Singapore’s Personal Data Protection Commission (“PDPC”) has issued its first decision on the Legitimate Interests Exception under the PDPA.
While the PDPA remains largely a consent-based regime, the Legitimate Interests Exception is one of the exceptions from consent available under the PDPA.
This RedMart decision illustrates how organisations may rely on the Legitimate Interests Exception to collect personal data, as well as the steps which must be taken by the organisation in order to rely on the Legitimate Interests Exception.
The decision concerned a complaint against RedMart Limited (“RedMart”) for collecting the photographs of identification documents (“ID Photographs”) of its suppliers delivering goods and produce to its warehouses without obtaining the consent of its suppliers. RedMart is an online grocery company, selling a range of dry household products.
In the PDPC’s preliminary decision, RedMart was given directions to assess its collection of the ID Photographs.
However, the PDPC was subsequently satisfied that RedMart had not breached the PDPA, as RedMart’s collection of ID Photographs had met the requirements under the Legitimate Interests Exception:
- RedMart had a legitimate interest in deterring food security incidents at the warehouses, in which there were areas storing dry food and fresh produce that were vulnerable to contamination and tampering;
- RedMart may have a legitimate interest in implementing enhanced identification requirements (collection of ID Photographs) in order to establish/verify the identifies of visitors to a high degree of fidelity and to regulate access to areas with higher risk of food security incidents – RedMart has an interest in deterring and investigating potential food security incidents which could cause harm to the public and damage to RedMart’s reputation; and
- RedMart had implemented a range of measures and enhanced access controls (e.g. restricting access to the tablets used for data collection, limiting access to the ID Photographs to designated personnel, retaining the ID Photographs on their database for a limited period only) to significantly lower the risks of unauthorised access, use and/or disclosure of information of a sensitive nature such as the ID Photographs.
Organisations intending to rely on the Legitimate Interests Exception must:
- establish a standardised process for conducting and assessing the basis upon which they will be relying on this exception; and
- ensure that appropriate measures are implemented to mitigate against any risks and adverse effects on individuals.
To recap, in order to rely on the Legitimate Interests Exception, organisations must:
- evaluate whether the collection of such data is reasonably necessary for the organisation’s legitimate interest;
- identify whether the collection of such data is likely to have an adverse effect on the individual(s), and if so, identify reasonable measures that could be implemented to eliminate, mitigate, or reduce the likelihood of occurrence of any such adverse effect(s);
- determine whether the organisation’s legitimate interest served by the collection of such data outweighs the adverse effect(s) to the individual(s) after implementing reasonable mitigation measures; and
- provide the individual(s) with reasonable access to information about the organisation’s collection, use or disclosure of such personal data (e.g. by way of disclosure in its public data protection policy).
The PDPC’s decision may be accessed here.
DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.