A local firm has been warned by the Personal Data Protection Commission after a staff member disclosed personal information of a former employee in a WhatsApp group.
The commission, which probed the case in 2015, found that a director at Executive Coach International had shared highly sensitive information about the former employee’s drug problem and “issue with infidelity” with more than 50 members of a closed WhatsApp group. The group comprised staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.
The former employee said she had disclosed her personal details to the director in his capacity as her employer, teacher and coach.
Read also: Cyber attack likely mitigated, US Homeland Security says
Under the Personal Data Protection Act, it is an offence to collect, use or disclose personal data from an individual without consent. Breaches can draw penalties of up to $1 million or an order to ensure compliance, among other things.
This is the first case where a breach under the Act has been committed via an instant messaging platform. The firm argued that the director had disclosed the data in his personal capacity and not as an employee, adding that the data was known only to him.
The commission in its decision grounds issued last week said the company’s ignorance of what happened was immaterial under the Act, highlighting that the director was a senior member of the firm.
Read also: Some agencies delinked ahead of deadline
It added that the disclosures were made in the context of an ongoing spat arising from her unamicable departure from the company.
The director had expressed his disappointment with her and claimed she had tried to undermine his authority and convince others to leave the company.
This, the commission decided, meant the personal data was disclosed in the course of work by the director, and the “disclosure is treated as a disclosure by the organisation for which the organisation is responsible”.
It added the disclosures were internal and not to the public at large.
It ruled that a “calibrated” approach should be taken based on the circumstances of the case, and issued a warning to the company for breaching two sections of the Act.
Responding to queries from The Straits Times, a spokesman for the firm said yesterday that the company respected the commission’s decision and regretted the incident. The spokesman added: “Since the incident, strict internal measures have been implemented to ensure that it never happens again.”
This article was first published on Mar 29, 2017.
Get a copy of The Straits Times or go to straitstimes.com for more stories.
