Well-Known Software & Technology Company Fined For Mistakenly Disclosing Payroll Information


Singapore: Well-known software and tech company fined for mistakenly disclosing payroll information


In its ruling of July 30, 2021, the Personal Data Protection Commission ("PDPC") fined the well-known software and technology company SAP Asia Pte. Ltd. ("SAP") $13,500 for violating its personal data protection obligations under section 24 of the Personal Data Protection Act ("PDPA"). The decision follows a complaint received by the PDPC on April 1, 2020 that SAP had mistakenly disclosed the payroll information of some of its former employees to several unintended recipients.

The context

SAP was working with an external supplier on a new system to automate the issuance of the final payslip to former employees. The external supplier had previously been hired to issue payslips automatically to all employees of the company through SAP's HR system, with the exception of employees who had already left the company. The HR system was initially not able to automate that part of the process, so it was done manually by the HR department, which then emailed each payslip individually to the former employee. As SAP wanted to automate this part of the process as well, in April 2019 it asked its external supplier to develop such automation within the HR system.

SAP intended to use the program to generate multiple individual payslips and send each one to the appropriate former employee in a single run of the program. However, due to poor communication between SAP and its external vendors, the program did not work as SAP expected. Instead of sending each payslip only to the former employee it belonged to, the program generated multiple payslips and issued all of them to multiple former employees at the same time. When SAP first (and only) ran the program on March 31, 2020, 43 former employees ended up receiving the payslips of another 42 former employees in addition to their own. Even though 13 of the 43 former employees did not receive the email due to invalid email addresses, 29 payslips were nonetheless disclosed in error.

On April 1, 2020, SAP notified all 43 employees of the error and instructed them to delete the payslips that were not theirs. SAP also followed up by telephone with these former employees to ensure that they had deleted these payslips. 39 of the 43 employees confirmed having deleted them. In addition, SAP disabled the program and reverted to manually generating and emailing payslips to former employees, while continuing to develop the program so that it can run without further problems.

Decision

The PDPC found that SAP did not provide its external vendors with adequate specifications on how to develop the program. In addition, it found that SAP did not perform pre-launch testing to ensure that the program was functioning properly.

However, as SAP took swift action to alleviate the impact of its action and cooperated during the investigations, the PDPC ordered that SAP only pay a fine of $13,500, and no further instructions were issued against SAP.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
