The protection of personal data is of utmost importance. With cyber threats increasing, organizations must take adequate measures to ensure that personal data is protected from unauthorized access or misuse. In Singapore, the Personal Data Protection Act (PDPA) sets out the obligations that organizations must adhere to in the handling of personal data. Recently, the National Skin Centre in Singapore was fined for a data breach that exposed the personal data of over 8,000 patients. In this blog post, we will explore the details of the National Skin Centre data breach penalty, the obligation that was breached, and what organizations can learn from this incident to improve their own data protection practices.
The National Skin Centre (NSC) is a government-run hospital that provides specialized dermatological services. In July 2021, it was discovered that the personal data of over 8,000 patients had been exposed due to a data breach. The personal data involved included names, identification numbers, addresses, and medical histories. The breach occurred when an unauthorized individual gained access to an NSC employee's email account. The employee's account had been compromised due to weak password practices and failure to enable two-factor authentication.
The NSC reported the breach to the Personal Data Protection Commission (PDPC) in accordance with the mandatory breach notification requirements under the PDPA. Upon investigation, the PDPC found that the NSC had breached its obligation under the PDPA to protect personal data by failing to implement adequate security measures to prevent unauthorized access to personal data. As a result, the NSC was fined SGD 5,000 for non-compliance with the PDPA.
Which Obligations were Breached?
Under the PDPA, organizations have an obligation to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. This includes implementing measures to prevent unauthorized access to personal data, such as the use of strong passwords, two-factor authentication, and encryption. Organizations are also required to conduct regular checks and audits to ensure that personal data is being protected adequately.
In the case of the NSC data breach, the organization breached its obligation under the PDPA to protect personal data by failing to implement adequate security measures to prevent unauthorized access to personal data. The NSC employee's email account was compromised due to weak password practices and failure to enable two-factor authentication. This allowed an unauthorized individual to gain access to the personal data of over 8,000 patients.
What Can We Learn from This?
The National Skin Centre data breach penalty provides valuable lessons for organizations to improve their own data protection practices:
Implement adequate security measures: Organizations should implement adequate security measures, such as strong passwords, two-factor authentication, and encryption, to prevent unauthorized access to personal data. It is important to regularly review and update these measures to ensure that they remain effective in the face of evolving cyber threats.
Conduct regular checks and audits: Organizations should conduct regular checks and audits to ensure that personal data is being protected adequately. This includes conducting regular vulnerability assessments, penetration testing, and security assessments. By doing so, organizations can identify and address security gaps in a timely manner, reducing the risk of data breaches.
Invest in employee training: Organizations should invest in employee training to promote good data protection practices. Employees should be educated on the importance of data protection, as well as best practices for creating strong passwords, enabling two-factor authentication, and detecting and reporting potential security threats. Regular training can help to reinforce these practices and reduce the risk of human error leading to data breaches.
Take prompt action in the event of a data breach: Organizations should have a robust incident response plan in place in the event of a data breach. This includes conducting a thorough investigation to determine the scope of the breach, notifying affected individuals and relevant authorities, and implementing remedial measures to prevent future breaches. By taking prompt action, organizations can minimize the impact of a breach and demonstrate their commitment to protecting personal data.
The National Skin Centre data breach penalty serves as a reminder of the importance of protecting personal data and adhering to the obligations set out under the PDPA. Organizations must implement adequate security measures, conduct regular checks and audits, invest in employee training, and take prompt action in the event of a breach to ensure that personal data is protected from unauthorized access or misuse. By doing so, organizations can demonstrate their commitment to data protection and reduce the risk of costly penalties and reputational damage.
Personal Data Protection Commission. (2021, December 3). Summary Decision - NSS [PDF file]. Retrieved from https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Summary-Decision---NSS---03122021.pdf