In its decision dated July 30, 2021, the Personal Data Protection Commission (“PDPC”) fined the well-known software and technology company SAP Asia Pte. Ltd. (“SAP”) $13,500 for breaching the protection obligation under Section 24 of the Personal Data Protection Act (“PDPA”). The decision follows a complaint the PDPC received on April 1, 2020, that SAP had mistakenly disclosed payroll information of some of its former employees to several unintended recipients.
SAP had been working with an external vendor on a new feature to automate the issuance of final payslips to former employees. Its HR system already issued payslip notifications automatically to all current employees, but not to employees who had already left the company. Because the HR system could not automate that step, the HR department handled it manually, emailing each former employee individually. In April 2019, wanting to automate this part of the process as well, SAP asked the vendor to build the automation into the HR system.
SAP intended the software to generate several individual payslips in a single run and send each one only to the former employee it belonged to. However, because of poor communication between SAP and the vendor, the program did not behave as SAP expected. Instead of generating one payslip per former employee and delivering each to its owner, the software generated all the payslips and sent the entire set to every former employee in the batch. When SAP ran the program for the first (and only) time on March 31, 2020, each of the 43 former employees in the batch was sent the 42 other payslips in addition to their own. Although 13 of the 43 former employees did not receive the email because their addresses were invalid, 29 payslips were disclosed in error.
On April 1, 2020, SAP notified all 43 former employees of the error and asked them to delete the payslips that did not belong to them. SAP also followed up with these former employees by phone to confirm that the payslips had been deleted; 39 of the 43 confirmed that they had done so. SAP also disabled the software and reverted to generating and emailing payslips to former employees manually while continuing to develop the software so that it could be reintroduced without further issues.
The PDPC found that SAP had failed to give its external vendor accurate and appropriate specifications for how the software should be developed. The PDPC also found that SAP did not perform pre-launch testing of the software to confirm that it functioned as intended.
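The failure mode described above (generate a batch, then send the whole batch to every recipient in it) and the pre-launch check the PDPC found missing can both be shown in a few lines. The following is an added illustration, not SAP's or the vendor's code, and it makes no claim about how their HR system was actually built; the payslip records, addresses and class names are constructed for the example. It places the fan-out bug next to the intended per-recipient dispatch, and adds an invariant check (every attachment on an outgoing message must belong to that message's recipient) that a pre-launch test run against a fake mailer would have caught before any real email went out.

```python
"""Constructed example: per-recipient payslip dispatch, the broadcast bug,
and a cross-disclosure check suitable for a pre-launch test.
Not SAP's or the vendor's code; all names and data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payslip:
    employee_id: str   # constructed identifier
    email: str         # intended recipient of this payslip only
    net_pay: float     # constructed sample value


@dataclass(frozen=True)
class OutboundEmail:
    to: str
    attachments: tuple  # tuple of Payslip


class FakeMailer:
    """Records messages instead of sending them, so tests run offline."""
    def __init__(self):
        self.sent = []

    def send(self, to, attachments):
        self.sent.append(OutboundEmail(to, tuple(attachments)))


class CrossDisclosure(Exception):
    """Raised when a message carries a payslip belonging to someone else."""


class GuardedMailer(FakeMailer):
    """Same recorder, but refuses any message whose attachments are not all
    addressed to the recipient. This is the control that should sit in
    front of the real mail transport regardless of how the batch is built."""
    def send(self, to, attachments):
        leaked = [s.employee_id for s in attachments if s.email != to]
        if leaked:
            raise CrossDisclosure(f"refusing to send payslips {leaked} to {to}")
        super().send(to, attachments)


def dispatch_broadcast(payslips, mailer):
    """The failure mode: build the whole batch, then send the whole batch
    to every recipient in it. Every recipient gets everyone's payslip."""
    batch = list(payslips)
    for slip in batch:
        mailer.send(slip.email, batch)


def dispatch_per_recipient(payslips, mailer):
    """Intended behaviour: one message per recipient, carrying only their
    own payslip."""
    for slip in payslips:
        mailer.send(slip.email, [slip])


def find_cross_disclosures(sent):
    """Post-run invariant for a test: return (recipient, employee_id) pairs
    where a payslip reached an address other than its owner's."""
    return [(msg.to, slip.employee_id)
            for msg in sent
            for slip in msg.attachments
            if slip.email != msg.to]


def run(dispatcher, payslips, mailer_cls=FakeMailer):
    """Run a dispatcher against a recording mailer and return
    (messages sent, list of cross-disclosures)."""
    mailer = mailer_cls()
    dispatcher(payslips, mailer)
    return mailer.sent, find_cross_disclosures(mailer.sent)


# Constructed sample batch of three former employees.
SAMPLE = [
    Payslip("E001", "alice@example.test", 4200.0),
    Payslip("E002", "bob@example.test", 3900.0),
    Payslip("E003", "carol@example.test", 5100.0),
]

if __name__ == "__main__":
    _, leaks = run(dispatch_broadcast, SAMPLE)
    print(f"broadcast dispatcher: {len(leaks)} cross-disclosures")
    _, leaks = run(dispatch_per_recipient, SAMPLE)
    print(f"per-recipient dispatcher: {len(leaks)} cross-disclosures")
    try:
        run(dispatch_broadcast, SAMPLE, GuardedMailer)
    except CrossDisclosure as exc:
        print(f"guarded mailer blocked the batch: {exc}")
```

With the three-record batch, the broadcast dispatcher produces three messages of three attachments each and six cross-disclosures, the per-recipient dispatcher produces none, and the guarded mailer rejects the first broadcast message before anything is recorded. The point is that the check belongs both in a pre-launch test (so a misunderstood specification surfaces before go-live) and in front of the transport (so it still holds if the batch-building code changes later).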
However, because SAP acted promptly to mitigate the impact of the incident and was cooperative during the investigation, the PDPC imposed a financial penalty of only $13,500 and issued no further directions against SAP.
A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.