pdpc_undertakings_version: 17
| Field | Value |
|---|---|
| _id | 17 |
| _item | 17 |
| _version | 1 |
| _commit | 1002 |
| id | 17 |
| organisation | Singhealth Polyclinics |
| url | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-SingHealth-Polyclinics |
| timestamp | 2022-06-16 |
| pdf-url | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking-for-Singhealth-Polyclinics-2022.pdf |
| _item_full_hash | 2bced216336258bd3352aaacb04da91d11c52603 |

description:

Background

The Personal Data Protection Commission (the “Commission”) was notified by Singhealth Polyclinics (“SHP”) on 31 May 2021 that its courier service provider had misplaced a package containing GIRO application forms submitted by its patients. The personal data of 87 individuals was affected, namely names, telephone numbers, NRIC numbers, bank account numbers and transaction payment limits. It was established that SHP did not have processes in place to confirm deliveries of packages by its courier service provider. The loss of the package was only discovered 3 weeks after the incident, when SHP checked with the relevant banks on the status of the GIRO applications.

Remedial Actions

After the incident, as part of a remediation plan, SHP: (a) conducted a process review and decided to use courier companies with real-time tracking for deliveries of packages containing confidential information; (b) worked with the relevant banking institutions to obtain confirmation of receipt of any SHP parcel within the next working day; and (c) rolled out additional processes to reduce the risk of loss of hardcopy documents.

Undertaking

Having considered the circumstances of the case, including the remedial steps taken by SHP to improve its data protection practices, the Commission accepted an undertaking from SHP to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 5 August 2021 (the “Undertaking”). The Undertaking provided that SHP had to complete the implementation of its remediation plan by conducting the process review and changing its processes for the handling of GIRO applications. In addition, SHP would conduct the necessary training for its employees and ensure their compliance with the changes in its policies.

SHP has since updated the Commission that it has completed the implementation of its remediation plan. The Commission has reviewed the matter and determined that SHP has complied with the terms of the Undertaking.

pdf-content:

WRITTEN VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Personal Data Protection Commission or its delegates pursuant to section 48L(1) of the PDPA, by:

SingHealth Polyclinics
UEN: 52928775K
Registered Address: 167 Jalan Bukit Merah #15-10 Connection One, Singapore 150167

(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS

1.1 In this Undertaking:
(a) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012); and
(b) “Relevant Provisions” means the provisions in Parts 3, 4, 5, 6, 6A, 6B and 9, and section 48B(1) of the PDPA.

2. ACKNOWLEDGEMENTS

2.1 The Organisation hereby acknowledges the following matters:
(a) The Commission has carried out investigations into certain acts and practices of the Organisation, and has reason to believe that the Organisation has not complied, is not complying, or is likely not to comply with one or more of the Relevant Provisions. The relevant facts and circumstances are summarised at Schedule A.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to issue directions under sections 48I or 48J of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement or is in the midst of implementing the steps set out in Schedule B.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.

2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part.

3. UNDERTAKINGS

3.1 The Organisation undertakes that it has taken, or will take, all necessary steps to carry out the actions or refrain from carrying out the actions referred to in Schedule B, and where applicable, in accordance with the stipulated timelines.

4. COMMENCEMENT

4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking.

5. THE COMMISSION’S STATUTORY POWERS

5.1 In order to provide the Organisation with an opportunity to complete all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3)(ca) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1.

5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above, and if necessary, will exercise its powers under the Ninth Schedule of the PDPA to do so.

5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter.

5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under sections 48I, 48J, 48L(4) and 50 of the PDPA) in any manner. Neither shall it be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent.

6. VARIATION

6.1 This Undertaking may be varied only with the express written agreement of the Commission.

This document has been electronically signed. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that the Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.

SIGNED, for and on behalf of SingHealth Polyclinics, by the following:
Name: ______________________________________
Designation: _________________________________
Date: _______________________________________

ACCEPTED by:
Name: ______________________________________
Designation: Deputy Commissioner / Commissioner, Personal Data Protection
Date: _______________________________________

SCHEDULE A
SUMMARY OF FACTS

1. On 31 May 2021, the Organisation notified the Commission that its courier service provider, Vroom Vroom Office Services (“Vroom”), had lost a package on 21 April 2021. The lost package, intended to be delivered to a bank, contained GIRO application forms submitted to the Organisation for processing.

2. The Organisation did not discover the loss promptly because it had inadequate processes to confirm completion of package deliveries with its courier service provider. The incident was only discovered 3 weeks later, when the Organisation checked with the bank on the status of the GIRO applications.

3. As a result of the loss of the package, the personal data of 87 individuals, including their name, telephone number, NRIC number, bank account number and transaction payment limits, was compromised.

SCHEDULE B

1. Cause of incident: SHP did not require any explicit confirmation of successful delivery for all packages.

Remediation plan: A process review has been conducted and, with effect from 30 June 2021, all packages with confidential information (including personal data) require the use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system. Approved courier companies will have entered into Master Agreements for the delivery of the relevant courier services, which include obligations on the service provider to comply with personal data protection obligations. All SHP departmental representatives were briefed on the new workflow, with a walkthrough of the online tracking system used by the approved courier companies. Confirmation of delivery will be almost real-time, as SHP users can check the delivery status of dispatched packages online. The incident was also shared with all SHP departments and their PDPA coordinators for awareness and learning.

Target completion: Process review completed as of 30 June 2021. Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 1 July 2021.

2. Cause of incident: Vroom’s internal verification process was not robust, as it relied on manual tracking of consignment notes. The window for the discovery of lost parcels was also too long, with SHP only receiving confirmation three (3) weeks after the incident.

Remediation plan: SHP has rolled out [business process redacted for confidentiality] at its clinics, which eliminates the need to courier patients’ or their next-of-kin’s [type of document redacted for confidentiality], thereby removing the risk of such loss; it will then not be necessary to engage courier companies to deliver parcels containing personal data. SHP plans to roll out [business process redacted for confidentiality] at all clinics, which can further reduce the risk of losing hardcopy documents during transmission. In situations where [business process redacted for confidentiality] is inapplicable, SHP will engage courier companies with a more robust verification process for the delivery of parcels that contain personal data. As stated in Item (1) above, SHP will only engage [type of courier companies redacted for confidentiality] courier companies that implement an electronic / online tracking system allowing an almost real-time status update for the confirmation of package deliveries on the same day. To enhance the follow-up confirmation process, SHP worked with [name of financial institution redacted for confidentiality] such that [name of financial institution redacted for confidentiality] has to provide written acknowledgement of receipt of any SHP parcel within the next working day.

Target completion: Completed as of 31 May 2021. Process review completed as of 30 June 2021. Ongoing – by end of 1st half of 2022. Use of [type of courier companies redacted for confidentiality] courier companies that utilise an online tracking system – ongoing. Post-review follow-up session with SHP departmental representatives on courier companies scheduled for September 2021. Completed as of 11 June 2021.