Insights

New Singapore Personal Data Protection Regulator’s Decisions and Undertakings on 10 March 2023

Legal Development 13 March 2023 13 March 2023
Asia Pacific
Data Protection & Privacy

The Singapore Personal Data Protection Commission (“PDPC”) published its latest enforcement decisions and voluntary undertakings last Friday (10 March 2023).

In total, there were 2 enforcement decisions (Eatigo case and Sembcorp Marine case) and 1 voluntary undertaking (Putien Restaurant case) published.

In this client update, we summarise the decisions and undertakings and present our key takeaways.

Key takeaways:

There are several key takeaways from these recent decisions and undertaking:

For an organisation to effectively safeguard the personal data in its possession or control, it must first know what its personal data assets are. The surest way to ensure such visibility is to maintain a comprehensive personal data asset inventory. The Eatigo case demonstrates the consequences of not maintaining a proper personal data asset inventory.
In responding to the PDPC’s queries in an investigation, organisations are advised to respond timely and adequately to the PDPC’s queries (including those in the PDPC’s notices to produce specified information and documents (NTPs)). In the Eatigo case, the PDPC appeared to be frustrated by Eatigo’s inadequate responses to the PDPC’s queries which led to the PDPC expanding substantial time and resources when engaging with Eatigo. This led to the PDPC mentioning this as an aggravating factor when determining the financial penalty imposed.
In certain circumstances, the PDPC may accept a voluntary undertaking in lieu of a full investigation as seen in the Putien Restaurant case. A benefit of a voluntary undertaking is that it does NOT amount to an admission of breach of the Personal Data Protection Act 2012 (“PDPA”). Although the PDPC has the full and complete discretion to accept (or reject) a voluntary undertaking, organisations under investigation by the PDPC may consider it appropriate to enter into a voluntary undertaking to potentially ‘enjoy’ the benefit of a non-admission of breach of the PDPA and the non-imposition of a financial penalty (as compared to a full blown PDPC investigation).
The Protection Obligation is still the most breached obligation of the PDPA. Nevertheless, if an organisation can demonstrate that it had appropriate (and reasonable) security arrangements in place prior to an incident, the PDPC will more likely than not consider that the organisation has complied with its Protection Obligation. This appears to be the case in the Sembcorp Marine decision; the organisation took robust steps to ensure that it had good cybersecurity policies and practices in place and that these were carried out on a regular basis; these were considered by the PDPC in deciding the outcome of its investigation.

Name of Decision / Undertaking

Summary of Incident

Type of Potential Breach of the PDPA

Complaint / Self-reported

Number of affected individuals; Types of personal data affected

Outcome

Eatigo International Pte. Ltd.

Personal data breach

A cache of personal data that was suspected to be from Eatigo’s database was being offered for sale on an online forum.

Protection Obligation

Eatigo was held to have failed to maintain the affected database in its personal data asset inventory.

This led to the omission of extant security arrangements to the affected database.

Complaint by a third party

2.74 million individuals

Personal data affected were:

name
email address
telephone number
gender
password in MD5 hash; and
Facebook ID number and token which provide access to users’ Facebook accounts and their Eatigo’s accounts

Breach of the Protection Obligation

Fine of SGD62,400

Sembcorp Marine Ltd

Personal Data breach

Sembcorp was the subject of a data breach involving an exploitation of the Log4J zero-day vulnerability which affected millions of computers worldwide in late 2021/early 2022.

Protection Obligation

The PDPC held that Sembcorp Marine had made reasonable security arrangements to protect personal data it possessed and/or controlled because:

Good practices in relation to its ICT systems were adopted including
- a cybersecurity testing programme,
- regular vulnerability assessment and penetration testing,
- and cyber security monitoring

Self-reported

25,925 individuals

Personal data affected included:

name
address
email address
NRIC number
telephone number
passport number
photograph
date of birth
bank account details
salary
medical screening results

No breach of the PDPA

Putien Restaurant Pte. Ltd.

Personal Data Breach

Putien suffered a ransomware attack that encrypted personal data of 350 employees.

A threat actor used stolen administrator account credentials to access Putien's network through a remote desktop protocol port. As a result, its servers containing personal data were accessed and encrypted by ransomware.

Protection Obligation

The PDPC noted that there was no evidence of exfiltration of personal data.

Putien took immediate remedial action to address the cause of the personal data breach including:

development of IT security policies and procedures
implementation of IT security measures
conduct of IT audit reviews
conduct of cyber/data protection awareness training for key employees who handle personal data

A voluntary undertaking was submitted by Putien to the PDPC.

Self-reported

350 individuals

Personal data affected:

full names
contact numbers
NRIC
work permit
passport numbers
birth certificate and education certificate images
bank account numbers

Voluntary Undertaking; no admission of breach of the PDPA

To discuss what this latest development in data protection enforcement decisions and undertakings may mean to you, please reach out to the author below:

End

Authors:

Zhen Guang Lam

Senior Associate

Themes:

Data Protection & Privacy

Stay up to date with Clyde & Co

Subscribe here