pdpc_undertakings_version: 2
_id | _item | _version | _commit | id | organisation | url | timestamp | description | pdf-url | pdf-content | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|
2 | 2 | 1 | 1002 | 2 | Employment & Employability Institute Pte Ltd | https://www.pdpc.gov.sg/Undertakings/Undertaking-by-Employment-Employability-Institute-Pte-Ltd | 2020-09-10 | Background The Personal Data Protection Commission (the “Commission”) received a data breach notification on 24 July 2019 from Employment & Employability Institute Pte Ltd (“e2i”). e2i had disclosed personal data of its jobseekers via an email (“Email”) sent erroneously to one external party. The aforesaid personal data was contained in an Excel Spreadsheet (“Spreadsheet”) attached to the Email. The Spreadsheet contained the name, NRIC number, email address, date of birth, citizenship, race, gender, qualifications and employer name of 101 jobseekers. Additionally, 24 sets of actual salary information and 77 sets of desired salary information belonging to the same 101 jobseekers were also disclosed. It was established that the inadvertent disclosure occurred due to an e2i employee selecting the wrong recipient from the dropdown list. The Email was meant for an internal colleague. However, as the external party bore the same first name as the internal colleague, the wrong recipient was picked. Remedial Actions e2i communicated with the external party to delete the Email and the Spreadsheet. Additionally, e2i reminded all employees to password protect all files containing personal data for both internal and external correspondence. Guidelines on protecting personal data were also emailed to all employees. Undertaking The Commission considered the circumstances of the case and accepted an undertaking from e2i to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 November 2019 (the “Undertaking”). 
The Undertaking provides that e2i was to: (a) review its procedures for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training of employees involved in correspondences that may comprise or touch on the personal data of jobseekers on how to handle and protect the data adequately; (c) propose an implementation plan for fulfilling the above; (d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan; (e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and (f) provide a status report to the Commission at a time requested by the Commission confirming whether e2i has fulfilled each of the specific measures set out in the implementation plan. e2i has since provided the Commission with the status report referred to at para 6(f) above on 2 January 2020. The Commission has reviewed the matter and determined that e2i has complied with the terms of the Undertaking. Please click here to view the Undertaking. | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Undertakings/Undertaking---e2i-2020.pdf | APPENDIX A LEGALLY BINDING UNDERTAKING TO THE PERSONAL DATA PROTECTION COMMISSION This Undertaking is given to the Personal Data Protection Commission by: Employment and Employability Institute Pte Ltd UEN: 200704772C Registered Address: 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 By signing this Undertaking, Employment and Employability Institute Pte Ltd acknowledges the matters stated herein and agrees to be bound by the terms of this Undertaking. 1. DEFINITIONS 1.1. In this Undertaking: (a) “Commission” means the Personal Data Protection Commission. (b) “Commissioner” means the Commissioner for Personal Data Protection. 
(c) “Commission’s Letter” means the letter dated 17 October 2019 from the Commission to Employment and Employability Institute Pte Ltd concerning its investigation under the PDPA, including the appendices thereto. (d) “Data Protection Provisions” means Parts III to VI of the PDPA. (e) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012). (f) “Time Frame” has the meaning given to it in paragraph 3.2. (g) “E2i” means Employment and Employability Institute Pte Ltd, a company incorporated in Singapore (UEN: 200704772C). 2. ACKNOWLEDGEMENTS 2.1. E2i hereby acknowledges the following matters: (a) The Commission has carried out an investigation into certain acts and practices of E2i, which infringes one or more provisions of the Data Protection Provisions. (b) The facts and circumstances relating to the Commission’s investigation, as well as the Commission’s investigation findings and concerns arising therefrom, are set out in the Commission’s Letter, a copy of which has been furnished to E2i. (c) E2i agrees that it has been given the opportunity to submit representations to the Commission in relation to the facts, allegations and the Commission’s investigation findings, as well as the form of binding undertaking, as set out in the Commission’s Letter. (d) As a result of any non-compliance with the PDPA by an organisation, there are a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA. (e) The Commission recognises that E2i has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, E2i was cooperative in the course of the investigation and was responsive to requests for information. (f) Having carefully considered all the relevant facts and circumstances, the view is taken that this is an appropriate case in which a binding undertaking may be accepted. 3. UNDERTAKINGS 3.1. 
In consideration of the powers under section 29 of the PDPA not being exercised to give a direction in relation to the matters set out in the Commission Letter, E2i hereby undertakes as follows. 3.2. E2i undertakes to take all necessary steps to implement and give effect to the conditions set out below, and to procure and ensure that it takes all necessary steps to implement and give effect to the following within the time frame approved by the Commission under paragraph (c): (a) review and update its procedure for the sending of internal and external correspondences including emails which contain personal data of its jobseekers by all relevant employees; (b) review the training provided for its employees involved in correspondences that may comprise or touch on the personal data of its jobseekers, particularly in the steps necessary on how to handle and protect personal data adequately; (c) provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed plan of implementation for fulfilling (a) to (b) above, for the Commission’s approval. The proposed plan of implementation shall state specific measures that E2i has taken and/or proposes to take to fulfil (a) to (b) above, as well as the time frame within which E2i expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall time frame within which E2i proposes to complete all of the specific measures (the “Time Frame”) shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking. The proposed plan of implementation shall also explain how each of the specific measures proposed would achieve the objectives of (a) to (b) above. E2i shall make such amendments to the proposed plan of implementation as may be required by the Commission, in order to address any further concerns that the Commission may have. 
In deciding whether to approve the plan of implementation, the Commission will consider whether the specific measures would adequately address and achieve the objectives of (a) to (b) above; and (d) comply and procure that E2i complies with each and every obligation set out in the approved plan of implementation, which is hereby incorporated into and forms part of this Undertaking, within the specified time frames; (e) appoint an individual of sufficient authority to oversee E2i’s compliance with the terms of the Undertaking and to report to the Commission, and to appoint a replacement in the event of the appointee’s departure from the organisation; and (f) provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission under paragraph (c) confirming whether E2i has fulfilled each of the specific measures set out in the approved plan of implementation, and provide details as to when each of the specific measures was completed. 3.3. In addition, E2i undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures under the plan of implementation, including (without limitation) granting the Commission and its representatives physical access to E2i’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with E2i staff, contractors and/or consultants. 4. COMMENCEMENT, TERM AND TERMINATION 4.1. This Undertaking shall take effect upon the acceptance by the Commission of E2i’s fully executed Undertaking. 5. GOVERNING LAW 5.1. This Undertaking shall be governed by Singapore law. 
Each party irrevocably submits to the exclusive jurisdiction of the Singapore courts any dispute or claim arising in any way out of or in connection with this Undertaking (including a dispute regarding the existence, validity or termination of this Undertaking), and waives any right to oppose any such Singapore action or proceedings on any jurisdictional basis, and agrees not to oppose the enforcement against it in any other jurisdiction of any judgment or order duly obtained from a Singapore court. 6. VARIATION 6.1. This Undertaking may be varied only with the express written agreement of the Commission. 7. OTHER MATTERS 7.1. E2i acknowledges that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part. 7.2. For the avoidance of doubt, nothing in this Undertaking shall constrain or fetter the exercise of any statutory powers including, but not limited to, the powers under section 29 and section 50 of the PDPA in respect of the findings herein, should there be a failure by E2i to comply with any term of this Undertaking or if there are reasonable grounds for suspecting that any of the information provided by E2i in connection with the investigation in this case was incomplete, false or misleading in a material particular. Furthermore, nothing in this Undertaking shall fetter or constrain the Commission’s rights in any manner, nor be construed as creating any expectation that the Commission will take or not take any particular course of action in the future, should E2i be suspected or found to have contravened its obligations under the PDPA after the signing and acceptance of this Undertaking. 7.3. 
It is further acknowledged that the acceptance of this Undertaking is on a one-off and exceptional basis, and is strictly confined to the particular facts of the present case, on the basis of the information provided by E2i. The acceptance of this Undertaking shall not be construed as establishing any precedent, shall not create any legitimate expectations on the part of any parties (whether or not a party to this Undertaking), and shall not bind the Commission in respect of any other case involving a breach or suspected breach of the PDPA. All of the Commission’s rights in the foregoing respects are expressly reserved. 7.4. For the avoidance of doubt, acceptance of this Undertaking does not derogate from any rights and remedies available to any other person arising from conduct described in this Undertaking. SIGNED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Employment and Employability Institute Pte Ltd ) Date: ______________________________ ) ACCEPTED By ) Name: ______________________________ ) Designation: _________________________ ) for and on behalf of ) Personal Data Protection Commission ) Date: _______________________________ ) | 90a6facdd45ab35f77a4c83a15b89e62c52c758e |