Keith Ho, General Manager

As data protection rules tighten under Singapore’s Personal Data Protection Act (PDPA), questions about responsibility between employers and employees are growing sharper.

When a staff member mishandles personal data, can the employer blame them, or even deduct their salary?

The answer lies at the intersection of vicarious liability, employment law, and a curious legal phrase from English case law—“a frolic of his own.”

When the Employer Is Accountable

Under the PDPA, organisations are accountable for how personal data is collected, used and disclosed—even if a breach occurs because of an employee’s actions.

Section 4(1)(b) of the PDPA specifically states that employees, acting within the scope of their duties, do not bear direct legal obligations under the Act—that responsibility lies squarely with the organisation.

This framework reflects the doctrine of vicarious liability, a common law principle where an employer is held responsible for wrongful acts committed by employees in the course of employment.

In Siemens Industry Software Inc. v Inzign Pte Ltd (2023), the High Court held that an employer was vicariously liable for its employee downloading unauthorised software.

As explained in legal commentary, the threshold is whether the act is sufficiently connected to the employee’s job functions, even if it was unauthorised or careless.

The Limits of Liability: “A Frolic of His Own”

However, vicarious liability is not without limits. Courts recognise a boundary where an employee’s actions are so far removed from their duties that they are considered entirely personal.

This is what the law calls “a frolic of his own”—conduct that severs the connection between the wrongful act and the employer’s business.

For example, a hospital administrative staff member uses the medical records system to view a celebrity patient’s personal details, purely to satisfy personal curiosity. This is not only a PDPA breach but also a frolic, as it has no work purpose.

That said, past PDPC decisions suggest that liability may still attach unless employers have implemented reasonable safeguards to prevent misconduct. As a respected interpretation notes, employers are deemed vicariously liable for employee breaches unless there is evidence they took steps to prevent the infringing acts.

This aligns with the PDPA’s Protection and Accountability obligations, which require organisations to implement security measures and formal data protection frameworks—including policies, training, and supervisory controls.

Can Employers Deduct Wages for PDPA Breaches?

Even when an employee’s negligence or wilful misconduct leads to a breach, the Employment Act restricts how wages may be deducted. Employers may only make deductions allowed by law or pursuant to a court order—not as an internal penalty for a PDPA infringement.

This means that an employer cannot lawfully dock an employee’s pay to offset regulatory fines or reputational damage arising from a data breach. While financial penalties are off the table, employers may still take disciplinary action such as warnings, retraining, or termination—provided fair processes are followed.

Building a Culture That Prevents Breaches

The most effective defence for employers lies in prevention. That involves clear, written data protection policies, regular PDPA training sessions, strict access controls on a “need-to-know” basis, and documented enforcement of disciplinary measures. Such safeguards are not only best practice—they can be vital evidence in demonstrating that an organisation took all reasonable steps to prevent a breach.

Employees, too, play a critical role. While they may be shielded from direct PDPA liability in most cases, breaches can still damage their professional standing. In cases of wilful misconduct—especially where a “frolic” is involved—they may face dismissal or even personal legal action.

Looking Ahead: Shared Responsibility in a Data-Driven Economy

As Singapore strengthens its data protection regime, the interplay between vicarious liability and the “frolic of his own” defence will remain a focal point for both legal practitioners and compliance officers.

The law places primary accountability on employers but expects employees to act within their training and responsibilities.

Ultimately, the safest path forward lies in a culture of shared responsibility—where employers build robust systems and policies, and employees uphold them with professionalism.

In the digital economy, protecting personal data is not only a statutory duty but also a cornerstone of trust between businesses and the public.

Disclaimer

The information contained herein is provided for general informational purposes only. While every reasonable effort has been made to ensure the accuracy of the information, inadvertent errors or omissions may occur. No representations or warranties, express or implied, are made regarding the accuracy, completeness, or suitability of the information provided. The authors expressly disclaim any and all liability arising from, or in connection with, any errors or omissions. Recipients are advised to seek independent legal counsel for advice pertaining to their individual circumstances.
