BE AWARE OF YOUR DATA PROTECTION OBLIGATIONS WHEN ENGAGING THIRD PARTY VENDORS
Organisations who engage external vendors to develop websites for them have to be aware of the data protection obligations owed under the Personal Data Protection Act (“PDPA”). This is especially so in relation to client’s personal data, as exemplified in the recent decision by the Personal Data Protection Commission (“PDPC”) in EU Holidays Pte. Ltd. [2019] SGPDPC 38 (“EU Holidays”).
I. Background
On 14 January 2019, the PDPC received a complaint that the personal data of EU Holidays Pte. Ltd’s ( “Organisation”) customers were accessible through the Organisation’s website ([1] EU Holidays).
Prior to the complaint, the Organisation had engaged an IT vendor to develop the Organisation’s new website with e-commerce capabilities, pursuant to a quotation of services dated 16 May 2019 (“Contract”). This was to allow customers to make online reservations for tour packages, and information received from the customers were stored in two web directories ([2] EU Holidays).
However, the Contract did not specify any requirements in respect of the storage and protection of the customers’ personal data ([3] EU Holidays).
On or around 5 January 2019, a member of the public discovered that copies of tax invoices containing customers’ personal data were exposed to unauthorized access and disclosure through links to the two web directories, prompting the complaint to the PDPC ([4]-[5] EU Holidays).
II. Discussion of the PDPC’s Findings
The definition of “personal data” in the Personal Data Protection Act (“PDPA”) is as follows:
““personal data” means data, whether true or not, about an individual who can be identified —
(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access;”
It was undisputed in EU Holidays that the information leaked (e.g., the customers’ names, addresses and passport details) constituted “personal data” ([5] EU Holidays). Thus, the key issues in EU Holidays were whether the Organisation had thereby contravened s 12 and s 24 of the PDPA.
Need for internal policies and practices. s 12 PDPA requires organisations to develop and implement policies and practices necessary to meet their obligations under the PDPA, and to communicate such policies and practices to their staff.
As the Organisation did not have any internal data protection policies to guide employees on handling personal data, the PDPC found that the Organisation had breached s 12 PDPA ([15] EU Holidays).
Reasonable security. On the other hand, s 24 PDPA (“Protection Obligation”) imposes an obligation on organisations to protect personal data in their possession by taking reasonable security steps or arrangements.
The PDPC also found that the Organisation had breached this obligation as amongst others, they had failed to include any requirements in the Contract as to how the personal data disclosed should be stored or protected ([10] EU Holidays).
Data intermediary? Did it matter that the website was developed by a third party? Could the IT vendor be said to be a “data intermediary”?
In this regard, the PDPA defines a “data intermediary” as follows:
““data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;”
The PDPA non-exhaustively defines “processing” in relation to personal data as follows:
““processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction;”
Since the IT vendor was only engaged to develop the website and provide maintenance and technical troubleshooting services thereafter, and did not process the personal data disclosed on behalf of the Organisation, the PDPC found that the IT vendor was not a “data intermediary”. As such, the PDPC found that Organisation was solely responsible for protecting the personal data disclosed ([8] EU Holidays).
“Vicariously” liable. In any event, even if the IT vendor was a data intermediary, s 4(3) PDPA would have rendered the Organisation liable, as it provides that an “organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.”
However, it is important to note that the PDPC has previously found that an organisation which included a clause in its contract with a data intermediary, instructing the data intermediary to take necessary actions and precautionary measures to protect personal data, was not liable for a breach of the Protection Obligation when the data intermediary failed to comply with the same (See [17] (1) Central Depository (Pte) Limited; (2) Toh-Shi Printing Singapore Pte Ltd [2016] SGPDPC 11).
III. Some observations
EU Holidays is a reminder that when it comes to dealing with personal data, parties should pause and give careful thought as to how the personal data is handled. Where third parties are involved, regardless of whether they are data intermediaries or not, parties would do well to consider how the personal data is being handled, and if there are sufficient (and indeed, effective) mechanisms in place to ensure that the obligations under the PDPA are met.
As emphasized in [11] EU Holidays, where parties have engaged, or intend to engage, IT vendors to build their websites, it is important to ensure that the need for personal data protection should not only be emphasized to the IT vendors, but should also be made as part of the contractual terms.
Lastly, also highlighted in [11] EU Holidays is the importance to have regard to the PDPC’s Guide on Building Websites for SMES when it comes to building corporate websites or other online portals. This is because s 49 PDPA makes it clear that the PDPC may issue written advisory guidelines from time to time, indicating the manner in which they will interpret the provisions of the PDPA.
Tags: Personal Data Protection Act; Personal Data; Data Intermediary; Protection Obligation; Third Party; Website Developers
This publication is not intended to be, nor should it be taken as, legal advice; it is not a substitute for specific legal advice for specific circumstances. You should not take, nor refrain from taking, actions based on this publication. Chancery Law Corporation is not responsible for, and does not accept any responsibility for, any loss or damage that may arise from any reliance based on this publication.