Personal Data Protection Updates
On 3 August 2020, the Personal Data Protection Commission released 8 decisions concerning breaches of the Personal Data Protection Act ("PDPA").
At TRS, we have summarised these cases for your convenience as follows:
| Organisation(s) / Key Lapse | Penalty | Category of Key Lapse: Technical | Category of Key Lapse: Process | Category of Key Lapse: People |
|---|---|---|---|---|
| MCST 3400 – NAS accessible from web | Warning | X | | |
| MDIS Corporation Pte Ltd – Website containing personal data indexed by search engine | S$10,000 | X | | |
| The Central Depository (Pte) Limited – Dividend cheques mailed to outdated addresses | S$32,000 | X | | |
| FWD Singapore Pte Ltd – Letters mailed to incorrect recipients | Warning | X | | |
| Jean Yip Salon Pte Ltd – Employee system publicly accessible via internet | Warning | X | | |
| Actstitude Pte Ltd – Website containing resumes indexed by search engine | Warning | X | | |
| Zero1 Pte Ltd and IP Tribe Pte Ltd – Invoices emailed to unintended recipients | Warning | X | | |
| Singapore Accountancy Commission – Folder containing personal data emailed to unintended recipients | S$5,000 | | | X |
| Total (August 2020) | | 7 | 0 | 1 |
Learning Points:
The lack of in-house IT expertise has resulted in many companies being reliant on their outsourced IT functions.
Having outsourced their IT function, management tends to trust that the IT services procured are sufficient.
However, when a data breach occurs, the organisation itself can still be liable for the breach, especially if it did not provide sufficient oversight/instructions to the vendor.
While it is not required for Management to have expert IT knowledge, the following are essential for organisations to remain accountable and compliant with their obligations under the PDPA:
- Be aware of and clearly spell out your security requirements in the contract with your IT vendor.
- Ensure your IT vendor is aware that you intend to use its services to handle personal data so that the system design can take that into account and provide sufficient protection to the personal data.
- Require your IT vendor to produce a report documenting the security and vulnerability testing performed before the system is deployed.
- Consider retaining your IT vendor for regular system maintenance.
- Consider engaging an IT vendor to perform periodic vulnerability assessments of your system and penetration testing for web-facing platforms.
You may also contact us at infotrs@trsforensics.com for a non-obligatory discussion on your data protection and/or cybersecurity needs.
The content of this newsletter is for general information only and does not constitute advice to you. Readers are encouraged to contact us, TRS, at infotrs@trsforensics.com to obtain advice tailored to their particular circumstances. All discussions will be confidential and non-obligatory.
Copyright © TRS Group of Companies. All rights reserved.
90, Lorong 23 Geylang
Agrow Building, #05-01
Singapore 388393