Singapore commission clarifies reasonable security standards

Singapore’s data watchdog has warned a freelance tuition website over a design fault that exposed tutors’ educational certificates.

The Personal Data Protection Commission issued a warning to Tutor City yesterday for its failure to put in place reasonable security arrangements to protect personal data it held.

The commission had received a complaint last June over the publication of the educational certificates of 50 of the website’s 13,000 freelance tutors. The certificates, which contained information such as the tutors’ names, educational history and national ID numbers, appeared on an unencrypted, publicly accessible web page.

The commission’s investigation found that the certificates turned up in search engine results because no measure prevented the web server from automatically indexing (listing) the contents of the image directory to any web user, so search engine crawlers found and indexed the certificate images like any other public page.
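The underlying design fault is a store of sensitive documents sitting inside the public web root, where a directory index or a guessable URL hands them to anyone, crawlers included. The following is an added example, not code from Tutor City or from the commission’s decision, of the pattern that avoids it: the certificate files live outside the document root, a client names only an opaque document id, and the application checks ownership before resolving a file. The document ids, tutor ids and file names are constructed sample data, and the temporary directory stands in for a private store.

```python
"""Serving tutor certificates without a world-readable image directory.

Added example, not code from Tutor City or the PDPC decision. It assumes a
document store kept OUTSIDE the web server's document root, so nothing in it
can be reached by URL or listed by a directory index; files are handed out
only through resolve_document(), which checks ownership first.
"""
from pathlib import Path
import tempfile

# Constructed sample metadata: document id -> (owner, file name inside the store).
# In a real deployment this would come from the application's database.
DOCUMENTS = {
    "doc-1001": ("tutor-42", "tutor-42-degree.png"),
    "doc-1002": ("tutor-77", "tutor-77-diploma.png"),
}


class AccessDenied(Exception):
    """Raised for unknown documents and for requests by anyone but the owner.

    One exception type on purpose: a caller should not be able to tell
    'does not exist' from 'not yours' by probing ids.
    """


def make_demo_store() -> Path:
    """Create a temporary private store holding the constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="cert-store-"))
    for _owner, file_name in DOCUMENTS.values():
        (root / file_name).write_bytes(b"\x89PNG\r\n\x1a\n" + b"constructed sample image")
    return root


def resolve_document(store_root: Path, requester: str, doc_id: str) -> Path:
    """Return the on-disk path of doc_id if requester owns it, else raise AccessDenied.

    The client names an opaque id, never a path, so there is no file name to
    traverse; the containment check is kept as defence in depth in case a
    stored file name was ever tampered with.
    """
    try:
        owner, file_name = DOCUMENTS[doc_id]
    except KeyError:
        raise AccessDenied(doc_id) from None
    if requester != owner:
        raise AccessDenied(doc_id)
    root = store_root.resolve()
    path = (root / file_name).resolve()
    if root not in path.parents:
        raise AccessDenied(doc_id)
    if not path.is_file():
        raise AccessDenied(doc_id)
    return path


def is_allowed(store_root: Path, requester: str, doc_id: str) -> bool:
    """Boolean convenience wrapper around resolve_document()."""
    try:
        resolve_document(store_root, requester, doc_id)
        return True
    except AccessDenied:
        return False


def response_headers(file_name: str) -> dict:
    """Headers for a document response: no crawler indexing, no shared caching.

    These are hygiene, not access control; the ownership check above is the
    control. A robots.txt or noindex header alone would still leave the files
    open to anyone who knows or guesses the URL.
    """
    return {
        "Content-Type": "image/png",
        "Content-Disposition": f'attachment; filename="{file_name}"',
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "private, no-store",
    }


if __name__ == "__main__":
    store = make_demo_store()
    print("owner   :", resolve_document(store, "tutor-42", "doc-1001"))
    for who, doc in (("tutor-77", "doc-1001"), ("tutor-42", "doc-9999")):
        print("denied  :", who, doc, is_allowed(store, who, doc))
    print("headers :", response_headers("tutor-42-degree.png"))
```

Turning off the web server’s directory listing is necessary but not sufficient: once a crawler or a former visitor has a direct URL, each file is still public. Moving the files out of the web root and gating every read on an ownership check is what actually closes the exposure; the noindex and no-store headers only reduce how far copies spread.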

Tutor City engaged a freelance web developer to design and build the website, but has held sole control over its operation since the site was completed in 2011, the commission’s decision said. It took no steps to bring the website into line with the Personal Data Protection Act 2012 after the Act’s data protection obligations came into force on 2 July 2014.

Tutor City was notified of the breach in June last year, and restricted access to the files and deleted all publicly accessible images of the certificates the same day.

The commission’s decision took into account the number of affected individuals and the type of personal data at risk of unauthorised access, as well as the fact that Tutor City retained full possession and control over the personal data collected by the website.

“Although a developer was previously engaged for website development, [Tutor City] admitted that the developer did not process any personal data on behalf of the organisation,” it said. “Accordingly, the developer was not a data intermediary and Tutor City retained full responsibility for the IT security of the website as well as the personal data contained therein.”

It added that the failure to review the website’s security standards once Singapore’s data protection legislation came into force in 2014 showed Tutor City’s “fundamental lack of care … over the personal data in its possession.”

The commission rejected Tutor City’s arguments that it did not need to review its website security as it had not anticipated being hacked. A failure to anticipate hacking “is not an acceptable reason for failure to comply” with the legislation, it said: “An organisation is required to put in place security arrangements to protect personal data in its possession or control whether or not they believe that there is a likelihood of being hacked on the basis that they are small organisations.”

Charmian Aw at Reed Smith in Singapore said: “Overall the decision is well-considered, and provides useful practical guidance to organisations in the context of what is expected of them in implementing data security for their websites.”

“For instance, it sheds light on how an organisation contracting professional services to build its website retains responsibility to ensure that a certain standard of security is implemented … ignorance is simply no excuse where it fails to protect personal data in its possession or control,” Aw said.

Chong Kin Lim, a partner at Drew & Napier in Singapore, said: “The [commission] made it clear in this case that an organisation should not take the security of its business for granted simply because of the smaller scale of their business … Good data protection policies and practices should be adopted by all organisations, regardless of their size.”

“Organisations should not have a myopic view of data protection as a cumbersome roadblock to business efficacy, but rather see it as a defensive shield for their businesses against ubiquitous data protection threats and cyberattacks,” Lim said.

Tutor City did not respond to a request for comment.

  • Tutor City decision, 23 April