Privacy Ninja

A Review of PDPC Undertakings July 2021 Cases

PDPC Undertakings July 2021, two cases to emphasize the importance of employee training in PDPA


In 2014, the Singapore government enacted the Personal Data Protection Act of 2012 (PDPA). This law governs the collection, use, and disclosure of personal data by all private organizations. The 2020 amendment of the PDPA introduced new guidelines to further improve the enforcement of the law. Businesses must therefore keep abreast of developments, regulations, and new rulings of the PDPC (the Commission).

In this article, we review two of the most recent decisions of the PDPC, focusing on the remediation plans proposed by the organizations concerned and on how you can apply them to your own business, especially where your employees are involved.

Let’s take a look at these two cases from PDPC Undertakings July 2021:

July 12: Assisi Hospice, erroneous disclosure via email

A simple mistake, an in-house employee error

Let’s begin with the facts of this case. On 22 September 2020, the PDPC received a data breach notification from Assisi Hospice concerning the erroneous disclosure of its patients’ data via 43 separate emails. These emails were sent to a single unintended external party between January and September. The personal data were contained in an Excel spreadsheet (the Patient List) that is updated periodically and serves as a reference for after-hours on-call employees.

The erroneous sending of the emails was attributed to an Assisi employee’s negligence. Notably, the recipient’s email address was not even an official work email account. It was therefore established that the employee did not follow Assisi’s personal data protection policy, which required the Patient List to be password-protected.

Remedial Actions and Undertaking

The PDPC has accepted the undertaking executed by Assisi to improve its compliance with the PDPA by implementing, among others, the following remedial steps:

  • reminded all employees to password-protect email attachments containing personal data and to send the password thereafter in a separate channel or email;
  • reminded all employees not to send any email containing sensitive and/or confidential data to non-work email accounts; and
  • reviewed every department’s work processes in relation to the management of personal data. Its data protection officer would also send quarterly emails reminding employees of the existing personal data protection policies.

The undertaking likewise provided that Assisi would configure its email system to alert the sender whenever an email body, or an attachment that is not password-protected, contains sensitive information.
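The three controls above (password-protected attachments, no personal data to non-work accounts, and a sender-side alert) can be expressed as an outbound mail check. The following is an added example written for this article, not Assisi’s or the PDPC’s own tooling; the work domain, the sensitive-term list and the sample messages are constructed assumptions. Whether an Office attachment is password-protected is inferred from its container format: a plain .xlsx is a ZIP archive, whereas one saved with a password is wrapped in an OLE2 compound file.

```python
"""Outbound e-mail checks modelled on the Assisi undertaking (added example)."""
import re
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Optional

# Domains that count as "work" accounts; constructed assumption for the example.
WORK_DOMAINS = {"example.org"}

# Magic bytes: a plain .xlsx/.docx is a ZIP archive, while an Office file saved
# with a password is wrapped in an OLE2 compound-file container.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXT = (".xlsx", ".xlsm", ".docx", ".pptx")

# Constructed keyword list standing in for a real data-classification rule set.
SENSITIVE_PATTERNS = [re.compile(p, re.I) for p in (r"\bpatient\b", r"\bnric\b", r"\bdiagnos")]


def is_password_protected(data: bytes, filename: str) -> Optional[bool]:
    """True/False for OOXML files; None when the format cannot be judged.

    Legacy .xls/.doc files are OLE2 whether or not they are encrypted, so only
    the modern OOXML extensions are classified here.
    """
    if filename.lower().endswith(OOXML_EXT):
        if data.startswith(OLE_MAGIC):
            return True
        if data.startswith(ZIP_MAGIC):
            return False
    return None


def check_outbound(msg: EmailMessage) -> List[str]:
    """Return a list of findings; an empty list means the mail may be sent."""
    findings: List[str] = []

    # Rule: no sensitive data to non-work accounts.
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain not in WORK_DOMAINS:
            findings.append(f"external recipient: {addr}")

    # Rule: attachments containing personal data must be password-protected.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        protected = is_password_protected(payload, fname)
        if protected is False:
            findings.append(f"unprotected attachment: {fname}")
        elif protected is None:
            findings.append(f"cannot verify protection: {fname}")

    # Rule: alert the sender when the body itself carries sensitive terms.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for pat in SENSITIVE_PATTERNS:
        if pat.search(text):
            findings.append(f"sensitive term in body: {pat.pattern}")
    return findings


def build_message(to: str, body: str, attachment_name: str, attachment: bytes) -> EmailMessage:
    """Construct a sample on-call mail with one attachment (test fixture)."""
    msg = EmailMessage()
    msg["From"] = "oncall@example.org"
    msg["To"] = to
    msg["Subject"] = "On-call list"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    # Constructed mail reproducing the pattern in the case: an unencrypted
    # spreadsheet sent to a personal address with a telling body.
    bad = build_message("nurse@personal-mail.example",
                        "Please find attached the patient list.",
                        "oncall.xlsx", ZIP_MAGIC + b"\x00" * 16)
    for finding in check_outbound(bad):
        print("ALERT:", finding)
```

In a real deployment the same logic would sit in a mail gateway or DLP policy rather than a script; the value of the example is that each undertaking item maps to one concrete, testable rule, which is what an auditor will later ask the organisation to demonstrate.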

This is where hiring an outsourced DPO can help. Appointing a Data Protection Officer (DPO) is mandatory under the PDPA, and an outsourced DPO oversees data protection responsibilities and ensures that the organization complies with the Act. Furthermore, every organization’s DPO should be able to curb instances of PDPA non-compliance, as it is the officer responsible for maintaining the organization’s cybersecurity posture.


The second case in the PDPC Undertakings of July 2021 features a website compromised because of an employee’s lack of sufficient technical knowledge.

July 12: Thye Hua Kwan Moral Charities Limited, hacked website

Poor cybersecurity hygiene leads to malicious website access

On 11 April 2020, Thye Hua Kwan Moral Charities Limited (THKMC) notified the PDPC of a data breach following the hacking of its website. Investigations showed that cybercriminals had gained access to THKMC’s web content management system by altering a web configuration file that had been left in an unprotected public directory.

The cause was primarily attributed to the employee tasked with administering the website, who lacked sufficient technical knowledge and awareness of basic website security features and cybersecurity hygiene. As a result, the personal data of about 550 THKMC volunteers was placed at risk, although no evidence of data loss was reported.
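The root cause here, a configuration file sitting in the public web directory with permissions that allowed it to be modified, is something a routine check can catch before an attacker does. The following audit script is an added example written for this article, not THKMC’s or the PDPC’s tooling; the file-name patterns and the demo directory layout are constructed assumptions, and the script only reports, it never changes anything.

```python
"""Audit a web document root for configuration files and loose permissions (added example)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed list of file names and suffixes that should never be served
# from, or be writable inside, a public web directory.
CONFIG_NAMES = {"web.config", "config.php", "wp-config.php", ".env", "settings.ini", ".htpasswd"}
CONFIG_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".save")


def scan_webroot(root) -> List[Tuple[str, str]]:
    """Return (finding, relative_path) pairs for every file that needs attention.

    finding is one of:
      "config-in-docroot"        a configuration or backup file under the public tree
      "group-or-world-writable"  anyone but the owner can modify the file
    """
    root = Path(root)
    findings: List[Tuple[str, str]] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in CONFIG_NAMES or name.endswith(CONFIG_SUFFIXES):
            findings.append(("config-in-docroot", rel))
        mode = path.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("group-or-world-writable", rel))
    return sorted(findings)


def make_demo_tree() -> Path:
    """Build a constructed document root reproducing the pattern in the case."""
    d = Path(tempfile.mkdtemp(prefix="webroot-"))
    (d / "index.php").write_text("<?php echo 'hello'; ?>\n")
    os.chmod(d / "index.php", 0o644)
    # The mistake: a live config file inside the public tree, writable by all.
    (d / "config.php").write_text("<?php $db_password = 'placeholder'; ?>\n")
    os.chmod(d / "config.php", 0o666)
    (d / "assets").mkdir()
    (d / "assets" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    os.chmod(d / "assets" / "logo.png", 0o644)
    return d


if __name__ == "__main__":
    demo = make_demo_tree()
    for finding, rel in scan_webroot(demo):
        print(f"{finding:24} {rel}")
```

Run against a real document root the script gives the web administrator a short list to act on: move configuration files outside the served tree (or deny access to them in the web server configuration) and tighten permissions so that only the deploying account can write to them. It is the kind of check that the annual training and IT upskilling in THKMC’s undertaking are meant to make routine.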

Remedial actions and undertaking

In its proposed remediation plan, THKMC committed to the following steps, among others:

  • implemented mandatory annual cybersecurity training and an online quiz for all THKMC staff. Staff from the IT department are also required to attend relevant training courses to upgrade their knowledge and competency in cybersecurity; and
  • implemented periodic unannounced phishing exercises to test the alertness of staff to cyber threats.

The PDPC has accepted THKMC’s remedial plans and undertaking to improve its personal data protection practices and compliance with the PDPA.

Conclusion

One thing to note in the PDPC cases above is how directly these incidents are traced to human error. A superior cybersecurity and robust data protection policy is only as good as how your employees implement them. The most sophisticated software can be rendered ineffective once the employee in charge of it lacks sufficient technical knowledge and training.

It is therefore extremely important to keep abreast of recent decisions of the PDPC, such as these PDPC Undertakings of July 2021. By publishing the remedial plans of organizations that have contravened the PDPA, the Commission also provides valuable information for other businesses to study, giving them an idea of which points to improve in order to ensure strict adherence to a better cybersecurity protocol.
