This decision clarifies the legitimate interests exception, which was introduced on 1 February 2021.
On 31 May 2021, the Personal Data Protection Commission (“Commission”) received a complaint that RedMart Limited (“Organization”) was collecting images of the physical National Registration Identity Cards (“NRICs”) and other identification documents of suppliers making deliveries to its warehouses (“Incident”).
While the Commission initially found that the Organization failed to obtain consent and inform its suppliers of the purpose for collecting images of the physical NRICs and other identification documents (“ID Photographs”), the Commission subsequently assessed that the Organization met the requirements to rely on the legitimate interests exception (LIE) and complied with the proposed directions.
There are two main takeaways from this decision:
- First, a timely reiteration that the collection of ID Photographs should not be a condition for entry
- Second, that organizations that seek to rely on the LIE need to examine the benefits and adverse effects of collecting the personal data and the measures implemented to mitigate or eliminate the adverse effects identified, if any
In further detail
Investigations revealed that the Organization operated two warehouses, which were used to store goods and produce sold by the Organization. The warehouses were regularly visited by suppliers delivering goods and produce (“Visitors”), and the Organization implemented measures to regulate such Visitors’ access to the warehouses, such as taking photographs of the Visitors’ NRICs or other identification documents.
The Commission found that the Organization could have relied on two possible grounds as the legal basis for collecting the ID Photographs: (i) consent and (ii) the LIE.
The Commission reiterated that the collection of ID Photographs should not be a condition for entry. Where Visitors enter the warehouses to make deliveries as part of their employment or business, it is not a product or service that they chose to access, and such consent is not valid consent. The Commission also found that the Organization failed to inform the Visitors of the purpose for collecting the ID Photographs.
The Commission noted that to rely on the LIE, the Organization would have had to conduct and document an assessment, taking into consideration the Organization’s interests in collecting the ID Photographs and the adverse effects on the Visitors. The Organization would also have had to implement reasonable measures to eliminate, mitigate or reduce the likelihood of such adverse effects occurring, and provide the Visitors with reasonable access to information about the Organization’s collection of the ID Photographs.
The Commission also noted that the collection of ID Photographs or full NRIC numbers had not been required by law in such a situation, and that it was incumbent on the Organization to justify why the collection of ID Photographs had been a reasonable practice. Considering that the Organization had taken some steps to remediate the Incident, the Commission directed the Organization to (i) evaluate whether collecting ID Photographs from Visitors is reasonably necessary and (ii) if so, whether it intends to rely on the LIE for such collection.
Reliance on the LIE
The Organization informed the Commission of its intention to rely on the LIE as the basis for such collection going forward. The Organization provided the Commission with a copy of an internal assessment it carried out on 22 July 2022 for its reliance on the LIE.
The Organization identified that its collection of the ID Photographs exposed Visitors to the risks of unauthorized use and disclosure of their personal data and detailed the measures it had implemented to eliminate or mitigate these adverse effects.
The Organization assessed the benefits of collecting the ID Photographs to be “significant” considering the potential harm that could be caused to the public by a food contamination incident. The Organization also assessed that its implementation of the above measures rendered the “adverse impact from users” to be “low.”
The Commission’s decision
The Commission accepted the Organization’s interest in deterring food security incidents as legitimate, and that there may be a legitimate interest served in implementing enhanced identification requirements to regulate access to high-risk areas.
The Commission was satisfied that the Organization had met the requirements for reliance on the LIE. Noting that the Organization has already complied with the directions and carried out an LIE assessment, no further directions were issued.
© 2023 Baker & McKenzie.Wong & Leow. All rights reserved.