The Personal Data Protection Commission (the PDPC) released a decision on 21 March 2017 regarding an employer's responsibility for the actions of an employee, which formed the basis of breaches of the Personal Data Protection Act (the PDPA).
The complainant (the Complainant) in the decision was an ex-employee of the organisation (the Employer), and the personal assistant to another employee and director (the Employee) of the Employer.
The Complainant and the Employee were both part of a chat group on the social media platform, Whatsapp, along with other employees of the Employer. On the Whatsapp chat group, the Complainant and the Employee expressed their disappointment with each other arising from the Complainant's employment with the Employer. In expressing his disappointment, the Employee also disclosed highly sensitive personal information of the Complainant, namely details about the Complainant's history with drugs and infidelity (the Personal Data), to the participants of the group chat, without the Complainant's consent and without the Complainant being notified of the purpose of disclosure.
Employers should note that "personal data" refers to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information the organisation has or is likely to have access to. In other words, "Personal data" is not intended to be narrowly construed, and covers all types of data that can help identify an individual, regardless of whether such data is true or false, even office gossip, as this decision demonstrates.
The Complainant claimed that the Personal Data was previously disclosed to the Employee in the context of the Employee being her employer, teacher and coach. As such, the Employer should be responsible for the conduct of the Employee.
The PDPC was tasked with determining whether the Employer was responsible under the PDPA, and whether there were breaches of the PDPA.
The Employer was held responsible for the Employee's actions despite the Employer arguing that:
- the Personal Data was disclosed to the Employee in his personal capacity;
- the Personal Data was only known to the Employee and not the Employer; and
- the Employer did not authorise the disclosure of the Personal Data.
The PDPC pointed to section 53(1) of the PDPA, which provides that "any act or conduct engaged in by a person in the course of his employment shall be treated as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer's knowledge or approval".
The PDPC held that the disclosure of the Personal Data on the Whatsapp group chat was made in the context of an ongoing dispute between an employer and an ex-employee, with the intent to discredit the ex-employee. As such, the Employee was acting in the course of his employment when he disclosed the Personal Data on the Whatsapp group chat. Further, the PDPC stated that the Employer's knowledge or approval is immaterial under section 53(1) of the PDPA.
This was important as the main obligations in the PDPA would not have applied if the Personal Data had been disclosed in the Employee's own "personal or domestic capacity" under Section 4(1)(a) of the PDPA.
PDPA Breaches and Potential Penalties
Affirming the strict liability imposed by section 53(1) of the PDPA, the PDPC found that the Employer was in breach of sections 13 and 20 of the PDPA, given that Personal Data was disclosed without the Complainant's consent, without the Complainant receiving prior notification of the purpose of disclosure and without any applicable exception under the PDPA.
Accordingly, the PDPC was empowered under Section 29 of the PDPA to issue such directions as it deemed fit to ensure compliance with the PDPA, including directing the Employer to pay a financial penalty of such amount not exceeding S$1 million.
However, the PDPC was mindful of the specific circumstances of this case, and instead calibrated its enforcement action by issuing a warning to the Employer because the disclosure was made in the context of a dispute between an employer and ex-employee, and was made in what was essentially the Employer's chat group for work (and not to the public at large).
Nevertheless, employers should note that the exact number of individuals who were privy to the unauthorised disclosure was immaterial in the PDPC's determination that the Employer was in breach of the PDPA. There is no minimum threshold, and any unauthorised disclosure, even to the limited audience of a private Whatsapp messaging group, is potentially a breach of the PDPA.
Further, given the difficulty controlling the spread of information on social media, employers should be wary that this disclosure of the Personal Data on the Whatsapp group could just as easily have become an unauthorised disclosure to the public at large. In such an event, the imposition of a financial penalty by the PDPC would have been a likely outcome.
While it may generally be easier for employers to regulate their employees' conduct in the office, it may not be as straightforward when it comes to regulating conduct on social media, given that there are many social media platforms and it may not be possible to keep an eye on each and every one of them. This may seem problematic, since under the PDPA an employer's knowledge and approval is immaterial to whether the employer is held responsible for its employees' conduct on such social media platforms.
However, the key practical tip for employers to reduce the risk of being held responsible for PDPA breaches due to their employees' actions is to raise awareness among their employees with respect to handling personal data. Employees should be reminded that personal data is broadly defined under the PDPA and that any unauthorised disclosure of personal data, not just disclosure to the general public, is potentially a breach of the PDPA. Employers may wish to consider personal data training sessions, and also circulating a personal data policy to their employees.