On 23 April 2019, Singapore’s Personal Data Protection Commission (commission) issued two separate grounds of decision against PAP Community Foundation and Tutor City.

In both cases, the commission issued warnings to the organisations for breaching the protection obligation under section 24 of the Personal Data Protection Act (PDPA), but no financial penalty was imposed.

PAP Community Foundation (PCF)

The facts of this case were as follows:

  • PCF provides kindergarten services, and organises various school trips.
  • In connection with a particular school trip, a teacher at PCF sent a photograph of a consolidated attendance list to a WhatsApp chat group comprising parents of students of the school. The attendance list contained the personal data of 15 students and their parents, including the contact and National Registration Identity Card (NRIC) numbers of five of the parents.
  • A parent alerted the teacher of this unauthorised disclosure and the teacher quickly deleted the message within the group chat. The same parent lodged a complaint with the commission.

The commission’s findings were as follows:

  • It was evident that PCF did not have specific policies or procedures to guide its employees (including its teachers) on the use and disclosure of personal data in their communications with parents of students who were enrolled at the preschools.
  • Given the frequency of interaction between PCF’s staff and the parents, such policies and training should reasonably be expected to be put in place to guide the staff on how to comply with PCF’s data protection obligations.
  • While PCF had provided data protection training to its staff, mere training alone cannot be a substitute for data protection policies and procedures.
  • To its credit, however, PCF had acted swiftly to address their inadequate policies. This carried mitigating value. In particular, the commission noted that PCF had taken the following remedial measures:
    • Immediate suspension of all WhatsApp chat groups following the disclosure;
    • Expedited implementation of rules pertaining to the use of social media and WhatsApp chat groups;
    • Roll-out of data protection policies including document retention and information security policies; and
    • Development of a practical employee handbook and conducting refresher training for its employees.

Tutor City (TC)

The facts of this case were as follows:

  • TC provides matching services between freelance tutors and prospective clients who are parents of students in need of tuition services in Singapore.
  • It was discovered that the personal data belonging to 50 individuals were published on TC’s website and made publicly accessible without the relevant individuals’ authorisation.
  • As part of TC’s website’s features, tutors interested in using TC’s service were given the option of voluntarily uploading up to three different educational certificates to assist TC in matching the needs of the students in question to suitable tutors. However, these certificates were not intended to be made publicly accessible.
  • TC had instructed a freelance web developer to design and develop its website. All uploaded certificates were stored in sub-folder within the website’s server, without any form of access controls. This caused the certificates to be indexed and searchable on search engines like Google.

The commission’s findings were as follows:

  • TC retained full responsibility over the security of its website. The standard expected from organisations contracting professional services to build their websites or other online portals is set out in the commission’s Guide to Building Websites for SMEs. The commission noted that according to a Cyber Security Agency report, almost 40 per cent of the cyberattacks reported in 2017 targeted such small and medium enterprises (SMEs).
  • TC’s claim that it lacked the IT knowledge or tech-saviness is not a defence against its failure to take any steps to comply with the protection obligation under the PDPA. The lack of access controls is something inherently within an organisation’s power to implement, and system design as well as human errors are common causes of personal data breaches.
  • Ultimately, it is up to each organisation to determine what security arrangements are the most suitable for its purposes, taking into account factors such as the sensitivity of the personal data in question, size of its database and operational realities. In this regard, the commission highlighted that proper housekeeping and putting in place maintenance processes to ensure regular security patching and regular archival of old data were among some of the protection measures that an organisation should consider adopting.
  • Nonetheless, the commission decided to issue a warning (sans any financial penalty), noting that TC took the following steps to prevent a reoccurrence of the incident:
    • It deleted all images stored in the image directory to its website; and
    • It added a .htaccess file to the image director that restricted access to only the administrator.