New Singapore Personal Data Protection Regulator’s Decision on 22 June 2023

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decision on 22 June 2023 consisting of 1 enforcement decision (Fullerton Healthcare and Agape CP Holdings case).

In this client update, we summarise the decision and present our key takeaways.

Key takeaways: 

There are several key takeaways from this recent decision:

1.    The incident solely involved and affected Agape CP Holdings’ (“Agape”) online drive and not Fullerton Healthcare’s (“FHG”) own systems and servers. However, as Agape was FHG’s data intermediary, FHG (as the data controller) had the same obligations under the PDPA as if the personal data was processed by FHG itself.

Specifically, in the context of an organisation’s (data controller’s) relationship with its data intermediary, the data controller has a supervisory or general role for the protection of the personal data, while the data intermediary has a more direct and specific role in the protection of personal data arising from its direct possession or control over the personal data. This means that a data controller may be found in breach of the Protection Obligation, even though its data intermediary may not be found in breach, and vice versa. 

2.    In this case, FHG engaged Agape as its data intermediary to carry out Agape’s services using the personal data provided by FHG. Under the Protection Obligation, FHG was required to exercise reasonable oversight of Agape’s data processing activities. The PDPC considered that FHG had conducted high-level IT due diligence review of Agape prior to its decision to onboard Agape as a vendor, and that FHG’s written agreement with Agape required the latter to comply with the PDPA including obligations to take all appropriate and reasonable administrative, physical and technical safeguards and security arrangements. However, FHG failed to exercise reasonable oversight through regular monitoring of Agape’s personal data handling processes throughout the engagement, including how Agape stored and granted Agents’ access to the customer data. 

3.    Given that FHG was aware that access to the customer data would have to be granted to a third party that was offsite for the provision of the services, FHG should have made reasonable enquiries to ascertain how the customer data was to be stored and transmitted, and how access to the customer data would be controlled. Had FHG made these enquiries and discovered the true state of affairs, they would have no doubt required Agape to implement stricter controls to regulate Agents’ access and use of the customer data. By failing to make such enquiries, FHG failed to appreciate the reality of how Agape was storing, transmitting, and retaining the customer data, and failed to exercise reasonable oversight over Agape’s data processing activities. 

4.    In quantifying the fines imposed, no weight was placed on Agape’s status as a social enterprise. The standard of security arrangements expected under the Protection Obligation will depend on the volume and nature of personal data in the organisation’s possession or control, regardless of whether the organisation is a for-profit business, a charity, or a social enterprise. 

To discuss what this latest development in data protection enforcement decisions may mean to you, please reach out to the author below: