Thursday, March 31, 2022

Breach Of The Protection Obligation By Schools


In this article, we use a recent case to highlight the importance of implementing the Protection Obligation and of hiring an outsourced DPO to help ensure compliance with the PDPA when you collect clients' personal data. This applies to tuition centres, healthcare organisations and any other organisation that collects personal data in the provision of its services.

On July 2, 2021, School A alerted the Personal Data Protection Commission that a parent of a student was able to view and access a student report produced by the Organization via internet search engines.

Following that, the Organization requested that the matter be resolved under the Commission's expedited breach decision procedure and admitted to violating section 24 of the Personal Data Protection Act (the "PDPA"). The Deputy Commissioner for Personal Data Protection ordered the Organization to pay a $10,000 financial penalty within 30 days of receiving the notice accompanying the decision.

To protect clients' personal data and prevent unwanted access, an organisation that stores personal data in website directories or folders must implement procedures that meet the Protection Obligation so that the data is safeguarded.

Furthermore, the Organization stated no clear business need for depending on its sister firm to implement security solutions to protect personal data. When an organisation receives IT services from another member of its group, it should ensure that the latter is obliged by formal agreements or group policies to secure personal data while providing those services.

Implementing the PDPA can be a daunting experience, so an organisation should consider hiring an outsourced DPO in Singapore to ensure that it implements both policies and procedures that comply with the PDPA. Any data breach or non-compliance may lead to the organisation being fined.

Thursday, March 24, 2022

Is Protection Of The Data The Most Important Obligation?

In an article dated 2 November in The Straits Times, it was reported that, of all the breaches up to October 2021, more than 67% of the cases related to a breach of the Protection Obligation. This means companies did not put in place security arrangements to protect the data in their possession. This lack of security protection led to unauthorised access to the data, where hackers may collect, use and disclose it.

In today's highly digitalised business environment, many companies collect personal data in order to serve their customers better. This purpose may turn into a problem if the data is not properly protected and secured.

It is therefore important that companies build trust with their customers by implementing proper data protection strategies.

This may be as simple as setting passwords and limiting access to the data. However, as your data volume grows with expansion, this may no longer be sufficient and will call for a detailed analysis of the data life cycle so that you can implement the right data protection strategies to secure the data.

You can go to the PDPC website to access the wealth of resources available there, or speak to us to see how we may assist you.

Remember that data can give you a business edge; protect it wisely.



Wednesday, March 16, 2022

What Are The Learning Points From A Personal Data Protection Breach In An Organization?

It has been reported on the PDPC website that non-profit Company A has been fined a total sum of 14,000 after its hacked databases were made available for download on hacking forums and Telegram channels.

This fine was the result of data protection infringements under the Personal Data Protection Act (PDPA), as Company A had failed to implement safety measures to protect the personal data of 5,131 members and non-members, as required under the Protection Obligation.

The types of data affected included the names, encrypted passwords, e-mail addresses, telephone numbers and birth dates of the users.

On January 14th, the PDPC also noted that the Company had no written policies and practices and had not appointed a data protection officer (DPO).

In light of this incident, we would like to share the importance of the PDPA and how it can affect your business.

 


Why is PDPA important?

All data collected by a business that is identifiable to an individual needs to be well protected.

With the advancement of technology, this trend has been growing exponentially and is becoming more relevant to business owners.

Failure to comply with the Act will result in serious consequences for businesses, as seen above.

Why is PDPA important for my business?

In today's digital world, companies are evidently collecting more and more personal data. We collect this data to help us grow our business through digital marketing.

It is therefore important for companies to have in place policies and practices to handle these data assets.

More importantly, we should have in place strategies to protect this data.


Friday, March 11, 2022

What Is The Key Learning From This Case Study?

On 19 November 2020 and 20 November 2020, Company A SG and Company B notified the Personal Data Protection Commission of a data breach incident in which an unauthorised third party had gained access to business servers of the Company A Group and managed to exfiltrate information, including personal data of the employees of the Organisations.

As the main Human Resources functions of Company A SG are conducted by Company A US, Company A SG transfers the personal data of its employees to Company A US, where it is stored on Company A US's servers.

On 12 November 2020, the Company A Group information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Company A Group server in the USA.

As a preliminary point, Company A US is responsible for maintaining the security and integrity of the Company A Group system, including its servers, and for implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 ("PDPA") do not apply to Company A US, as it does not process personal data in Singapore.

Whether Company A SG complied with the Transfer Limitation Obligation

- It was determined that Company A SG had not complied with the Transfer Limitation Obligation.

- At the material time, Company A US and certain other Company A group entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 ("GDTA"), which governs the terms on which the various Company A group entities transfer personal data to each other.

- The GDTA contained provisions that required Company A SG to provide, for any personal data transferred from Singapore, a standard of protection comparable to that under the PDPA at the time of the Incident.

In light of Company A SG's breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Company A SG such directions as it deems fit to ensure compliance with the PDPA. This may include directing Company A SG to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.

Company A SG's breach of the Transfer Limitation Obligation was technical, a failure of legal formalities rather than a substantive one.
