Applicability of Data Protection Law in Singapore: Employment and Agency Relationship Exemption

The Employment and Agency Relationship Exemption in Singapore's Personal Data Protection Act 2012 (PDPA2012) provides limited exemptions for employees acting in the course of their employment and data intermediaries processing data on behalf of another organization.

Text of Relevant Provisions

PDPA2012 Art. 4(1b):

"Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —(b) any employee acting in the course of his or her employment with an organisation;"

PDPA2012 Art. 4(2):

"Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing."

Analysis of Provisions

Exemption for Employees:

The employee exemption in Article 4(1)(b) is strictly limited to actions performed "in the course of employment," which are acts that further the employer's business interests. Actions motivated by personal reasons, such as a personal dispute or private gain, fall outside this scope. In such cases, the employee is not covered by the exemption and can be held personally liable as an "Organisation" under the PDPA.

The distinction is critical: the exemption applies only to acts performed in the course of employment (i.e., acts connected to and furthering the employer's business purposes), not merely acts performed during employment (i.e., acts that happen while the person is employed). An employee who processes personal data for personal purposes, even if using employer resources or during work hours, cannot rely on this exemption.

Source: Personal Data Protection Act 2012, Art. 4(1)(b); Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60

Data Intermediary Exemption:

The exemption for a Data Intermediary under Article 4(2) is partial, not absolute. A Data Intermediary remains directly liable for specific obligations, namely:

• Section 24: Protection Obligation (duty to protect personal data in its possession or control by making reasonable security arrangements)
• Section 25: Retention Limitation Obligation (duty to cease retaining documents containing personal data when retention is no longer necessary)
• Sections 26C(3)(a) and 26E: Certain Data Breach Notification Obligations

If a Data Intermediary processes personal data beyond the scope of its written contract with the principal organisation, it is treated as a full "Organisation" for that processing and becomes subject to all PDPA obligations, not just the limited obligations listed above.

Source: Personal Data Protection Act 2012, Art. 4(2); PDPC, Advisory Guidelines on Key Concepts in the Personal Data Protection Act

Implications

For Businesses:

• Organizational Accountability: Organizations must implement and enforce robust data protection policies since employees acting within the scope of their employment are exempt from personal liability. However, organizations must monitor for employee actions outside the scope of employment, as those actions may create direct liability for the employee.
• Employee Liability Risk: Employees should understand that the exemption does not provide blanket immunity. Personal use of employer data, unauthorized disclosures motivated by personal disputes, or data processing for personal gain may result in personal liability under the PDPA.
• Data Intermediary Contracts: Businesses must establish clear, written contracts with data intermediaries that precisely define the scope of processing. The contract should delineate responsibilities and make clear that intermediaries remain liable for protection, retention, and breach notification obligations even while acting as intermediaries.