The Organisation did not have sufficiently robust retention policies.
The Personal Data Protection Commission (the “Commission”) received a data breach notification on 11 September 2021 from Jade E-Services Singapore Pte. Ltd. (“Organisation”) following an incident where a marketing email was wrongly sent because of an employee’s lapse. The marketing email was sent to the email addresses belonging to 456,868 individuals who had withdrawn their consent to receive such marketing emails. The recipients included 165 individuals who had previously requested that their account be terminated.
It was established that the Organisation lacked sufficiently robust processes to identify and correct any human error by their employees in the use of its system.
The Organisation also did not have sufficiently robust retention policies. This resulted in the retention of email addresses of individuals who had unsubscribed from the Organisation’s newsletter and did not have any account with the Organisation.
After the incident, as part of a remediation plan, the Organisation:
- immediately stopped any further sending of automated emails that had yet to be processed;
- corrected the system settings;
- implemented an additional layer of approval for all automated emails that have been modified by an employee to prevent erroneous changes;
- sent apology emails to individuals who had received the erroneous emails; and
- issued social media communications to inform all customers of the incident.
Having considered the circumstances of the case, including the remedial steps taken by the Organisation to improve its personal data protection practices, the Commission accepted an undertaking from the Organisation to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 3 December 2021 (the “Undertaking”).
The Undertaking provided that the Organisation was to complete the implementation of its remediation plan to develop and implement an automated feature to trigger anonymisation of email addresses belonging to customers who had unsubscribed from the Organisation’s newsletter and did not have any account with the Organisation.
The Organisation has since informed the Commission that implementation of its remediation plan has been completed. The Commission has reviewed the matter and determined that the Organisation has complied with the terms of the Undertaking.