Singapore: SAP Asia Ordered To Pay Financial Penalty Having Failed To Protect Personal Data Of Its Former Employees

A decision of the Personal Data Protection Commission ("PDPC") demonstrates the importance of conveying specific business requirements clearly to external vendors and conducting preliminary testing of any supplied products before use, lest an organisation be held in breach of its data protection obligations under the Personal Data Protection Act ("the Act").

The PDPC found that SAP Asia ("SAP") did not take reasonable security measures when it revealed former employees' personal data to unintended recipients.

On 1 April 2020, the PDPC received word that SAP had inadvertently revealed the payroll data of 43 former employees to unintended recipients ("the Incident"). Before the Incident, SAP sought an external vendor to develop a Programme that would generate and email multiple payslips to multiple former employees simultaneously, in one execution of the Programme. However, this need was not effectively conveyed to the vendor, and the new Programme was developed on the mistaken assumption that only one payslip had to be generated for one employee at a time.

On 31 March 2020, a staff member of SAP chose all 43 former employees in a single selection under the mistaken assumption that the Programme could generate multiple payslips. This oversight resulted in 29 former employees receiving not only their own payslips, but also those of the other former employees. All 43 former employees had their personal data (including name, NRIC/FIN number, bank account number, monthly basic salary, and other related information) inappropriately disclosed in this Incident.

To arrest the problem, SAP immediately contacted its 43 former employees via phone and e-mail to ensure that payslips that did not concern them were deleted. SAP also returned to individually e-mailing payslips to former employees without using the Programme. Finally, SAP agreed on continuous process improvements with the vendor with clear communicated requirements.

The PDPC noted that SAP was expected to communicate clearly to the vendor that the Programme would need to auto-generate multiple payslips. However, this was not done, and the vendor consequently developed the Programme to generate only single payslips.

The PDPC also found that SAP failed to conduct a pre-launch testing of the Programme. The PDPC cited its handbook, "How to Guard Against Common Types of Data Breaches", to note that such testing is important to single out potential data breaches before new IT systems are used in real-time.

In light of the above, SAP was found to have breached its protection obligations due to the inadvertent disclosure of its former employees' personal data during the Incident. A financial penalty of S$13,500 was imposed on 30 July 2021, with no further directions necessary given the remedial measures already taken.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.