_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,143,143,1,952,Directions were issued to Avant Logistic Service for failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data. The lapses resulted in personal data of customers being disclosed by an employee.,"[""Protection"", ""Directions"", ""Wholesale and Retail Trade""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Avant-Logistic-Service-Pte-Ltd---300719.pdf,Protection,Breach of the Protection Obligation by Avant Logistic Service,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-avant-logistic-service,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 28 Case No DP-1802-B1709 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Avant Logistic Service Pte. Ltd. … Organisation DECISION Avant Logistic Service Pte. Ltd. [2019] SGPDPC 28 Yeong Zee Kin, Deputy Commissioner — Case No DP-1802-B1709 30 July 2019 Background 1 On 25 November 2017, a customer of Ezbuy Holdings Ltd. (“Ezbuy”) made a complaint to the Personal Data Protection Commission (the “Commission”) alleging that her personal data had been disclosed to another customer of Ezbuy without her consent by an employee of Avant Logistic Service Pte. Ltd. (the “Organisation”). The facts of this case are as follows. 2 Ezbuy provides an online e-commerce platform that allows its customers to shop for items from various online retailers and platforms around the world. It engaged the Organisation to provide delivery services in Singapore. 
The Organisation is an affiliate of Ezbuy and its delivery personnel are required to adhere to Ezbuy’s Privacy Policy and the terms and conditions in Ezbuy’s Employee Handbook and Ezbuy’s Delivery and Collection Standard Operation Procedure (“SOP”). 3 When a customer ordered an item through Ezbuy’s platform, they would be offered two modes of delivery, (i) delivery to a designated collection point (referred to by Ezbuy as “self-collection”), or (ii) delivery to the customer’s address. If the customer opted for self-collection, the customer would proceed to the designated collection point at a specified time. The delivery personnel there would verify their identity using their Ezbuy user ID or their mobile number registered with Ezbuy and then hand over the package with their item. 4 On 9 November 2017, the complainant scheduled to self-collect a package that she ordered from Ezbuy at a collection point in Bishan at around 6.30 p.m. One of the Organisation’s employees (referred to in this Decision as “OA”) was assigned to distribute packages there that evening. When the complainant met OA at the collection point, he gave the complainant two packages (the “Packages”) after verifying her identity. The complainant noticed that the Packages were not hers because they bore the user ID and mobile number of another person (referred to in this Decision as “CA”). According to the complainant, she informed OA of this but was told to take the Packages as they were tagged to her mobile number in the Ezbuy system. The complainant also alleged that OA asked her to inform Ezbuy’s customer service that the wrong packages had been sent to her. The complainant then left the collection point with the Packages. 5 CA arrived to collect the Packages shortly after the complainant left. OA informed her that someone else had already collected the Packages and told her 
that he would try to locate them and arrange for their subsequent delivery. At this time, OA did not realise that it was the complainant who had collected the Packages. 6 Later that night, OA sent CA screenshots of two delivery lists containing Ezbuy user IDs and mobile telephone numbers of some Ezbuy customers (the “Disclosed Data”). The first list that was sent contained the Ezbuy user IDs and mobile telephone numbers of eight Ezbuy customers who had been scheduled to collect their packages at Bukit Panjang. (This was apparently sent by mistake.) The second list contained the user IDs of four Ezbuy customers, including that of the complainant, who had been scheduled to collect their packages at Bishan. The telephone numbers in the second list were redacted by OA. However, OA also sent the complainant’s mobile telephone number to CA. OA explained to CA that he suspected that the complainant had collected the Packages because his records showed that the complainant had not collected her own packages. 7 CA eventually managed to find the complainant’s Facebook and Instagram pages using the complainant’s Ezbuy user ID as the complainant had used the same name (which was not her real name) for her Facebook, Instagram and Ezbuy user IDs. CA then sent a series of messages to the complainant via Facebook Messenger in order to recover the Packages. The complainant subsequently returned the Packages to Ezbuy. 
Remedial actions by Ezbuy and the Organisation 8 After being informed of the incident by the Commission, Ezbuy and the Organisation jointly undertook the following measures to prevent the unauthorised disclosure of customers’ personal data in the future: (a) All delivery personnel are required to request for both a customer’s user ID and mobile telephone number for verification during the self-collection process; (b) Ezbuy’s Delivery and Collection SOP was updated to comply with the provisions of the PDPA and to highlight the importance of the PDPA. In particular, a clause was added by Ezbuy stating that no customer information can be disclosed to any party under all circumstances, and that any unauthorised disclosure will lead to disciplinary action as listed in Ezbuy’s Employee Handbook; (c) A briefing was conducted to all delivery personnel to reinforce the instruction and policy that no customer’s personal data should be provided to any third party under all circumstances, and this briefing is repeated to all delivery personnel every morning; and (d) Ezbuy revised its Employee Handbook to include detailed enforcement and disciplinary actions to be taken for breach of confidentiality and employee misconduct, including any leak or sale of customer data. Findings and Basis for Determination Was the Disclosed Data personal data? 9 As a preliminary issue, I find that most of the Disclosed Data was personal data within the meaning of the PDPA. 
The term “personal data” is defined in section 2(1) of the PDPA as follows: “personal data” means data, whether true or not, about an individual who can be identified – (a) from that data [“Direct Identification”]; or (b) from that data and other information to which the organisation has or is likely to have access [“Indirect Identification”].” 10 The mobile telephone numbers disclosed by OA constitute personal data since they enable Direct Identification of the respective individuals. As explained in the Commission’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act [at 5.9 to 5.10], an individual’s personal mobile telephone number is a ‘unique identifier’ and capable, on its own, of identifying the individual. 11 On the other hand, since Ezbuy user IDs do not enable Direct Identification, whether they qualify as “personal data” depends on whether they enable Indirect Identification. In this case, CA was able to find the complainant’s Facebook and Instagram pages and identify her using the complainant’s Ezbuy user ID. The complainant’s Ezbuy user ID therefore constitutes personal data under the PDPA, even though the user ID did not contain the complainant’s real name, as it enabled Indirect Identification of the complainant. 12 Although organisations cannot be expected to know in advance if the user IDs of their customers enable Indirect Identification, they should not assume that user IDs per se do not constitute personal data as such an assumption may not, in fact, be true (as seen from this case). Organisations should therefore exercise prudence in handling user IDs. As there is no evidence that the other Ezbuy user IDs in the Disclosed Data allowed for Indirect Identification, I grant the Organisation the benefit of the doubt and accept that they do not constitute personal data. 
Nevertheless, it remains that the personal data of nine individuals (corresponding to the nine mobile telephone numbers disclosed) was disclosed without their consent or the authorisation of the Organisation. Whether the Organisation had made reasonable security arrangements 13 Section 24 of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised use, disclosure and similar risks. Although the Organisation’s delivery personnel were required to comply with Ezbuy’s Privacy Policy and Employee Handbook, this was, at the time of the incident, inadequate as they did not inform employees of exactly what they were required to do in order to protect customers’ personal data: (a) Ezbuy’s Privacy Policy only stated its commitment to ensuring security of customer information and that “suitable physical, electronic and managerial procedures” had been put in place to safeguard customer information; and (b) Ezbuy’s Employee Handbook only included a provision highlighting that customer information (among others) was confidential. 14 At the time of the incident, the Organisation had not made any effort to impress upon its delivery personnel the need to protect personal data in their possession. The Organisation did not have measures in place, such as policies or standard operating procedures, to prohibit the unauthorised use or disclosure of personal data by its delivery personnel. The Organisation also had not provided any instruction or training to its delivery personnel on the proper handling of personal data and on compliance with the PDPA. 
15 In the course of the Commission’s investigation, the Organisation sought to rely on a clause in OA’s employment contract which prohibited him from disclosing confidential information, including customer information, without the Organisation’s prior consent (the “Confidentiality Clause”). While such clauses are relevant to an organisation’s security arrangements to protect personal data, they are insufficient on their own because they typically do not elaborate on what constitutes personal data, nor how employees should handle and protect it. Organisations are expected to provide their staff with specific, practical instruction on how to handle personal data and comply with the PDPA (Re Hazel Florist & Gifts Pte Ltd [2017] SGPDPC 9 at [18]). This is particularly important for the Organisation’s delivery personnel who frequently handle personal data and are on the frontline of the Organisation’s customer-facing operations where the potential for improper use and disclosure of personal data cannot be ignored. 16 In the circumstances, I find that the Organisation had not made reasonable security arrangements to protect the personal data comprised in the Disclosed Data. The Organisation is accordingly in breach of section 24 of the PDPA. 17 One additional point I wish to address is that when OA was asked about the incident, he claimed that he had given the complainant the Packages as the complainant had provided him with CA’s Ezbuy user ID and mobile telephone number for verification. As there is no evidence that the complainant and CA were known to each other, I do not find OA’s recollection of the events to be credible or acceptable. In any case, this does not detract from the above conclusion that the Organisation had failed to make reasonable security arrangements as required under section 24 of the PDPA. 
Outcome 18 Taking the totality of the circumstances into account, I have decided not to impose a financial penalty in this case. In particular, I note that: (a) The breach was a one-off incident, with few affected individuals and relatively little personal data disclosed (comprising the nine mobile telephone numbers and user IDs); (b) The Organisation took prompt remedial actions to prevent a recurrence of such an incident; and (c) The Organisation was cooperative during investigations. 19 Instead, I have decided to issue the following directions to the Organisation to ensure its compliance with the PDPA: (a) To put in place the appropriate written policies and process safeguards which are necessary for it to protect personal data in its possession or under its control within 30 days from date of this direction; (b) To arrange for personal data protection training for its staff within 60 days from date of this direction; and (c) To inform the Commission in writing of the completion of each of the above within 1 week of completion. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION",Directions,080f1f19619de2e97b442d076d6b4f4a81f71d57,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,144,144,1,952,"A financial penalty of $54,000 was imposed on Horizon Fast Ferry for failing to appoint a data protection officer, develop and implement data protection policies and practices, and put in place reasonable security arrangements to protect the personal data collected from its customers.","[""Protection"", ""Financial Penalty"", ""Transport and Storage""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Horizon-Fast-Ferry---250719.pdf,Protection,Breach of the Protection Obligation by Horizon Fast Ferry,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-horizon-fast-ferry,2019-08-02,"COMMISSIONER FOR PERSONAL DATA PROTECTION [2019] SGPDPC 27 Case No DP-1710-B1202 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Horizon Fast Ferry Pte. Ltd. (UEN No. 201221074R) … Organisation DECISION Horizon Fast Ferry Pte. Ltd. [2019] SGPDPC 27 Tan Kiat How, Commissioner — Case No DP-1710-B1202 25 July 2019 1 On 9 October 2017, the Complainant informed the Personal Data Protection Commission (the “Commission”) that by entering her passport number in the booking form on the Organisation’s website, her name, gender, nationality, date of birth and passport expiry date were automatically populated in the corresponding fields on the form on the Booking Site without any requirement for further authentication (the “Incident”). Material Facts 2 The Organisation is a Singapore-based ferry operator with ferry services running between Singapore and Batam. 
3 As part of its service offerings, the Organisation operates a website that allows passengers to purchase ferry tickets directly from the Organisation online (“Booking Site”). At the material time, passengers who wanted to purchase ferry tickets through the Booking Site were required to provide the following personal data (the “Personal Data Set”) as set out in the form on the Booking Site (“Booking Form”): (a) the passenger’s full name; (b) gender; (c) nationality; (d) date of birth; (e) passport number; and (f) passport expiry date. 4 The same Personal Data Set was collected from passengers and entered into the Organisation’s Counter Check-In System (“CCIS”) when they checked in at the check-in counter. The CCIS is an internal system used by the Organisation’s counter staff to manage the passenger check-in process and is only accessible by authorised counter staff. 5 As a matter of practice, all Personal Data Sets collected from the Booking Site and the CCIS were stored and retained on the Organisation’s internal database (the “Database”) even after the last travelling date of the passenger’s itinerary to facilitate and speed up subsequent check-ins for passengers who have previously travelled with the Organisation (“Returning Passengers”).1 6 In this regard, one of the features of the CCIS was the auto-retrieval of the personal data of Returning Passengers. By entering a Returning Passenger’s passport number, the CCIS would automatically retrieve the Personal Data Set associated with a Returning Passenger’s passport number from the Database and populate the remaining fields in the Booking Form. Counter staff would no longer need to manually enter the Returning Passenger’s personal data. The personal data retrieved from the Database was only meant to be accessible by authorised counter staff on the CCIS. 
Booking Site revamp 7 In or around May 2017, the Organisation engaged an independent contractor (the “Contractor”) on an informal basis to revamp the Booking Site, specifically to improve the user interface and user experience, such as when purchasing ferry tickets online. The parties did not enter into any written contract for the revamping of the Booking Site and all instructions and requirements for the revamp of the Booking Site were conveyed either verbally or through WhatsApp text messages. The Organisation did not inform or instruct the Contractor of its data protection obligations in relation to the personal data in the Database. 8 Unbeknownst to the Organisation and contrary to its intention, the Contractor replicated the auto-retrieval and auto-population feature (which was only meant to be used in the internal CCIS) in the Booking Site as part of the website revamp. Consequently, whenever a user entered a passport number which matched a Returning Passenger’s passport number in the Database, the system would automatically retrieve and populate the remaining fields in the Booking Form with the Personal Data Set associated with the Returning Passenger’s passport number. As the Organisation failed to conduct proper user acceptance tests before launching the revamped Booking Site, the Organisation was not aware of this function until it was notified of the Incident. Footnote 1: The Organisation also represented that the Personal Data Sets were retained on the Database for audit and accounting and internal reporting purposes. 
9 At the time of the investigation, there were a total of 444,000 Personal Data Sets stored in the Database.2 However, the Organisation represented that out of the 444,000 Personal Data Sets, there were only a total of 295,151 unique passengers whose Personal Data Sets were stored in the Database as a number of passengers had made bookings under different passport numbers (valid and expired).3 Footnote 2: Approximately three months after the date of the Complaint, on 12 December 2017. Footnote 3: Other than the Personal Data Sets, some users also supplied their mobile phone numbers. There were 5,218 unique mobile numbers collected and stored in the Database as at 12 December 2017. 10 The Organisation took the following remedial actions shortly after it was notified of the Incident: (a) the Organisation commenced investigations and removed the auto-retrieval and auto-population feature from the Booking Site a little more than a week after the Organisation was first notified of the Incident; (b) the Organisation conducted checks to ensure that the auto-retrieval and auto-population feature was disabled from the Booking Site; and (c) the Organisation implemented administrative measures to protect the personal data in their possession, such as ensuring that documents containing booking data and passenger manifests were properly shredded at the end of the day, that monthly reports with passenger data were kept in a locked room and sent for mass disposal at the end of the financial year and the Organisation appointed a data protection officer to be responsible for ensuring the Organisation’s compliance with the PDPA. Findings and Basis for Determination 11 The two main issues for determination are: (a) whether the Organisation complied with its obligations under sections 11(3) and 12(a) of the PDPA; and (b) whether the Organisation breached section 24 of the PDPA. 12 The Personal Data Sets stored in the Database are “personal data” as defined in section 2(1) of the PDPA. 
In particular, given that the unauthorised disclosure of the Personal Data Set as a whole could have led to an increased risk of such personal data being used for illegal activities such as identity theft or fraud, they are personal data of a more sensitive nature.4 Footnote 4: See Re: Singapore Management University Alumni Association [2018] SGPDPC 6 at [20]. Whether the Organisation complied with its obligations under sections 11(3) and 12(a) of the PDPA 13 Section 11(3) of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring compliance with the PDPA. In a similar vein, section 12(a) of the PDPA requires an organisation to develop and implement policies and practices that are necessary to meet its obligations under the PDPA (collectively, the “Openness Obligation”). 14 As mentioned above, all passengers who purchased ferry tickets from the Organisation were required to provide the personal data in the Personal Data Set to the Organisation either at the time of booking through the Booking Site or at the Organisation’s check-in counter. 15 However, even though the Organisation routinely collected and processed large volumes of personal data in the course of its business, the Organisation demonstrated a blatant disregard for its data protection obligations. 16 By its own admission, at the time of the Incident, the Organisation did not designate any individual to be responsible for ensuring that the Organisation complies with the PDPA, i.e. a data protection officer (“DPO”). The Organisation’s current DPO was only appointed after 6 November 2017, when the Organisation was first informed of the Incident. 17 Similarly, the Organisation’s privacy policy was only implemented and uploaded on its Booking Site after it was informed of the Incident. 
While the Organisation represented that it had an internal guideline titled “Workplace policies: confidentiality” in place at the time of the Incident, apart from a reference to its commitment to “[e]stablish data protection practices (e.g. secure locks, data encryption, frequent backups, access authorization)”, the internal guidelines do not set out any actual practices or processes to protect the personal data in the Organisation’s possession. 18 The development and implementation of data protection policies is a fundamental and crucial starting point for organisations to comply with their obligations under the PDPA. This was highlighted in Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 (at [25]) (“M Stars Movers”): At the very basic level, an appropriate data protection policy should be drafted to ensure that it gives a clear understanding within the organisation of its obligations under the PDPA and sets general standards on the handling of personal data which staff are expected to adhere to. To meet these aims, the framers, in developing such policies, have to address their minds to the types of data the organisation handles which may constitute personal data; the manner in, and the purposes for, which it collects, uses and discloses personal data; the parties to, and the circumstances in, which it discloses personal data; and the data protection standards the organisation needs to adopt to meet its obligations under the PDPA. An overarching data protection policy will ensure a consistent minimum data protection standard across an organisation’s business practices, procedures and activities (e.g. communications through social media). 
19 Likewise, the DPO plays a vital role in building a robust data protection framework to ensure the organisation’s compliance with its obligations under the PDPA regardless of the size of the organisation.5 Footnote 5: M Stars Movers at [37]. 20 As highlighted in M Stars Movers (at [34]), the responsibilities of a DPO include, but are not limited to: (a) ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data, including processes and formal procedures to handle queries and/or complaints from the public; (b) fostering a data protection culture and accountability among employees and communicating personal data protection policies to stakeholders; (c) handling and managing personal data protection related queries and complaints from the public, including making information about the organisation’s data protection policies and practices available on request to the public; (d) alerting management to any risks that might arise with regard to personal data; and (e) liaising with the Commissioner on data protection matters, if necessary. 21 In the circumstances, it is clear that the Organisation failed to meet its obligations under sections 11(3) and 12(a) of the PDPA. Had the Organisation met its Openness Obligation under the PDPA, the Organisation would have had a clearer understanding of its data protection obligations under the PDPA and appropriate measures may have been put in place earlier which could have prevented the Incident from occurring. Whether the Organisation breached the Protection Obligation under the PDPA 22 As a preliminary point, although the Contractor appears to have been responsible for carrying out the Booking Site revamp, seeing as the parties did not enter into any written agreement and there was no evidence to suggest that the Contractor stored, held or managed the personal data in the Database on behalf of the Organisation, the Contractor is not a data intermediary of the Organisation. 
The Organisation is solely responsible for complying with all the data protection obligations under the PDPA, including the obligation to make reasonable security arrangements to protect the personal data in its possession or under its control under section 24 of the PDPA. 23 At the time of the Incident, the Database was shared by the Booking Site and the CCIS. However, the Organisation conceded that it omitted to inform the Contractor of its data protection obligations and did not instruct the Contractor to put in place proper safeguards to protect the personal data in the Organisation’s possession or control. 24 In this regard, one of the key considerations for organisations as highlighted in the Guide on Building Websites for SMEs (at [4.2.1]) is the importance of emphasising the need for personal data protection to their IT vendors: Organisations should emphasise the need for personal data protection to their IT vendors, by making it part of their contractual terms. The contract should also state clearly the responsibilities of the IT vendor with respect to the PDPA. When discussing the scope of outsourced work, organisations should consider whether the IT vendor’s scope of work will include any of the following: • Requiring that IT vendors consider how the personal data should be handled as part of the design and layout of the website. • Planning and developing the website in a way that ensures that it does not contain any web application vulnerabilities that could expose the personal data of individuals collected, stored or accessed via the website through the Internet. • Requiring that IT vendors who provide hosting for the website should ensure that the servers and networks are securely configured and adequately protected against unauthorised access. 
• When engaging IT vendors to provide maintenance and/or administrative support for the website, requiring that any changes they make to the website do not contain vulnerabilities that could expose the personal data. Additionally, discussing whether they have technical and/or non-technical processes in place to prevent the personal data from being exposed accidentally or otherwise. 25 Even more concerning was the fact that the Organisation did not put in place reasonable arrangements to discover risks to its personal data when changes were made to the Booking Site that was linked to the Database which held the personal data of close to 300,000 individuals. The Organisation did not conduct any proper user acceptance testing prior to the launch of the revamped Booking Site. The only test that the Organisation carried out was to key in a simulated passport number to test the new user interface. However, as the simulated passport number did not match any record in the Database, the Organisation failed to detect the auto-retrieval and population feature in the revamped Booking Site. 26 Websites connected to the Internet are subject to a multitude of cyber threats that may compromise the website and expose any personal data it collects. Organisations should therefore ensure that the protection of the personal data and the security of the website is a key design consideration at each stage of the website’s life cycle – be it during the requirements gathering, design and development stage or when conducting user acceptance testing or deployment and operations and support.6 Footnote 6: See PDPC’s Guide on Building Websites for SMEs at [3.2] to [3.3]. 27 As a result of the Organisation’s failure to conduct proper user acceptance tests, the gap in the revamped Booking Site which allowed for the unauthorised access to personal data stored in the Database went undetected. 
This was not rectified for approximately one month, thereby causing the personal data of close to 300,000 of the Organisation’s passengers to be exposed to the risks of unauthorised disclosure. 28 As a matter of good practice, organisations should consider whether there is a need to conduct a data protection impact assessment whenever a new system or process is being introduced, developed or implemented that involves the handling of personal data or an existing system or process is being reviewed or substantially redesigned.7 29 In this regard, the Guide to Data Protection Impact Assessments (published on 1 November 2017) (at [1.2]) states that: A [Data Protection Impact Assessment] involves identifying, assessing and addressing personal data protection risks based on the organisation’s functions, needs and processes. In doing so, an organisation would be better positioned to assess if their handling of personal data complies with the PDPA or data protection best practices, and implement appropriate technical or organisational measures to safeguard against data protection risks to individuals. 30 In adopting this view, the Commissioner agrees with the observations in the Joint Guidance Note issued by the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia on the proper use of risk assessment tools for all new projects involving personal information:8 Privacy risks evolve over time. Conducting risk assessments, at least on an annual basis, is an important part of any privacy management program to ensure that organizations are in compliance with applicable legislation. We have seen instances of organizations offering new services that collect, use or disclose personal information that have not been thoroughly vetted from a privacy perspective. Proper use of risk assessment tools can help prevent problems. 
Fixing a privacy problem after the fact can be costly so careful consideration of the purposes for a particular initiative, product or service, and an assessment that minimizes any privacy impacts beforehand is vital. As a result, such assessments should be required throughout the organization for all new projects involving personal information and on any new collection, use or disclosure of personal information. Organizations should develop a process for identifying and mitigating privacy and security risks, including the use of privacy impact assessments and security threat risk assessments. [Emphasis added.] Footnote 7: See PDPC’s Guide to Data Protection Impact Assessments. Footnote 8: Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia, Getting Accountability Right with a Privacy Management Program. 31 In view of the above and the Organisation’s failure to put in place adequate security arrangements to protect the personal data in the Database, the Commissioner finds that the Organisation was in breach of the Protection Obligation under section 24 of the PDPA. 32 Finally, although the Organisation did not intend to offer the auto-retrieval and auto-population function in its Booking Site, organisations that do offer such functions should take note of the following comments made by the UK Information Commissioner’s Office (“ICO”) in the Personal Information Online Code of Practice on the use of auto-completion facilities for forms and passwords: If your site offers auto-completion facilities for forms and passwords, it is good practice to notify users if this could leave them vulnerable, for example if their mobile device or laptop is stolen. However, ultimately users have a role to play in protecting themselves online, for example by adjusting the auto-complete settings on their browser or on a website they visit. 
Autocompletion can present a particular risk where an individual’s payment card details have been retained for ‘auto-fill’ purposes. This may mean not offering auto-completion in certain contexts – e.g. on password fields for authorising payments. [Emphasis added.] Directions 33 Having found that the Organisation is in breach of sections 11(3), 12(a) and 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 34 In deciding whether to direct an organisation to pay a financial penalty, one of the Commissioner’s key objectives is to promote compliance with the PDPA. As such, while the Commissioner will seek to ensure that the financial penalty imposed is reasonable and proportionate on the facts, the financial penalty should also be sufficiently meaningful to act both as a sanction and as a deterrent to prevent similar contraventions of the PDPA. 35 In this regard, as highlighted in the Advisory Guidelines on Enforcement of the Data Protection Provisions (at [24.1]) the Commissioner will take into account factors such as the seriousness and impact of the organisation’s breach and will consider if the organisation had acted deliberately, wilfully or if the organisation had known or ought to have known of the risk of a serious contravention and failed to take reasonable steps to prevent it. 36 In adopting this view, the Commissioner agrees with the ICO’s Guidance About the Issue of Monetary Penalties Prepared and Issued Under section 55C(1) of the Data Protection Act 1998 (“ICO Guidance on Monetary Penalties”) (at [34] to [37]): The Commissioner’s aim in imposing a monetary penalty The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA or with PECR. 
The penalty must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others. This applies both in relation to the specific type of contravention and other contraventions more generally. Here, the Commissioner will have regard to the general approach set out in paragraphs 42 to 46 below. The Commissioner will seek to ensure that the imposition of a monetary penalty is appropriate and the amount of that penalty is reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty. 37 With the foregoing principles in mind, the Commissioner took into account the following aggravating and mitigating factors in assessing the breach and determining the directions to be imposed: Aggravating factors (a) the Organisation routinely collects and processes the personal data of a large number of individuals in the course of its business but did not have adequate data protection policies or practices in place; (b) the Personal Data Sets collected and stored in the Database, such as the individual’s nationality, passport number and passport expiry date, are of a sensitive nature particularly when disclosed as a whole. 
In this regard, attention is drawn to the decision in Re: Singapore Management University Alumni Association [2018] SGPDPC 6 (“SMU AA”) at [20] where it was stated that “the use of an NRIC Number generation tool would make it relatively easy for a motivated hacker to systematically query the webpage and, if successful, he would have been able to definitively link the NRIC Number to the full name, address and other personal data of the member, potentially resulting in significant harm to the individual, such as through identity theft or an unauthorised person impersonating the affected member”; (c) the Organisation demonstrated a blatant lack of regard for its data protection obligations prior to the Incident. Despite the fact that the PDPA came into full force on 2 July 2014 and advisory guidelines and/or guides which are relevant to the contravention were available, the Organisation only appointed a DPO more than three years after the PDPA came into full force and appears to have ignored or not given these guidelines and/or guides the appropriate weight; (d) as a result of the Organisation’s lack of regard for its data protection obligations, the personal data of at least 295,151 of the Organisation’s passengers were exposed to the risks of unauthorised disclosure; Mitigating factors (e) the Organisation had cooperated fully in the investigation and was forthcoming and transparent in admitting its mistakes in contributing to the unauthorised disclosure; (f) remedial actions were taken and the Organisation took increased efforts to heighten employees’ awareness of the Organisation’s data protection obligations under the PDPA; (g) there was no evidence to suggest any actual unauthorised access and/or exfiltration of data leading to loss or damage; and (h) there was limited disclosure to possibly one individual who would have had to enter a Returning Passenger’s passport number that matched the passport number in the Database. 
38 The Organisation submitted representations, after being informed of the proposed decision in this case, requesting a warning in lieu of a financial penalty or otherwise to reduce the quantum of the financial penalty imposed. In support of this, the Organisation made the following representations: (a) The Organisation asserted that the revamped Booking Site was only operational in or around October 2017, and the auto-retrieval and auto-population feature was only accessible to users (other than the authorised counter staff) from October 2017 to 14 November 2017. Thus, the Personal Data Sets were only at risk of unauthorised disclosure for this period of time; (b) The Organisation did not deliberately nor wilfully breach the PDPA and upon notification of the Incident, the Organisation took remedial actions [Footnote 9: Including those set out in paragraph 10.] and was cooperative during the investigations; and (c) The risk of unauthorised disclosure is low as an individual would need to possess the exact passport number to trigger the auto-complete feature which would disclose the corresponding Personal Data Set. 39 With respect to the issue raised in paragraph 38(a), the Commissioner accepted the clarifications as to the period of time for which the Personal Data Sets were at risk of unauthorised disclosure, and the quantum of the financial penalty has been adjusted accordingly. 40 With regards to paragraph 38(b), the remedial actions taken by the Organisation and the fact that the Organisation was cooperative during the investigations, have already been taken into account as mitigating factors at paragraphs 37(e) and 37(f) above in determining the appropriate quantum of the financial penalty. Also, the deliberateness or wilfulness of the Organisation in breaching the PDPA is not a relevant consideration in this case where it was found that the Organisation failed to put in place the necessary security arrangements to protect the Personal Data Set. 
41 With regards to paragraph 38(c) above, these are matters that had already been taken into consideration in assessing the financial penalty and as set out at paragraphs 37(g) and 37(h) above. 42 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$54,000 within [30] days from the date of this direction, failing which, interest, at the rate specified in the Rules of Court in respect of judgment debts, shall be payable on the outstanding amount of such financial penalty. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,22d8a5e1622926675d2f3bece9bfea120e5cb7a8,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,145,145,1,952,"A financial penalty of $16,000 was imposed on Genki Sushi for failing to put in place reasonable security arrangements to protect personal data of its employees. The incident resulted in the data being subjected to a ransomware attack.","[""Protection"", ""Financial Penalty"", ""Accommodation and F&B"", ""Food"", ""F&B""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Genki-Sushi---220719.pdf,Protection,Breach of the Protection Obligation by Genki Sushi,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-genki-sushi,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 26 Case No DP-1809-B2684 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Genki Sushi Singapore Pte. Ltd. … Organisation DECISION Genki Sushi Singapore Pte. Ltd. [2019] SGPDPC 26 Tan Kiat How, Commissioner — Case No DP-1809-B2684 22 July 2019 Background 1 On 7 September 2018, Genki Sushi Singapore Pte. Ltd. 
(the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a server on the Organisation’s network which stored the personal data of its employees, among other information, had been the target of a ransomware attack. This attack resulted in the unauthorised encryption of the employee personal data hosted on that server and the Organisation being subjected to a ransom demand (the “Incident”). The Commission commenced an investigation in order to determine whether the Organisation had failed to comply with its obligations under the Personal Data Protection Act 2012 (the “PDPA”). Material Facts 2 The Organisation is a sushi chain restaurant. As part of its internal operations, it used an off-the-shelf payroll software application, “TimeSoft”, which was developed and licensed to it by Times Software Pte Ltd (“Times”). The TimeSoft application included a web portal and a database. The web portal was used by (a) employees to view their electronic payslips and (b) supervisors at the various restaurants to confirm the attendance of their employees during the designated hours. The database contained the personal data of the Organisation’s former and current employees (“Employee Data Files”). The TimeSoft application was hosted on a local server belonging to the Organisation (the “Server”). The Server also contained financial data files (e.g. financial statements and details on the Organisation’s dealings with its vendors). 3 On 30 August 2018, the Organisation’s IT personnel discovered that the Server was unresponsive. Following internal investigations, the Organisation confirmed that the Server had been subjected to a ransomware attack, resulting in most of its hosted files (including the Employee Data Files) being encrypted with a “.bip” extension and their contents being inaccessible to the Organisation. 
A ransom payment was demanded from the Organisation in exchange for the decryption key. Based on its investigations, the Organisation suspected that the Server was infected by the “Dharma” variant of ransomware that had been installed on the Server through its internet link. 4 The Incident resulted in the unauthorised modification of the Organisation’s data (including the Employee Data Files) as the encryption by the ransomware replaced the original plaintext with ciphertext (which was unreadable without the proper cipher to decrypt it). The following types of personal data belonging to approximately 360 current and former employees of the Organisation were affected by the unauthorised modification: (a) name; (b) NRIC number, if the employee was a Singaporean; (c) Foreign Identity Number (“FIN”) and application date, if the employee was a foreigner; (d) bank account information, i.e., bank and branch information; (e) gender; (f) marital status; (g) date of hire; (h) date of birth; and (i) salary details. 5 The Incident also affected the following types of personal data for some of the Organisation’s current or former employees (who had these types of data stored in the Server): (a) passport number; (b) address; (c) telephone number; (d) mobile phone number; (e) names of relatives; (f) emergency contact person’s name and relationship with the employee; and (g) country of birth. 6 There was no evidence of the encrypted personal data files being subjected to exfiltration or unauthorised disclosure. 
7 Upon discovery of the Incident, the Organisation immediately took the following steps to contain and mitigate the effects of the Incident: (a) isolated the Server from its larger IT network; (b) performed anti-virus scans on each computer in the Organisation’s office and restaurants; (c) attempted, albeit unsuccessfully, to remove the ransomware and decrypt the infected data files using third party security tools; and (d) to the best of its ability, notified its affected employees of the Incident. In this regard, all full-time employees and most part-time employees were notified by 7 September 2018. The Organisation was unable to notify its affected former employees due to their contact details being encrypted by the ransomware. 8 The Organisation subsequently also took the following steps to prevent the recurrence of the Incident: (a) replaced the Server with a new server that was isolated in a “demilitarised zone” within the Organisation’s IT network; 
(b) introduced the following safeguards to protect the personal data in the new server: (i) encrypting the TimeSoft application’s database; (ii) setting the server’s firewall security policy to allow traffic only via Hyper Text Transfer Protocol Secure or through required service ports; (iii) enabling an intrusion prevention system on the firewall; (iv) installing TrendMicro OfficeScan XS anti-virus software on the new server, with the intent of subsequently upgrading this software to TrendMicro Deep Security after improvements to the Organisation’s overall enterprise IT structure are completed; (v) enabling audit logging on the new server; (c) engaged an external vendor to provide security operation centre services, whereby the vendor would monitor the network and server logs and look out for any potential malicious activities on the new server; and (d) engaged an IT security vendor to assist with updating the Server’s operating system, managing patches for the Server, and conducting regular IT vulnerability assessments. Findings and Basis for Determination 9 The main issue for determination is whether the Organisation breached section 24 of the PDPA. Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 10 As a preliminary point, it is noted that, during the material time, the Organisation was responsible for the maintenance of the Server, while Times was in charge of providing technical support for the TimeSoft application, such as maintaining its web portal and database, as well as troubleshooting the application. Times provided its technical support on an ad hoc basis via remote access granted by the Organisation. 
During this process, the Organisation’s IT personnel would supervise the activities of Times to ensure that there was no unauthorised access to, or collection of, the personal data hosted on the Server. Accordingly, Times did not have any control or possession of the personal data hosted on the Server. In any event, the Incident did not relate to the scope of Times’ services rendered to the Organisation. As such, the Commissioner found that only the Organisation was in possession and control of the personal data, including the Employee Data Files, hosted on the Server during the material time. 11 To determine whether the Organisation was in breach of section 24, the relevant question is whether it had put in place reasonable security arrangements to safeguard the personal data hosted on the Server. The Commission’s Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017) (at [17.2]) provide the following examples of factors that are taken into consideration in assessing the reasonableness of an organisation’s security arrangements: (a) the nature of the personal data; (b) the form in which the personal data has been collected (e.g. physical or electronic); and (c) the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data. 12 In assessing the security arrangements adopted by the Organisation, the Commissioner considered that the Employee Data Files included sensitive personal data in the form of NRIC numbers, FINs, passport numbers, bank account details and salary details. In this regard, it bears repeating what was stated in Re Aviva Ltd [2018] SGPDPC 4 at [17]: “All forms or categories of personal data are not equal; organisations need to take into account the sensitivity of the personal data that they handle. 
In this regard, the Commissioner repeats the explanation in Re Aviva Ltd [2017] (at [18]) on the higher standards of protection that should be implemented for sensitive personal data: The Advisory Guidelines on Key Concepts in the PDPA states that an organisation should “implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”. This means that a higher standard of protection is required for more sensitive personal data. More sensitive personal data, such as insurance, medical and financial data, should be accorded a commensurate level of protection. In addition, the Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data expressly states that documents that contain sensitive personal data should be “processed and sent with particular care”.” [Emphasis added.] 13 It should also be borne in mind that NRIC numbers are of special concern as they are “a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual” (Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 at [19]). 14 The standard of security arrangements expected in relation to IT systems was elaborated upon in Re The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22 (“Re The Cellar Door”) at [29]; “reasonable security arrangements” for IT systems must be sufficiently robust and comprehensive to guard against a possible intrusion or attack: “Another important aspect of a “reasonable security arrangement” for IT systems is that it must be sufficiently robust and comprehensive to guard against a possible intrusion or attack. For example, it is not enough for an IT system to have strong firewalls if there is a weak administrative password which an intruder can “guess” to enter the system. 
The nature of such systems requires there to be sufficient coverage and an adequate level of protection of the security measures that are put in place, since a single point of entry is all an intruder needs to gain access to the personal data held on a system. In other words, an organisation needs to have an “all-round” security of its system. This is not to say that the security measures or the coverage need to be “perfect”, but only requires that such arrangements be “reasonable” in the circumstances.” [Emphasis added.] 15 In this case, the Organisation had failed to put in such “all-round” security of its system which is accessible via the Internet by all of its branches, and which contained sensitive personal data of its employees, e.g. NRIC/FIN and passport numbers, bank account details. The Commission’s investigations revealed the following significant gaps in the security measures implemented in relation to the Server during the Incident: (a) first, the Organisation initially did not have a firewall for the Server and, even after a firewall had been installed following its recent IT migration pursuant to its business re-organisation, it failed to configure the Server’s firewall to filter out unauthorised traffic and close unused ports; (b) second, the Organisation did not conduct periodic penetration tests to assess the overall security of its IT infrastructure and bolster the effectiveness of its defensive mechanisms and determine what measures (including patches) may be required to fix vulnerabilities; and (c) third, the Organisation failed to ensure that the Server and the TimeSoft application were regularly patched. 16 As regards the failure in paragraph 15(a), although the Server was kept in a secure physical location with physical access only granted to authorised personnel, the same level of precaution had not been implemented for virtual or remote access. 
There was no firewall for a while, and even when installed, the Server’s firewall was not configured to block any unused ports or unauthorised traffic at all material times. In other words, the Server’s firewall was ineffective at filtering out any external threats. 17 In its response to the Commission’s queries, the Organisation had explained that the lack of configuration for the firewall was because the Organisation had recently undergone a full IT migration and its IT team was waiting for the IT infrastructure to be refreshed before configuring the appropriate firewall settings. Pending this refresh, it had not configured any firewall setting as the Organisation did not have any server firewall before the IT migration and therefore no pre-existing configuration it could use for the firewall in the interim period. Thus, there was effectively no firewall in place during the relevant period. 18 The Commissioner reiterates what was said in Re The Cellar Door (at [30(a)] and [30(b)]) that “a firewall is fundamental to the security of the server to protect against an array of external cyber threats” and “leaving unused ports on a server open increases the risk of an external hacker exploiting the services running on these ports”. In this case, the firewall was not configured to close any ports. 19 As regards the failures in paragraphs 15(b) and 15(c), the Organisation admitted that it did not conduct any penetration tests on the Server within the last 12 months prior to the Incident. The Organisation was also unable to provide evidence that it had done any patching on the Server during the same period. This suggests that the Organisation did not have any processes in place to ensure regular security testing and patching of its IT systems. 20 The Commissioner emphasises that regular security testing and patching are important security measures. 
Patching is one of the common tasks that all system owners are required to perform in order to keep their security measures current against external threats. Moreover, as stated in the Commission’s Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017) at [16.3] and [16.4]: “Vulnerabilities discovered [in software] are often published, hence cyber attackers are well aware of vulnerabilities available for exploiting. It is therefore important for organisations to keep their software updated or patched regularly to minimise their vulnerabilities.” 21 Generally, organisations should, to the extent possible, test and apply updates and security patches as soon as they are available to the relevant components (e.g. network devices, servers, database products, operating systems, applications, software libraries, programming frameworks and firmware) of the Organisation’s IT system. There should also be processes and people responsible to monitor new patches and updates that become available with respect to such components. In this regard, the arrangement with Times for maintenance and technical support of the TimeSoft application was inadequate. 22 The failures highlighted above contributed to a system that had a number of vulnerabilities and gaps that a hacker could easily exploit. In this case, the ransomware may have successfully exploited these gaps to reach the Employee Data Files and the other files on the Server. For a server that held sensitive personal data, the security measures implemented by the Organisation were inadequate. In fact, the standard of protection provided was not even sufficient for non-sensitive personal data. 23 For the reasons above, the Commissioner finds the Organisation in breach of section 24 of the PDPA. 
Representations by the Organisation 24 In the course of settling this decision, the Organisation made representations on the amount of financial penalty which the Commissioner intended to impose. The Organisation raised the following factors for the Commissioner’s consideration: (a) There was no evidence that the personal data had been subjected to exfiltration, unauthorised disclosure or modification; (b) The Organisation did not pay the ransom amount to positively discourage and disincentivise unauthorised and criminal behaviour by the ransomware attacker; and (c) The Incident occurred during the period where the Organisation’s new management was in the midst of the IT migration and the strengthening of the IT infrastructure. 25 The Commissioner has decided to maintain the financial penalty set out at [29] for the following reasons: (a) As explained at [4], there had been unauthorised modification to personal data belonging to approximately 360 current and former employees of the Organisation. In determining the quantum of financial penalty, the Commissioner had already taken into consideration that there was no evidence of the encrypted Employee Data Files being subjected to exfiltration or unauthorised disclosure. (b) Notwithstanding that there was criminal activity on the part of the ransomware attacker, the finding of a section 24 breach relates to the Organisation’s own failings to put in place reasonable security measures. As such, whether the ransom amount is paid is not a mitigating factor. (c) A transition to a new management team does not lower the standard expected of an organisation to protect personal data in its possession and/or control. Notwithstanding that the Organisation was in the midst of IT migration and strengthening of IT infrastructure, it was obliged to put in place reasonable security measures to protect the Employee Data Files at all times. 
These are therefore not mitigating factors. In any event, as stated at [15], the Commission’s investigations revealed that the Organisation did not have adequate security measures in place for the Server even before the IT migration. The Commissioner’s Directions 26 Given the Commissioner’s findings that the Organisation is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as he deems fit to ensure its compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding $1 million. 27 In determining the directions, if any, to be imposed on the Organisation in this case, the Commissioner took into account the following mitigating factors: (a) the Organisation voluntarily notified the Commission of the breach; (b) the Organisation fully cooperated with the Commission’s investigations; and (c) the Organisation took prompt action to mitigate the effects of the breach. 28 The Commissioner also took into account, as an aggravating factor, that the failure to make reasonable security arrangements to protect the personal data led to a loss of control over the Employee Data Files, which contained sensitive personal data. 29 Taking into account the above mitigating and aggravating factors, the Commissioner hereby directs the Organisation to pay a financial penalty of $16,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of such financial penalty until it is paid in full. 30 The Commissioner has not set out any further directions for the Organisation given the remediation measures already put in place. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,2ce401cead0de35fee05185836541ed0903e6dff,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,146,146,1,952,"Directions, including a financial penalty of $5,000, were imposed on Championtutor for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.","[""Accountability"", ""Financial Penalty"", ""Education"", ""Tuition"", ""Education""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Championtutor---220719.pdf,Accountability,Breach of the Openness Obligation by Championtutor,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-openness-obligation-by-championtutor,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 25 Case No DP-1710-B1269 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And ChampionTutor Inc. … Organisation DECISION ChampionTutor Inc [2019] SGPDPC 25 Tan Kiat How, Commissioner — Case No DP-1710-B1269 22 July 2019 Background 1 On 31 October 2017, the Personal Data Protection Commission (the “Commission”) received a complaint from a former tutor (“Complainant”) who had registered with ChampionTutor Inc (“Organisation”), stating that he found a URL link1 (“URL Link”) to the Organisation’s tutor list (“Tutor List”) through a Google search (the “Incident”). The Commission proceeded to investigate the Incident in order to determine whether the Organisation had complied with its obligations under the Personal Data Protection Act 2012 (“PDPA”). 
Material Facts 2 The Organisation is a home tuition agency in Singapore with more than 10 years’ experience matching students and tutors. While the service is free for students, tutors are required to pay a commission to the Organisation for each tuition assignment they accepted. [Footnote 1: https://www.championtutor.com/certs_tutor/1certs1397642794.pdf] 3 In the course of investigations by the Commission, it was found that the Tutor List contained name, contact number and email address (“Disclosed Information”) of a total of 4,899 individuals, including the Complainant (“Affected Individuals”). 4 It also emerged in the course of investigations that the Organisation had not appointed any data protection officer (“DPO”) and had failed to develop and put in place any internal data protection policies. Findings and Basis for Determination 5 The issues to be determined by the Commissioner in this case are as follows: (a) Whether the Disclosed Information is “business contact information” as defined under section 2(1) of the PDPA; and (b) Whether the Organisation had complied with the obligations to appoint a data protection officer (“DPO”) and develop and implement data protection policies and practices under sections 11(3) and 12 respectively of the PDPA. Whether the Disclosed Information is “business contact information” 6 Under section 2(1) of the PDPA, “business contact information” is defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes” (emphasis added). Section 4(5) of the PDPA provides that the substantive data protection obligations found in Parts III to VI of the PDPA (the “Data Protection Provisions”) shall not apply to business contact information (“BCI”). 
7 The purpose for which the contact information is provided is key in determining whether it is considered BCI. In this regard, the Affected Individuals provided the Disclosed Information to the Organisation for the purposes of being contacted for tuition assignments. 8 Under section 2(1) of the PDPA, “business” is defined as including “the activity of any organisation, whether or not carried on for the purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity”. Tutors carry out a business of providing tuition services. In this regard, the tutors registered with the Organisation are freelancers, and are paid directly by the student. For each tuition assignment accepted, tutors are required to pay the Organisation a onetime commission.2 Tutors are also responsible for reporting their earnings as a freelance tutor to the tax authority yearly.3 The Inland Revenue Authority of Singapore’s “Tax Guide for Tuition Industry” provides guidance for tutors providing tuition services and tuition agencies assigning tutors to students with respect to reporting business income for tax purposes.4 2 See https://www.championtutor.com/faq.html which provides that agency commission is calculated at 50% of the first payment cycle (4 weeks) 3 See https://www.championtutor.com/faq.html 4 https://www.iras.gov.sg/IRASHome/uploadedFiles/IRASHome/Businesses/Starter%20Guide %20for%20Self%20Employed%20Tuition%20Centre%20or%20Agency%20Operators.pdf 3 ChampionTutor Inc 9 [2019] SGPDPC 25 Based on the foregoing, the Commissioner finds that the tuition services offered by the Organisation’s tutors falls within the definition of “business” under section 2(1) of the PDPA. Therefore, the Contact Details provided by the Affected Individuals for the purposes of being contacted for tuition assignments is BCI, and the Data Protection Provisions do not apply. 
Whether ChamptionTutor complied with its obligations under sections 11 and 12 of the PDPA 10 The Organisation’s admission that it had not appointed a DPO at the material time is a breach of section 11(3) of the PDPA. In this regard, section 11(3) requires organisations to designate one or more individuals (typically referred to as a DPO) to be responsible for ensuring that they comply with the PDPA. The importance of appointing a DPO in ensuring the proper implementation of an organisation’s data protection policies and practices, as well as compliance with the PDPA was emphasized in Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]. 11 Section 12 of the PDPA requires organisation to develop and implement policies and practices that are necessary for the organisation to meet its obligations under the PDPA, and to communicate information about such policies and practices to its employees (among other obligations). 12 At the material time, the Organisation had a privacy policy to inform tutors and students on how it collects, use, disclose, manage and safeguard personal information provided by them in the course of accessing and using the Organisation’s website. 13 The Organisation did not employ full-time staff but employed part-time home-based tuition coordinators to liaise with tutors and students, process e4 ChampionTutor Inc [2019] SGPDPC 25 invoices and follow up on payment. These part-time coordinators had access to personal data of the tutors and students in the course of their work. However, the Organisation did not have any internal data protection policies which specify the rules and procedures on the collection, use and disclosure of personal data. This omission meant that part-time tuition coordinators were not provided with any form of guidance with the PDPA and amounts to a breach of section 12 of the PDPA. 
An organisation that relies wholly on part-time staff needs to pay especial attention to ensuring that its policies can be easily accessible and that it has an effective system for promoting awareness and training part-time staff on its data protection policies and practices. The Commissioner’s Directions 14 Given the Commissioner’s findings that the Organisation is in breach of sections 11(3) and 12 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 15 In assessing the breach and determining the directions, if any, to be imposed on the Organisation in this case, the Commissioner took into account as a mitigating factor that the Organisation had cooperated with investigations and was forthcoming in its response. 16 Having considered all the relevant factors of this case, the Commissioner hereby directs the Organisation to do the following: (a) Pay a financial penalty of S$5,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate 5 ChampionTutor Inc [2019] SGPDPC 25 specified in the Rules of Court5 in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full; and (b) Within 60 days from the date of the Commissioner’s directions, develop and implement an internal data protection policy and appoint a DPO. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 5 Cap 322, R5, 2014 Rev Ed. 
",Financial Penalty,a7bc8b98d073c9ff692b042e0c3cd60c12941780,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,147,147,1,952,"A financial penalty of $24,000 and $12,000 was imposed on CDP and Toppan Security Printing respectively for failing to put in place reasonable security arrangements to protect the data of CDP’s account holders from unauthorised disclosure. The incident resulted in other account holders’ data being printed on another account holder’s notification letter. An application for reconsideration was made by Toppan Security Printing. Upon reconsideration, directions in the decision were varied.","[""Protection"", ""Protection"", ""Financial Penalty"", ""Financial Penalty"", ""Transport and Storage"", ""Admin and Support Services""]",2019-08-02,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Updated-as-of-15-Nov-2019-Decision---CDP-and-Toppan---220719.pdf,"Protection, Protection",Breach of the Protection Obligation by CDP and Toppan Security Printing,https://www.pdpc.gov.sg/all-commissions-decisions/2019/08/breach-of-the-protection-obligation-by-cdp-and-toppan-security-printing,2019-08-02,"PERSONAL DATA PROTECTION COMMISSION
[2019] SGPDPC 24
Case No DP-1706-B0895 and DP-1707-B0908

In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012

And

1. The Central Depository (Pte) Limited
2. Toppan Security Printing Pte Ltd
…Organisation(s)

DECISION

Editorial note: An application for reconsideration was filed against the decision in Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24. Pursuant to this application, the Commissioner has decided to reduce the financial penalty imposed on the Organisation from $18,000 to $12,000.
As the application did not give rise to significant legal or factual issues, a separate decision on the application will not be published.

Re The Central Depository (Pte) Limited & Anor. [2019] SGPDPC 24

Tan Kiat How, Commissioner – Case No DP-1706-B0895 – Case No DP-1707-B0908
22 July 2019

1. Organisations may employ vendors to carry out the printing and mailing of documents containing the personal data of their customers on their behalf. The process may involve both the organisations and the vendors, which requires a concerted effort to protect personal data. This case presents the issue of the division of responsibility in protecting personal data under the PDPA in such circumstances.

Background and Material Facts

2. This case concerns the unauthorised disclosure of the personal data of 1,358 account holders of the Central Depository (Pte) Limited (“CDP”) when their personal data was wrongly printed in the notification letters of other account holders and sent out. The incident occurred on or about 27 June 2017.

3. The exposed data included the name and/or CDP securities account number (“exposed primary identifiers”), which constitute personal data of the individual. In some notification letters, additional information on the securities owned by the individual (eg name of security and total amount of dividends or distribution for the security) was also disclosed. These, when combined with the exposed primary identifiers, also constitute personal data of the individual.

Parties

4. CDP provides integrated clearing, settlement and depository facilities for customers in the Singapore securities market. Toppan Security Printing Pte Ltd (“TSP”) was engaged by CDP to carry out secure printing and dispatch of documents, including notification letters of CDP’s customers. Part of TSP’s engagement with CDP included developing the necessary bespoke software to print the relevant documents.

The printing process between CDP and TSP

5. There were three categories of notification letters to be printed, depending on the type of investment(s) held by the account holder: (i) Distribution Reinvestment Plan – “DRP” or “D Type”, (ii) Scrip Dividend Scheme – “SRP” or “S Type”, and (iii) “Others” – “Others” or “O Type”. In this case, only the “DRP” or “D Type” notification letters are relevant because the data breach only affected this category of notification letters. Notification letters are sent to account holders to notify them of changes to and movements in their accounts.

6. During investigations, CDP and TSP represented to the Personal Data Protection Commission (“PDPC”) that the notification letters were printed in the following manner:
(a) CDP sent the raw data in files over an encrypted channel to TSP. According to CDP, each file may have contained raw data for all 3 types of notification letters.
(b) TSP decrypted the files for processing. The processing included the pre-processing, layout and printing stages.
(c) The file provided by CDP contained the raw data in a plain text file. The data for a single account consisted of multiple lines. Each line comprised a label, which identified the type of data, and the corresponding data.
To illustrate, a sample of the raw data would be supplied in the following manner:

    D00001ABC TRUST CO 12345678X
    D000029876-54321-12346 MR ABC 123 DEF ST 654321 Y SINGAPORE
    D00004Taxable Income 329862520
    D00004Tax Exempt Income 194494560
    D00004Capital 077797824
    D00004Other Gains 058348368
    D00005660503272
    D000029876-12345-64321 MS JKL 321 GHI RD 789456 Y SINGAPORE
    D00004Taxable Income 000001240
    D00004Tax Exempt Income 000000560
    D00004Capital 000000101
    D00004Other Gains 000000090
    D00005000001991
    D00001LMN TRUST CO 87654321X
    D000029876-00019-24689 MR QLM 98 WXY ST 987456 Y SINGAPORE
    D00004Taxable Income 000012541
    D00004Tax Exempt Income 000001560
    D00004Capital 000001201
    D00004Other Gains 000000290
    D00005000015592

The raw data above is purely for illustrative purposes and the information is fictitious. As can be seen from the above table, the labels were designated “D00001”, “D00002”, “D00004” and “D00005”. For the lines with D00001, D00002 and D00005 labels, there was only one such line per account, while there could be more than one line with the D00004 label for each account. The type of data that corresponds to each of the labels is as follows:

    Label     Type of data
    D00001    name of the security
    D00002    account number, account holder name and mailing address
    D00004    information on credits to the account for the security. The data corresponding to the D00004 label can be further categorised into Taxable Income, Tax Exempt Income, Capital and Other Gains, such that there could be up to 4 lines with the D00004 label for each account.
    D00005    total value of the D00004 lines for each individual account

At the pre-processing stage, TSP’s program would carry out checks on the raw data to determine the integrity of the data and format the data into a consistent structure (‘formatted data’), primarily to insert D00001 lines where multiple account holders have invested in the same security.
(d) At the layout stage, a program extracts the formatted data and populates the data in each of the notification letters in the following layout:
[Image omitted]
(e) The final stage is the printing stage, where the notification letters are printed as laid out and populated in the layout stage.

7. Before the deployment of the printing process, TSP had carried out user acceptance tests (“UAT”) on behalf of CDP, and the test results were presented to and approved by CDP.

The data breach incident

8. Prior to the data breach incident in June 2017, TSP had carried out successful print runs for S Type notification letters.

9. However, as indicated at paragraph 2 above, when the D Type notification letters were printed for the first time, they were printed incorrectly. This occurred as the raw data only contained one D00004 line for some accounts instead of the four D00004 lines of data for which the layout stage of TSP’s system was programmed.

10. Where only one D00004 line was present, the notification letter should have appeared in a format similar to the following sample letter:
[Image omitted]

11. Instead, each incorrectly printed notification letter included data which did not belong to that account. An example of a notification letter (using fictitious information) that was printed and sent out follows:
[Image omitted]

12. A comparison between the sample notification letter which was correctly printed, as shown in paragraph 10 above, and the example of the incorrectly printed letter shown in paragraph 11 above shows that the information marked out within the larger oval ought not to have been printed. The information in the 3rd, 4th and 5th columns, which has been marked out, shows information relating to another individual, including his name (ie John Smith), securities account number (ie 987600019-24689) and the security invested in (ie LMN Trust Holdings). The total marked out within the smaller oval is also incorrect.

13. The incorrectly printed notification letters resulted from the programming of TSP’s system at the layout stage to expect exactly four lines of D00004 data for each account, instead of allowing it to accept up to a maximum of four lines of D00004 data. As will be discussed below, this was due to TSP misunderstanding each account to always consist of four D00004 lines (i.e. the categories of Taxable Income, Tax Exempt Income, Capital and Other Gains). However, in reality each account may consist of between one and four D00004 lines. The manner in which this error resulted in the incorrectly printed notification letters is described as follows:
(a) Taking the below table of raw data as an example, at the layout stage, the program had correctly read the 1st and 2nd lines, which had the D00001 and D00002 labels respectively.

    Line No.  Raw data
    1         D00001ABC TRUST CO 12345678X
    2         D000029876-54321-12346 MR ABC 123 DEF ST 654321 Y Singapore
    3         D00004Taxable Income 329862520
    4         D00005329862520
    5         D00001LMN TRUST CO 87654321X
    6         D000029876-00019-24689 MR QLM 98 WXY ST 987456 Y Singapore
    7         D00004Taxable Income 000012541
    8         D00005000012541

(b) The program did the same for the 3rd line, which had a D00004 label (i.e. for the Taxable Income category).
(c) However, as the raw data did not include any D00004 lines for the “Tax Exempt Income”, “Capital” and “Other Gains” categories, the layout program instead assigned line 4 (which was the total credits to the account), line 5 (the name of the security for the next account) and line 6 (the account holder name and residential address of the said next account) to these D00004 categories in respect of the first account.
(d) The program then ignored the 7th line, the D00004 line of the next account.
(e) Accordingly, when the printing was subsequently triggered, the notification letter that was printed contained the data of the D00001, D00002 and D00004 labels from the next account. It also skipped the printing of the notification letter for that next account, since parts of the data had been merged with the current notification letter and the trailing data field was ignored.
(f) This error was repeated for the other notification letters of the affected account holders.

14. Following the incident, CDP issued apology letters to the affected account holders, and halted its engagement with TSP in respect of its print services.

Findings and Assessment

Issues for determination

15. The issues to be determined by the Commissioner are as follows:
(a) What obligations did CDP and TSP each owe under the Personal Data Protection Act 2012 (“PDPA”) in respect of the personal data of the affected account holders;
(b) Whether CDP complied with its obligation under section 24 of the PDPA in respect of the data breach incident that occurred;
(c) Whether TSP complied with its obligation under section 24 of the PDPA in respect of the data breach incident that occurred.

CDP’s and TSP’s obligations to protect personal data under the PDPA

Relevant provisions under the PDPA

16. Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or similar risks (the “Protection Obligation”).

17. This obligation is also conferred on the data intermediary under Section 4(2) of the PDPA. Further, Section 4(3) of the PDPA provides that an organisation shall have the same obligation under the PDPA in respect of the personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.

18. The duties of an organisation and data intermediary under section 24 of the PDPA have been examined in precedents, e.g. Re Singapore Cricket Association and Another [2018] SGPDPC 19. This case gives occasion to re-state that duty.

Relationship between CDP and TSP in complying with Section 24 of the PDPA

19. In this case, CDP is the organisation and TSP is the data intermediary in respect of the personal data of the account holders. Both CDP and TSP are obliged under the PDPA to protect the personal data of account holders pursuant to Section 24 of the PDPA stated above.

20. The overlap in the obligation of the organisation and the data intermediary to protect personal data means, in practical terms, that organisations and their data intermediaries would necessarily have to work together in formulating the right protective measures and processes.

21. This is especially pertinent in this case because both CDP and TSP had roles in developing the system or process by which the notification letters were printed.
Amongst other things, CDP was the one which determined the format of the raw data and the specifications around which TSP would build its program to generate the notification letters, which required the processing of personal data and the printing and dispatch of those notification letters.

22. Hence, both CDP and TSP had the obligation to ensure that the printing system and process they developed would sufficiently protect the personal data it was handling and processing. As part of this, there needed to be proper testing of the system and implementation of exception handling and checks to prevent errors from compromising the security of the personal data. In the Commissioner’s view, this responsibility fell on both CDP and TSP.

23. One of the ways in which organisations can develop a system which protects personal data is by adopting a Data Protection by Design approach, in which organisations consider the protection of personal data from the earliest possible design stage of any project and throughout the project’s operational lifecycle. This may be very relevant to organisations which are looking to develop any new processes that deal with personal data (as in this case). This is a design approach that is advocated in the PDPC’s Guide to Developing a Data Protection Management Programme.1

1 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/guide-to-developing-adpmp---011117.pdf at p22

Whether CDP complied with its obligations under section 24 of the PDPA

24. CDP’s duty under section 24 was to make reasonable arrangements to protect the personal data to be processed on its behalf. As explained at paragraphs 21 and 22 above, CDP had the responsibility in the development, testing and implementation of exception handling of the system to ensure that they would adequately protect personal data. In the Commissioner’s view, this entails:
(a) Providing clear specifications and representative test data that covered the full range of data to be processed and the various processing scenarios. Specific to the present context, this meant making clear that there was a range in the number of D00004 lines (ie between 1 and 4 lines) per account in the data file supplied by CDP. In Re Singapore Cricket Association and Another [2018] SGPDPC 19, the Deputy Commissioner had found that the provision of proper and clear instructions to a developer of a website that holds personal data should form part of the protection obligations of the organisation. In failing to do so, the Singapore Cricket Association was found in breach of Section 24 of the PDPA. The same principles apply here.
(b) Advising on the scope of the UAT, since the test is based on test data provided by CDP. CDP would therefore need to supply test data that covered the full range of scenarios for processing in order for there to be proper UAT testing. Again, this included supplying test data that allowed for a range of D00004 lines to be tested.
(c) Ensuring that the requirements that it provided anticipated and catered for processes that could handle exceptions and could verify that the processing was carried out correctly.

25. The Commissioner finds that CDP did not discharge its duty under section 24 of the PDPA:
(a) CDP did not provide reasonably clear specifications to TSP. CDP knew that some of its D Type letters had just 1 D00004 line instead of 4. However, the specifications that CDP provided to TSP did not make this clear:
i. There was no explicit statement by CDP making clear to TSP that the number of D00004 lines may vary.
ii. Instead, what was indicated in CDP’s specification was that the D00004 lines were “repetitive”.
This could be understood to mean that there would be more than one D00004 line, and since CDP had only provided TSP with samples which had four D00004 lines at that stage, TSP misunderstood this to mean that they would always occur four times, ie four D00004 lines for each notification letter. Had there been more clarity from CDP on what it meant at that point, the issue may have been averted.
(b) CDP did not ensure that the UAT carried out was robust enough to test for variations in the number of D00004 lines that may be encountered in actual cases. This is because CDP had only supplied test data that had exactly four D00004 lines per account, for both the initial tests and the UAT, and, as such, did not detect any problems with variations in the number of D00004 lines of data. The test data supplied also gave the mistaken impression that there were exactly four D00004 lines of data for each notification letter. A wider range of test data would have allowed for broader scoping of the UAT, which was lacking in this case.
(c) CDP did not specify exceptional scenarios and how the printing system would handle exceptions or verify that processing was correct.
i. As the organisation with primary and supervisory responsibility to protect personal data,2 CDP did not ensure that the printing system could detect and raise alerts when an exception or error was encountered.
ii. As will be examined below, TSP’s layout program did not detect that there was only one line of D00004 data supplied in respect of some accounts, instead of the four D00004 lines it was hard-coded to read, and did not trigger an alert. Instead, it continued to extract or ignore the subsequent lines erroneously. TSP’s layout program had therefore lacked the capability to handle exceptions or issues arising from the data supplied.
iii. Additionally, CDP also did not satisfy itself during UAT that TSP’s system had the means to verify that the data was processed correctly throughout all the stages of the process.

2 See Re The Management Corporation Strata Title Plan No. 3696 and Another [2017] SGPDPC 11 and Re The Cellar Door and Another [2016] SGPDPC 22

26. Having regard to the above, the Commissioner finds CDP to be in breach of section 24 of the PDPA.

Whether TSP complied with its obligations under section 24 of the PDPA

27. The Commissioner likewise finds that TSP did not discharge its duty under section 24 of the PDPA. First, TSP ought to have ensured that the software it used correctly processed and printed out the relevant data. Giving TSP the benefit of the doubt and assuming that it had processed them correctly, TSP would have understood the requirements to mean that there were always four lines of D00004 data. TSP’s layout program did not detect that in this case there was only one line of D00004 data; and it went on to read the subsequent lines as though they were D00004 data. If the program was hard-coded correctly to expect 4 lines of D00004 data, it ought to have recognised that some accounts only contained one line of D00004 data, and the system ought to have raised an alert in cases of deviation.

28. The program read the subsequent lines incorrectly as if they were D00004 data, as the program did not check for four occurrences of D00004 labels per account but assumed that this was always the case. Thus, even based on TSP’s misunderstanding that there would always be four D00004 lines per account, TSP’s program was not designed to detect an exception to this (albeit mistakenly) expected feature. The incorrect processing of the data by TSP’s program at the layout stage was what caused the notification letters to be printed and sent wrongly.
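The fixed-count reading error described at paragraphs 13 and 28, and the label-driven reading with exception handling that paragraphs 22 and 27 call for, as an added illustration that is not part of the decision and is not code from CDP or TSP. It models the labelled-line record format described at paragraph 6(c) (D00001 security, D00002 holder and address, 1 to 4 D00004 credit lines, D00005 account total); the ‘;’ separator between a D00004 category and its amount, the sample values, and the function names naive_layout, parse_accounts and validate are assumptions constructed for the illustration.

```python
# Added illustration, not the decision's text and not code from CDP or TSP.
# Models the labelled-line record format described at paragraph 6(c):
# D00001 security, D00002 holder and address, 1 to 4 D00004 credit lines,
# D00005 account total. The ';' between a D00004 category and its amount,
# the sample values and the function names are assumptions.
from dataclasses import dataclass

LABEL_LEN = 6  # every line starts with a six-character label such as D00004


class RecordFormatError(ValueError):
    # Raised when the input deviates from the expected record structure, so
    # the run stops and is alerted on instead of silently re-assigning data.
    pass


@dataclass
class Account:
    security: str
    holder: str
    credits: list   # (category, amount) pairs from the D00004 lines
    total: int      # value carried on the D00005 line


def _split(line):
    # Return (label, payload) for one raw line.
    line = line.rstrip('\n')
    return line[:LABEL_LEN], line[LABEL_LEN:]


def naive_layout(lines):
    # The failure mode in paragraphs 13 and 28: a fixed-count reader that
    # treats every account as exactly seven lines (D00001, D00002, four
    # D00004 lines, D00005) and never looks at the label of what it consumes.
    # With fewer than four D00004 lines the next account's lines are pulled
    # into the current letter and that next account's letter is never produced.
    letters = []
    for i in range(0, len(lines) - 6, 7):
        payloads = [_split(l)[1] for l in lines[i:i + 7]]
        letters.append({'security': payloads[0], 'holder': payloads[1],
                        'credits': payloads[2:6], 'total': payloads[6]})
    return letters


def parse_accounts(lines):
    # Label-driven reader: each line must carry the label the structure
    # expects next, 1 to 4 D00004 lines are accepted, and the D00005 total is
    # checked against the D00004 amounts (the per-account checksum mentioned
    # at paragraph 29) before anything is handed to layout or printing.
    accounts = []
    i, n = 0, len(lines)
    while i < n:
        label, security = _split(lines[i])
        if label != 'D00001':
            raise RecordFormatError(f'line {i + 1}: expected D00001, got {label}')
        i += 1
        if i >= n or _split(lines[i])[0] != 'D00002':
            raise RecordFormatError(f'line {i + 1}: expected D00002 after D00001')
        holder = _split(lines[i])[1]
        i += 1
        credits = []
        while i < n and _split(lines[i])[0] == 'D00004':
            payload = _split(lines[i])[1]
            try:
                category, amount = payload.split(';')
                credits.append((category, int(amount)))
            except ValueError:
                raise RecordFormatError(f'line {i + 1}: malformed D00004 payload {payload!r}') from None
            i += 1
        if not 1 <= len(credits) <= 4:
            raise RecordFormatError(f'line {i + 1}: {holder!r} has {len(credits)} D00004 lines, expected 1 to 4')
        if i >= n or _split(lines[i])[0] != 'D00005':
            raise RecordFormatError(f'line {i + 1}: expected D00005 total for {holder!r}')
        total = int(_split(lines[i])[1])
        if total != sum(amount for _, amount in credits):
            raise RecordFormatError(f'line {i + 1}: D00005 total {total} does not match the D00004 amounts')
        accounts.append(Account(security, holder, credits, total))
        i += 1
    return accounts


def validate(lines):
    # Returns None when the file parses cleanly, otherwise the message an
    # operator should see before any letter is laid out.
    try:
        parse_accounts(lines)
    except RecordFormatError as exc:
        return str(exc)
    return None


# Constructed sample in the shape of the decision's table at paragraph 13(a):
# two accounts with one D00004 line each (fictitious values).
SAMPLE = [
    'D00001ABC TRUST CO 12345678X',
    'D000029876-54321-12346 MR ABC 123 DEF ST 654321 Y SINGAPORE',
    'D00004Taxable Income;329862520',
    'D00005329862520',
    'D00001LMN TRUST CO 87654321X',
    'D000029876-00019-24689 MR QLM 98 WXY ST 987456 Y SINGAPORE',
    'D00004Taxable Income;000012541',
    'D00005000012541',
]

if __name__ == '__main__':
    print(naive_layout(SAMPLE))    # one letter, carrying the second account's lines
    print(parse_accounts(SAMPLE))  # two accounts, totals verified
```

Run against the constructed sample, naive_layout produces a single letter whose credit columns contain the second account’s D00001 and D00002 payloads, which is the merge described at paragraph 13(c) and (e); parse_accounts returns two accounts and, on a file with a missing total, a surplus D00004 line or a total that does not add up, stops with a message naming the offending line rather than printing anything.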
There was a lack of exception and error handling, such that it cannot be said that TSP had implemented a reasonable security arrangement that would protect personal data.

29. The incident may have been prevented if the developers of the program had co-ordinated and adopted the same interpretation of the requirements. In this regard, TSP’s program incorporated 2 checksum tests at the pre-processing stage. One checksum test was a check that the value of the D00005 data for each account correctly totalled the value of the D00004 lines for that account. The second checksum test calculated the total value of the D00005 data of all the accounts sent to TSP for printing. The pre-processing stage of TSP’s system would then check whether the data it received was accurate by comparing the total value of the D00005 data of all accounts CDP sent to TSP with the total value stored in the very last line of the file as a separate record. However, these checksum tests at the pre-processing stage were ineffective to address the unauthorised disclosure in this matter; they were merely a check on the integrity of the file received by TSP.

30. Ultimately, TSP did not implement the proper capability to detect or handle exceptions or errors in the processing and printing of the notification letters. It is fundamental to the protection of personal data that the system handling personal data is able to detect and carry out exception and error handling. Otherwise, this may lead to a system failure which poses risks of a data leak or data breach (as in this case).

31. It is timely for the Commissioner to refer to the PDPC’s Guide to Printing Processes for Organisations3, which states that organisations should consider the following, amongst other things, for their printing process: “Appropriate juncture for the check(s) i.e. performed at a suitable stage for corrective actions to be able to reverse and/or eliminate any potential error(s). Intensity and extent of check(s) should be proportionate to the volume and sensitivity of the personal data present in the printing process.”

32. TSP did not carry out a proper test on the system. It ought to have tested for variations in the number of D00004 lines provided, to verify whether TSP’s program was able to handle those variations, such as a different number of lines for the D00004 labels. These variations may occur due to inadvertence or mistake, and TSP ought to have tested whether its program was able to handle them.

33. For the reasons above, the Commissioner finds TSP to be in breach of section 24 of the PDPA.

3 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-PrintingProcesses-for-Organisations-030518.pdf

Directions

34. The Commissioner is empowered under section 29 of the PDPA to give the Organisations such directions as it deems fit to ensure the Organisations’ compliance with the PDPA. This may include directing the organisations to pay a financial penalty of such amount not exceeding S$1 million as the Commissioner thinks fit.

35. Pursuant to section 29(2) of the PDPA, and the investigation and assessment of this matter having been completed, the Commissioner is satisfied that CDP and TSP did not make reasonable security arrangements and are in breach of section 24 of the PDPA.

36. Having carefully considered all the relevant factors of this case, the Commissioner hereby directs:
(a) That CDP pays a financial penalty of S$24,000 within 30 days from the date of the directions, failing which interest shall be payable on the outstanding amount of such financial penalty;
(b) That TSP pays a financial penalty of S$18,000 within 30 days from the date of the directions, failing which interest shall be payable on the outstanding amount of such financial penalty.

37. In assessing the breach and determining the directions to be imposed on CDP in this case, the Commissioner took into account the following aggravating and mitigating factors:
(a) CDP is the central depository for financial market account information in Singapore. Individual account holders must be able to rely on CDP to protect their personal data.
(b) The personal data that was disclosed comprised financial information of the individual, which is sensitive personal data.
(c) That said, CDP took steps to prevent recurrence following the data breach incident.
(d) CDP also promptly notified the affected individuals and the PDPC.

38. CDP submitted representations on the proposed decision in this case by way of a letter dated 8 April 2019. In its representations, CDP acknowledged that the specifications, test data and test scope provided to TSP could have been, and should be, improved. However, it was of the view that it had not breached section 24 of the PDPA.

39. In this regard, CDP asserts that TSP ought to have reviewed the specifications, test data and user acceptance tests (“UAT”) for both the S Type and D Type letters, instead of just the D Type letters, as the specifications for the print programme would have been similar. According to CDP, it had provided an S Type letter template to TSP which consisted of a maximum of two D00004 lines and provided UAT test data for S Type letters which consisted of one D00004 line. CDP asserts that “[f]rom this TSP ought to have been aware that the actual data sent by CDP for printing may vary from the templates/test data provided”. Also, CDP asserts that it had specified in the specification that the number of D00004 lines would be “repetitive”, i.e. “not a fixed number of lines of crediting details but with variations within this type of crediting details”.
Further, CDP asserts that it had used the word “always” to indicate if a value or the number of lines is fixed or static and it did not indicate that the number of D00004 lines “always” consisted of 4 lines. 40. The Commissioner agrees that TSP is also liable for unauthorised disclosure of personal data in the wrongly printed notification letters and has already found 19 Re Central Depository (Pte) Limited & Anor [2019] SGPDPC 24 TSP to be in breach of section 24 of the PDPA. Nevertheless, CDP’s representations do not absolve CDP of its shortcomings in respect of this incident. CDP’s use of the word “repetitive” in its specifications was ambiguous when considered together with the fact that the test data provided to TSP for the D Type letters all contained four D00004 lines per account. This led TSP to assume that “repetitive” meant four D00004 lines for each account. It did not help that even though the test data provided had some records with four D00004 lines and others with fewer D00004 lines, the records with four D00004 lines were associated with D Type letters. Even though CDP intended for the dataset to be applicable for all types of letters, its omission to inform TSP led TSP to make the assumption that D Type letters always had four D00004 lines. CDP could have expressly instructed TSP that the test data provided was to be treated as applying across all the various types of letters and not merely the individual types of letters to which the test data corresponded. 41. CDP also asserted that it had requested TSP to conduct an additional visual check on the notification letters and that if TSP had done so, they would have caught the error. In relation to this, CDP referred to a Document Management Services Agreement (“DMSA”) entered into between CDP and TSP to support its assertion. However, a review of the DMSA does not reveal a specific requirement to conduct a visual check of the letters that are sent out. 
In the circumstances, the Commissioner did not accept CDP’s representations that it had instructed TSP to conduct a visual check of the notification letters. 42. Finally, CDP requested that, should the Commissioner maintain his finding that CDP was in breach of section 24 of the PDPA, the financial penalty imposed be reduced. In this regard, CDP made 2 submissions. First, CDP acknowledged that the disclosed personal data was sensitive but asserted that the potential harm to the affected individuals was relatively limited and not likely to lead to any loss or prejudice. The Commissioner agrees that there is no evidence of financial loss or damage. The absence of financial loss or damage has already been taken into consideration in determining the financial penalty imposed in this case. 20 Re Central Depository (Pte) Limited & Anor 43. [2019] SGPDPC 24 Secondly, CDP also referred to its prompt notification of the error to affected individuals and to the PDPC, as well as to the proactive and prompt steps CDP took to remediate the matter. The Commissioner accepts these points and has included them in paragraph 37(d) above. 44. In the circumstances, the Commissioner maintains his finding that CDP was in breach of section 24 of the PDPA. However, taking into account CDP’s representations, the Commissioner has decided to reduce the financial penalty from the initial quantum of $30,000 to the amount stated in paragraph 36(a) above. 45. In assessing the breach and determining the directions to be imposed on TSP in this case, the Commissioner took into account the following aggravating and mitigating factors: (a) The personal data that was disclosed comprised of financial information of the individual, which is sensitive personal data. (b) TSP was cooperative and willing to provide information on a timely basis to the Commission; (c) TSP took steps to prevent recurrence following the data breach incident. 46. 
The Commissioner hereby directs CDP to carry out the following within 60 days: (a) For CDP’s data protection officer (appointed under section 11(3) of the PDPA) to be given authority to assess the data protection requirements in developing new printing processes that involves personal data; and 21 Re Central Depository (Pte) Limited & Anor (b) [2019] SGPDPC 24 For CDP to provide the full range of expected processing scenarios in the test script during development testing and UAT for all types of printing jobs (except for ad-hoc printing jobs) which are being carried out by TSP as at the date of this direction. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 22 ","Financial Penalty, Financial Penalty",850caf449162034d53605762c40ce355aee93042,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"