Engaging external IT vendors – an organisation’s duties under the Personal Data Protection Act 2012 (“PDPA”) Engaging external information technology (IT) vendors: an organisation’s corresponding duties under the Personal Data Protection Act 2012 (“PDPA”)

12 June 2023 | Legal Updates


On 31 January 2022, Kingsforce Management Services Pte Ltd (“Kingsforce”) notified the Personal Data Protection Commission (“PDPC”) of the sale of data from its jobseeker database on RaidForums, which occurred on or about 27 December 2021 (the “Incident”).
On 31 January 2022, Kingsforce Management Services Pte Ltd (“Kingsforce”) formally notified the Singapore Personal Data Protection Commission (“PDPC”) of a data breach incident involving the organisation that occurred on or about 27 December 2021. Specifically, the jobseeker personal database held by Kingsforce was stolen and put up for sale by hackers on the RaidForums platform.

External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident.

Kingsforce admitted work had not been completed on the website at launch owing to contractual disputes with its developer. Kingsforce subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues like bugs, glitches, and/or when a page failed to load.

In this case, the PDPC found that Kingsforce had failed to make reasonable security arrangements to protect the personal data in its possession, and accordingly, that Kingsforce had breached Section 24 of the PDPA.

Duties under the PDPA

In its decision, the PDPC set out an organisation’s duties under the PDPA when it engages an external IT vendor:

  1. to provide clarity and emphasise the need for personal data protection to their IT vendors by: (i) making it a part of their contractual terms, and (ii) reviewing the requirements specifications to ensure that personal data protection is reflected in the design of the end-product;
    to make clear and emphasise the need for personal data protection to their external IT vendors by way of stipulated requirements, specifically by: (i) making those requirements part of the contractual terms, and (ii) reviewing the requirements specifications to ensure that personal data protection functionality is reflected in the design of the final product;
  2. post-execution of the contract, an organisation is expected to exercise reasonable oversight over its vendor during the course of the engagement to ensure that the vendor is protecting the personal data by adhering to the stipulated requirements; and
  3. to periodically conduct web application vulnerability scanning and assessments post-deployment of its website.

To learn more, please read the PDPC’s decision here.

IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.