Company Liable For Director’s Actions In Corporate Chat Room
A senior member of Executive Coach International shared personal views about an ex-employee in a company-sponsored WhatsApp chat room. The PDPC found the comments constituted an unauthorized use and disclosure of personal information (used without consent), for the purposes of discrediting the ex-employee (who departed on ‘unamicable’ terms).
Executive Coach stated the director was acting in a personal capacity, and it neither approved, nor had any knowledge of the director’s actions. The PDPC found that although the dispute may have been personal, the context of the exchange was an ongoing dispute between an employer and its ex-employee, thus the organization was liable.
Given the extenuating circumstances (not a public chat room, the individual actions of the director), the PDPC decided to formally warn Executive Coach, but not issue a fine.
jbho: a reminder that mum is always the word when it comes to former employees. Interesting that this was addressed as a privacy matter as opposed to an employment or disparagement matter. Fascinating to watch this nascent privacy regime mature (and quite quickly at that!)
Also a reminder that if you are going to sponsor social channels for employees, you should have some clear guidelines on how to use them.
Updated Guidance On Anonymization And Health Care Reminders
The PDPC has updated Anonymization guidelines (chapter 3) of its Advisory Guidelines On The Personal Data Protection Act For Selected Topics. Updates include more detailed examples for acceptable use and disclosure of anonymized data, as well as additional guidance on assessing the risk of re-identification.
The PDPC has also updated its Advisory Guidelines for the Healthcare Sector, and added examples of how and when it’s okay to send appointment or other service reminders by phone or text message.
jbho: I don’t see any material changes, but the examples are good. The PDPC continues to publish some of the best guidance that’s out there.
PDPC Updates Guidance On Security, Disposal, And Website Design
The PDPC has published revisions to three security guides:
• Guide to Securing Personal Data in Electronic Medium
• Guide to Disposal of Personal Data on Physical Medium
• Guide on Building Websites for SMEs
The updates add examples illustrating good information handling practices under the PDPA, including using out-of-the-box and 3rd-party software, as well as how to configure software features when handling personal information.
The PDPC also added a new Guide to Preventing Accidental Disclosure When Processing and Sending Personal Data, which aims to help prevent breaches and addresses:
• Preventing personal information from being sent to wrong recipients
• Minimizing the risk and impact of accidental disclosures to wrong recipients
• Understanding Lessons Learned from case studies
• Using checklists to implement best practices
jbho: the PDPC puts out some great materials, and they are worth the read if securing data falls under your remit.
New TV Series on Personal Data Protection
The PDPC has launched a TV show to introduce personal data protection topics to general audiences.
jbho: Talk about government support for privacy!
PDPC Updates Guidance On Consent
The Personal Data Protection Commission (PDPC) recently updated guidance on Consent and Do Not Call provisions (revised on 15 July 2016).
Chapter 12 has been revised to provide further clarity on the withdrawal of consent requirements, including how organisations are to facilitate and effect withdrawal of consent requests.
The section on Do Not Call Provisions in the Advisory Guidelines on Key Concepts has been incorporated into the Advisory Guidelines on the Do Not Call Provisions.
jbho: just in case you are following this