
Round-Up of 2023-2024 PDPC Decisions: Protection of Personal Data Emphasised

Date: March 23, 2025
Author: OrionW

Enforcement decisions of the Personal Data Protection Commission (PDPC) from 2023-2024 reiterate the importance of having robust security measures and data protection policies to comply with the Personal Data Protection Act 2012 (PDPA).

Protection Obligation – Scope and Standard

The PDPC reiterated that the obligations in the PDPA, including the obligation to implement appropriate security measures to protect personal data (Protection Obligation), apply equally to all organisations handling personal data, including social enterprises.  That said, the degree of compliance may vary from organisation to organisation, because organisations must implement security arrangements that are reasonable and appropriate in the circumstances.  In this regard, the PDPC held a telecommunications service provider to a higher security standard due to the nature of its business.  Similarly, a data intermediary handling a high volume of web traffic containing personal data on behalf of e-commerce retailers was also held to a higher standard.

Moreover, not having technical expertise in securing personal data does not excuse an organisation from complying with the Protection Obligation.  The duty to comply with the Protection Obligation also does not cease when an organisation outsources its IT needs to a third party, because organisations should have reasonable oversight over their service provider.  Accordingly, the PDPC found an organisation to have fallen short of the Protection Obligation and fined it S$18,000 for merely relying on its IT vendor contract for the provision of monthly IT system maintenance without ensuring that the vendor actually provided those services.

The Protection Obligation also requires an organisation to carefully screen its IT vendor to ensure it is competent to carry out the contracted service.  In one case, the PDPC fined an organisation S$28,000 for breaching the Protection Obligation because, among other breaches, it failed to verify its IT vendor's competence in maintaining its computer systems.

Password and Multi-Factor Authentication Policies

Several PDPC decisions emphasised the need for a sufficiently robust password policy (e.g., requiring passwords to have a minimum number of characters, a level of complexity and a validity period) to ensure that IT systems are not vulnerable to common hacking attempts such as brute force attacks.  That said, the PDPC faulted an organisation for allowing the use of an easily guessable password even though it met the complexity requirements.  Moreover, having a common password without expiry across all users within an organisation is a breach of the Protection Obligation.
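The point that complexity rules alone are not enough can be made concrete with a small policy check.  The following Python is an added illustration, not code from the PDPC or from any decision discussed here; the deny-list, the 12-character minimum and the 90-day validity period are assumed values chosen for the example.

```python
import re
from datetime import date, timedelta

# Constructed, deliberately short deny-list of easily guessable base words.
# A real deployment would screen against a large list of known-breached passwords.
COMMON_PASSWORDS = {"password", "welcome", "admin", "qwerty", "letmein", "changeme"}
MIN_LENGTH = 12                 # assumed policy minimum
MAX_AGE = timedelta(days=90)    # assumed validity period

# Map common "leet" substitutions back to letters so that P@ssw0rd is seen as password.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "i"})

def meets_complexity(pw):
    """Length plus lower/upper/digit/symbol classes: the bare 'complexity' test."""
    return (len(pw) >= MIN_LENGTH and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"[A-Z]", pw)) and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))

def is_guessable(pw):
    """True if, after stripping trailing digits/symbols and undoing leet
    substitutions, the password is a dictionary-style base word."""
    core = re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET)
    return core in COMMON_PASSWORDS

def evaluate_password(pw, set_on, today, shared=False):
    """Return the list of policy findings for a password (empty list == acceptable).
    set_on/today are ISO dates; shared marks a credential used by several users."""
    findings = []
    if not meets_complexity(pw):
        findings.append("fails length/complexity")
    if is_guessable(pw):
        findings.append("easily guessable")
    if date.fromisoformat(today) - date.fromisoformat(set_on) > MAX_AGE:
        findings.append("expired")
    if shared:
        findings.append("shared across users")
    return findings

if __name__ == "__main__":
    # "Password123!" satisfies every complexity class yet is still rejected.
    print(evaluate_password("Password123!", "2025-01-01", "2025-02-01"))
    # A shared credential that was never rotated collects two further findings.
    print(evaluate_password("Password123!", "2024-01-01", "2025-02-01", shared=True))
```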

Apart from having a sufficiently robust password policy, the PDPC also expects organisations to implement two-factor authentication (2FA) or multi-factor authentication (MFA), particularly if they handle sensitive or large volumes of personal data (unless non-implementation is supported by a good explanation, considering costs, circumstances and the level of data protection risks, among others).

Periodic Reviews and Updates

Organisations must conduct periodic security reviews to detect vulnerabilities, assess security implications and risks, and ensure that security arrangements remain adequate and appropriate.  In this regard, one organisation was faulted for failing to apply firewall patches for several years and for using servers running end-of-life operating systems.  Another organisation was meted out a penalty of $82,000 for a breach involving highly sensitive data of more than 140,000 individuals, resulting from its failure to patch its computer systems for almost 3 years and its failure to conduct regular monitoring for software patches.

Conclusion

The PDPC recognises the ever-evolving cybersecurity threats that put personal data at risk of exfiltration and exposure.  Accordingly, the PDPC has been consistently strict on the implementation and enforcement of the Protection Obligation.  As such, companies handling personal data should be aware of the standards required to ensure the safety and integrity of personal data they process and put in place appropriate security measures to meet those standards.

For More Information

OrionW regularly advises clients on data protection matters.  For more information about data protection or how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
