News

Review of PDPC August Decisions

Aug 28 2020 | by OrionW

Review of August 2020 PDPC Decisions

In August 2020, the Personal Data Protection Commission (PDPC) published decisions finding eight organisations to be in breach of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).  These decisions serve as reminders to organisations of the importance of adopting reasonable security measures to protect personal data in their possession or control against unauthorised access, collection, use, disclosure, copying, modification disposal or similar risks (Protection Obligation).

These recent cases reveal several causes which led to PDPA violations: inadequate code reviews, pre-launch testing and/or periodic security reviews of IT systems (or technology-based features or services), insufficient employee training on data protection policies and practices, failure to communicate data protection requirements to contractors and lack of stringent password policies or measures for user or administrative access.  Penalties ranged from warnings to a S$32,000 financial penalty.

The table below summarises the recent PDPC decisions, each of which involved a failure to implement reasonable security measures to protect personal data in violation of the Protection Obligation.

Organisation and Sector

Incident and Cause

Decision/Penalty

Singapore Accountancy Commission

Sector: Accountancy

Incident: Personal data of 6,541 individuals mistakenly enclosed in emails sent to 41 unintended recipients.

Cause: Failure to train staff on the organisation’s data protection policies and to implement technical measures to reduce the risk of sending personal data to unintended recipients.

S$5,000 financial penalty

Zero1 and its contractor / data intermediary, IP Tribe

Sector: Telecoms

Incident: Personal data of 118 individuals contained in invoices sent to incorrect recipients due to a coding error in the course of migrating to a new IT system.

Cause: Failure to conduct adequate pre-launch tests on its new IT system to simulate expected use and anticipate possible scenarios in order to detect functionality issues.

Warning issued

Actstitude

Sector: Media

Incident: Personal data of over 160 individuals contained in their resumes on Actstitude’s website were accessible over the Internet.

Cause: Failure to conduct adequate pre-launch vulnerability scans and to conduct periodic security testing.

Warning issued

Jean Yip Salon

Sector: Beauty

Incident: Personal data of 28 employees stored in the organisation’s internal employee system became available on the Internet.

Cause: Accidental grant of access to an internal employee system; failure to develop processes to deactivate unnecessary user accounts and to enforce a stringent password policy for access to user accounts.

Warning issued

FWD Singapore

Sector: Insurance

Incident: Personal data of 71 individuals contained in payment advice letters sent to incorrect recipients due to a system error.

Cause: Failure to detect error during the manual code review process and to conduct unit testing to a reasonable standard.

Warning issued

CDP

Sector: Finance

Incident: Dividend cheques containing personal data of 211 account holders were mailed to outdated addresses due to a coding error in a new IT system.

Cause: Failure to conduct adequate pre-launch tests on its new IT system to simulate expected use and anticipate possible scenarios in order to determine and address coding errors.

S$32,000 financial penalty, in view of the risk of fraud and financial loss arising from the breach

MDIS Corporation

Sector: Training

Incident: Spreadsheet containing personal data of 304 individuals provided for course registration accessible by the public through searches on Google.

Cause: Failure to communicate data protection requirements to its IT system contractors and to conduct thoroughly-scoped security testing of its IT system.

S$10,000 financial penalty, in view of the exposure to the risk of unauthorised disclosure for approximately 6 months

MCST 3400

Sector: Real Estate

Incident: Personal data of 562 individuals stored in an internal directory was accessible by any public user on the Internet.

Cause: Failure to conduct security reviews of its IT systems.

Warning issued, as data breach involved mostly contact information, the organisation took prompt remedial action, and there was no evidence of actual misuse of disclosed data

To ensure compliance with the Protection Obligation, an organisation should ensure that its security measures are reasonable and adequate, taking into account the nature of the personal data it possesses or controls, how it processes personal data and the potential harm that may result from any data breach. 

When using IT systems to process personal data, particularly systems that connect with the Internet, an organisation should ensure that it has robust technological measures in place in respect of those systems, including ensuring that the scope of its system test is broad enough to detect errors and vulnerabilities which may arise from their intended operation (for example, by conducting a sufficient number of test cases and testing for various scenarios) and carrying out periodic security testing of those systems.  An organisation should also ensure that its employees and contractors are sufficiently informed of the data protection obligations under the PDPA.

For More Information

OrionW regularly advises clients on Data Protection matters.  For more information about the PDPA, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general public information only and does not constitute legal advice.