Singapore: PDPC issues corrective action order on Chapel of Christ for failure to implement internal and technical measures
The Personal Data Protection Commission ('PDPC') published, on 15 April 2021, its decision and corrective action on the Chapel of Christ the Redeemer ('the Organisation') incident which affected 815 members. In particular, the PDPC noted that the Organisation's member registry file was available through a sub-directory webpage, that the Organisation had set up no access control to the files and directories of the website, and that it had not developed any internal policies and practices to ensure compliance with the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA'). Furthermore, the PDPC clarified that following the incident, the Organisation established internal policies and practices, set up directories, made files password protected, and set up a three-month retention policy.
In its assessment of the above, the PDPC found that the Organisation was in breach of Section 12 of the PDPA, for failing to develop internal policies and practices to ensure compliance with the PDPA, and Section 24 of the PDPA, for failing to make reasonable security arrangements for the protection of data. In its conclusion, the PDPC highlighted that the Organisation undertook prompt remedial measures and cooperated fully with the investigation. For this reason, the PDPC did not impose a financial penalty and issued a corrective action to develop and implement internal data protection policies and practices to comply with the provisions of the PDPA within 90 days, and to notify the PDPC within ten days once it has done so.