18 September, 2016
FOCUS: Proper preparation can protect a data controller in the event of an inadvertent breach, as was indicated when the Singapore regulator found that an organisation had not broken the law when a data breach occurred.
Singapore's Personal Data Protection Commission recently investigated a data protection breach involving the central depository of the Singapore Exchange (CDP) and Toh-Shi Printing. Account information for some customers had been sent to other customers by mistake.
Both CDP, as the data controller, and Toh-Shi as the data intermediary were investigated by the Commission, which looked at whether reasonable security arrangements were in place as required by the Personal Data Protection Act. While the intermediary's arrangements were lacking, the Commission said that those of the data controller were acceptable.
Putting the right systems in place both before and after a data security incident is vital, and can mean that there is no breach of the law, and hence no liability, even if a data leak does take place.
Toh-Shi is an external vendor, responsible for printing account statements for the CDP. Under its contract Toh-Shi is required to protect the confidentiality of the CDP's customers, and to put necessary measures in place to protect the data.
However, a misalignment of pages during the printing and sorting process led to pages from some customers' account statements being mixed with those of other customers. This was in fact spotted before the account statements were sent out – but then an operator accidentally threw out the correct versions and posted the wrong ones.
Toh-Shi alerted the Commission of the breach in June 2014. At the same time, the CDP contacted the affected account holders and offered them the option of changing their account numbers.
The Singapore Exchange also ran its own investigation, and issued a news release on the same day as the breach to inform customers, and to apologise for the incident.
The Commission was satisfied with how, as data controller, the CDP had put in place an agreement obliging Toh-Shi to take the necessary action and precautionary measures needed to protect account holders' data during the printing process. Data was also transferred in a secure format between the depository and Toh-Shi, the Commission said. It therefore did not find the CDP in breach of the data protection act.
The cause of the breach, it said, was the data intermediary, Toh-Shi. Inadequate operational processes were in place to ensure data was sent to the correct recipient, and better processes or technology solutions could have been used to prevent this instance of human error, it said. The company was fined S$5,000 (£2,800).
The lesson from this is clear: it is vital to have good, thorough processes in place to avoid data protection breaches, and to develop systems for responding when they occur.
The Commission is prepared to acknowledge proper efforts made in advance of a breach and will take this into account in an investigation, so work put into hardening systems and processes to enhance data security and incident response will not go unrewarded.
For further information, please contact:
Mohan Pillay, Partner, Pinsent Masons
mohan.pillay@pinsentmasons.com