Background

On 21 May 2018 and 30 May 2018 respectively, the Personal Data Protection Commission (the “Commission”) received complaints from two individuals that HSBC Bank (Singapore) Limited (“HSBC”) had sent them a marketing email (the “Email”) without their consent (the “Incident”). HSBC reported the Incident to the Commission voluntarily on 25 May 2018.
As reported by HSBC, the Email was a “test email”, and HSBC had intended to send it only to its own employees to test its eDM (electronic direct mail) platform. However, due to incorrect configuration settings on the eDM platform, the Email was sent to a significant number of email addresses (more than 100,000). This number included the email addresses of individuals who had withdrawn their consent to receive marketing emails from HSBC. Those individuals received the Email twice, as it was sent once on each of two consecutive days. No personal data was disclosed in the Incident.
Remedial Actions

HSBC rectified the configuration settings immediately upon finding out about the error. In addition, to prevent recurrence of similar incidents, HSBC introduced a checklist to ensure all procedures were adhered to prior to the sending of eDMs. It also cleaned up its existing database.
The Commission considered the circumstances of the case and accepted an undertaking from HSBC to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 20 January 2020 (the “Undertaking”).
The Undertaking provides that HSBC was to:
(a) review and update its procedure for the sending of eDMs using its emailing platform to ensure that any error or omission in setting or configuration does not result in the mass dispatch of eDMs to all email addresses stored in its database;
(b) review the training provided for its employees involved in the eDM process, particularly in the steps necessary to select and verify the correct email addresses;
(c) review the process of retaining and storing email addresses of both current and former customers who have withdrawn consent for the use of their personal data for the sending of marketing or any other eDMs to them, or whose banking accounts have become inactive under HSBC’s applicable terms;
(d) propose an implementation plan for fulfilling the above;
(e) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(f) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(g) provide a status report to the Commission at a time requested by the Commission confirming whether HSBC has fulfilled each of the specific measures set out in the implementation plan.
HSBC has since provided the Commission with the status report referred to at para 5(g) above on 3 April 2020. The Commission has reviewed the matter and determined that HSBC has complied with the terms of the Undertaking.