- Sect 24
Whether the Organisation had, pursuant to section 24 of the Personal Data Protection Act 2012 (“PDPA”), put in place reasonable security arrangements to protect the
Personal Data from unauthorised disclosure. Section 24 requires an organisation to protect personal data in its possession or under its control by making reasonable security
arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
As an organization, such as an MCST has a primary role and duty to protect personal data in its possession or control under s24 of the PDPA, even though it had engaged a data intermediary to protect the personal data. Data intermediary, also has a duty to protect personal data in its possession under s24 of the PDPA.
- Section 12(a) required the Organisation to develop and implement policies and practices to comply with the PDPA. If employee had previously attended formal training on the
requirements of the PDPA and had briefed on the Organisation’s protection of personal data is a good mitigating factor.