Love.Law.Robots. by Ang Hou Fu

Employee


A recent disciplinary case in Singapore, [Law Society of Singapore v Mohammed Lutfi bin Hussin](https://www.elitigation.sg/gd/s/2022SGHC182), highlights a common pitfall in legal practice. A lawyer failed to witness the signing of conveyancing documents personally but attested to doing so. Few people may pay attention to a routine conveyancing transaction. Still, this time, the transaction was tainted by fraud: a mortgagor had submitted false documents to a mortgagee to obtain a higher loan. The lawyer’s license was suspended for three years for claiming to have witnessed the signing when he didn’t.

There’s an uncharacteristic lack of remorse on the lawyer’s part compared to other disciplinary cases. Here’s how he described his practice, which seems rather ordinary at first glance:

This was a routine purchase of the Property by [a buyer] financed by a loan taken from a bank. The transaction could be carried out without my seeing [the Buyer]. My staff are fully capable of dealing with routine transactions such as [the Buyer’s] purchase of the Property. If anything out of the ordinary crops up, they will inform me and I will then see [the Buyer] and sort out whatever problem has arisen. There were no issues at all relating to [the Buyer’s] purchase and for that reason, I did not have to see him.

In contrast, here’s what the Court of 3 Judges (in charge of lawyer discipline) thought of that:

[The lawyer] had put in place a “system” pursuant to which he entrusted his non-legally trained staff to carry out conveyancing transactions, including witnessing the execution of conveyancing documents, so that he did not have to meet his own clients, unless he deemed it necessary. Under this “system”, he presupposed that everything was in order until and unless his staff flagged any issues. In relation to [the Buyer’s] conveyancing transaction, nothing out of the ordinary was brought to his attention. He therefore assumed that all was in order and never met [the Buyer], notwithstanding the fact that the latter had engaged him as his conveyancing solicitor.

It’s important to note that witnessing someone sign a document isn’t likely to have stopped the fraudulent transaction. The nub of the issue was that the lawyer had claimed to do something he did not. The Court recognized that some might call this “technical dishonesty”.

But what’s the point of witnessing someone sign a document? The main idea is that it prevents fraud. Anyone can put anyone’s signature anywhere. The lawyer verifies the signer’s identity and ensures that the signer understands the document and that there are no signs of duress or misunderstanding.

Who wants to do an E-Will? COVID-19 offers an opportunity to relook at one of the oldest instruments in law — wills. Is it enough to make them an electronic transaction? (Love.Law.Robots., Houfu)

A similar problem persists in the area of wills and testaments.

Post-pandemic, though, alternatives are apparent but with questionable legality. If a lawyer witnesses a signing through Zoom, does it count? If e-signatures can be used, what value does being in person add? Banks don’t always use lawyers to prevent fraud, either. Document submission, such as income and particulars, can now be received directly through the relevant government agency and authenticated fairly securely by the applicant. The wonders of SingPass!

The question is, would the lawyer have escaped sanction if there was actually a “system” in place? The Court describes this as a “non-system” because the lawyer had abdicated his responsibilities to non-legally trained staff. But what if the lawyer had implemented a system to train his staff on when to escalate, use checklists, verify the work, and carry out audits? Would that be enough? Or is the point that no matter what, the lawyer must be physically present?

We aren’t going to find out because everyone understands that witnessing a signing has to be personal. Furthermore, this is a strict requirement promulgated by legislation, so it’s non-negotiable.

These issues are essential because conveyancing is a prime example of volume work in the legal profession. If a lawyer has to be physically present at every stage of the transaction, this would slow down the process and make it expensive. The practice would be harder to justify in the face of more efficient and cost-effective solutions. More people would believe its objective is to maintain a monopoly for lawyers. Even lawyers may be hard-pressed to find efficient ways to do business and inadvertently find themselves on the wrong side of the law.

For now, legal innovators trying to automate manual processes or implement a “system” have to be careful if it involves any attestation. It’s the law; you can’t change it, and breaking it would get you in hot soup, no matter how dissatisfied you are.

The Importance of Being Authorised: A recent case shows that practising law as an unauthorised person can have serious effects. What does this hold for other people who may be interested in alternative legal services? (Love.Law.Robots., Houfu)

An earlier post explored another common pitfall.

#Law #Lawyers #E-signature #Employee #LawSociety #Singapore #SupremeCourtSingapore #tech


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

There’s a new hue to the shift from openness to accountability in the PDPA. We are used to the idea of expecting more from organisations. However, individuals (who aren’t public servants or acting in a personal capacity) who mishandle personal data will be criminally liable under a new section in the upcoming PDPA.

As the PDPC and Ministry put it, it’s an offence relating to egregious mishandling of personal data. The types of mishandling are:

  1. Knowing or reckless unauthorised disclosure of personal data;
  2. Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
  3. Knowing or reckless unauthorised re-identification of anonymised data.

Anyone convicted of an offence is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years or both.

Leveling the Public and Private sectors

One of the most controversial areas of the PDPA is the exclusion of the public sector. This can create an impression of differing data protection standards in the public and private sectors. In response, the Government has taken steps to level up its data protection.

One of the more aggressive moves by the Government to show its accountability was to enact the Public Sector (Governance) Act. In sections 7 and 8 of the same act, the egregious mishandling of personal data by public servants is also criminalised in terms very similar to the amendments.

As such, the PDPA amendments level the playing field. An employee who egregiously mishandles personal data will also be penalised in the same way, whether he is in the private or public sector. At least in this respect, the differences between the public and private sectors are less pronounced.

The amendments are also essential to plug a hole for companies doing work for the Government. If you mishandle government data, you are liable under the PSGA if you are a public servant. However, non-public servants, such as contractors, are not liable under the PSGA if they mishandle government data. So after the amendments are passed, no one will be left out.

Do employees have anything to fear?

From its inception, the PDPA targets organisations for compliance, not their employees. Section 4(1)(b), which does not impose obligations on the employee, and section 11(2), which states that an organisation is responsible for its personal data, confirm this.

This makes sense. Employees need their employer’s support to carry out the organisation’s data protection obligations. The decisions consistently rebuke the argument that employees did their jobs as the employer ideally expects them to. Employees need practical and relevant training, and it is best provided by the organisation.

Do the amendments mean that employees face more exposure under the revised PDPA? Realistically, the answer is no. The provisions place a very high threshold on the mens rea or mental element of the offence. The offender either did this intentionally or recklessly. Negligent acts are not enough. Furthermore, the use of the information must not be authorised by the company.

As such, the paradigm case for this section is the rogue employee who makes use of the company’s data to make a profit. An employee who ignores data protection training and then commits the mistake the training was meant to prevent may not be criminally liable under this provision. Arguing that such an employee intentionally caused a data breach will be challenging.

Interestingly, we can find this sort of employee in Hazel Florist & Gifts [2017] SGPDPC 9. Even though the employee who caused the data breach refused to attend training or follow SOP, the PDPC still blamed the organisation for failing to make her do so.

Would I use the new criminal liabilities to encourage my colleagues to take data protection seriously? Ultimately, it’s not right to scare people for something unlikely to happen. In any case, the reality is that most employees do want to comply once they have the right tools. When they fail to comply, it's generally because they are not in the right environment, and this environment is completely within the control of the organisation. The “stick” in this case is good but does not seem necessary.

Conclusion

The amendments imposing personal liability on individuals appear to be mainly an effort to align the public officers with other individuals. Like the public sector, liability is narrow and targeted at the most egregious conduct. In that light, the amendments are essential for a consistent regime in the private and public sectors.

#Privacy #Singapore #PDPAAmendment2020 #Employee #Government #PersonalDataProtectionAct
