Fines are also at an all-time high. A total of S$1.28 million in fines has been issued so far this year, most of which came from fines imposed earlier this year because of a major data breach by public healthcare group SingHealth. The findings were published by the Data Protection Excellence (DPEX) Centre, the research and education arm of data protection software firm Straits Interactive.
The study noted that there was, in general, an “upward trend” in the number of organisations involved in enforcement cases. There were a total of 18 cases in 2017, although the 23 cases in 2016 were somewhat higher. A spokesperson from Straits Interactive said that no figures were available before 2016 because enforcement of the PDPA began only in April 2016. The Act came into force in 2014.
Of the S$1.28 million in fines issued for PDPA breaches so far this year, S$1 million related to the SingHealth data breach. In January, both SingHealth and its IT vendor Integrated Health Information Systems were fined a total of S$1 million after hackers broke into SingHealth’s IT systems to steal the personal data of 1.5 million patients.
Even after excluding the fine issued to SingHealth, the study found that the amount of fines issued so far this year — S$280,000 — is double the amount last year, which stood at S$141,500. The total amount of fines issued between 2016 and 2018 — at S$339,000 — was also less than one-third of the amount of fines issued this year, the report said.
‘PROTECTION OBLIGATION’ BREACHED THE MOST
The study found that 80 per cent of the 90 organisations that received warnings or fines from the PDPC between 2016 and this year had breached a protection obligation. A protection obligation refers to the reasonable security measures that an organisation is expected to take to protect personal data that is in its possession or under its control. It is one of nine obligations set out for organisations under the PDPA. The other obligations include receiving consent from individuals to obtain and use their personal data, as well as ensuring that personal data is retained by the organisation only for as long as necessary.
ERROR OR NEGLIGENCE
The study found that breaches of the protection obligation occurred mostly due to negligence or employee error, rather than malicious activity, which made up only about 15 per cent of enforcement cases. The other two most common obligations breached were the lack of data protection policies by organisations (17 per cent) and not obtaining the consent of individuals (16 per cent).
FINANCE AND RETAIL THE TOP SECTORS HIT
It found that the top five sectors guilty of PDPA breaches were finance (14 per cent), retail (14 per cent), volunteer welfare organisations (10 per cent), professional services (9 per cent), and food and beverage (9 per cent). Untrained employees, inadequate security controls and weak passwords were among the top 10 common causes of PDPA breaches flagged by the study.
Read more at Todaysonline