pdpc_undertakings_version: 10
| _id | _item | _version | _commit | id | organisation | url | timestamp | pdf-url | _item_full_hash |
|---|---|---|---|---|---|---|---|---|---|
| 10 | 10 | 1 | 1002 | 10 | Assisi Hospice | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Assisi-Hospice | 2021-07-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Assisi-Hospice.pdf | 6da64627482a4a49959e7ea17fd01c5d589ee8af |

description:

Background

The Personal Data Protection Commission (the “Commission”) received a data breach notification on 22 September 2020 from Assisi Hospice (“Assisi”). Assisi had disclosed personal data of its patients (“Patients”) via 43 separate emails (“Emails”) sent erroneously to a single unintended external party between January and September 2020. The personal data was contained in a list set out in an Excel spreadsheet (“List”) attached to the Emails and updated periodically. The List was meant to serve as an easy reference for after-hours on-call employees, especially when Patients’ data was difficult to access, such as when the system containing the electronic patient records was undergoing maintenance. The List included the names, addresses, contact numbers, NRIC numbers and disease classifications of 1,593 Patients (cumulative number over the 43 occasions). The disease classifications are referenced from the International Classification of Diseases.

It was established that the disclosure occurred because an Assisi employee sent the Emails to an erroneous email address belonging to an external party. Notably, the erroneous email address was not an official work email account. The employee had also not followed Assisi’s existing personal data protection policy, which required the List to be password protected.

Remedial Actions

After the incident, as part of the remediation plan, Assisi:
(a) ceased the practice of distributing a soft-copy List containing personal data of the Patients to its after-hours on-call employees (including via email) and required such employees to refer to the electronic patient records instead;
(b) reminded all employees to password protect email attachments containing personal data and to send the password through a separate channel, or in a separate email afterwards. Where an email has no attachment, employees were required to mask personal data in the email body itself;
(c) reminded all employees to use only work email accounts for communication of work-related items, and not to send any email containing sensitive and/or confidential data to non-work email accounts; and
(d) reviewed every department’s work processes in relation to the management of personal data.
Its data protection officer would also begin sending quarterly emails to remind employees of the existing personal data protection policies.

Undertaking

Having considered the circumstances of the case, including the remedial steps taken by Assisi to improve its personal data protection practices, the Commission accepted an undertaking from Assisi to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 16 December 2020 (the “Undertaking”). The Undertaking provided that Assisi was to complete the implementation of its remediation plan, namely to set alerts in its email system to warn the sender whenever there is sensitive information such as an NRIC number or FIN in the email body, and/or whenever there is an NRIC number or FIN in an attachment that is not password protected. Assisi has since updated the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that Assisi has complied with the terms of the Undertaking.

pdf-content:

VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Info-communications Media Development Authority, designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by:

Assisi Hospice
UEN: 201208993Z
Registered Address: 80 Raffles Place, #32-01, UOB Plaza, Singapore 048624
(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS

1.1 In this Undertaking:
(a) “Commission’s Letter” means the letter dated 15 December 2020 from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto;
(b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and
(c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012).

2. ACKNOWLEDGEMENTS

2.1 The Organisation hereby acknowledges the following matters:
(a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation which potentially infringe one or more of the Data Protection Provisions.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation is already implementing the remediation plan set out in clause 3 below.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.

2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking (which, to avoid doubt, includes the Commission’s Letter), and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part.

3. UNDERTAKINGS

3.1 The Organisation undertakes that it has taken, or will take, all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance with the stipulated timelines.

3.2 In addition, the Organisation undertakes to provide, and will ensure that it provides, all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants.

4. COMMENCEMENT

4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking.

5. THE COMMISSION’S STATUTORY POWERS

5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1.

5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above.

5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter.

5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Nor shall it be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent.

6. VARIATION

6.1 This Undertaking may be varied only with the express written agreement of the Commission.

This document has been electronically signed by the Info-communications Media Development Authority and Assisi Hospice. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.

SIGNED, for and on behalf of Assisi Hospice (name, designation and date fields are blank in the published copy).
ACCEPTED, for and on behalf of the Personal Data Protection Commission, by the Deputy Commissioner for Commissioner for Personal Data Protection (name and date fields are blank in the published copy).

SCHEDULE A

| # | Causes of Incident | Remediation Plan | Target Completion |
|---|---|---|---|
| 1 | Human error | Cease with immediate effect the distribution of the softcopy patient list to after-hours on-call staff. Staff to use electronic patient records for reference instead. | Completed |
| 2 | No enforcement of the existing personal data protection policy, comprising a password policy with regard to the sending of confidential information via email | Enhance the data protection policy to comprise the following: ensure attachments in emails are password protected and send the password in a separate channel or a separate email (the latter only when WhatsApp or SMS is not possible); use only official work email accounts for communication of all work-related items; do not send out any emails containing sensitive and/or confidential data to a non-corporate/personal email address (e.g. Gmail or Yahoo); mask personal data in the body of emails without attachments; DPO to send quarterly emails to remind staff of the policies. | Completed |
| 3 | Failure of administrative officer to ensure work processes are in line with the existing data protection policy | Review every department’s detailed work process in relation to management of personal data. | Completed |
| 4 | Absence of alerts to warn the sender when an email contains sensitive information | Set alerts in Office 365 to alert the sender whenever there is sensitive information like an NRIC number in an email body. | Target completion date: 2 February 2021 |
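The alert condition in Schedule A item 4 and in the description above (warn the sender when an NRIC or FIN appears in the email body, or inside an attachment that is not password protected) is the kind of rule an Office 365 DLP policy expresses with a sensitive-information type. The following is an added example written for this page, not Assisi Hospice's configuration and not anything published by the PDPC. It shows the two checks as stand-alone Python: candidate identifiers are validated with the publicly documented NRIC/FIN checksum for the S, T, F and G series (weights 2,7,6,5,4,3,2, an offset of 4 for T and G, letter tables JZIHGFEDCBA and XWUTRQPNMLK), so a bare pattern match on an order code does not raise an alert; an .xlsx attachment is treated as password protected when its bytes start with the OLE2 compound-file header rather than the ZIP signature, because that is how Excel stores an encrypted OOXML package; and only an unprotected workbook has its XML parts scanned. The email body, the spreadsheet bytes and the "locked" header bytes are constructed sample inputs; all function and variable names are the example's own. M-series FINs issued from 2022 use a different offset and letter table and are deliberately left out.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Anything NRIC/FIN-shaped (S/T series NRIC, F/G series FIN); the checksum test
# below discards look-alikes such as order codes. M-series FINs issued from 2022
# use a different offset and letter table and are not handled here.
NRIC_SHAPE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b", re.IGNORECASE)
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                  "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}  # T and G add 4 before the modulo

def nric_check_letter(prefix: str, digits: str) -> str:
    """Expected check letter for a series prefix and its seven digits."""
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS)) + _OFFSET[prefix]
    return _CHECK_LETTERS[prefix][total % 11]

def is_valid_nric(candidate: str) -> bool:
    m = NRIC_SHAPE.fullmatch(candidate)
    if not m:
        return False
    prefix, digits, letter = (g.upper() for g in m.groups())
    return nric_check_letter(prefix, digits) == letter

def find_nrics(text: str) -> List[str]:
    """Checksum-valid NRIC/FIN numbers in text, upper-cased, in order."""
    return [m.group(0).upper() for m in NRIC_SHAPE.finditer(text)
            if is_valid_nric(m.group(0))]

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # a plain .xlsx is a ZIP archive

def xlsx_is_password_protected(name: str, data: bytes) -> Optional[bool]:
    """Heuristic: when a password is set, Excel stores the encrypted package in
    an OLE2 compound file, so the bytes no longer start with the ZIP signature.
    None for other types: a legacy .xls is OLE2 with or without a password."""
    if not name.lower().endswith((".xlsx", ".xlsm")):
        return None
    if data.startswith(OLE2_MAGIC):
        return True
    return False if data.startswith(ZIP_MAGIC) else None

def nrics_in_xlsx(data: bytes) -> List[str]:
    """Scan sharedStrings and sheet XML of an unencrypted workbook."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if part.startswith("xl/") and part.endswith(".xml"):
                found.extend(find_nrics(zf.read(part).decode("utf-8", "replace")))
    return found

@dataclass
class Attachment:
    name: str
    data: bytes

def scan_outbound_email(body: str, attachments: List[Attachment]) -> List[Tuple[str, str]]:
    """(reason, detail) alerts to show the sender before the email leaves."""
    alerts: List[Tuple[str, str]] = []
    hits = find_nrics(body)
    if hits:
        alerts.append(("nric_in_body", ", ".join(hits)))
    for att in attachments:
        if xlsx_is_password_protected(att.name, att.data) is False:
            hits = nrics_in_xlsx(att.data)
            if hits:
                alerts.append(("nric_in_unprotected_attachment",
                               f"{att.name}: {', '.join(hits)}"))
    return alerts

def make_sample_xlsx(values: List[str]) -> bytes:
    """Constructed stand-in for an unprotected list: a ZIP holding only the
    sharedStrings part this scanner reads, not a complete workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        items = "".join(f"<si><t>{v}</t></si>" for v in values)
        zf.writestr("xl/sharedStrings.xml", f'<sst count="{len(values)}">{items}</sst>')
    return buf.getvalue()

# Constructed samples. S1234567D passes the checksum; s7654321a does not
# (the valid letter for those digits is F), so only the first is reported.
SAMPLE_BODY = ("Hi, patient S1234567D needs a visit tonight; "
               "pharmacy order s7654321a is ready for collection.")
SAMPLE_LIST = make_sample_xlsx(["Name", "Tan Ah Kow", "S1234567D", "ICD code"])
SAMPLE_LOCKED = OLE2_MAGIC + b"\x00" * 24  # header only; the body is not inspected

if __name__ == "__main__":
    for reason, detail in scan_outbound_email(
            SAMPLE_BODY, [Attachment("list.xlsx", SAMPLE_LIST),
                          Attachment("locked.xlsx", SAMPLE_LOCKED)]):
        print(f"ALERT {reason}: {detail}")
```

Run as a script it reports the NRIC in the body and the one inside `list.xlsx`, and stays silent on `locked.xlsx`. The checksum step matters for a sender-facing alert: a seven-digit code prefixed with a letter is common in order and reference numbers, and a rule that fires on every such string trains staff to click through the warning. The magic-byte test is a heuristic, not proof of strong encryption; it says only that Excel has wrapped the package the way it does when a document password is set.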
Links from other tables
- 7 rows from item_version in pdpc_undertakings_changed