Background
The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed.
It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked.
Remedial Actions
e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees.
The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”).
The Undertaking provides that e2i was to:
(a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees;
(b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately;
(c) propose an implementation plan for fulfilling the above;
(d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(f) provide a status report to the Commission at a time requested by the Commission confirming whether e2i has fulfilled each of the specific measures set out in the implementation plan.
e2i has since provided the Commission with the status report referred to at para 6(f) above on 2 January 2020. The Commission has reviewed the matter and determined that e2i has complied with the terms of the Undertaking.