A recent decision by the Personal Data Protection Commission (“PDPC”) emphasised the importance of organisations, at a minimum, engaging a data protection officer and putting protocols in place to ensure compliance with the Personal Data Protection Act (“PDPA”).
On 2 June 2021, the PDPC was notified that ACL Construction (S) Pte Ltd (the “Organisation”) was falsely being advertised for sale on the dark web after its staff learnt that they were unable to log in to retrieve the Organisation’s files. The files included: (i) a quotation folder containing orders, bills and receipts; (ii) a common folder containing information and pictures relating to projects; and (iii) a drawing folder comprising technical illustrations.
The files contained the names of the Organisation’s clients, the responsible contact person, and related business contact details. Such data was beyond the purview of the PDPA, as it is considered business contact information and not personal data. However, the PDPC found that the Organisation did not engage or nominate any person as a Data Protection Officer to monitor its adherence to the PDPA. In addition, the Organisation failed to put in place any protocols for data protection. Accordingly, despite no personal data being compromised in the incident, the Organisation was still found to be in breach of its obligations under the PDPA.
The PDPC noted that following the incident, the Organisation had swiftly addressed the issue by nominating one of its employees to ensure that the Organisation discharges its responsibilities under the PDPA. However, given the Organisation’s relatively weak knowledge of its obligations under the PDPA, the PDPC instructed the Organisation to adhere to the following in place of a financial penalty: (i) to implement protocols to ensure compliance with the PDPA; and (ii) to implement mandatory education and training for its staff on how to adhere to the PDPA when managing personal data.