Learning from the Enforcement case of a professional body for failing to protect the data of its members: Singapore Accountancy Commission

21 Dec, 2020

In any Data Protection Management Programme, an organisation should have a data protection governance framework and exercise due care in assessing risks, protecting personal data, sustaining the effort and having a plan for responding to a data incident. In the case of the data protection breach by the Singapore Accountancy Commission, the organisation failed to adequately protect personal data and lacked a satisfactory induction programme to provide sufficient and sustained protection of personal data.

The Singapore Accountancy Commission (the “Organisation”) mistakenly enclosed a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates and emailed it to 41 unintended recipients between 12 June 2019 and 22 October 2019. The folder comprised information including names, National Registration Identification Card (NRIC) numbers, date of birth, contact details, education and employment information and Singapore Chartered Accountant Qualification examination results. Following the incident, all 41 unintended recipients confirmed the deletion of the email and folder they each received.

This appears to be human negligence, as it was reported that the Organisation admitted to “a lack of robust processes to protect personal data when sending emails”. The staff member who made the error of attaching the folder and sending out the email was “not informed of the Organisation’s personal data policies as part of their induction training”. Although the Organisation had its data protection policies and procedures documented, they were not translated into secure arrangements for the protection of personal data.

Following the incident, the Organisation took immediate remediation action, which included training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures on the handling of personal data. A second-tier supervisory check or technical measures to reduce the risk of sending content with personal data to unintended parties could also be set up. This would exemplify what a privacy or data protection management programme would term a “sustained” effort: maintaining awareness and knowledge, and demonstrating that the learning is applied to data protection.

In the circumstances, the Deputy Commissioner for Personal Data Protection found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against unauthorised access and was in breach of section 24 of the Personal Data Protection Act 2012 (the “PDPA”).

Taking into account that the Singapore Accountancy Commission admitted to the breach of the Protection Obligation under the PDPA, cooperated with the Commission’s investigation and took prompt remedial actions, the Organisation was directed to pay a financial penalty of $5,000.

Adapted from: Breach of the Protection Obligation by Singapore Accountancy Commission

by Leong Wai Chong, GRCP, CIPM
