Background
The Personal Data Protection Commission (the “Commission”) received a data breach notification on 14 June 2018 from Grabcar Pte Ltd (“Grabcar”). Grabcar had inadvertently sent an email report on 6 June 2018 (the “Report”) to 9 fleet group partners. The Report contained the name, NRIC number, telephone number, and vehicle rental details of 110,931 Grabcar drivers.
Each fleet partner was supposed to receive a filtered copy of the report, containing only the information of the drivers under its fleet. However, the Report contained information of drivers that were not in the respective fleet partner’s fleet.
It was established that the inadvertent disclosure occurred due to an error in the script written by a software provider engaged by Grabcar. On 4 June 2018, Grabcar had requested the software provider to replicate the schedule for sending out the email report to accommodate a new version of the report. However, the software provider made a mistake in the script, which led to the email filter being set to “all”.
Remedial Actions
Each fleet partner was bound by confidentiality clauses in their partnership agreement with Grabcar, which required the fleet partner to protect personal data received from Grabcar. Upon discovering the inadvertent disclosure, Grabcar contacted the fleet partners and requested that they delete the email containing the Report. The fleet partners confirmed to Grabcar that they had done so, within 40 mins of the email being sent.
The Commission considered the circumstances of the case and accepted an undertaking from Grabcar to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 23 March 2020 (the “Undertaking”).
The Undertaking provides that Grabcar was to:
(a) review its change management process and to ensure that reasonable security checks are made before deploying such changes;
(b) propose an implementation plan for fulfilling the above;
(c) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(d) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(e) provide a status report to the Commission at a time requested by the Commission confirming whether Grabcar has fulfilled each of the specific measures set out in the implementation plan.
Grabcar has since provided the Commission with the status report referred to at para 6(e) above. The Commission has reviewed the matter and determined that Grabcar has complied with the terms of the Undertaking.