A law firm found to have breached personal data protection obligations was fined $8,000 by the Personal Data Protection Commission in the first such reported case involving a law firm.
An administrative staff member of Matthew Chiong Partnership had mistakenly sent out two e-mails meant for a client to an incorrect address on two separate occasions.
A third e-mail, sent by the firm's managing partner and data protection officer to the complainant, carried an attachment that wrongly contained the names of two other clients of the law firm.
"The (law firm) failed to implement reasonable security arrangements, and the incident could not be considered as a one-off inadvertent disclosure," ruled Mr Tan Kiat How, Commissioner of Personal Data Protection, in decision grounds issued last week. He rejected "the excuse that this was a one-off mistake" by the 50-year-old staff member and the managing partner of the firm.
The Singapore-registered law firm provides estate planning services and handles property transactions. None of the parties was named in the decision grounds.
The two e-mails sent by the same staff member within a month in 2017 collectively contained the complainant's and his sister's residential address, their NRIC numbers, and the name of the bank in relation to the mortgage of a property.
Following the two incidents, the managing partner apologised to the complainant and his sister and offered to refund the legal costs and absorb all disbursements in handling the property transactions.
But on Sept 29, 2017, the managing partner sent an e-mail to the complainant and the sister enclosing two attachments, one of which reflected the full names of two other clients who were unrelated to the complainant's property transaction.
The commissioner found the information inadvertently sent amounted to personal data within the meaning of section 2(1) of the Personal Data Protection Act (PDPA).
He noted the same staff member had committed the errors within one month despite being told of the mistake, which showed "that a culture of care and responsibility towards the handling of the personal data had not been sufficiently ingrained within the organisation".
"Since the organisation is in the business of providing legal services and handles large volumes of personal data on a day-to-day basis, the organisation and its staff members should be vigilant in its handling of personal data," said Mr Tan.
He found the law firm did not have adequate security arrangements to protect clients' data and breached its protection obligations under section 24 of the PDPA.
The investigations also showed the firm had not implemented policies to protect personal data as required under section 12 of the PDPA.
The commissioner took into account various mitigating grounds raised by the law firm, which included waiving all legal costs incurred in the matter in which it advised the complainant.
In addition to imposing the $8,000 financial penalty, the commissioner directed the firm to implement within 60 days a data protection policy and internal guidelines that comply with the PDPA, as well as organise training for staff handling personal data on the obligations under the PDPA and the firm's data protection policies.