A financial penalty of S$13,500 was imposed.
The Personal Data Protection Commission Singapore has imposed a fine on SAP Asia for failing to put in place reasonable security arrangements to protect personal data of its former employees. This resulted in an unauthorised disclosure of the personal data to unintended recipients.
On 1 April 2020, the Personal Data Protection Commission (“the Commission”) received a complaint that SAP Asia Pte. Ltd. (“the Organisation”) had disclosed the payroll information of some of its former employees to the wrong email recipients (“the Incident”).
The Commission found prior to the incident, SAP Asia had engaged an external vendor to provide IT solutions for its human resources and payroll system. SAP Asia’s process of issuing payslips to its employees had been automated as part of the HR System. However, when payslips needed to be issued to individuals who had already left the employment of SAP Asia (e.g. final payslips,
reimbursements of expenses etc), this could not be done via the HR System.
Such payslips needed to be separately generated by the SAP Asia’s human resources department and emailed to the former employees at their personal email addresses. The SAP Asia was keen to automate the process of issuing payslips to former employees as part of the HR System, and sometime around April 2019, requested the Vendor to develop a new programme within the HR System for this purpose.
SAP Asia had intended to use the programme to generate and email multiple payslips to multiple former employees simultaneously in one execution of the Multiple Payslip Issuance . However, as this intention was not properly communicated to the vendor, and the programme was designed on the incorrect.
Similar to the above precedents, in the present case, SAP Asia’s representative only conducted two test scenarios as part of UAT, and both only involved Single Payslip Issuance. The failure to test Multiple Payslip Issuance as part of UAT meant that the testing was
inadequate to simulate the Organisation’s intended use of the Programme, and the Programme’s incapability of handling Multiple Payslip Issuance was not picked up at the testing stage as it should have.
For the above reasons, the Organisation was determined to have breached the Protection Obligation in respect of the former employees’ personal data disclosed in the Incident.