Data Protection Liability in the Employment Context

By Benjamin Wong

This blog post highlights my article ‘Employer Liability and the Employee Exemption’ published in the PDP Digest 2022 relating to the allocation of data protection liability in the employment context. In that article, I discuss how the Personal Data Protection Act 2012 (‘PDPA’) allocates liability between an employer and an employee, when the employee does something that constitutes a breach of a data protection obligation under the PDPA (for example, where the employee discloses the personal data of an individual without having obtained prior consent from that individual, in breach of the Consent Obligation under section 13 of the PDPA).

In the PDPA, there are two provisions that serve to allocate liability between employers and employees for breaches of data protection obligations. First, there is section 4(1)(b) of the PDPA, which provides that the data protection provisions of the PDPA ‘do not impose any obligation on … any employee acting in the course of his or her employment with an organisation’. This is the ‘employee exemption’ provision. Second, there is section 53(1) of the PDPA, which provides that any act done or conduct engaged in in the course of an employee’s employment shall be regarded for the purposes of the PDPA as ‘done or engaged in by his or her employer as well as by the employee’. This is the ‘employer liability’ provision.

When an employee acts in breach of a data protection obligation under the PDPA, the central question that determines whether the employer or employee shall be liable is whether the employee was acting in the course of his or her employment. There have been several decisions issued by the Personal Data Protection Commission (the ‘PDPC’) where one or both of the employee exemption provision and the employer liability provision were applied. Significantly, the application of the employee exemption provision was also recently considered by the Singapore Court of Appeal in Reed, Michael v Bellingham, Alex [2022] 2 SLR 1156 (“Reed v Bellingham”). Below, I shall provide a summary of three useful points that may be derived from these cases.

(1) The context and intent of the employee’s conduct are relevant considerations in determining whether the employee acted in the course of his or her employment. In many cases involving the breach of a data protection obligation by an employee, it is obvious whether the employee was acting in the course of his or her employment. For example, if the employee was performing an integral function of his or her job, it is reasonably clear that the employee was acting in the course of his or her employment. In some cases, however, the employee may have done something which does not squarely fall within his or her “job description”. In these cases, it is helpful to consider the context and intent behind the employee’s conduct. The article provides a fuller treatment of this point.

(2) The employer’s knowledge or approval of its employee’s conduct is relevant to the determination of whether the employee acted in the course of his or her employment. Although the employer liability provision states that an employer may be held liable for the acts of its employee regardless of whether it knew or approved of the employee’s conduct, the fact that the employer did not know or approve of the employee’s conduct may nevertheless make it more likely that the employee’s conduct fell outside of the course of his or her employment. Thus, in the PDPC’s decision in Progressive Builders Private Limited [2021] SGPDPC 2, an employee who had shared certain work-related personal data in a private WhatsApp group chat was found not to have been acting in the course of his employment, because the employer was not aware of the WhatsApp group chat and had not instructed the employee to share the personal data in that group chat, and the employee had acted in breach of his contractual obligation of confidence in his employment contract by sharing the personal data in that group chat.

(3) The Court of Appeal in Reed v Bellingham affirmed a “fault based” approach to employer’s liability. According to the Court of Appeal, unlike vicarious liability under common law, the PDPA does not attribute strict liability to an employer for the acts of its employee; instead, the employer should be held liable only if it fails to act reasonably in the circumstances. Thus, where an employer has undertaken diligent efforts in implementing data protection policies and practices for its staff, such an employer should not be saddled with liability for the acts of a disobedient employee who deliberately avoids complying with those policies and practices. In such circumstances, the employee should not be taken as having acted in the course of his or her employment, and he or she should be the party held liable for breaching the data protection obligation in question.

The practical upshot of the foregoing discussion is that organisations should implement data protection policies to ensure that their employees operate in compliance with the data protection obligations, or else risk potential liability if their employees act in breach of the PDPA.

Keywords: Data Protection, Employment

AUTHOR INFORMATION

Benjamin Wong is a Lecturer at NUS Law, and an Advocate & Solicitor in Singapore.

Email: benjamin.wong@nus.edu.sg