New Singapore Personal Data Protection Regulator Voluntary Undertaking on 20 July 2023

  • Legal Development, 24 July 2023
  • Asia Pacific

  • Data Protection & Privacy

The Singapore Personal Data Protection Commission (“PDPC”) published its latest round of enforcement decisions and voluntary undertakings on 20 July 2023 consisting of 1 voluntary undertaking (Employment and Employability Institute case).

In this client update, we summarise the undertaking and present our key takeaways.

Key takeaways:

There are several key takeaways from this recent undertaking:

  1. Where the PDPC is investigating more than one case involving the same organisation, it may consider the cases together when deciding what actions to take against the organisation. This was the case here – the undertaking was made by Employment and Employability Institute Pte. Ltd. (“e2i”) in respect of 2 separate data breaches of which the PDPC was notified within a short span of time (1st data breach notified on 25 March 2021 (“i-vic Incident”); 2nd data breach notified on 2 June 2021 (“e2i Website Incident”)). As the PDPC was alerted to the 2nd data breach during its investigation into the 1st data breach, the regulator considered both cases involving e2i together.
  2. It is critical for organisations to ensure that their vendors have the necessary cybersecurity frameworks and systems in place for data protection. In the i-vic Incident, the PDPC received a data breach notification from e2i which involved its data intermediary i-vic. Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. It was found that i-vic had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. Nevertheless, one reason the PDPC accepted the undertaking was that it was satisfied that, notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes.
  3. Where there is no evidence to suggest that there has been unauthorised access or data exfiltration, this appears to be a factor in the PDPC’s decision-making on whether to accept an undertaking. In the e2i Website Incident, the PDPC accepted the undertaking as this was consistent with the PDPC’s practice with respect to other personal data breaches similar to the one that affected e2i’s website, where there was no evidence to suggest that there had been unauthorised access or data exfiltration.
Summary of the undertaking

Name of Decision / Undertaking: Employment and Employability Institute Pte. Ltd. – 2 personal data breaches

Summary of Incident:

Data Breach No. 1 (DP-2103-B8132) – Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. i-vic is e2i’s outsourced contact centre and data intermediary.

Data Breach No. 2 (DP-2106-B8424) – When an individual registers for a course, talk or event organised by e2i on e2i’s website, the website would automatically populate and display the individual’s personal data once the individual’s NRIC number was entered into the website. If an individual entered another person’s NRIC number on e2i’s website, there would be a risk of unauthorised disclosure of personal data by e2i if such use had not been duly authorised.

Type of Potential Breach of the PDPA: Protection Obligation

Data Breach No. 1 (DP-2103-B8132) – The PDPC held that i-vic (as e2i’s data intermediary) had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary, and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect personal data during transmission. There were at least 18 occasions where e2i’s employees had sent large volumes of personal data to i-vic without any encryption or protection, which was against e2i’s SOP.

Data Breach No. 2 (DP-2106-B8424) – Although personal data of 102,151 individuals was at risk of being disclosed, the impact of the breach was limited as: (i) there was no evidence of exfiltration of the personal data; and (ii) e2i promptly took remediation action after being alerted by the PDPC of the complaint received.

Complaint / Self-reported:

Data Breach No. 1 (DP-2103-B8132) – Self-reported

Data Breach No. 2 (DP-2106-B8424) – Complaint

Number of affected individuals; Types of personal data affected:

Data Breach No. 1 (DP-2103-B8132) – 31,002 individuals

Types of affected personal data:

  • NRIC
  • Partial NRIC number
  • Date of birth
  • Mobile Number
  • Landline
  • Email Address
  • Residential Address
  • Highest Qualification
  • Employment Details – containing salary, employment status, occupation or company name

Data Breach No. 2 (DP-2106-B8424) – 102,151 individuals

Types of affected personal data:

  • Name
  • Citizenship
  • Union member status
  • Gender
  • Race
  • Highest education level
  • Unemployed since
  • Unemployment duration (months)
  • Reason for unemployment
  • Education level detail (field of study, qualification name/title, institution, date of completion)
  • Work experience (from, to, company name, industry, job title, job duties, masked last drawn salary/month)
  • Background and health (ex-offender, bankruptcy, colour blindness, medical illness, drug abuse)
  • Partially masked NRIC
  • Partially masked date of birth
  • Partially masked email address
  • Partially masked postal code
  • Partially masked contact number (Home/HP)

Outcome: Voluntary Undertaking; no admission of breach of the PDPA


To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:
