COVID-19: Privacy considerations for conducting “virtual” corporate meetings

As nations rush to inoculate the population, the effect of COVID-19 pandemic will remain with us, at least for the near future.  Companies will still need to conduct Work from Home (WFH) and that would involve having virtual corporate meetings.

One of the disruptions will be regarding conducting corporate meetings, in particular, annual general meetings (AGMs), which is part of every company’s corporate governance requirements. In Singapore, under the Companies Act, all companies are required to hold an AGM every year and make an annual return (AR) to the local regulator. In Singapore, the relevant regulator is the Accounting and Corporate Regulatory Authority (ACRA) for private companies and SGX RegCo for listed companies.

In Singapore, there are these 2 pieces of written laws that deal with this issue:

1. Covid-19 (Temporary Measures) Act 2020: Temporary measures for alternative arrangements for the conduct of meetings, these include convening, holding or conducting the meeting by “electronic communication, video-conferencing, tele-conferencing or other electronic means”.

2.    Companies (Amendment No. 2) Regulations 2020: These regulations were passed by ACRA to grant the following extensions of time:

a. “A 60-days extension of time to all listed and non-listed companies whose annual general meetings (“AGMs”) are due during the period 16 April 2020 to 31 July 2020 (both dates inclusive). Companies that had previously been granted extension of time to hold their AGMs within this period have also been given a further 60 days of extension from the last date of extension.

b. A 60-days extension of time to all listed and non-listed companies whose annual returns (“AR”) are due to be filed during the period 1 May 2020 to 31 August 2020 (both dates inclusive). Companies that had previously been granted extension of time to file their ARs within this period have also been given a further 60 days of extension from the last date of extension”.

The foregoing is the new regulatory landscape for corporate governance requirements.

However, the conducting of meetings virtually do have data protection/privacy issues as well and this article will discuss the data protection/privacy issues that companies will need to consider when conducting these shareholder meetings virtually (hereinafter “Virtual Shareholder Meetings”).

These issues will be discussed on the 4-stage information lifecycle, each of which will be discussed in turn:

Stage 1: Collection

Before conducting Virtual Shareholder Meetings, companies will need to bear in mind the kind or types of personal data that they will be collecting from their shareholders. While these types of personal data will include the shareholder personal details such as name, address, contact number/email address and their shareholdings, shareholders may also provide personal data of their proxies.

As it is likely that the companies will be recording the Virtual Shareholder Meeting for record purposes as well as for the preparation of the meeting minutes, they need to be mindful that they will be collecting the video footage or voice of their shareholders during the Virtual Shareholder Meeting.

These purposes must be made known in its notification to their shareholders accordingly. This notification of purposes could be set out in the notice of meeting and reiterated before the commencement of the meeting. Where shareholders may request not to be recorded but still participate in the Virtual Shareholder Meeting, companies will need to put in place workaround procedures that they can accede to their shareholders’ requests.

Companies will also need to ensure that there is express consent being provided by the shareholders to be recorded during the meeting, especially if they ask questions to the board of directors/senior management during the meeting. ACRA/SGX RegCo has provided some guidance on how companies can enable its shareholders/issuers to ask questions.

Stage 2: Usage/Processing

Companies will need to ensure that the usage/processing of the personal data collected during the Virtual Shareholder Meeting is consistent with the purposes of collection. These purposes will include the preparation of minutes and making AR under their local regulation such as the Companies Act in Singapore to their regulator like the ACRA in Singapore.

From an operational perspective, the companies will need to put in place procedures either for their internal corporate secretarial departments or their outsourced service providers to ensure that the recordings of Virtual Shareholder Meetings, both voice or in text format are only used by those who are authorised or on a “need to know” basis.

Stage 3: Disclosure/Transfer

Like any other meeting of such a nature, sensitive shareholder/corporate matters may be discussed during the Virtual Shareholder Meeting, especially if there are heated discussions between the shareholders and the directors/management. These can all be captured during the recordings. It is therefore imperative that companies have procedures/contractual provisions in place with the person/service provider making the recordings not to disclose or make copies of the meeting recordings to any persons who do not need to know. The ambit of disclosure will also include disclosing on social media as well.

Companies, when conducting the Virtual Shareholder Meetings, will probably also use a software platform like Zoom, Microsoft Teams or Google Meets to conduct the meetings. If this is done, companies need to conduct due diligence on these software platform providers and ensure that their terms of service do contain clauses on whether the software platform allow their staff to “listen in” when the platform is being used and whether the platform do automatically make recordings remotely as a form of “back-up”.

Here are some useful technical/operational tips from a recent April 2020 article by law firm Bird and Bird ATMD LLP entitled “COVID-19 & Corporate Governance: Telecommuting, Meetings and Security during the New Normal” when using/managing the Virtual Shareholder Meeting through the use of a software platform:

The software platform to be used should have latest software patches being installed prior to the Virtual Shareholder Meeting.

Companies must be familiar with the software platform functionalities prior to the conducting of the Virtual Shareholder Meeting. It should conduct pre-meeting trials/tests with its board of directors/senior management prior to conducting the meeting.

Ensure that there is secured and restricted access to the Virtual Shareholder Meetings using passwords, user registration, unique IDs for each meeting, and limiting the distribution of meeting particulars.

Companies must monitor the list of shareholder participants during the Virtual Shareholder Meeting and conduct verification exercises of the identities of each shareholder participant prior to admitting them into the meeting. Companies could set some rules of engagement prior to the start of the meeting that each shareholder keeps his/her video camera on throughout the Virtual Shareholder Meeting and to display his/her name that is in the company’s records.

Companies should only enable file-sharing or recording functions if needed.

When presenting during the Virtual Shareholder Meeting using the shared screen function, Companies must ensure that its presenters exercise caution when using screen-sharing functions to avoid unintended disclosures of information.

Should the Virtual Shareholder Meeting involve the conducting of voting, ensure that functionality is reliable, and user identities and votes can be verified.

Where documents to be laid before the meeting are transmitted electronically via e-mail, ensure an updated e-mail address is provided and that the documents are password protected.

All data protection laws do, in one way or another, allow data subjects to have access to their personal data. Therefore, companies must have in place procedures to handle their investors’/shareholders’ access to their personal data, especially if the shareholders did raise a query to the board of directors/shareholders during the meeting and their voice was recorded.

Stage 4: Storage/Disposal

While it is generally expected that all companies must keep corporate records of its shareholder meetings, there is a shelf-life to such corporate records and this shelf-life must be documented within a retention schedule set out in a document retention policy for instance. Companies must ensure that there is a disposal/deletion process at the end of the documented shelf-life.

For the recordings of a Virtual Shareholder Meeting, companies will need to ensure that there are access controls in place to these recordings. If such recordings are stored by a third party service provider (e.g. the meeting software platform), companies must ensure that there are contracts in place with this third-party provider and that these contracts are operationalised with procedures by the departmental owner of the contract.

It is hoped that all that has been stated above provide some thoughts for companies, internal legal/corporate secretarial departments and/or third party corporate service providers as they ensure that their corporate governance requirements are being met and in line with data protection requirements.

It is recommended that companies who want to conduct a Virtual Shareholder Meeting do a data protection impact assessment (DPIA) prior to rolling this new process out.

The DPIA, under Singapore’s PDPA at least, can be in the form of assessing the various risks in the 4 stages of the information life-cycle, some of which have been documented above. By doing this DPIA, companies can tackle and put in the controls to the various data protection risks that arise in each of the stages. This is where the company’s trained DPO can help assist companies to ensure that they do not infringe any of the data protection obligations/principles.

Whilst this article covers virtual shareholder meetings, these same issues can also come up in all meetings that are being conducted virtually as well, especially those meetings with clients/customers.

Written by: Josiah Poh, LLB(Hons), ACIS, CIPM, CIPP/A, CIPT, FIP
Senior Manager (Consultancy & Legal)
Data Protection Officer
Straits Interactive Pte Ltd

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.