“Testing, Testing and more Testing...” - A study on PDPC Enforcement Cases

2020-12-14

After a couple of months’ hiatus, Singapore’s Personal Data Protection Commission published a total of eight enforcement decisions on their website. This article provides summaries of two enforcement decisions that resulted in the two highest financial penalties in this set of enforcement decisions and the learning points for all DPOs and privacy professionals to heed.

As the title of this article suggests, these two decisions set the expectations by the regulator on what organisations need to do when rolling out new information systems or solutions that involve the collection, usage, disclosure and storage of personal data.


MDIS Corporation Pte Ltd [2020] SGPDPC 11


WHAT HAPPENED: PDPC acted upon two complaints in 2019 from an individual who did a vanity search of her NRIC and found that she was able to access an Excel spreadsheet containing personal data of course participants who had signed up for courses with MDIS Corporation. This spreadsheet contained personal data of 304 individuals, such as name, NRIC, citizenship and email addresses. The spreadsheet was linked to an online form on MDIS’ website.

WHAT WENT WRONG: PDPC discovered that MDIS did not have written contracts with the developer of the website and that there was no evidence that MDIS had communicated data protection requirements to the website vendor. PDPC also determined that when MDIS did pre-launch testing of the website, which included the online form, the test was not scoped to discover risks. The scope also omitted security testing.

REGULATOR’S DECISION: A financial penalty of $10,000 was imposed.


IMPORTANT LESSONS FOR PRIVACY PROFESSIONALS AND DPOs:


  • This case reiterates the importance of having data processing contracts in place with third party vendors, especially if the third party vendor is going to process personal data.
  • The case also highlights the need for information security to be made part of the testing of a solution, especially if the solution involves the collection, use, disclosure or storage of personal data. This is what a Data Protection Impact Assessment and a data protection by design approach call for, especially when rolling out information systems and/or solutions involving personal data.


The Central Depository (Pte) Limited [2020] SGPDPC 12


WHAT HAPPENED: The CDP notified PDPC that dividend cheques of some of their account holders had been mailed to outdated addresses, resulting in disclosure of their personal data to other individuals. The personal data that was disclosed in the cheque mailers included (1) Name, (2) NRIC, (3) CDP Account No, (4) Name of security, (5) Quantity of security held and (6) dividend account.

WHAT WENT WRONG: The root cause was a coding error in the CDP’s Dividend Cheque Module, introduced when the company migrated from one software solution to another for their post-trading processing. PDPC found that the CDP did not conduct sufficient test scenarios, such as the scenario of a change of address, and that they had not conducted testing in a “simulated real world usage” of the new system. In addition, they did not have a sufficient number of test cases to conduct proper tests. The PDPC held that if these had been done, there would have been a “reasonable chance” that the coding error in the Dividend Cheque Module would have been detected and could have been rectified.

REGULATOR’S DECISION: A financial penalty of $32,000 was imposed. This penalty is largely because personal data of a financial and sensitive nature was involved. PDPC also held that the risk of actual financial loss to the affected individuals was an aggravating factor, as they would have been deprived of the use of the funds in the dividend cheques which they would otherwise have had access to if the cheques had been banked in.


IMPORTANT LESSONS FOR PRIVACY PROFESSIONALS AND DPOs:


  • Similar to the enforcement decision on MDIS, this case shows that there is a need for rigorous and comprehensive testing to be done, especially if the system or solution in question involves personal data of a sensitive nature and would have a significant impact on the affected individuals. In this case, the personal data involved included financial and government-issued identification numbers like the NRIC.
  • This case illustrates the need for a Data Protection Impact Assessment to be carried out when there is a migration from one software solution to another.


In both of these cases, the DPO should be involved in such projects involving information systems to ensure that data protection risks are flagged during the testing phase.

While these two decisions did not mention which functions were involved in the projects, it is important for project managers leading such projects to make the DPO a part of the project team.


Written by: Josiah Poh (CIPM, CIPP/A, CIPT, CIPP/E, FIP), Senior Manager (Consultancy & Legal), Data Protection Officer, Straits Interactive Pte Ltd


The views and opinions expressed in this article are summarised as interpreted by the author and may not necessarily reflect the official view or position of DPEXNetwork nor the PDPC.


