In August 2020, the Personal Data Protection Commission (PDPC) published decisions finding eight organisations to be in breach of the protection obligation under Section 24 of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). These decisions serve as reminders to organisations of the importance of adopting reasonable security measures to protect personal data in their possession or control against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (Protection Obligation).
These recent cases reveal several causes of the PDPA violations: inadequate code reviews, pre-launch testing and/or periodic security reviews of IT systems (or technology-based features or services); insufficient employee training on data protection policies and practices; failure to communicate data protection requirements to contractors; and a lack of stringent password policies or measures for user or administrative access. Penalties ranged from warnings to a S$32,000 financial penalty.
The table below summarises the recent PDPC decisions, each of which involved a failure to implement reasonable security measures to protect personal data in violation of the Protection Obligation.
To ensure compliance with the Protection Obligation, an organisation should ensure that its security measures are reasonable and adequate, taking into account the nature of the personal data it possesses or controls, how it processes personal data and the potential harm that may result from any data breach.
When using IT systems to process personal data, particularly systems that connect to the Internet, an organisation should ensure that it has robust technological measures in place for those systems. This includes ensuring that the scope of its system testing is broad enough to detect errors and vulnerabilities which may arise from their intended operation (for example, by conducting a sufficient number of test cases and testing for various scenarios) and carrying out periodic security testing of those systems. An organisation should also ensure that its employees and contractors are sufficiently informed of the data protection obligations under the PDPA.
OrionW regularly advises clients on Data Protection matters. For more information about the PDPA, or if you have questions about this article, please contact us at firstname.lastname@example.org.
Disclaimer: This article is for general public information only and does not constitute legal advice.