I took a bit more time with this one because it is interesting — notwithstanding what appears to be a data breach when one customer was able to see the details of another on a member page, the Personal Data Protection Commission in Singapore accepted that there was no breach of the Personal Data Protection Act. To summarize, the PDPC believed that this was a one-off affair. To highlight again, this was a situation of no breach; we are not saying that the organisation was warned or criticized for the incident.
Obviously, this decision holds several clues as to how to respond effectively to a data breach or to the PDPC.
Thing One: Focus on policies, processes and systems
It goes without saying that one of the best things you could do when faced with a data breach is to ascertain its extent and then adopt countermeasures before the PDPC makes a decision. It can, in certain circumstances, mean the difference between a financial penalty and a warning.
However, an organisation can also step forward and change the narrative by shifting the focus away from the data breach incident and onto the data policies and processes it has created to manage data protection.
Compare this decision with _Re Full House Communications Pte Ltd SGPDPC 8_, where an organisation was found to have breached the PDPA when it exposed the personal data of attendees by displaying it on laptops placed in front of them. If it sounds lame, that is because it is.
In this decision, personal data was exposed when a customer failed to input information into a membership system properly, causing the system to display another customer's personal data.
Whereas Re Full House Communications Pte Ltd focused on the breach of the protection obligation in the PDPA, this decision devotes a substantial section to the data protection policies the organisation had put in place. This lent considerable force to the PDPC’s finding that the incident was a one-off.
Thing Two: A Detailed Data Protection Policy pays dividends
Of course, you cannot help the PDPC find that your data protection met a reasonable standard if you never put any measures in place.
It also goes without saying that a cut-and-paste data protection policy is not going to help you either. When your data protection policy is being scrutinized, having one that is not adapted to the organisation’s unique activities only exposes gaps.
To the organisation’s credit here, the measures put in place and highlighted by the PDPC in its decision cover a wide spectrum of areas:
- Several layers of technical safeguards such as automatic refreshes and manual refreshing of forms
- Standard operating procedures and training for staff
When data protection policies are detailed and adapted to the circumstances, an organisation is not caught off guard and does not have to scramble to figure out what it had done for data protection; it will be ready for any individual or the PDPC to examine it. It thus pays to sit down and think about these issues first instead of waiting for questions to arrive.
Thing Three: The PDPC shows a softer side
The structure of the Personal Data Protection Commission is modeled after the Competition Commission of Singapore, but that does not mean the PDPC is out to get organisations for non-compliance. The PDPC has focused a lot of effort on providing resources and assistance to organisations, and part of that outreach, showing organisations that the PDPC is on their side, is issuing decisions from time to time that do not punish but instead appear to praise organisations for good practices.
It’s a bit odd for me as an individual, but I do appreciate it.
My original worries when I read the first paragraph were that someone was getting lax treatment from the PDPC, but I do think they were unfounded upon closer scrutiny, because this appears really to be reasonably one-off, as you can see above.
If there was one instance to keep the PDPC on its toes, I guess it will not be this one 😛