An interesting case relating to Singapore’s Personal Data Protection Act (PDPA) came before the Singapore High Court in September last year. An individual had left his former employer, an investment company, to join a competitor firm. At this new firm, he sent an email to a client of his former employer’s, another individual, whom he had come to know when he was with his former employer. In that email, he referenced a particular fund into which the client had made certain investments. Both his former employer and the client brought a lawsuit against the relevant individual, claiming that he had contravened the PDPA by using the client’s personal data without the latter’s consent.
The High Court decided that the client’s distress alone, or the mere loss of control over his personal data, did not entitle him to bring a lawsuit under the PDPA. An appeal has been filed by the client and is pending.
Quite apart from these conclusions reached by the court, the case also offers useful takeaways for employers looking to safeguard company information when an employee leaves. We discuss these below.
Have robust confidentiality obligations in your employment contracts
While no express reference was made to any of the contracts amongst the various parties, the High Court did acknowledge that the client’s disclosure of his personal data to the investment company was in confidence. It also considered that the former employee’s use of the client’s name to obtain his personal email address from his LinkedIn page was unlawful.
If a company wants to hinder employees from stealing commercially sensitive information, such as its clients’ details, it should ensure that its employment agreements require that such customer information be treated confidentially. Customer information might include anything that an employee learns about a client and their dealings with the company, such as their contact details, account information, transactions, preferences, and even the fact that they are a customer of the company, by their inclusion in a client list.
In contrast, information about a customer that is gathered from a publicly available source, such as a website or social media page, would likely not warrant its confidentiality. However, a company may nonetheless want to set ground rules for the use of social media by its employees, such as through a social media code of conduct or acceptable use policy, with dos and don’ts on how employees should interact with customers and even the public on such platforms. It could also contain restrictions on how employees should post on websites associated with the company, such as where the company’s name or logo is used.