On 21 March 2017, Singapore’s Personal Data Protection Commission issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.
A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.
The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act if the relevant individual has not consented to the disclosure. It is a reminder that all forms of unauthorised disclosure – not merely those to the public at large – will place an organisation at risk.
Particularly with chat platforms, both employers and employees can be lulled into the false belief that communications are private and secured, and are more casual with sharing personal or confidential information as a result. Chat platforms should be used with caution where work matters are concerned, particularly those involving clients’ or colleagues’ personal or confidential data. Company policy should specify to employees that chat platforms (whether WhatsApp or intranet messengers) should only be used to share non-sensitive information. Another difficulty with large chat groups is that it is easy to forget who their participants are. Employees should be alive to the distinction between data which can be shared freely amongst their colleagues and information which a client or colleague means to share only with a limited group of people (for instance, a specific employee or his team).
Another interesting feature of the case is the nature of the “personal data” disclosed. “Personal data” is often considered to be hard data, such as names, credit card numbers, passwords, and so on. However, the “personal data” shared by the employer in this case comprised details of the employee’s “drug problem” and “issue with infidelity in her amorous relationship”. These may seem like idle gossip, but they also fall under the wide definition of “personal data” in the Singapore Act – “data, whether true or not, about an individual who can be identified from that data and/or other information to which the organisation has or is likely to have access”. Aside from personal issues, the definition captures other non-intuitive forms of data including political opinions, hobbies, and location data. Companies should consider reviewing their systems to determine if there is “personal data” of this nature which they are collecting but have not made arrangements to protect.