Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2023DB02

A staff member of a sports organisation accidentally uploaded and transmitted the personal data of event participants – DPP 4 – security of personal data


A sports organisation reported to the PCPD that a staff member accidentally uploaded a file with the names, phone numbers and email addresses of 308 event participants to the organisation’s website and sent it to participants via email while distributing competition information.

Remedial Measures

Upon receiving the notification from the sports organisation, the PCPD initiated a compliance check. The organisation informed the PCPD that it had enhanced personal data handling procedures in response to the incident. These measures included requiring staff to properly name files containing personal data for easy identification of files containing participants’ personal data, reducing the likelihood of selecting the wrong file. Furthermore, managerial staff should review files containing personal data before uploading or emailing them. The organisation held a meeting with all employees to explain these procedures and urged staff to comply.

Lesson learnt

Data breach incidents are often caused by human errors. It is essential for data users to continuously make employees aware of the importance of data protection and provide them with training on proper personal data handling. Establishing clear and effective procedures and guidelines for handling personal data is essential, along with implementing measures (such as regular reminders and audits) to ensure adherence to these procedures.

(Uploaded in February 2024)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :