The Protection Obligation under Singapore’s Personal Data Protection Act (the “PDPA”) remains the most frequently breached provision of the PDPA, and understandably so, as it forms one of the essential building blocks in preventing the unauthorized disclosure of personal data.
Recent enforcement decisions by the Personal Data Protection Commission (the “Commissioner”) clarify the standards that the PDPC imposes on organizations in their implementation of the Protection Obligation. This article highlights the key takeaways from these enforcement decisions. DPOs, legal counsel and senior executives should familiarize themselves with the requirements set out in these cases.
A case concerning Eatigo International Pte Ltd (“Eatigo”) involved a data leak from Eatigo’s database, which contained the personal data of approximately 2.76 million individuals. Here, the PDPC emphasized that for organizations with substantial personal data assets, maintaining an accurate and up-to-date personal data asset inventory is a prerequisite for complying with the Protection Obligation. An organization that is unaware of what personal data it holds will inevitably fail to extend the required security arrangements to that data.
Organizations that handle a high volume of personal data should also implement reasonable security monitoring to protect that data. This could take the form of periodic security audits that include a reasonable vulnerability assessment of the organization’s IT infrastructure, or security monitoring that detects the exfiltration of sizeable volumes of data based on pre-set limits.
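The volume-based exfiltration monitoring described above, as an added example that is not part of the original article or any product mentioned in it: it sums the records returned to each account over a sliding time window and flags any account that exceeds a pre-set limit. The event format, account names and limits are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample database export events: (timestamp, account, records returned).
# Hypothetical log shape chosen for this example, not taken from any real system.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "svc_reporting", 4_000),
    ("2024-01-10T09:05:00", "svc_reporting", 4_500),
    ("2024-01-10T09:40:00", "svc_reporting", 3_000),
    ("2024-01-10T09:01:00", "api_user_17", 120_000),
    ("2024-01-10T09:20:00", "api_user_17", 150_000),
    ("2024-01-10T10:00:00", "api_user_17", 90_000),
    ("2024-01-10T09:10:00", "batch_job", 40_000),
]


def parse(events):
    """Convert ISO-8601 timestamps to datetime objects."""
    return [(datetime.fromisoformat(ts), acct, n) for ts, acct, n in events]


def flag_bulk_exports(events, limit, window):
    """Return {account: peak records returned within any sliding window}
    for every account whose peak exceeds the pre-set limit."""
    by_acct = defaultdict(list)
    for ts, acct, n in sorted(parse(events)):
        by_acct[acct].append((ts, n))

    alerts = {}
    for acct, rows in by_acct.items():
        start, running, peak = 0, 0, 0
        for ts, n in rows:
            running += n
            # Drop events that fell out of the trailing window.
            while rows[start][0] < ts - window:
                running -= rows[start][1]
                start += 1
            peak = max(peak, running)
        if peak > limit:
            alerts[acct] = peak
    return alerts


if __name__ == "__main__":
    # 100,000 records in any 30-minute window is the constructed limit.
    print(flag_bulk_exports(SAMPLE_EVENTS, 100_000, timedelta(minutes=30)))
```

In practice the limit would be tuned per role (a reporting service legitimately exports more than an interactive user) and the alert routed to the incident response process rather than only printed.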
Cooperation with the Commissioner during the breach investigation stage should not be taken lightly either. Unfortunately for Eatigo, the Commissioner was of the view that Eatigo had provided dilatory, uncooperative and evasive responses to its requests for information. This was taken into account as an aggravating factor when imposing the financial penalty of $62,400 on Eatigo. Organizations are advised to ensure that their key stakeholders have an adequate level of knowledge of the organization’s internal matters so as to render expedient, comprehensive and satisfactory responses to the Commissioner.
It should be noted, however, that an unauthorized disclosure of personal data does not automatically equate to a breach of the Protection Obligation. In a case concerning Sembcorp Marine Ltd (“Sembcorp”), threat actors had exfiltrated personal data by exploiting a zero-day vulnerability present in an application. The personal data affected was sensitive in nature, including the NRIC numbers, passport numbers, bank account details and medical screening results of individuals. However, the Commissioner considered that because Sembcorp had, after discovering the vulnerability (and before the data exfiltration occurred), promptly implemented good practices in its technology systems to try to resolve the issue, such as applying security patches and implementing workarounds recommended by its vendors, it had fulfilled its Protection Obligation of making reasonable security arrangements to protect the data in its possession. Notwithstanding the eventual data leak, no enforcement action was taken by the Commissioner.
Fundamentally, organizations have to pay heed to their obligations under the PDPA. An obvious difference between the two cases was the level of effort and care applied by the respective organizations toward their Protection Obligation, which ultimately resulted in two very contrasting outcomes.
JTJB Singapore Office