Protecting corporate data when an employee leaves
In September of last year, the Singapore High Court heard an intriguing case involving Singapore’s Personal Data Protection Act (PDPA). An employee had left his previous job, an investment business, to work for a rival. This employee wrote an email to a former employer’s client at his current job, another individual he had met while working for his old employer. In that email, he mentioned a specific fund in which the customer had placed contributions. Both his former employer and the client filed a lawsuit against the relevant individual, alleging that he violated the PDPA by utilizing the client’s personal data without his authorization.
According to the High Court, the client’s anguish, or the simple loss of control over his personal data, did not enable him to file a complaint under the PDPA. The client has filed an appeal, which is now pending.
Aside from the Court’s conclusions, the case provides valuable insights for firms trying to protect corporate information when an employee quits. That is why organizations must have the best practices in an instance that an employee resigns. Here are 5 best practices for protecting corporate data when an employee leaves:
Also Read: PDPA compliance for real estate agencies
Best practice for protecting corporate data when an employee leaves #1: Have robust confidentiality obligations in your employment contracts
While no explicit mention was made to any of the various parties’ contracts, the High Court did recognize that the client’s giving of his personal data to the investment business was done in confidence. It is also believed that the former employee’s use of the client’s name to get his LinkedIn profile’s personal email address was illegal.
If a firm wishes to prevent employees from stealing commercially sensitive information, such as client information, it should ensure that its employment contracts require such customer information to be maintained discreetly. Customer information can include whatever an employee learns about a client and their interactions with the firm, such as their contact information, account information, transactions, preferences, and simply the fact that they are a company customer due to their presence on a client list.
In contrast, information on a client obtained from a publicly accessible source, such as a website or social media page, is unlikely to be secret. However, a corporation may still wish to establish ground rules for its workers’ usage of social media, such as through a social media code of conduct or acceptable use policy, which includes dos and don’ts for how employees should engage with customers and even the general public on such platforms. It might also include rules on how workers should publish on company-related websites, such as when the company’s name or emblem is utilized.
Best practice for protecting corporate data when an employee leaves #2: Ensure that these confidentiality obligations continue even after an employee has left the company
If a firm wants to safeguard its secret information even after an employee leaves, it might include a clause in the employment contract requiring the employee to keep such information confidential and not reveal it, even after the individual has left the company.
The firm should take its time, and maybe seek legal help, in designing such a clause, as there is a risk that the Court would read it as a restrictive covenant, in which case the clause will not be enforced unless the company can convince the Court that it is fair.
Best practice for protecting corporate data when an employee leaves #3: Adopt comprehensive employee exit protocols
The organization should develop a common procedure requiring the return of all corporate information, including customer data, as part of an employee’s leaving process. In some employment termination scenarios, it may be appropriate to remind the employee of their obligations to keep customer data confidential or even to obtain explicit confirmations that they have destroyed all confidential records and will not use any customer information obtained during their employment with the company in the future.
On the other hand, if you are a corporation that has recently employed a new employee, there are some precautions you should take to prevent being held liable for that individual’s crime, such as data theft from their prior employer.
Best practice for protecting corporate data when an employee leaves #4: Set company rules to govern employee behavior
This is one approach for the corporation to defend itself from any employee misbehavior, whether intentional or unintentional. It is conceivable for a firm to be held accountable for an employee’s violation of the PDPA if it occurred during the course of their employment. In other words, an employee’s actions might lead to the organization being investigated by the Personal Data Protection Commission (PDPC) for a PDPA violation committed by the person while on the job.
If the corporation is found guilty, it must follow the Commission’s instructions, which may include paying a regulatory punishment of up to SGD 1 million. An aggrieved individual may also sue the firm if the individual has directly experienced loss or harm as a result of the violation. As a result, a corporation should make it clear what sorts of employee actions are unacceptable, for example, by subjecting them to disciplinary action.
Best practice for protecting corporate data when an employee leaves #5: Conduct employee training on data protection
A corporation should instruct all newly hired employees on what consumer data may and cannot be used for. If a client has solely agreed to the use of their personal data for anti-money laundering, “know your customer” checks or other regulatory compliance purposes, such data should not be used for marketing. In addition, the firm might put in place an acceptable standard operating procedure for dealing with a consumer who later objects to being contacted by it. This reduces the danger of the organization failing to meet its data protection requirements.