In more detail
Background facts
HMI is a healthcare training provider in Singapore.
On 2 May 2024, HMI received a complaint regarding a personal data breach incident ("Incident") that involved a Microsoft Excel file ("Excel") containing the personal data of 761 individuals that HMI had inadvertently made public on the internet. The data disclosed included a combination of the individuals' names, addresses, NRIC numbers, dates of birth and other personal information.
HMI notified the PDPC of the Incident upon receiving the complaint.
Decision under the Expedited Decision Procedure
HMI voluntarily and unequivocally admitted to the following facts:
- The affected individuals had provided their data to HMI via the Students' Career Portal ("Portal"), which was part of HMI's website from 2017 to 2019.
- In December 2019, HMI decided to decommission the Portal.
- Apart from checking and confirming that the Portal was no longer accessible at its original URL, HMI did not follow up with the vendor to ensure that the Portal had been properly decommissioned.
- The Excel continued to reside in the web directory of HMI's website with no access control to prevent indexing by online search engines. This led to the Excel being indexed and made publicly accessible via an online search using relevant keywords.
Following the Incident, HMI promptly took several remedial actions, including removing the Excel in its web directory; liaising with internet search engines to ensure that all web links to the Excel had been removed; implementing an internal checklist for all future commissioning, onboarding and decommissioning of IT solutions; and establishing additional protocols to monitor its website content.
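As an added example, not part of the PDPC decision or this alert, a check of the kind HMI's new decommissioning checklist and website-monitoring protocols could include: a script that walks a web root, flags leftover data exports such as spreadsheets, and notes directories that a server with directory listing enabled would expose. The web root layout, file names and contents are constructed for the example.

```python
import tempfile
from pathlib import Path

# File types that commonly hold bulk personal-data exports and have no place under a web root.
DATA_EXTENSIONS = {".xlsx", ".xls", ".csv", ".sql", ".bak", ".zip"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_webroot(webroot, allowed_subdirs=()):
    """Map each finding (web-relative path) to a short reason.

    A file is flagged when its extension is in DATA_EXTENSIONS and its top-level
    directory is not in allowed_subdirs (directories that deliberately publish
    files). The containing directory is also flagged when it has no index file,
    because a server with directory listing enabled would expose its contents,
    and a search engine following a link to it would index everything inside.
    """
    root = Path(webroot)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DATA_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in allowed_subdirs:
            continue
        findings[rel.as_posix()] = "data file reachable under web root"
        parent = path.parent
        if not any((parent / name).exists() for name in INDEX_FILES):
            rel_dir = parent.relative_to(root).as_posix()
            key = "/" if rel_dir == "." else rel_dir + "/"
            findings[key] = "no index file; contents listable if autoindex is on"
    return findings

def build_sample_webroot():
    """Construct a hypothetical web root mirroring a half-decommissioned portal."""
    base = Path(tempfile.mkdtemp())
    (base / "index.html").write_text("<html>live site</html>")
    (base / "careers").mkdir()                                   # old portal data, no index file
    (base / "careers" / "applicants_2019.xlsx").write_bytes(b"PK\x03\x04 constructed sample")
    (base / "portal").mkdir()                                    # old portal code, index still present
    (base / "portal" / "index.html").write_text("<html>decommissioned</html>")
    (base / "portal" / "backup.zip").write_bytes(b"PK\x03\x04 constructed sample")
    (base / "downloads").mkdir()                                 # deliberately published files
    (base / "downloads" / "course_list.csv").write_text("course,fee\n")
    return base

if __name__ == "__main__":
    for item, reason in sorted(audit_webroot(build_sample_webroot(), ("downloads",)).items()):
        print(f"{item}: {reason}")
```

Running it against a real web root after a decommissioning produces the list of files to remove and directories to lock down, which is the evidence a vendor should be asked to sign off on.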
Under the Expedited Decision Procedure, HMI admitted to a breach of section 24 of the PDPA as it did not have adequate policies and processes to exercise reasonable oversight over the vendor tasked with decommissioning the Portal. Section 24 of the PDPA provides that organizations must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, etc., or similar risks, as well as the loss of any storage medium or device on which personal data is stored.
The PDPC held that HMI's own lack of technical expertise and reliance on the vendor to decommission the Portal is not an adequate defense for its failure to take the necessary steps to comply with section 24 of the PDPA. Further, HMI could have exercised reasonable oversight by verifying with its vendor that the personal data it had collected had been properly deleted following the decommissioning of the Portal. As noted by the PDPC, the exercise of reasonable vendor oversight did not require technical expertise.
Accordingly, the PDPC required HMI to pay a financial penalty of SGD 10,000 and directed HMI to report to the PDPC on the completion of various remedial actions, such as putting in place a well-documented vendor management policy and relevant processes for effective management and supervision of its IT vendors.
In deciding on the above penalty and directions, the PDPC also took into account the fact that this was HMI's second contravention of the PDPA. In 2019, HMI had also breached the protection obligation under section 24 of the PDPA when a file server belonging to HMI was affected by a ransomware attack, leading to the encryption of various files containing personal data of HMI's staff and trainees.
Enforcement of the PDPC: Expedited Decision Procedure
The Expedited Decision Procedure allows the PDPC to conduct and complete investigations in a shorter time period while achieving the same enforcement outcomes.
To invoke the Expedited Decision Procedure, an organization must request it from the PDPC in writing in the early stages of investigations. In the request, the organization must provide the following:
- An upfront voluntary admission of liability
- Relevant facts of the incident
- Written confirmation of willingness to comply with any direction or penalty notice issued by the PDPC.
The PDPC will review the information provided to decide whether to accept the organization's request. If the PDPC so accepts, a legally binding written agreement between the PDPC and the organization will be executed.
The PDPC has the discretion to discontinue the Expedited Decision Procedure and proceed with a full investigation instead at any time before the conclusion of a case.
For more detailed information on this decision, please visit the official website of the PDPC: https://www.pdpc.gov.sg/all-commissions-decisions/2024/11/breach-of-the-protection-obligation-by-hmi-institute-of-health-science
* * * * *
For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.
* * * * *

© 2024 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.