The Personal Data Protection Commission of Singapore (PDPC) has recently imposed its highest ever fines on two organisations operating in the healthcare sector (a healthcare provider, SingHealth, and its IT provider, IHiS), of SGD 250,000 and SGD 750,000 respectively, for their failure to put in place adequate data security measures, a failure that exacerbated the effects of a cyberattack last year. These fines reflect the fact that the data breach was the worst in Singapore’s history, affecting some 1.5 million patients (in a jurisdiction with around 5.6 million residents). The breach arose after an attacker gained access to the healthcare database by infecting a user’s workstation, obtained login credentials to the database and was then able to repeatedly access and copy data.
Drawing on domestic legislation in addition to guidance from supervisory authorities in the EU, Canada and Australia, the PDPC engaged in a detailed analysis of the organisation’s security and operational procedures, including those around its outsourcing arrangements between SingHealth and IHiS. The PDPC’s mature approach provides a valuable lesson to organisations wishing to take similar measures to protect the security of personal data under the GDPR.
Security roles and responsibilities
As under the GDPR (where the standard is to take measures ‘appropriate’ to the risk of the processing and the nature of the personal data), in Singapore both organisations controlling personal data and their outsourced service providers have a duty (and concurrent liability) to take ‘reasonable’ security measures.
The PDPC considered the data security framework that SingHealth had in place, centring its analysis on the responsibilities of its staff and on the outsourcing arrangements. The government-owned IT service provider, IHiS, was responsible for hiring and managing IT personnel for most functions, and these personnel were deployed to SingHealth. In effect, they performed the functions of identifying and reporting suspicious incidents and of providing information on IT security measures and updates to SingHealth’s Board of Directors and Risk Oversight Committee.
The PDPC considered that, because of the outsourcing arrangements, it was not clearly apparent whether SingHealth or IHiS was responsible for the actions of the Group Information Security Officer and the reporting Cluster Information Security Officer (CISO), who worked at SingHealth but were deployed by IHiS. However, the PDPC drew on an earlier decision which held that where data processing activities are carried out by an organisation’s external vendor, “the organisation has a supervisory or general role for the protection of the personal data, while the data intermediary has a more direct and specific role in the protection of personal data arising from its direct possession of or control over the personal data”.
In particular, the PDPC considered that SingHealth failed to put in place the necessary operational and governance measures to support IHiS’ services, for example by ensuring that the CISO had a team within SingHealth to provide support during the CISO’s absence. Turning to IHiS’ responsibility, the PDPC specifically considered the provider’s practical, rather than organisational, measures: its use of anti-virus and anti-malware software, network firewalls and scripts run to monitor the confidentiality and integrity of the SCM database, among other detection methods. It found that these did not meet the requisite standard.
A similar standard could prove useful in outsourcing arrangements under the GDPR, particularly where responsibility for preventing security breaches is to be assigned between two parties that can both be liable for data security failures. This also brings into play the contractual measures that can be introduced to allocate liability between such parties (for example, where the outsourcing organisation may expect its IT provider to take care of all the relevant arrangements).
Liability and contractual measures
The PDPC’s analysis largely concerned the arrangements between SingHealth and IHiS, which it held to be a ‘data intermediary’ (effectively a data processor under Singaporean legislation). In this vein, the PDPC suggested that several of the issues of responsibility, particularly concerning the CISO and the GCIO, could have been resolved by the parties agreeing relevant contractual clauses. The PDPC suggested such clauses should include a variety of measures, many broadly similar to those required under the GDPR, such as:
- controls around the use, return, destruction or deletion of the personal data;
- a prohibition on sub-contracting;
- the right of the data user (controller) to audit and inspect how the data processor handles and stores personal data.
The third provision, whilst not expressly required by the GDPR, is best practice in many controller-processor contracts. In practice, IHiS (including its cloud systems) was subject to an annual audit, the results of which were brought to the attention of SingHealth’s senior management. Typically, these provisions serve as a means of ensuring compliance with the above obligations, and also serve to demonstrate that the data controller has carried out due diligence on its suppliers, which is itself required by the GDPR.
Notably, the PDPC placed less emphasis on the obligations to assist the data user/controller in complying with data subject rights and data protection impact assessments, as such provisions (beyond the rights to notice, access and correction) are not per se in place in Singapore.
However, the PDPC’s recommendations also included novel suggestions, such as:
- requirements for the immediate reporting by the data processor of any sign of abnormality (e.g. the PDPC suggests this could occur where an audit trail shows unusually frequent access, at odd hours, by a staff member to the personal data entrusted to the data processor) or of any security breach.
This appears to be a precursor to breach notification, and is a significantly higher obligation than most best-practice security provisions in controller-processor agreements in the EU (aside perhaps from those with IT support providers); it will impose an obligation on processors to monitor their relevant systems.
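The audit-trail abnormality the PDPC describes, written up as an added detection example (not code from the decision or from either organisation): it counts each account's off-hours reads per night and flags any account that exceeds a threshold. The log format, the 22:00 to 06:00 window, the threshold and the sample records are all assumptions.

```python
"""Flag unusually frequent off-hours access in a database audit trail."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed off-hours window and per-account nightly threshold; tune both to
# the organisation's own working pattern and normal access volumes.
OFF_HOURS_START = 22   # from 22:00
OFF_HOURS_END = 6      # until 06:00 the next morning
THRESHOLD = 5          # off-hours record reads per account per night

# Constructed sample audit trail, one event per line:
# timestamp,account,action,record_id
SAMPLE_AUDIT_TRAIL = """\
2018-06-27T09:12:04,clinician01,READ,P10001
2018-06-27T23:41:10,svc_account7,READ,P10002
2018-06-27T23:41:12,svc_account7,READ,P10003
2018-06-27T23:41:15,svc_account7,READ,P10004
2018-06-28T00:02:30,svc_account7,READ,P10005
2018-06-28T00:02:31,svc_account7,READ,P10006
2018-06-28T00:02:33,svc_account7,READ,P10007
2018-06-28T02:15:00,clinician02,READ,P10008
2018-06-28T14:30:00,clinician01,READ,P10009
"""


def is_off_hours(ts):
    """True when the timestamp falls in the assumed odd-hours window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def night_key(ts):
    """Group a night's events under the date on which it began, so reads
    just before and just after midnight are counted together."""
    day = ts.date()
    if ts.hour < OFF_HOURS_END:
        day -= timedelta(days=1)
    return day.isoformat()


def parse_audit_trail(text):
    """Parse the assumed CSV format into (timestamp, account, action, id)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, action, record_id = line.split(",")
            events.append((datetime.fromisoformat(ts), account, action, record_id))
    return events


def find_off_hours_abnormalities(text, threshold=THRESHOLD):
    """Return (account, night, count) for accounts over the nightly threshold."""
    counts = Counter()
    for ts, account, action, _ in parse_audit_trail(text):
        if action == "READ" and is_off_hours(ts):
            counts[(account, night_key(ts))] += 1
    return sorted((a, n, c) for (a, n), c in counts.items() if c >= threshold)
```

A finding here is the trigger for the immediate report the clause contemplates; the threshold should be set from the organisation's own baseline rather than the constant used above.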
The PDPC held that these measures were largely met by the presence of an outsourcing contract committing IHiS to take appropriate data security measures and by the presence of relevant policies, including standard sub-contractor agreements. The PDPC’s suggestions are a welcome intervention, particularly as controller-processor contracts in the EU are, in practice, beginning to include further provisions ranging from notification (e.g. requiring the processor to specify where the data processing can no longer be performed) to obligations limiting the scope of the personal data to be processed by the processor, no doubt heavily influenced by the Privacy Shield onward transfer requirements.
Essentially, the PDPC’s conclusion was that although IHiS did not have adequate security monitoring in place, SingHealth should also have identified that those procedures were not sufficient or that there was insufficient governance in place. The PDPC’s decision, whilst notable for the level of the fines and its detail, is not exceptional in its content, with many European supervisory authorities increasingly examining controllers’ outsourcing arrangements as a key area of compliance. For example, just last week the Dutch supervisory authority announced that it would be asking 30 organisations in the media, energy and trade sectors what agreements they have in place with third parties processing personal data on their behalf. Against this background, the decision can provide useful guidance in tackling the increasingly ubiquitous contracts with IT providers, as organisations look to offload the risk associated with data security.