Privacy Ninja

A Review of PDPC Undertakings July 2021 Cases

PDPC Undertakings July 2021, two cases to emphasize the importance of employee training in PDPA

In 2014, the Singapore government enacted the Personal Data Protection Act 2012 (PDPA). This law governs the collection, use, and disclosure of personal data by all private organisations. The 2020 amendment of the PDPA introduced new guidelines to further improve the enforcement of the law. Businesses must therefore keep abreast of developments, regulations, and new rulings of the Personal Data Protection Commission (PDPC).

In this article, we review two of the most recent decisions of the PDPC, in particular the remediation plans proposed by the organisations concerned, and how you can take them into consideration for your own business, especially where your employees are concerned.

Let’s take a look at these two cases from PDPC Undertakings July 2021:

July 12: Assisi Hospice, erroneous disclosure via email

A simple mistake, an in-house employee error

Let’s begin with the facts of this case. On 22 September 2020, the PDPC received a data breach notification from Assisi Hospice concerning the erroneous disclosure of its patients’ data via 43 separate emails. These emails were sent to a single unintended external party between January and September. The personal data was contained in an Excel spreadsheet (the Patient List) that is updated periodically to serve as a reference for after-hours on-call employees.

The erroneous sending of the emails was attributed to an Assisi employee’s negligence. Notably, the recipient’s email address was not even an official work email account. It was therefore established that the employee did not follow Assisi’s personal data protection policy, which required the Patient List to be password-protected.

Remedial Actions and Undertaking

The PDPC accepted the undertaking executed by Assisi to improve its compliance with the PDPA by implementing, among others, the following remedial steps:

  • reminded all employees to password-protect email attachments containing personal data and to send the password through a separate channel or in a separate email thereafter;
  • reminded all employees not to send any email containing sensitive and/or confidential data to non-work email accounts; and
  • reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also begin sending quarterly emails to remind employees of the existing personal data protection policies.

The undertaking likewise provided that Assisi would set alerts in its email system to warn the sender whenever the email body or an attachment contains sensitive information that is not password-protected.
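The three controls in Assisi’s undertaking (password-protect attachments, send the password separately, no sensitive data to non-work accounts) and the email-system alert described above can all be checked at the point of sending. The following is an added illustration, not code from the original article or from Assisi Hospice, of what such an outbound check might look like. It assumes a hypothetical work domain (example-hospice.sg) and uses the fact that an unprotected Office file is a plain ZIP archive while a password-protected one is wrapped in an OLE2 compound file, so the first bytes of the attachment reveal whether it was protected. The sample emails and spreadsheets are constructed for the example.

```python
import io
import re
import zipfile
from typing import List, Optional, Sequence, Tuple

# Magic numbers. An unencrypted Office Open XML file (xlsx/docx/pptx) is a plain
# ZIP archive; once password-protected, Office stores the encrypted package inside
# an OLE2 compound file, so the first bytes tell the two apart without opening them.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_SUFFIXES = (".xlsx", ".xlsm", ".docx", ".pptx")

# Assumption: the organisation's approved work domains (hypothetical domain name).
WORK_DOMAINS = {"example-hospice.sg"}

# Singapore NRIC/FIN-shaped tokens: S/T/F/G, seven digits, one check letter.
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b")
# A password quoted in the same email defeats the "separate channel" rule.
PASSWORD_IN_BODY_RE = re.compile(r"\bpassword\b[^.\n]{0,20}?[:\s]\s*\S+", re.IGNORECASE)


def is_password_protected_office(data: bytes) -> Optional[bool]:
    """True/False for an Office file, None if the bytes are not an Office file at all."""
    if data.startswith(OLE_MAGIC):
        return True
    if data.startswith(ZIP_MAGIC):
        return False
    return None


def review_outgoing_email(recipients: Sequence[str], body: str,
                          attachments: Sequence[Tuple[str, bytes]]) -> List[str]:
    """Return the warnings a mail gateway would raise before releasing the message."""
    warnings: List[str] = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in WORK_DOMAINS:
            warnings.append(f"recipient {addr} is not a work email account")
    if NRIC_RE.search(body):
        warnings.append("email body appears to contain NRIC/FIN numbers")
    if PASSWORD_IN_BODY_RE.search(body):
        warnings.append("a password is quoted in the email body; send it through a separate channel")
    for name, data in attachments:
        if name.lower().endswith(OFFICE_SUFFIXES) and is_password_protected_office(data) is False:
            warnings.append(f"attachment {name} is an Office file that is not password-protected")
    return warnings


def make_plain_xlsx() -> bytes:
    """Constructed stand-in for an unprotected spreadsheet: a minimal OOXML-style ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


# Constructed samples, not real files: a plain ZIP-based xlsx and an OLE2 header
# standing in for a password-protected one.
PLAIN_XLSX = make_plain_xlsx()
PROTECTED_XLSX = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    bad = review_outgoing_email(
        ["oncall.roster@personal-mail.example"],
        "Updated patient list attached. The password is hospice2020.",
        [("patient_list.xlsx", PLAIN_XLSX)],
    )
    for w in bad:
        print("WARN:", w)
    print(review_outgoing_email(["dpo@example-hospice.sg"], "Please see attached.",
                                [("patient_list.xlsx", PROTECTED_XLSX)]))
```

The first sample email trips all three policy rules at once (personal recipient, unprotected spreadsheet, password in the same message), which is exactly the combination the Assisi undertaking targets; the second, sent internally with a protected attachment and no password in the body, passes cleanly. A real gateway would also inspect PDFs and archives, but the Office header check alone would have caught the Patient List case.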

The second case from the PDPC Undertakings of July 2021 features a website that was compromised because of an employee’s lack of sufficient technical knowledge.

July 12: Thye Hua Kwan Moral Charities Limited, hacked website

Poor cybersecurity hygiene leads to malicious website access

On 11 April 2020, Thye Hua Kwan Moral Charities Limited (THKMC) notified the PDPC of a data breach following the hacking of its website. Investigations showed that cybercriminals had gained access to THKMC’s web content management system by altering a web configuration file that had been left in an unprotected public directory.

The cause was primarily attributed to the employee tasked with administering the website. He lacked sufficient technical knowledge of, and awareness of, basic website security features and cyber security hygiene. As a result, the personal data of about 550 THKMC volunteers was placed at risk, although no evidence of data loss was reported.
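The weakness in the THKMC case was a configuration file sitting in a public web directory where it could be reached and altered. The following is an added example, not code from the original article or from THKMC, of a small audit that a website administrator could run over a public web root to catch that class of mistake before an attacker does: it flags configuration-style files stored under the public root and any file or directory there that is writable by everyone. The list of configuration filenames is a hypothetical starting point, and the sample directory layout is constructed inside a temporary folder for the example.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Filenames and suffixes that usually hold configuration or secrets and have no
# business inside a public web directory. Hypothetical starting list; extend it
# for the CMS and web server actually in use.
CONFIG_NAMES = {"web.config", ".htaccess", "config.php", "wp-config.php", ".env", "settings.php"}
CONFIG_SUFFIXES = (".config", ".conf", ".ini", ".yml", ".yaml", ".bak", ".old", ".orig")


def looks_like_config(name: str) -> bool:
    lower = name.lower()
    return lower in CONFIG_NAMES or lower.endswith(CONFIG_SUFFIXES)


def audit_public_dir(root: str) -> List[Tuple[str, str]]:
    """Walk a public web root and report exposed or writable items.

    Returns sorted (relative_path, reason) tuples. World-writable directories are
    reported as well, because anyone who can write there can drop or alter files
    that the web server will then serve or execute.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), "world-writable directory under public root"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if looks_like_config(f):
                findings.append((rel, "configuration file stored in public web root"))
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file under public root"))
    return sorted(findings)


def build_sample_root() -> str:
    """Constructed sample layout, not real data: one page, one exposed config file
    with loose permissions, and one upload directory open to everyone."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    os.chmod(os.path.join(root, "index.html"), 0o644)
    with open(os.path.join(root, "cms.config"), "w") as fh:
        fh.write("dbpass=PLACEHOLDER")
    os.chmod(os.path.join(root, "cms.config"), 0o666)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for path, reason in audit_public_dir(sample):
        print(f"{path}: {reason}")
```

Run against the constructed layout, the audit reports cms.config twice (it is a configuration file in the public root, and it is world-writable) and the open uploads directory, while index.html is left alone. The same walk pointed at a real document root gives the administrator a short list of files to move outside the public tree or lock down, which is the hygiene step missing in the THKMC incident.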

Remedial actions and undertaking

In its proposed remediation plan, THKMC committed to the following steps, among others:

  • implemented mandatory annual cyber security training and an online quiz for all THKMC staff. Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cyber security; and
  • implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats.

The PDPC accepted THKMC’s remedial plan and undertaking to improve its personal data protection practices and compliance with the PDPA.

Conclusion

One thing to note about the PDPC cases cited above is that both incidents are traced directly to human error. A superior cybersecurity and robust data protection policy is only as good as how your employees implement it. The most sophisticated software can be rendered ineffective once the employee in charge of it lacks sufficient technical knowledge and training.

It is therefore extremely important to keep abreast of recent decisions of the PDPC, such as these PDPC Undertakings of July 2021. By making public the remedial plans of organisations that have contravened the PDPA, the Commission also provides valuable information for other businesses to consult. This gives them an idea of which points to improve in order to ensure strict adherence to better cybersecurity practices.
