Background

On 28 August 2017, the Personal Data Protection Commission (the “Commission”) received a data breach notification from JK TruData Solutions Pte Ltd (“JK TruData”) regarding a print job request via email (the “Email”) that it had received from NEC Asia Pacific Pte Ltd (“NEC”). The Email enclosed personal data that had been received by NEC from the common end customer (“Customer”) of both NEC and JK TruData (the “Incident”). JK TruData informed the Commission that it was not the intended recipient of the Email.
The Commission’s investigations showed that NEC employed a two-step process when sending relevant data to appointed printing vendors: (a) first, NEC would send the relevant data to the printing agent via an automated email function; (b) thereafter, NEC would follow up manually with an email to confirm receipt of the automated email. NEC’s SOP required the staff doing this to check that the recipient was correct before sending the email, and required all confidential data to be encrypted. In this Incident, the mistake was made at the second step: an NEC employee sent the follow-up email (containing the same content and attachment as the automated email, without any encryption) to JK TruData instead of the correct printing agent.
Although the Commission’s investigation findings suggested that NEC had not fully complied with its obligations under the PDPA, the Commission recognised that there was limited impact from the disclosure. The Commission found that disclosure of personal data had been limited to two authorised printing vendors of the Customer, one of which was JK TruData itself, both of which were already bound by contract to the Customer to keep such information confidential. JK TruData was also already familiar with the types of personal data contained within the attachment, and there was no further disclosure by NEC beyond JK TruData. The Deputy Commissioner also recognised that the Incident did not arise from a lack of controls, but rather that the controls put in place by NEC were not sufficiently robust. In addition, NEC had made efforts to address the concerns raised in this case and to improve its personal data protection practices.
Undertaking

The Commission considered the circumstances of the case and accepted an undertaking from NEC to improve its compliance with the PDPA (the “Undertaking”). In particular, the Commission noted that there was limited impact from the disclosure as JK TruData was contractually obliged to keep confidential any personal data received. The Incident was also an isolated incident caused by human error and not a systemic problem.
The Undertaking provided that NEC was to:
(a) engage an external consultant to review its confirmation process to prevent future recurrence of the issue. In particular, to further consider automating the email sending process;
(b) enhance the PDPA training for its staff handling personal data;
(c) implement adequate safeguards for the transmission of personal data to third parties;
(d) propose an implementation plan for fulfilling the above; and
(e) provide a status report to the Commission at a time requested by the Commission confirming whether NEC has fulfilled each of the specific measures set out in the implementation plan.
NEC has since provided the Commission with the implementation plan and status report referred to at para 5(d) & (e) above. The Commission has reviewed the matter and determined that NEC has complied with the terms of the Undertaking.