An interesting case relating to Singapore’s Personal Data Protection Act (PDPA) came before the Singapore High Court in September last year. An individual had left his former employer, an investment company, to join a competitor firm. At this new firm, he sent an email to a client of his former employer, another individual whom he had come to know when he was with his former employer. In that email, he referenced a particular fund into which the client had made certain investments. Both his former employer and the client brought a lawsuit against him, claiming that he had contravened the PDPA by using the client’s personal data without the latter’s consent.
The High Court decided that the client’s distress alone, or the mere loss of control over his personal data, did not entitle him to bring a lawsuit under the PDPA. An appeal has been filed by the client and is pending.
Quite apart from these conclusions reached by the court, the case also offers useful takeaways for employers looking to safeguard company information when an employee leaves. We discuss these below.
Have robust confidentiality obligations in your employment contracts
While no express reference was made to any of the contracts amongst the various parties, the High Court did acknowledge that the client’s disclosure of his personal data to the investment company was in confidence. It also considered that the former employee’s use of the client’s name to obtain his personal email address from his LinkedIn page was unlawful.
If a company wants to hinder employees from stealing commercially sensitive information, such as its clients’ details, it should ensure that its employment agreements require that such customer information be treated confidentially. Customer information might include anything that an employee learns about a client and their dealings with the company, such as their contact details, account information, transactions, preferences, and even the fact that they are a customer of the company, by their inclusion in a client list.
In contrast, information about a customer that is gathered from a publicly available source, such as a website or social media page, would likely not warrant confidential treatment. However, a company may nonetheless want to set ground rules for the use of social media by its employees, such as through a social media code of conduct or acceptable use policy, with dos and don’ts on how employees should interact with customers and even the public on such platforms. Such a policy could also contain restrictions on how employees should post on websites associated with the company, such as where the company’s name or logo is used.
Ensure that these confidentiality obligations continue even after an employee has left the company
If a company wishes to protect its confidential information even after its employee has left, it may do so by including clauses in the employment contract which stipulate that the employee is obliged to treat such information as confidential and not to disclose the same, even after the employee has ceased to be employed by the company.
The company should spend some time, and perhaps seek legal advice, in crafting such a clause, as there is a chance that such a clause might be interpreted by the Court as a restrictive covenant, in which case the clause may not be enforced unless the company is able to convince the Court that the same is reasonable.
Adopt comprehensive employee exit protocols
As part of an employee’s exit process, the company should implement a standard protocol which requires the return of all company information including customer data. In some employment termination scenarios, it may be suitable to remind the employee of their obligations to keep customer data confidential, or even to obtain explicit confirmations that they have destroyed all confidential records and will not use any customer information in future that may have been acquired during their employment with the company.
On the flip side, if you are a company that has just hired a new employee, there are also pre-emptive steps to take to avoid taking on liability for that employee’s wrongdoing, such as data theft from their previous firm.
Set company rules to govern employee behaviour
This is one way in which the company can protect itself against any employee wrongdoing, whether deliberate or inadvertent. It is possible for a company to be liable for an employee’s contravention of the PDPA so long as this was during the course of their employment. In other words, an employee’s conduct could give rise to the company being subject to an investigation by the Personal Data Protection Commission for a breach of the PDPA by the employee during the course of their employment. If found guilty, the company has to comply with the Commission’s directions, which may include payment of a regulatory fine, which, at present, could be up to SGD 1 million. The company could also be sued by an aggrieved individual, provided that the individual has suffered loss or damage directly as a result of the contravention. As such, a company should specify clearly what types of employee activities are objectionable, for instance, by making them subject to disciplinary action.
Conduct employee training on data protection
A company should implement training for all newly on-boarded staff on what customer data can and cannot be used for. If a client has only consented to their personal data being used for anti-money laundering, “know your customer” checks, or other regulatory compliance purposes, that same data should not then be used for marketing. The company could also implement an appropriate standard operating procedure for dealing with a customer who subsequently objects to being contacted by it. This helps reduce the risk of any non-compliance by the company with its data protection obligations.