New Singapore Personal Data Protection Regulator Voluntary Undertaking on 20 July 2023

  • Legal Development 2023年7月24日 2023年7月24日
  • 亚太地区

  • 数据保护与隐私权

The Singapore Personal Data Protection Commission (“PDPC”) published its latest round of enforcement decisions and voluntary undertakings on 20 July 2023 consisting of 1 voluntary undertaking (Employment and Employability Institute case).

In this client update, we summarise the undertaking and present our key takeaways.

Key takeaways: 

There are several key takeaways from this recent undertaking:

  1. Where the PDPC is investigating more than one case involving the same organisation, it may consider the cases together when deciding what actions to take against the organisation. This was the case here – the undertaking was made by Employment and Employability Pte. Ltd. (“e2i”) in respect of 2 separate data breaches which the PDPC was notified within a short span of time (1st data breach notified on 25 March 2021 (“i-vic Incident”); 2nd data breach notified on 2 June 2021 (“e2i Website Incident”). As the PDPC was alerted of the 2nd data breach during its investigation in the 1st data breach, the regulator considered both cases involving e2i together. 
  2. It is critical for organisations to ensure that its vendors have the necessary cybersecurity frameworks and systems in place for data protection. In the i-vic Incident, the PDPC received a data breach notification from e2i which involved its data intermediary i-vic. Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. It was found that i-vic had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. Nevertheless, a reason that the PDPC accepted the undertaking as it was satisfied that notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes. 
  3. Where there is no evidence to suggest that there has been unauthorised access or data exfiltration, it appears this could be a factor in the PDPC’s decision-making on whether to accept an undertaking. In the e2i Website Incident, The PDPC accepted the undertaking as this was consistent with the PDPC’s practice with respect to other personal data breaches similar to the one that affected e2i’s website, where there was no evidence to suggest that there has been unauthorised access or data exfiltration. 
Name of Decision / Undertaking Summary of Incident Type of Potential Breach of the PDPA Complaint / Self-reported Number of affected individuals; Types of personal data affected Outcome
Employment and Employability Institute Pte. Ltd.

2 Personal Data breaches

Data Breach No. 1 (DP-2103-B8132)

Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. i-vic is e2i’s outsourced contact centre and data intermediary.

Data Breach No. 2 (DP-2106-B8424)

When an individual registers for a course, talk or event organised by e2i on e2i’s website, the website would automatically populate and display an individual’s personal data once an individual’s NRIC number is inserted into the website. If an individual uses the person’s NRIC number on e2i’s website, there would be the risk of unauthorised disclosure of personal data by e2i if such use had not been duly authorised.

Protection Obligation 

Data Breach No. 1 (DP-2103-B8132)

The PDPC held that i-vic (as e2i’s data intermediary) had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary, and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect personal data during transmission. There were at least 18 occasions where e2i’s employees had sent large volumes of personal data to i-vic without any encryption or protection, which was against e2i’s SOP. 

Data Breach No. 2 (DP-2106-B8424)

Although personal data of 102,151 individuals was at risk of being disclosed, the impact of the breach was limited as: (i) there was no evidence of exfiltration of the personal data; and (ii) e2i promptly took remediation action after being alerted by the PDPC of the complaint received.

Data Breach No. 1 (DP-2103-B8132)

Self-reported

Data Breach No. 2 (DP-2106-B8424)

Complaint

Data Breach No. 1 (DP-2103-B8132)

31,002 individuals

Types of affected personal data:

  • NRIC
  • Partial NRIC number
  • Date of birth
  • Mobile Number
  • Landline
  • Email Address
  • Residential Address
  • Highest Qualification
  • Employment Details – containing salary, employment status, occupation or company name


Data Breach No. 2 (DP-2106-B8424)

102,151 individuals

  • Name
  • Citizenship
  • Union member status
  • Gender
  • Race
  • Highest education level
  • Unemployed since
  • Unemployment duration (months)
  • Reason for unemployment
  • Education level detail (field of study, qualification name/title, institution, date of completion)
  • Work experience (From, to, company name, industry, job title, job duties, masked last drawn salary/month)
  • Background and health (Ex-offender, bankruptcy, colour blindness, medical illness, drug abuse)
  • Partially masked NRIC
  • Partially masked date of birth
  • Partially masked email address
  • Partially masked postal code
  • Partially masked contact number (Home/HP)
Voluntary Undertaking; no admission of breach of the PDPA

 

 

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:

结束

掌握其礼的最新消息

注册您的邮箱,获取其礼最新消息!