12 June 2023

Engaging external IT vendors – an organisation’s duties under the Personal Data Protection Act 2012 (“PDPA”)

Background

On 31 January 2022, Kingsforce Management Services Pte Ltd (“Kingsforce”) notified the Personal Data Protection Commission (“PDPC”) of a data breach: on or about 27 December 2021, personal data taken from the jobseeker database held by Kingsforce had been put up for sale on the RaidForums marketplace (the “Incident”).

The external cyber security investigators engaged after the Incident found that the website was built on outdated technology containing critical vulnerabilities, and identified this as the cause of the Incident.

Kingsforce admitted that work on the website had not been completed at launch owing to contractual disputes with its developer. Kingsforce subsequently engaged IT maintenance vendors in an effort to secure the website. However, that maintenance was ad hoc and limited to troubleshooting functional problems such as bugs, glitches and pages that failed to load; in other words, the vendors were fixing functionality rather than assessing or remediating the website’s security weaknesses.

On these facts, the PDPC found that Kingsforce had failed to make reasonable security arrangements to protect the personal data in its possession, and that Kingsforce had accordingly breached Section 24 of the PDPA (the Protection Obligation).

Duties under the PDPA

In its decision, the PDPC set out the duties an organisation owes under the PDPA when it engages an external IT vendor:

  1. to make the need for personal data protection clear to its IT vendors, by (i) including it in the contractual terms, and (ii) reviewing the requirements specifications to ensure that personal data protection is reflected in the design of the end product;
  2. after the contract is signed, to exercise reasonable oversight of the vendor throughout the engagement, so as to verify that the vendor is protecting the personal data by adhering to the stipulated requirements; and
  3. after the website is deployed, to conduct web application vulnerability scanning and assessments periodically, rather than relying on ad hoc maintenance triggered only by functional faults.

To learn more, please read the PDPC’s decision on the Incident here.


IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislations and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.
