New Singapore Personal Data Protection Regulator Voluntary Undertaking on 20 July 2023

The Singapore Personal Data Protection Commission (“PDPC”) published its latest round of enforcement decisions and voluntary undertakings on 20 July 2023 consisting of 1 voluntary undertaking (Employment and Employability Institute case).

In this client update, we summarise the undertaking and present our key takeaways.

Key takeaways: 

There are several key takeaways from this recent undertaking:

  1. Where the PDPC is investigating more than one case involving the same organisation, it may consider the cases together when deciding what action to take against the organisation. This was the case here: the undertaking was given by Employment and Employability Institute Pte. Ltd. (“e2i”) in respect of 2 separate data breaches of which the PDPC was notified within a short span of time (1st data breach notified on 25 March 2021 (“i-vic Incident”); 2nd data breach notified on 2 June 2021 (“e2i Website Incident”)). As the PDPC was alerted to the 2nd data breach during its investigation into the 1st, the regulator considered both cases involving e2i together.
  2. It is critical for organisations to ensure that their vendors have the necessary cybersecurity frameworks and systems in place for data protection. In the i-vic Incident, the PDPC received a data breach notification from e2i which involved its data intermediary i-vic. Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. It was found that i-vic had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect the personal data in its possession or control. Nevertheless, one reason the PDPC accepted the undertaking was that it was satisfied that, notwithstanding e2i’s failure to stipulate personal data protection requirements in its contract with i-vic, e2i had engaged i-vic on account of i-vic’s good personal data protection policies and processes.
  3. Where there is no evidence to suggest that there has been unauthorised access or data exfiltration, this appears to be a factor in the PDPC’s decision on whether to accept an undertaking. In the e2i Website Incident, the PDPC accepted the undertaking as this was consistent with its practice in respect of other personal data breaches similar to the one that affected e2i’s website, where there was no evidence to suggest that there had been unauthorised access or data exfiltration.
Name of Decision / Undertaking: Employment and Employability Institute Pte. Ltd. (2 personal data breaches)

Summary of Incident:
  Data Breach No. 1 (DP-2103-B8132): Personal data from 2 email accounts of an i-vic employee was downloaded by a malicious actor. i-vic is e2i’s outsourced contact centre and data intermediary.
  Data Breach No. 2 (DP-2106-B8424): When an individual registers for a course, talk or event organised by e2i on e2i’s website, the website would automatically populate and display an individual’s personal data once that individual’s NRIC number is inserted into the website. If an individual uses another person’s NRIC number on e2i’s website, there would be a risk of unauthorised disclosure of personal data by e2i if such use had not been duly authorised.

Type of Potential Breach of the PDPA: Protection Obligation
  Data Breach No. 1 (DP-2103-B8132): The PDPC held that i-vic (as e2i’s data intermediary) had put in place reasonable security arrangements despite the data breach. However, e2i had failed to stipulate reasonable data protection requirements when selecting i-vic as its data intermediary, and in its contract with i-vic. e2i also lacked sufficiently robust processes to protect personal data during transmission. There were at least 18 occasions where e2i’s employees had sent large volumes of personal data to i-vic without any encryption or protection, which was against e2i’s SOP.
  Data Breach No. 2 (DP-2106-B8424): Although personal data of 102,151 individuals was at risk of being disclosed, the impact of the breach was limited as: (i) there was no evidence of exfiltration of the personal data; and (ii) e2i promptly took remediation action after being alerted by the PDPC of the complaint received.

Complaint / Self-reported:
  Data Breach No. 1 (DP-2103-B8132): Self-reported
  Data Breach No. 2 (DP-2106-B8424): Complaint

Number of affected individuals; Types of personal data affected:
  Data Breach No. 1 (DP-2103-B8132): 31,002 individuals. Types of affected personal data: NRIC; partial NRIC number; date of birth; mobile number; landline; email address; residential address; highest qualification; employment details (containing salary, employment status, occupation or company name).
  Data Breach No. 2 (DP-2106-B8424): 102,151 individuals. Types of affected personal data: name; citizenship; union member status; gender; race; highest education level; unemployed since; unemployment duration (months); reason for unemployment; education level detail (field of study, qualification name/title, institution, date of completion); work experience (from, to, company name, industry, job title, job duties, masked last drawn salary/month); background and health (ex-offender, bankruptcy, colour blindness, medical illness, drug abuse); partially masked NRIC; partially masked date of birth; partially masked email address; partially masked postal code; partially masked contact number (home/HP).

Outcome: Voluntary Undertaking; no admission of breach of the PDPA
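The following is an added illustration of the pattern behind the e2i Website Incident, not code from this update or from e2i's systems: a registration form that pre-fills a stored profile from nothing more than an NRIC number, beside a hardened lookup that only returns a record to an authenticated session bound to that same NRIC and that masks what it does return. The profiles, session tokens and function names are constructed for the example.

```python
# Added illustration (not e2i's code): a weak "auto-populate by NRIC" lookup
# beside a hardened version. All records and tokens below are constructed.
from typing import Dict, Optional

# Constructed sample profiles keyed by NRIC (fictitious values).
PROFILES: Dict[str, Dict[str, str]] = {
    "S1234567A": {"name": "Tan Ah Kow", "mobile": "91234567",
                  "email": "tan.ahkow@example.test", "dob": "1980-01-01"},
    "T9876543Z": {"name": "Lim Bee Hoon", "mobile": "98765432",
                  "email": "lim.beehoon@example.test", "dob": "1992-06-30"},
}

# Constructed session table: opaque session token -> NRIC of the logged-in user.
SESSIONS: Dict[str, str] = {"tok-tan": "S1234567A"}


def weak_autopopulate(nric: str) -> Optional[Dict[str, str]]:
    """Vulnerable pattern: whoever types a valid NRIC receives the full record.

    The only check is that the key exists, so the endpoint both discloses
    other people's data and reveals which NRICs are on file.
    """
    return PROFILES.get(nric)


def mask(value: str, keep: int) -> str:
    """Replace all but the last `keep` characters with '*'."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def hardened_autopopulate(session_token: Optional[str], nric: str,
                          sessions: Dict[str, str] = SESSIONS
                          ) -> Optional[Dict[str, str]]:
    """Return a display-safe profile only to the authenticated owner of the NRIC.

    Defensive choices:
    1. An authenticated session is required; the NRIC typed into the form is
       never treated as proof of identity.
    2. The session's identity must equal the NRIC requested, so a logged-in
       user cannot pre-fill someone else's record.
    3. "No session", "wrong user" and "no such NRIC" all return None, so the
       endpoint cannot be used to enumerate which NRICs are on file.
    4. Only the fields the form needs are returned, and they are masked.
    """
    subject = sessions.get(session_token) if session_token else None
    if subject is None or subject != nric:
        return None
    record = PROFILES.get(nric)
    if record is None:
        return None
    local, domain = record["email"].split("@", 1)
    return {
        "name": record["name"],
        "mobile": mask(record["mobile"], 4),
        "email": mask(local, 2) + "@" + domain,
    }


if __name__ == "__main__":
    # Weak lookup: any NRIC string unlocks the full record.
    print(weak_autopopulate("T9876543Z"))
    # Hardened lookup: only the owner's own session gets a masked pre-fill.
    print(hardened_autopopulate("tok-tan", "S1234567A"))
    print(hardened_autopopulate("tok-tan", "T9876543Z"))  # None
```

The hardened function deliberately collapses every failure into the same response; distinguishing "record not found" from "not authorised" would re-create a lookup oracle for NRIC numbers even after the disclosure itself is closed.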