The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing the GIRO application forms submitted by its patients. Personal data of 87 individuals were affected, namely, names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits.
It was established that SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of the package was only discovered 3 weeks after the incident when SHP checked with the relevant banks on the status of the GIRO applications.
After the incident, as part of a remediation plan, SHP:
(a) conducted a process review and decided to utilize courier companies with real-time tracking for deliveries of packages containing confidential information;
(b) worked with relevant banking institutions to provide confirmation of receipt of any SHP parcel within the next working day; and
(c) rolled out additional processes to reduce the risk of loss of hardcopy documents.
Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”).
The Undertaking provided that SHP has to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would also conduct the necessary training for its employees and ensure their compliance with the changes in its policies.
SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking.