The Personal Data Protection Commission (“the Commission” or “PDPC”) had been notified of a ransomware attack on NUInternational Singapore Pte. Ltd. and Newcastle Research and Innovation Institute Pte. Ltd. (collectively called “the Infringing Organisations”) on 17 September 2020 and 13 November 2020 respectively. Following a thorough investigation by the PDPC, directions were issued against the Infringing Organisations for failing to discharge the Transfer Limitation Obligation under section 26 of the Personal Data Protection Act (“PDPA”).
Context
The ransomware attack had occurred on 30 August 2020 and affected (a) a database in the United Kingdom, managed by the parent company of the Infringing Organisations (which contained 1,083 records of Singapore-based individuals) and (b) a database in Malaysia, hosted by a related company of the Infringing Organisations (which contained 194 records of Singapore-based individuals). Such personal data included, inter alia, the names and user identifications of staff members, undergraduate and/or postgraduate students of the Infringing Organisations.
Details of Infringement
As per section 26 of the PDPA, no organisation shall transfer any personal data to a country or territory outside Singapore except in accordance with the requirements explicitly prescribed by the PDPA, which required the Infringing Organisations to ensure that the transferred personal data received a standard of protection comparable to that granted under the PDPA (the “Transfer Limitation Obligation”).
In particular, as per Regulations 9 and 10 of the Personal Data Protection Regulations 2014 (“Transfer Regulations 2014”), which were in force at the time of the incident (and have since been reviewed and amended in 2021), the Infringing Organisations ought to have had either intra-group agreements or binding corporate rules that ensure that data transferred out of the Singapore jurisdiction meets the stringent standards set out in the PDPA. However, the investigations by the PDPC revealed that the Infringing Organisations did not have intra-group agreements, binding corporate rules or any other legally binding instrument that makes the recipients in those countries “bound by legally enforceable obligations to provide to the transferred personal data a standard of protection” comparable to the protection provided under the PDPA.
The Infringing Organisations argued that they had met the requirements of the Transfer Limitation Obligation because they had adhered to the personal data protection laws of the United Kingdom, which applied to the parent organisation that had been subject to the ransomware attack. Further, the Infringing Organisations argued that 44 out of the 1,083 individuals had given consent in their employment contracts to their personal data being transferred out of Singapore, which would be in line with the PDPA. However, the PDPC was not convinced by the Infringing Organisations’ stance on this matter. The PDPC clarified that the argument on consent would only apply if the Infringing Organisations had provided the affected individuals with a written summary of how their personal data would be protected when transferred to the United Kingdom.
Decision
After careful consideration, the PDPC issued the directions to the Infringing Organisations as follows:
- The Infringing Organisations are to put in place an intra-group agreement or binding corporate rules in compliance with section 26 of the PDPA in relation to any personal data transferred out of Singapore.
- Alternatively, in the event that the Infringing Organisations rely instead on the consent of the individuals whose personal data is affected, the Infringing Organisations shall review and modify their consent and notification processes as necessary for compliance with section 26 of the PDPA and Regulation 10(3) of the Personal Data Protection Regulations 2021 (formerly Regulation 9(3)(a) in the 2014 version) relating to transferring any personal data outside Singapore.