A staff member of a sports organisation accidentally uploaded and transmitted the personal data of event participants – DPP 4 – security of personal data
Background
A sports organisation reported to the PCPD that a staff member accidentally uploaded a file with the names, phone numbers and email addresses of 308 event participants to the organisation’s website and sent it to participants via email while distributing competition information.
Remedial Measures
Upon receiving the notification from the sports organisation, the PCPD initiated a compliance check. The organisation informed the PCPD that it had enhanced its personal data handling procedures in response to the incident. These measures included requiring staff to properly name files containing participants’ personal data so that such files could be easily identified, reducing the likelihood of selecting the wrong file. Furthermore, managerial staff should review files containing personal data before they are uploaded or emailed. The organisation held a meeting with all employees to explain these procedures and urged staff to comply.
Lesson learnt
Data breach incidents are often caused by human error. It is essential for data users to continuously make employees aware of the importance of data protection and provide them with training on proper personal data handling. It is also essential to establish clear and effective procedures and guidelines for handling personal data, and to implement measures (such as regular reminders and audits) to ensure adherence to these procedures.
(Uploaded in February 2024)