The “Protection Obligation” of Singapore’s Personal Data Protection Act 2012 (PDPA) states that organisations must make reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Three cases decided in June 2019 by the Personal Data Protection Commission (PDPC) highlight that training and testing are important components of the reasonable security arrangements required by the Protection Obligation.
The first case involves the transportation service, Grabcar Pte. Ltd. (Grabcar), and their carpooling service called GrabHitch. Two GrabHitch drivers disclosed their passengers’ personal information on a public and private Facebook group. Because the Grab App facilitates the transmission of personal data from the passengers to the drivers, Grabcar is required by the Protection Obligation to protect those data. However, the sole security measure Grabcar put in place was one sentence in the GrabHitch Drivers’ Code of Conduct prohibiting drivers from “posting passenger details in public forums” because doing so would violate the PDPA. The PDPC held that this security measure was not sufficient, and that Grabcar should have also conducted online PDPA training for GrabHitch drivers because drivers (being individuals) are not subject to the PDPA and may not be familiar with its provisions. Grabcar was ordered to review and amend their policies to give guidance to GrabHitch drivers on the handling of personal data and implement other reasonable security arrangements necessary to comply with the Protection Obligation.
In another case,[1] insurance provider AIA Singapore Private Limited (AIA) used a system to automatically generate letters for their customers. In fixing an earlier error in the system, AIA inadvertently introduced a new error that caused the system to incorrectly address multiple letters to the same address. As a result, one customer received 178 letters intended for other customers and another customer received 66 mistaken letters. The letters contained personal information of the policyholders or insured persons. The PDPC found that AIA failed to conduct sufficient testing before rolling out the fix for the earlier system error. The scope of the tests was too narrow: the tests only generated one letter at a time and only used a single address. In addition, after the letters were generated, AIA had no process or personnel responsible for checking the contents of the letters. Given the sensitive nature of insurance data, the PDPC determined that AIA should have instituted more controls to ensure the accuracy of the addresses of the letters. AIA was fined S$10,000 for breaching the Protection Obligation.
The third case highlights that data intermediaries must also comply with the Protection Obligation and that the consequences of failing to protect sensitive information can be severe. Ncode Consultant Pte. Ltd. (Ncode) developed and operated NTRIX, a school administration web application/portal used by Victoria School, among others. NTRIX manages a variety of information about students and parents, including personal information, and the PDPC found that Ncode was a data intermediary of Victoria School. Over a 10-week period, the school’s NTRIX account suffered 84 unauthorised logins by students who used their teachers’ login credentials to modify their examination data. The students exploited a common and well-known vulnerability in NTRIX to discover the teachers’ passwords, which were encoded in Base64, and then easily decoded them using public software. The PDPC found that Ncode did not implement adequate security measures to protect the personal data under their control, in violation of the Protection Obligation, by failing to use security scanning tools to detect the vulnerability and by failing to encrypt or hash the passwords to keep them secure. Although Ncode sought leniency because they cooperated with the investigation and there was no evidence of mass exfiltration of data, the Commissioner assessed a S$30,000 financial penalty because NTRIX handles the data of minors and Ncode should have easily detected the common and well-known vulnerability and fixed it.
Organisations that handle personal data must take care to implement appropriate security measures to protect personal data, in accordance with the Protection Obligation. More robust security measures must be implemented for sensitive personal data, such as insurance-related data and personal data of minors. Adequate training of personnel on the protection of personal data and thoroughly testing technologies that store, generate or otherwise process personal data are two important measures that must not be overlooked in organisations’ data security plans.
[1] AIA Singapore Pte. Ltd. [2019] SGPDPC, Personal Data Protection Commission, 20 June 2019
