split the document into individual PDF files. The Manager would also have had a role to play in ensuring that this was done and could have implemented simple process checks to identify errors. 
Furthermore, technical controls could also have been installed to remind employees to use the “bcc” function when multiple email addresses are pasted in the “to” or “cc” field. Unnecessary disclosure of NRIC numbers 19 At this juncture, I observe that the disclosure of the volunteers’ NRIC numbers in the CIP Letters was unnecessary as the CIP Letters had already referred to the volunteers by their full names. Given that an individual’s NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual, organisations should not disclose an individual’s NRIC number except where it is required under the law or where it is necessary to accurately establish and verify the identity of the individual by way of the same. It is not apparent to me that the need to identify an individual in a CIP Letter was to such a degree of specificity that his or her NRIC had to be included. The nature and function of a CIP Letter did not necessitate the publication of the volunteer’s NRIC number. 1 There were IT tools reasonably available that would have enabled the CIP Letters to be generated from a template as separate documents. For instance, the installable PDF Split & Merge program allows a single PDF or Microsoft Word output from a mail merge operation to be processed into individual PDF files. 20 Organisations that choose to disclose more sensitive data than is required for their business or legal purposes have to be able to defend such decisions and bear the burden of ensuring an appropriate level of security for the personal data of varying levels of sensitivity. As observed in Re Aviva Ltd [2017] SGPDPC 14 (at [18]): “The Advisory Guidelines on Key Concepts in the PDPA states that an organisation should “implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”. 
This means that a higher standard of protection is required for more sensitive personal data.” [Emphasis added.] 21 In the premises, I find that the Organisation failed to make reasonable security arrangements to protect the personal data in its possession and control, as the Organisation: (a) did not put in place basic administrative security arrangements such as setting out its data protection policies and procedures in writing; (b) did not implement any checks and controls to ensure that its employees were complying with its data protection practices and policies; (c) did not provide any formalised data protection training for its employees; (d) failed to properly supervise the employees who were in charge of preparing and sending out the CIP Letters; and (e) did not have any other form of security arrangement to protect its volunteers’ personal data. Directions 22 Having found that the Organisation is in breach of sections 12(a), 12(c), and 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure compliance with the PDPA. 23 In assessing the breach and determining the directions to be imposed, I took into account, as an aggravating factor, the fact that the personal data disclosed included the volunteers’ NRIC numbers, which were of a sensitive nature. 24 I also took into account the following mitigating factors: (a) the disclosure only affected a limited number of people; and (b) the Organisation had cooperated fully in the PDPC’s investigation. 25 Pertinently, the PDPC has recently issued a public consultation on the proposed advisory guidelines for NRIC numbers, which, inter alia, discourages the indiscriminate use of NRIC numbers. Due weight has been given to the unsatisfactory practices that currently abound. 
Our practices as a society need to be improved as we become more knowledgeable about the risks of identity theft and other identity-related risks (and I do not restrict this caution as referring only to online risks). In future, similar conduct may call for the imposition of a financial penalty as proposed changes to the advisory guidelines on the collection, use and disclosure of NRIC numbers are implemented. This case should serve as a clarion call for all organisations to start handling personal data such as NRIC numbers, which are unique and permanent identifiers of individuals, with a much higher degree of care and discernment than the present. 26 I hereby issue the following directions to the Organisation: (a) to conduct a review of all its activities involving the handling of personal data of its volunteers and donors; (b) to put in place a data protection policy, including process safeguards and written internal policies, such as standard operating procedures, to comply with the provisions of the PDPA; (c) to arrange for personal data protection training for its staff; and (d) to complete the above directions within 90 days from the date of this decision and inform the Deputy Commissioner of the completion thereof within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Directions,2f49f6f980fa80609521241128a33eb6a528f5a9,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"