In the first decision issued by Singapore’s Personal Data Protection Commission (PDPC) on the Legitimate Interests Exception, the PDPC determined that deterring food security incidents is a valid legitimate interest and reiterated the steps that organisations must take to rely on that exception.

What is the Legitimate Interests Exception?

Under the Legitimate Interests Exception, an organisation does not require an individual’s consent to collect, use or disclose personal data which is in the legitimate interests of the organisation or another person, provided that an assessment is first conducted to ensure that there are legitimate interests to support the collection, use or disclosure of personal data and which outweigh any adverse effect on individuals (Assessment).  The Legitimate Interests Exception was added as a new ground for collecting, using or disclosing personal data without consent when the Personal Data Protection Act 2012 (PDPA) was amended in November 2020 (see also our previous article on the amendments to the PDPA).

Brief Facts of the Case

The PDPC received a complaint in May 2021 regarding RedMart Limited (RML), an online grocery retailer, taking photographs of physical identity cards (NRICs)and other identification documents (ID Images) of suppliers delivering goods and produce (Suppliers) to RML’s warehouses without obtaining the consent of, or providing notice to, the Suppliers.

Because there were no allegations that the ID Images, which were captured using RML-issued tablets, were accessed by unauthorised persons or otherwise misused, the main issue was whether the ID Images were collected in accordance with the PDPA.

In its preliminary decision in July 2022, the PDPC directed RML to justify the reasonableness of, and the legal basis for, its collection of ID Images.

RML stated that the collection of ID Images was in the national interest to ensure food safety at its warehouses and also a necessary security measure to facilitate investigations of food safety incidents.  Accordingly, RML argued that it could rely on the PDPA consent requirement exception allowing organisations to collect personal data which are in the national interest (National Interest Exception) or which are necessary for investigations or proceedings (Investigations Exception).  RML also argued that Suppliers voluntarily agreed to the collection of their ID Images and that such collection was reasonable for purposes of ensuring food safety.

In addition, RML notified the PDPC that it would rely on the Legitimate Interests Exception, and submitted its Assessment to the PDPC.

PDPC’s Findings

The PDPC did not accept RML’s National Interest Exception argument because the purpose of ensuring food safety at RML’s warehouses was a not a national security or national defence concern which is contemplated under the National Interest Exception.

The PDPC also did not accept RML’s Investigations Exception argument because that exception only applies to the collection of personal data for ongoing investigations, not possible future investigations.

Finally, the PDPC ruled that Suppliers could not be deemed to have given their consent to the collection of their ID images because such collection was a condition of entry into RML’s warehouses. It was also not apparent to Suppliers that photos of their IDs would be taken and stored.

However, the PDPC accepted RML’s reliance on the Legitimate Interests Exception because:

• ensuring public food safety is a legitimate interest that benefits not only RML and its reputation, but also benefits consumers/the public;
• RML has a legitimate interest in deterring and investigating potential food security incidents by implementing enhanced security measures through the collection of ID Images and correctly identifying Suppliers who access areas in warehouses where food susceptible to contamination and tampering is stored;
• in its Assessment, RML had determined that any adverse effects to Suppliers arising from the collection of ID Images was low and RML had identified measures to eliminate or mitigate those adverse effects and risks of unauthorised access to, or use or disclosure of, the ID Images; and
• RML agreed to post notices to inform Suppliers that it is relying on the Legitimate Interests Exception when collecting ID Images.

Key Takeaway

The amendments to the PDPA have expanded the grounds on which organisations can rely to collect, use and disclose personal data without individuals’ consent, including the Legitimate Interests Exception, thereby providing organisations more flexibility in processing personal data for justifiable purposes.  However, this case is a good reminder for organisations to ensure that before relying on the Legitimate Interests Exception, they should conduct the required assessment, notify individuals about the collection, use and disclosure of their personal data and implement measures to eliminate or mitigate any adverse effects to individuals.  

For More Information

OrionW regularly advises clients on data protection matters.  For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.

‍