pdpc_decisions: 95
Data source: pdpc.gov.sg/All-Commissions-Decisions
_id | _item_id | description | tags | date | pdf-url | nature | title | url | timestamp | pdf-content | decision | _commit | financial_penalties |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
95 | 5d92512ede365ee5b4833ccf184f1d162cd75ac5 | A financial penalty of $5,000 was imposed on Singapore Accountancy Commission for failing to put in place reasonable security arrangements to prevent the unauthorised access of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates’ personal data. | [ "Protection", "Financial Penalty", "Professional", "Scientific and Technical", "Unintended recipient", "Email attachments" ] | 03 Aug 2020 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Singapore-Accountancy-Commission---22062020.pdf | Protection | Breach of the Protection Obligation by Singapore Accountancy Commission | https://www.pdpc.gov.sg/all-commissions-decisions/2020/08/breach-of-the-protection-obligation-by-singapore-accountancy-commission | 2020-08-03 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-1911-B5296 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Singapore Accountancy Commission SUMMARY OF THE DECISION 1. On 18 November 2019, Singapore Accountancy Commission (the “Organisation”) notified the Personal Data Protection Commission (the “Commission”) that a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates was mistakenly enclosed in emails sent to 41 unintended recipients between 12 June 2019 and 22 October 2019. The folder comprised information such as names, National Registration Identification Card numbers, dates of birth, contact details, education and employment information and Singapore Chartered Accountant Qualification examination results. Following the incident, 41 unintended recipients confirmed deletion of the email and folder they each received. 2. The Organisation admitted to a lack of robust processes to protect personal data when sending emails. The staff involved in the sending of the emails were not informed of the Organisation’s personal data policies as part of their induction training. The Organisation’s data protection policies and procedures were not translated into security arrangements for protection of personal data. There were, for example, no second-tier or supervisory checks or technical measures to reduce the risk of sending content with personal data to unintended parties at the time of the incident. 3. Following the incident, the Organisation undertook remediation. This included training sessions on cybersecurity and personal data protection for all employees and revision of policies and procedures on handling of personal data. 4. In the circumstances, the Deputy Commissioner for Personal Data Protection found that the Organisation did not adopt reasonable steps to protect personal data in its possession or under its control against unauthorised access. The Organisation was in breach of the Protection Obligation under section 24 of the Personal Data Protection Act 2012 (the “PDPA”). 5. The Organisation had made an admission of breach of the Protection Obligation under the PDPA, cooperated with the Commission’s investigation and taken prompt remedial actions. 6. On account of the above, the Organisation is directed to pay a financial penalty of $5,000 within 30 days from the date of this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. In view of the remedial actions taken by the Organisation, the Commission will not issue any other directions. | Financial Penalty | 1020 | { "sum": 5000, "max": 5000 } |