Protecting Personal Data in Outsourcing Agreements

CNPupdate


Monday 1 May 2017

Introduction

Since the Personal Data Protection Act (“PDPA”) came into full force, in July 2014, the Personal Data Protection Commission (“PDPC”) has been actively prosecuting organizations and individuals for breaches of the PDPA, releasing 22 decisions in 2016 alone.

This article looks at a recent PDPC decision, in The Cellar Door Pte Ltd and Global Interactive Works Pte. Ltd.,1 which elaborates on the duties of organizations engaging data intermediaries to assist them in the handling and processing of personal data.

Responsibility of organizations engaging data intermediaries under the PDPA

The PDPA defines a data intermediary as an ‘organization’ (which, itself, is defined to include an individual) that processes personal data on behalf of some other organization (but excluding the employees of such other organization).2

Under the PDPA, an organization engaging a data intermediary to process personal data on its behalf and for its purposes is not relieved of responsibility but has the same obligations in respect thereof as if it were processing the data directly.3

The PDPC decision in The Cellar Door Pte Ltd and Global Interactive Works Pte. Ltd. (“Decision”)

Cellar Door Pte. Ltd. (“Cellar Door”) runs a business dealing with food and wine products.

In 2011, it engaged Global Interactive Works Pte. Ltd. (“GIW”) to host its customer database and business website (“Site”), on GIW’s servers. The engagement did not include the provision of maintenance services by GIW.

In or around September 2014, unauthorized postings of the personal data of various customers and users of the Site were discovered on an unrelated third party website, known as “Pastebin”. The circumstances behind this posting were never ascertained.

Following investigations, the PDPC prosecuted both Cellar Door and GIW, eventually concluding that (a) GIW was acting as a data intermediary for Cellar Door in relation to the personal data hosted on GIW’s servers; and (b) both Cellar Door and GIW had failed to comply with their respective obligations under the PDPA, in particular, under section 24.

Section 24 of the PDPA provides that an organization is obliged to protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks (“Protection Obligation”). Section 4(2) of the PDPA expressly extends the operation of Section 24 to data intermediaries.

Cellar Door and GIW were held to have breached the Protection Obligation by failing to implement adequate measures to protect the personal data that was in their possession or control.

In particular, the PDPC held that they had breached this obligation by failing to:

  1. carry out penetration testing or put in place plans to carry out penetration testing on GIW’s IT system to identify vulnerabilities;
  2. put in place an ongoing process to maintain the website and regularly update or patch it against the latest risks and vulnerabilities;
  3. put in place an incident-management policy or process that tracked identification of the technical issues through to their resolution; and
  4. implement “all-round” security measures, such as the installation of server firewalls, the closing of unused ports, the transference of login credentials in encrypted text and the adoption of a secure administrative password.

Whilst both Cellar Door and GIW were held to be in breach, the PDPC emphasised that Cellar Door had the primary responsibility of ensuring that the above measures were put in place to protect its personal data and it had not discharged this responsibility simply by engaging a data intermediary to provide hosting and database services.

In particular, the PDPC held, “It is incumbent on Cellar Door to take the necessary steps to ensure the overall protection of data, even though it may have engaged GIW to assist in certain data operations. For example, Cellar Door may put in place contractual arrangements which clearly define the scope of GIW’s responsibilities, and follow through with operational procedures and checks to ensure that GIW carries out its functions” (emphasis added).

In the event, the PDPC directed Cellar Door to immediately remedy the security defects in relation to the Site and imposed a financial penalty of S$5,000 on Cellar Door and S$3,000 on GIW.

Comments on the Decision

The Decision reiterates the importance of imposing contractual obligations on a data intermediary to put in place its own adequate security measures for the protection of personal data.

Based on the earlier cited extract from the Decision, however, the PDPC appears to have taken the view that merely imposing contractual obligations on a data intermediary to secure personal data is insufficient and that, to properly comply with the Protection Obligation, an organization should go further and take active steps to monitor or verify its data intermediary’s compliance with such contractual obligations.

At first glance, this seems to impose a rather onerous obligation on organizations, especially small and medium enterprises, that may not have the relevant technical experience or expertise to adequately assess or test their data intermediaries’ compliance, or the resources to engage suitably qualified personnel to do so. The Decision is also unclear as to the type and extent of “operational procedures and checks” that would be deemed adequate in this regard.

Subsequent to the Decision, the PDPC updated its “Guide on Building Websites for SMEs” (“Guidelines”), which suggests that merely imposing contractual obligations may suffice, stating as follows:

“Organizations should note that they may be held liable for the actions or omissions of its data intermediary that amounts to a breach of a Data Protection Provision. The organization should therefore ensure that its contract with its data intermediary imposes sufficient obligations on the data intermediary to ensure the organization’s own compliance with the PDPA” (emphasis added).

Whilst the Guidelines suggest that merely imposing contractual obligations would be sufficient, and do not expressly require organizations to take further pro-active steps to actually verify their data intermediaries’ compliance with such provisions, it is submitted that the apparently different perspectives reflected in the Decision and in the Guidelines may be reconciled.

This would be done by organizations that engage data intermediaries not only requiring those data intermediaries to undertake generally to take such steps or measures as may be necessary to protect the security and integrity of the personal data they handle, but going further and contractually obliging them to devise and implement their own recommended means and/or methodologies to periodically:

  1. check and test the security and integrity of their computer servers and systems;
  2. keep abreast of the latest known threats, risks and/or vulnerabilities, and ensure that their servers and systems are, at all times, properly patched or updated to protect against them; and
  3. report to the engaging organization on their due compliance with the above matters,

coupled with an express right on the part of the engaging organization to conduct random inspections and/or audits to verify compliance by its data intermediaries.

Such an arrangement would not only put the primary onus back on the data intermediaries (who ought to be in the best position to do so) to take proper steps to protect their own computer systems and/or network, but would also allow the engaging organizations to assume a more pro-active role in monitoring and/or verifying their data intermediaries’ on-going compliance with the Protection Obligation.

This approach is also consistent with the position in the UK, where the Information Commissioner’s Office has expressly recommended that organizations have in place arrangements, such as regular reports or inspections, to allow them to check that their data intermediaries are processing personal data in an appropriate manner.4

Conclusion

While it is clear that organizations must impose adequate contractual obligations on their data intermediaries to protect personal data in their possession or control, the Cellar Door decision raises the question of whether merely imposing such obligations is enough or whether the engaging organization must go further and pro-actively assess or monitor compliance by its data intermediary, and, if so, to what extent.

It remains to be seen whether subsequent PDPC decisions will clarify these questions but, in the meantime, it would appear prudent for organizations to import some mechanism into their data intermediary contracts that would allow them to assume a more pro-active role in the process.

1 [2016] SGPDPC 22.
2 Section 2, PDPA.
3 Section 4(3), PDPA.
4 The Information Commissioner’s Office guideline, “Outsourcing – a guide for small and medium-sized businesses”.

This update is provided to you for general information and should not be relied upon as legal advice.