In its decision dated 30th July 2021, the Personal Data Protection Commission (“the PDPC”) has fined well-known software and technology company, SAP Asia Pte. Ltd. (“SAP”) $13,500 over its breach of its personal data protection obligations under Section 24 of the Personal Data Protection Act (“PDPA”). The Decision follows a complaint received by the PDPC on 1st April 2020. that SAP had erroneously disclosed the payroll information of some of its former employees to several unintended recipients.
SAP was working on a new system with external vendor to automate the issuance of the final payslip of former employees through its external vendor. Previously, its external vendor had been engaged for the automatic issuance of payslips to all employees of the company through its HR System, except for the employees who had already left the company. Its HR System was unable to automate this process initially, and therefore, this had been manually done by its Human Resources Department, which would then email it to the former employees personally. However, as SAP wanted to automate this part of the process as well, it requested its external vendor to develop such an automation within the HR System for the said purpose in April 2019.
SAP had intended to use the programme to generate multiple individual payslips simultaneously and send them out to the appropriate former employee individually with one execution of the programme. However, due to miscommunication between SAP and its external vendors, the programme did not function in the way SAP expected. Instead of generating multiple payslips to multiple former employees, the programme generated multiple payslips and issued them to multiple former employees at the same time. When SAP executed the programme for the first (and only) time on 31 March 2020, 43 former employees ended up being sent 42 other payslips of former employees in addition to their own payslips. Even though 13 of 43 former employees did not receive the email due to invalid email addresses, 29 payslips were nonetheless erroneously disclosed.
On 1 April 2020, SAP informed all 43 employees about the error and requested that they delete the payslips which were not theirs. SAP also followed up with these former employees over the telephone to ensure that they had deleted these payslips. 39 of 43 employees confirmed that they had deleted these payslips. Further, SAP also disabled the programme and reverted to manually generating and emailing payslips to former employees while continuing to develop the programme so that it may proceed without any further problems.
The PDPC found that SAP had failed to accurately provide adequate specifications as to how to develop the programme with external vendors. Further, it also found that SAP had not conducted pre-launch testing of the programme to ensure proper functioning of its programme.
However, that SAP took prompt action to lighten the impact of its action, and was cooperative during the investigations, the PDPC directed that SAP only had to pay a fine of $13,500, and no further directions were made against SAP.
By: Denise Mirandah
A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.