The decisions published by the Personal Data Protection Commission (PDPC) in September 2020 highlight the need for organisations to undertake the following measures:

1. Impose contractual data protection obligations on vendors that will possess or access personal data and supervise those vendors’ work.  Vendor contracts executed before the Personal Data Protection Act 2012 (PDPA) fully took effect in July 2014, but which continue in force after such date, should be reviewed (and where necessary, revised) to ensure vendors put in place adequate measures to comply with the PDPA
2. Implement a password management policy which requires passwords which are strong, complex and changed periodically.
3. Conduct properly-scoped testing of new or updated IT features, including simulating possible scenarios arising from their deployment and use.
4. Cease retaining personal data that are no longer necessary for the purposes of their collection or for legal or business purposes.
5. If a data breach occurs, voluntarily and fully cooperate with authorities and promptly implement remedial actions.

‍Cases

       A. Singapore Medical Association (SMA)

An unauthorised user hacked an SMA corporate email account and sent emails containing the personal data of 68 individuals to an external email address.  SMA was found to have breached the PDPA for failing to adopt reasonable steps to protect personal data in its possession or control against risk of unauthorised access.  In particular, SMA failed to conduct periodic security reviews of its IT system and to consider the need for security enhancement measures (such as anti-brute force measures) when handling financial information.  In addition, there was no periodic change to account passwords.  The PDPC issued a warning to SMA with no further directions, as SMA had taken actions to address the gaps in its security arrangements.

      B. Civil Service Club (CSC) and Singapore Telecommunications Limited (Singtel)

The CSC and Singtel cases both involved unintended access to personal data via online platforms developed by third-party vendors.

Singtel was found not to have breached the PDPA as (1) it imposed contractual data protection obligations on its vendor, conducted audits to ensure the effectiveness of its vendor’s IT controls and processes and conducted annual mandatory PDPA and cybersecurity training for its vendor’s employees and (2) it conducted reasonably-scoped pre-launch tests for updates to its online platform.

Conversely, the PDPC imposed a financial penalty of S$20,000 on CSC for failing to put in place reasonable security arrangements in its dealings with its vendor, leading to unauthorised access of 1,770 members’ personal data.  While CSC’s contract with its vendor was executed before the PDPA took effect, the vendor’s work for CSC continued after the PDPA fully came into force.  CSC was therefore responsible for revising its vendor contract to impose data protection obligations on its vendor.  CSC also failed to review and update its software systems design and to implement technical and other measures to protect personal data on its IT system and online portal.

      C. Grabcar Pte Ltd (Grabcar)

Due to an erroneous deployment of a prior update on its mobile application, the profile data of 5,651 GrabHitch drivers and booking details were exposed to the risk of unauthorised access.  Upon discovering the incident, Grabcar rolled back the updates and notified the affected individuals.  It also put measures in place to prevent future unauthorised transfers, conducted automated tests and reviewed relevant applications and codes and testing and governance procedures.

Grabcar breached its obligation to put in place reasonable security arrangements to protect personal data as it failed to conduct properly-scoped testing of its application updates to simulate possible scenarios for detecting anticipated errors.  As it is Grabcar’s fourth PDPA breach, the PDPC imposed a financial penalty of S$10,000 and directed Grabcar to implement a data protection by design policy for its mobile applications.

     D. Singapore Red Cross Society (RCS)

Hackers exploited a weak administrator password to gain unauthorised access to almost 4,300 individuals’ personal data stored in a database accessible via the RCS website.  After discovering the incident, RCS took immediate steps to remove the database, put in place additional security measures and inform various public authorities and all affected individuals of the incident.  RCS fully cooperated with authorities and admitted (1) its failure to supervise the IT vendor which developed the database and failure to conduct regular security reviews  on its IT systems and (2) its retention of around 900 individuals’ data without any legal or business purpose.  

The PDPC found that RCS breached the protection and retention limitation obligations under the PDPA.  However, due to the RCS’s upfront voluntary admission and comprehensive remedial actions, the PDPC reduced the financial penalty to S$5,000 on an exceptional basis.

For More Information

OrionW regularly advises clients on Data Protection matters.  For more information about the PDPA, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general public information only and does not constitute legal advice.

‍