Search for:

Singapore: In the matter of an investigation under Section 50(1) of the Personal Data Protection Act 2012 and RedMart Limited

By and 5 Mins Read

This decision clarifies the legitimate interests exception, which was introduced on 1 February 2021.

In brief

On 31 May 2021, the Personal Data Protection Commission (“Commission“) received a complaint that RedMart Limited (“Organization“) was collecting images of the physical National Registration Identity Card (“NRICs“) and other identification documents of suppliers making deliveries to its warehouses (“Incident“).

While the Commission initially found that the Organization failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents (“ID Photographs“), the Commission subsequently assessed that the Organization met the requirements to rely on the legitimate interests exception (LIE) and complied with the proposed directions. 

Key takeaways

There are two main takeaways from this decision:

  • First, a timely reiteration that the collection of ID Photographs should not be a condition for entry
  • Second, that organizations that seek to rely on the LIE need to examine the benefits and adverse effects of collecting the personal data and the measures implemented to mitigate or eliminate the adverse effects identified, if any

In further detail

Preliminary decision

Investigations revealed that the Organization operated two warehouses, which were used to store goods and produce sold by the Organization. The warehouses were regularly visited by suppliers delivering goods and produce (“Visitors“), and the Organization implemented measures to regulate such Visitors’ access to the warehouses, such as taking photographs of the Visitors’ NRICs or other identification documents.

The Commission found that the Organization could have relied on two possible grounds as the legal basis for collecting the ID Photographs: (i) consent and (ii) the LIE.

Consent

The Commission reiterated that the collection of ID Photographs should not be a condition for entry. Where Visitors enter the warehouses to make deliveries as part of their employment or business, it is not a product or service that they chose to access, and such consent is not valid consent. The Commission also found that the Organization failed to inform the Visitors of the purpose for collecting the ID Photographs.

The LIE

The Commission noted that to rely on the LIE, the Organization would have had to conduct and document an assessment, taking into consideration the Organization’s interests in collecting the ID Photographs and the adverse effects on the Visitors. The Organization would also have had to implement reasonable measures to eliminate, mitigate or reduce the likelihood of such adverse effects occurring, and provide the Visitors with reasonable access to information about the Organization’s collection of the ID Photographs.

The Commission also noted that the collection of ID Photographs or full NRIC numbers had not been required by law in such a situation, and that it was incumbent on the Organization to justify why the collection of ID Photographs had been a reasonable practice. Considering that the Organization had taken some steps to remediate the Incident, the Commission directed the Organization to (i) evaluate whether collecting ID Photographs from Visitors is reasonably necessary and (ii) if so, whether its intends to rely on the LIE for such collection.

Reliance on the LIE

The Organization informed the Commission of its intention to rely on the LIE as the basis for such collection going forward. The Organization provided the Commission with a copy of an internal assessment it carried out on 22 July 2022 for its reliance on the LIE.

The Organization identified that its collection of the ID Photographs exposed Visitors to the risks of unauthorized use and disclosure of their personal data and detailed the measures it had implemented to eliminate or mitigate these adverse effects.

The Organization assessed the benefits of collecting the ID Photographs to be “significant” considering the potential harm that could be caused to the public by a food contamination incident. The Organization also assessed that its implementation of the above measures rendered the “adverse impact from users” to be “low.”

The Commission’s decision

The Commission accepted the Organization’s interest in deterring food security incidents as legitimate, and that there may be a legitimate interest served in implementing enhanced identification requirements to regulate access to high-risk areas.

The Commission was satisfied that the Organization had met the requirements for reliance on the LIE. Noting that the Organization has already complied with the directions and carried out a LIE assessment, no further directions were issued.

* * * * *

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

LOGO_Wong&Leow_Singapore

© 2023 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Categories:
Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is regularly ranked as a leading TMT and competition lawyer by top legal directories, including Chambers Asia Pacific and Legal 500 Asia Pacific. Ken is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators.

Author

Andy Leck is the head of the Intellectual Property and Technology (IPTech) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and also leads the Myanmar IP Practice Group. Andy is recognised by reputable global industry and legal publications as a leader in his field. He was named on "The A-List: Singapore's Top 100 lawyers" by Asia Business Law Journal 2018. In addition, Chambers Asia Pacific notes that Andy is "a well-known IP practitioner who is highlighted for his record of handling major trade mark litigation, as well as commercial exploitation of IP rights in the media and technology sectors. He's been in the industry for a long time and has always been held in high regard. He is known to be very fair and is someone you would like to be in the trenches with you during negotiations." Furthermore, Asian Legal Business acknowledges Andy as a leading practitioner in his field and notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice.” Andy was appointed by the Intellectual Property Office of Singapore (IPOS) as an IP Adjudicator to hear disputes at IPOS for a two-year term from April 2021. He has been an appointed member of the Singapore Copyright Tribunal since May 2010 and a mediator with the WIPO Arbitration and Mediation Center. He is also appointed as a Notary Public & Commissioner for Oaths in Singapore. He previously served on the International Trademark Association’s Board of Directors and was a member of the executive committee.

Related Posts

Write A Comment