Section 24 of the Personal Data Protection Act ("PDPA"), which came into full force in July 2014, imposes a positive obligation on organisations to put in place "reasonable security arrangements" to protect personal data in their possession or risk a fine of up to $1 million.
However, the advisory guidelines issued by the Personal Data Protection Commission ("the Commission") do not state the minimum standards that organisations must meet. Indeed, the Commission has stated that there is no "one size fits all". It is up to each organisation to decide what is "reasonable", given the nature of the personal data and the possible harm.
In the first half of 2017, the Commission released a number of decisions in which organisations were found liable for failing to meet their protection obligations. A study of these decisions shows that the Commission takes the protection obligation very seriously. It will not accept token data protection guidelines or measures.
National University of Singapore
The decision in the first case (released on 26 April 2017) involved a residential college freshman orientation camp at the National University of Singapore ("NUS"). The camp was organised by a group of student leaders, who had recruited other student volunteers to participate as counsellors. The student leaders compiled personal data of the student volunteers in an online spreadsheet using Google Sheets ("the Spreadsheet").
To restrict access to the Spreadsheet, a URL link was generated using Google's "Share with specific people" function, which required a user to log in with his or her Google account. However, an unknown party subsequently changed the setting from "Share with specific people" to "Share using a link." As a result, any person who possessed the URL link was able to access the Spreadsheet with the student volunteers' personal data.
NUS accepted responsibility for the student leaders' actions, but represented that it had implemented safeguards in the form of data protection training and guidelines:
(a) Data Protection Training: In 2014, NUS had conducted classroom training for selected student leaders. This was replaced by e-training on the PDPA, which was available to all students on the Integrated Virtual Learning Environment portal used by NUS students. However, NUS had not made it compulsory for the student leaders to undergo the e-training; and
(b) Data Protection Guidelines: NUS had issued guidelines for the students organising various events in the name of NUS. These guidelines included a section titled "Responsible Usage and Access of Personal Data," which reminded students to "observe proper use and access to prevent potential data leakage and unauthorized/accidental access."
The Commission decided that the general guidelines and procedures provided by NUS were insufficient safeguards. The Commission focused on the lack of formalised training for the student leaders, which meant that the students were not equipped with the mind-set, knowledge, skills and tools to protect personal data.
Drawing on decisions in similar data privacy regimes in Hong Kong and Canada, the Commission noted that while security policies and procedures are essential, they are only effective when "properly and consistently implemented and followed by employees." Formalised training would play an important part in ensuring that the student leaders did not merely pay lip service to the PDPA obligations.
The NUS decision was followed by a case involving Asia-Pacific Star Pte. Ltd. ("APS"), a company which provides ground-handling services (released on 31 May 2017). In this case, an APS employee on gate duty for Tiger Airways flight TR2466 had disposed of a partially printed flight manifest (which contained personal data) in a rubbish bin in the gate hold room. A complaint was made that passengers in the waiting area could access the flight manifest.
APS represented that this was an isolated incident, and that it had reasonable security arrangements in place. All APS employees were required to comply with a Code of Conduct and Data Protection Policy. In addition, all new employees received a briefing on the requirement to comply with the PDPA during their employee induction programme.
The Commission disagreed with APS's representations. It felt that the Code of Conduct and Data Protection Policy were merely guidelines, which had not been contextualised to APS's ground operations. For example, there was no specific procedure for the staff on gate duty to dispose of sensitive documents.
Further, as in the NUS case, the Commission held that APS could not simply expect its employees to implement the organisation's policies. It should have had customised training and regular refresher training for APS employees who routinely handled passengers' personal data, or put in place measures to ensure that the policies were followed.
A similar case, released on 20 June 2017, involved Hazel Florists Pte. Ltd. ("Hazel Florists"), a gift hamper company. Hazel Florists had tasked a new employee to pack a gift hamper using loose paper strips, shredded newspapers and outdated flyers as "filler material" for the base. When the employee ran out of filler material, she decided to use discarded order forms that she found in a box. These order forms, which were meant for disposal, contained the personal data of previous customers.
Hazel Florists had specifically instructed the employee to use the designated filler material to line the hamper. It also had a data protection policy, which all new staff were expected to read upon commencing employment.
Again, the Commission decided that this did not meet the test of "reasonable security arrangements," because Hazel Florists' data protection policy merely restated the data protection obligations in the PDPA in very general terms, but did not provide specific practical guidance on how to handle personal data. Moreover, Hazel Florists did not ensure that the policy had been explained to the employees.
The Commission also faulted Hazel Florists for allowing the employee to work unsupervised even though she appeared unreceptive to training, since this meant it was unable to ensure that she followed the instruction to use the designated filler material.
The last case, also released on 20 June 2017, involved DataPost Pte. Ltd. ("DataPost"), which was responsible for printing and sending financial statements to OCBC Bank customers. DataPost had a system where an operator would sort the statements into envelopes and place them in a "reject bin" to be checked by two other employees before being placed in the "main bin." At each stage, a quality control form had to be filled out.
Unfortunately, a DataPost employee inadvertently placed statements belonging to three different customers into the same envelope, and then placed the envelope in the main bin instead of the reject bin. As a result, the envelope was posted and a customer received the personal data of two other customers.
DataPost explained that its internal process required three levels of checks as a safeguard. DataPost's internal policy also required employees to treat envelopes in the reject bin with extra care, and stated that it was mandatory for such envelopes to be subjected to second- and third-level checks.
However, the Commission decided that DataPost’s safeguards were insufficient given the sensitive nature of the information involved. The Commission criticised DataPost’s safeguards as over-reliant on the first operator strictly adhering to procedure, and correctly performing each of his functions, in order for the second- and third-level checks to be triggered. In this case, the Commission also decided to impose a financial penalty on DataPost.
From the Commission's decisions against NUS, APS, Hazel Florists and DataPost, it is clear that companies will not satisfy their PDPA obligations simply by issuing data protection policies or guidelines. For personal data of a less sensitive nature, a company should at a minimum ensure that:
(1) it provides its employees with specific procedures or instructions, instead of general guidelines;
(2) it institutes formalised and compulsory training on data protection; and
(3) it puts in place safeguards or supervisors to ensure that employees carry out their instructions.
For information of a more sensitive nature, the Commission will also evaluate the effectiveness of actual safeguards against human error, and will not hesitate to make a finding against the company if it decides that these measures should have been better designed.
It is telling that in all the cases above, the Commission made findings against the organisations. This shows a clear disconnect between the practices currently adopted by many companies and the expectations of the Commission. Given that the PDPA provides for serious financial penalties, especially where sensitive information is involved, companies should be careful to review their own processes.