The PDPA gets Personal
This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!
There's a new hue to the shift from openness to accountability in the PDPA. We are used to the idea of expecting more from organisations. However, individuals (other than public servants, or persons acting in a personal capacity) who mishandle personal data will be criminally liable under a new section in the upcoming PDPA.
As the PDPC and the Ministry put it, it's an offence relating to the egregious mishandling of personal data. The types of mishandling are:
- Knowing or reckless unauthorised disclosure of personal data
- Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
- Knowing or reckless unauthorised re-identification of anonymised data.
Anyone convicted of an offence is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years or both.
Leveling the Public and Private sectors
One of the most controversial areas of the PDPA is the exclusion of the public sector. This can create an impression of differing data protection standards in the public and private sectors. In response, the Government has taken steps to level up its data protection.
One of the more aggressive moves by the Government to show its accountability was to enact the Public Sector (Governance) Act. Sections 7 and 8 of that Act criminalise the egregious mishandling of personal data by public servants in terms very similar to the amendments.
As such, the PDPA amendments level the playing field. An employee who egregiously mishandles personal data will be penalised in the same way, whether he works in the private or the public sector. At least in this respect, the differences between the public and private sectors are less pronounced.
The amendments are also essential to plug a hole for companies doing work for the Government. If you mishandle government data, you are liable under the PSGA if you are a public servant. However, non-public servants, such as contractors, are not liable under the PSGA if they mishandle government data. So after the amendments are passed, no one will be left out.
Do employees have anything to fear?
From its inception, the PDPA has targeted organisations for compliance, not their employees. Section 4(1)(b), which does not impose obligations on employees, and section 11(2), which states that an organisation is responsible for the personal data in its possession or under its control, confirm this.
This makes sense. Employees need their employer's support to carry out the organisation's data protection obligations. The PDPC's decisions consistently reject the defence that the organisation had expected its employees to do their jobs properly. Employees need practical and relevant training, and that is best provided by the organisation.
Do the amendments mean that employees face more exposure under the revised PDPA? Realistically, the answer is no. The provisions set a very high threshold for the mens rea, or mental element, of the offence. The offender must have acted knowingly or recklessly; negligent acts are not enough. Furthermore, the disclosure, use or re-identification must not have been authorised by the organisation.
As such, the paradigm case for this section is the rogue employee who makes use of the company's data to make a profit. An employee who ignores data protection training and then commits the very mistake the training was meant to prevent may not be criminally liable under this provision. Arguing that such an employee intentionally caused a data breach will be challenging.
Interestingly, we can find this sort of employee in Hazel Florist & Gifts  SGPDPC 9. Even though the employee who caused the data breach refused to attend training or follow SOP, the PDPC still blamed the organisation for failing to make her do so.
Would I use the new criminal liabilities to encourage my colleagues to take data protection seriously? Ultimately, it’s not right to scare people for something unlikely to happen. In any case, the reality is that most employees do want to comply once they have the right tools. When they fail to comply, it's generally because they are not in the right environment, and this environment is completely within the control of the organisation. The “stick” in this case is good but does not seem necessary.
The amendments imposing personal liability on individuals appear to be mainly an effort to align the liability of public officers with that of other individuals. As in the public sector, liability is narrow and targeted at the most egregious conduct. In that light, the amendments are essential for a consistent regime across the private and public sectors.
Love.Law.Robots. – A blog by Ang Hou Fu