Learning from the Enforcement case of a professional body for failing to protect the data of its members: Singapore Accountancy Commission

In any Data Protection Management Programme, an organisation should have a data protection governance framework and perform its due care in assessing risks, protecting personal data, sustaining the effort and to have a plan in responding to a data incident. In the case of the protection breach by the Singapore Accountancy Commission, the organisation failed to adequately protect personal data and have a satisfactory induction programme to provide sufficient and sustained protection of personal data.

The Singapore Accountancy Commission (the “Organisation”) mistakenly enclosed a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates and emailed it to 41 unintended recipients between 12 June 2019 and 22 October 2019. The folder comprised information including names, National Registration Identification Card (NRIC) numbers, date of birth, contact details, education and employment information and Singapore Chartered Accountant Qualification examination results. Following the incident, all 41 unintended recipients confirmed the deletion of the email and folder they each received.

This appears to be human negligence as it was reported that the Organisation admitted to “a lack of robust processes to protect personal data when sending emails”. The staff who made the error in attaching the folder to and sending out the email was “not informed of the Organisation’s personal data policies as part of their induction training”. Even as the Organisation had its data protection policies and procedures documented, they were not translated into secure arrangements for the protection of personal data.

Following the incident, the Organisation took immediate remediation action which included training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures on the handling of personal data. A second-tier supervisory check or technical measures to reduce the risk of sending content with personal data to unintended parties could also be set up. This would exemplify what a privacy or data protection management programme would term as a “sustained” effort to maintain awareness, knowledge and demonstrates the application of the learning to data protection.

In the circumstances, the Deputy Commissioner for Personal Data Protection found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against unauthorised access and was in breach of section 24 of the Personal Data Protection Act 2012 (the “PDPA”).

In consideration that the Singapore Accountancy Commission admitted to the breach of the Protection Obligation under the PDPA, cooperated with the Commission’s investigation and took prompt remedial actions, the Organisation was directed to pay a financial penalty of $5,000.

Adapted from:
Breach of the Protection Obligation by Singapore Accountancy Commission,
https://www.pdpc.gov.sg/Commissions-Decisions
by Leong Wai Chong, GRCP, CIPM