The Personal Data Protection Act (PDPA) has been in the limelight in the past few weeks.
If you are an employer, alarm bells should be going off as you have to pay attention to your obligations under the PDPA.
If you are an employee, listen up as you have a big part to play in ensuring that you and your employer comply. At the very least, you have to be extremely careful about how you handle the personal data of your customers.
How you dispose of your rough and scratch papers can get you in trouble
In one notable and recent case, an employee accidentally used rough papers containing personal information of customers as fillers to cover the base of a hamper. The hamper was subsequently delivered to a third party. The third party complained to the Personal Data Protection Commission (PDPC) about the personal data showing on the form. The PDPC made it very clear that the company had breached its obligations under the PDPA by failing to protect the personal data of its customers.
It is noteworthy that the PDPC has the power to impose a financial penalty not exceeding $1 million for the disclosure of personal data. Given such heavy penalties, compliance with the PDPA is something employers have to watch carefully.
What can employers learn from the above incident? How can they protect themselves?
Companies are required to implement PDPA policies to protect customer data
Companies should implement detailed policies to assist employees in the protection of customers' personal data.
These policies should take into account the following:
- The sensitivity of customers' personal data;
- The purpose for which the data is used;
- How employees must handle data in the day-to-day running of the company;
- Whether the steps taken by employees are sufficient and in line with the PDPC Guidelines.
The steps taken should be sufficient to protect personal data and to ensure that employees are not only paying lip service to the policies. It is not enough for companies to rely on firm practices or culture. They need to write these policies into their employee handbooks and/or contracts so that employees have a clear reference point.
Another measure is to invest in staff training.
Staff training on data privacy is an important safeguard and requirement
In another recent case, the company was faulted for not providing training to its employees despite having PDPA policies in place. Companies should conduct regular staff training to raise awareness of their obligations and provide specific guidance on the proper handling of consumer personal data. It is proposed that the training should cover the following areas:
- Review of the company's guidelines and policies and assistance with their implementation;
- Steps to take in the event information has been accidentally or mistakenly disclosed;
- Procedure to handle requests by third parties for the disclosure of information; and
- Process of investigating and responding to complaints from the public.
This list is not exhaustive but is a good starting point. Employers must continue to educate and remind employees of their PDPA obligations and be persistent with the training. After all, personal data protection is relatively new. It has not been infused into the Singapore DNA yet.
Ignore the PDPA at the risk of your company!
A failure to stay on top of the PDPA may be fatal for companies, and employees may lose their jobs due to careless and costly mistakes!
Take immediate steps to review, remind and be ready. Stay updated and safeguard your business today!
Have a question on PDPA?
If you have a legal question on the PDPA, you may wish to get a Quick Consult with one of our practicing lawyers. A Quick Consult lets you speak with a lawyer with the right expertise and experience for 15 minutes on the phone to give you legal guidance on your legal dilemma. It is designed to be fast, easy and affordable.
This article is written by Anil Lalwani from Lalwani Law Chambers.
Disclaimer: The information contained in this article is provided for general information only. Nothing contained in this article is intended to constitute or substitute legal advice, nor does it create a solicitor-client relationship. We urge you to always seek professional legal advice even if the information in our article appears to address your queries and questions. If in doubt, seek professional legal advice at the earliest.