Number of S’pore organisations in breach of personal data protection laws hits new high: Study

SINGAPORE — The number of organisations breaching Singapore’s Personal Data Protection Act (PDPA) has jumped to a new annual high, well before the year is over, based on findings published on Tuesday (Sept 17).

A study found that the top five sectors guilty of breaching the Personal Data Protection Act were finance, retail, volunteer welfare organisations, professional services, and food and beverage.

By the end of August, 26 organisations had been fined or warned over PDPA breaches, up from 23 organisations recorded in all of last year.

Fines are also at an all-time high. A total of S$1.28 million in fines has been issued so far this year, most of which came from fines imposed earlier this year because of a major data breach by public healthcare group SingHealth.

The findings were published by the Data Protection Excellence (DPEX) Centre, the research and education arm of data protection software firm Straits Interactive.

The centre based its findings on information found on the website of the Personal Data Protection Commission (PDPC), which is the agency responsible for administering and enforcing the Act.

UPWARD TREND 

The study noted that there was, in general, an “upward trend” in the number of organisations involved in enforcement cases. There were a total of 18 cases in 2017, although the 2016 figure of 23 cases was somewhat higher.

A spokesperson from Straits Interactive said that no figures were available before 2016 because enforcement of the PDPA began only in April 2016. The Act came into force in 2014.

Of the S$1.28 million in fines issued for PDPA breaches so far this year, S$1 million related to the SingHealth data breach.

In January, both SingHealth and its IT vendor Integrated Health Information Systems were fined a total of S$1 million after hackers broke into SingHealth's IT systems to steal the personal data of 1.5 million patients, including that of Prime Minister Lee Hsien Loong.

Even after excluding the fine issued to SingHealth, the study found that the amount of fines issued so far this year — S$280,000 — is double the amount last year, which stood at S$141,500.

The total amount of fines issued between 2016 and 2018 — at S$339,000 — was also less than one-third of the amount of fines issued this year, the report said.

‘PROTECTION OBLIGATION’ BREACHED THE MOST

The study found that 80 per cent of the 90 organisations that received warnings or fines from the PDPC between 2016 and this year had breached a protection obligation.

A protection obligation refers to the reasonable security measures that an organisation is expected to take to protect personal data that is in its possession or under its control.

It is one of nine obligations set out for organisations under the PDPA. The other obligations include receiving consent from individuals to obtain and use their personal data, as well as ensuring that personal data is retained by the organisation only for as long as necessary.

ERROR OR NEGLIGENCE

The study found that breaches in protection obligation occurred mostly due to negligence or employee error, rather than malicious activity, which made up only about 15 per cent of enforcement cases.

The other two most common protection obligations breached are the lack of data protection policies by organisations (17 per cent) and not obtaining the consent of individuals (16 per cent).

FINANCE AND RETAIL THE TOP SECTORS HIT

It found that the top five sectors guilty of PDPA breaches were finance (14 per cent), retail (14 per cent), volunteer welfare organisations (10 per cent), professional services (9 per cent), and food and beverage (9 per cent).

Untrained employees, inadequate security controls and weak passwords were among the top 10 common causes of PDPA breaches flagged by the study.

TODAY has sought comment from PDPC on the study’s findings.
