Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

Published August 16, 2021

Listen to the content

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. The PDPA applies to any organization that deals with the collection, use, and/or disclosure of personal data (stored in electronic and non-electronic forms) from individuals in Singapore, whether the organization is located in Singapore or not. ​​Recruitment companies, employment agencies, head-hunters, and other similar organizations are also subject to the Data Protection Provisions of the PDPA.

This article provides a guide to the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PDPA. Following are the key obligations under the PDPA that an HRM Team must consider while handling personal data of job applicants and current and former employees.

Collecting Personal Data of Job Applicants and Employees:

As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:

  1. Such processing is reasonable for managing or terminating the employment relationship. This includes using an employee's bank details for payroll processing, administering staff benefits, and monitoring their use of company-issued devices; or
  2. The processing is for evaluative purposes, which include determining the suitability of an individual for employment, a promotion, or termination of employment.

When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.

If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.

If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.

Social Networking Sources and Data Collection:

The PDPA does not require organizations or recruitment agencies to obtain the consent of the individual when collecting or using personal data that is publicly available. Where the personal data is not publicly available but is voluntarily made available by the individual on a job-search portal for being contacted for prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for such purpose. So it would be right to state that where social networking sources (e.g., Facebook, Twitter, or Linkedin) are publicly available, the PDPA does not prohibit organizations from collecting personal data about the individual without his consent.

The Securiti Consent Management Solution offers organizations a complete consent orchestration platform with customizable endpoints, configurable workflows, and comprehensive record keeping. This solution can help organizations easily honor consumer consent and maintain compliance with privacy regulations.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Notification and Purpose Limitation Obligations:

As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.

However, this obligation won't apply if:

  1. The individual is deemed to have consented to the collection, use, or disclosure, as the case may be under the PDPA; or
  2. The employer collects, uses, or discloses the personal data without the consent of the individual in accordance with section 17 of the PDPA (that is, in the circumstances like managing and terminating the employment relationship, or processing for the evaluative purposes.

Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.

Securiti has a privacy notice creation and management solution with pre-built expert-made templates which can be synced with your data maps to ensure your privacy policies are always up-to-date. The solution utilizes automation and data intelligence to continuously scan data stores, automatically update any changes to the collection, processing, sharing, selling, or retention of personal data, and updates the privacy notice automatically, in real-time, ensuring consistent compliance.

Retention Limitation Obligation:

Section 25 allows organizations to only retain information that is necessary to store or if there is a valid business or legal purpose of storing the personal data. After an organization has decided which job applicant to hire, the personal data that the organization had collected from the other job applicants should only be kept for as long as it is necessary for business or legal purposes.

Securiti enables employers to maintain track of employees' data and consent with its data mapping automation tool. This tool will allow employers to know where the employee's data is in the data stores, what purpose it is being used for, and what consent they have from the employees.

Data Protection Obligations and Data Protection Impact Assessment:

As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The HRM team of an organization should consider adopting security arrangements that fit the nature of the personal data held by their organization and the possible harm that might result from a security breach.

As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.

Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) to trigger and conduct risk-based assessments. It can further enable organizations to mitigate data exposures, remediate misconfigurations and discover risks within your organization.

Data Breach Management:

As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public, or notification by your data intermediary), then the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

And where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as it is practicable. On or after notifying the PDPC, the employer must also notify each affected employee affected by a notifiable data breach in any manner that is reasonable in the circumstances.

Securiti's Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.

Data Sharing with Vendors and Cross-Border Transfers:

While sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance services, the employer must assess their privacy practices and their third-party/vendor's compliance with the PDPA' 's requirements.

Under Section 26 of the PDPA, an employer who transfers personal data of employees out of Singapore is required to take the following appropriate steps to:

  • Ensure that it complies with the obligations under the PDPA;
  • Ensure that the recipient is bound by legally enforceable obligations to provide the personal data a standard of protection that is comparable to the PDPA. Employers may consider using binding contracts for inter-corporate transfers and binding corporate rules for intra-corporate transfers.
  • Ensure that the employee whose personal data is to be transferred gives consent to such transfer

Securiti's Vendor Management Solution allows organizations to assess their vendor's risk based on a predefined risk score. Securiti also offers cross-border data transfer risk assessments to help organizations identify and review data transfers outside Singapore.

Rights of employees:

Under sections 16, 21, and 22, current and former employees are given rights over their personal data which can be exercised, and the employer is required to fulfill these requests in a stipulated time frame. These rights include:

  1. Employees may withdraw their consent to the collection, use, or disclosure of their personal data by the employer at any time.
  2. Employees have the right to request access to their personal data. An employee may request to access any CCTV footage that they appear in.
  3. Employees have the right to request the correction of their personal data.

Securiti's DSR Automation Solution helps organizations simplify the process of fulfilling Data Subject Requests submitted by the employee. This automated system helps enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Employees' Monitoring:

Employers can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should provide notices to employees if the CCTVs are in place at workstations and if they are monitoring their use of computer network resources. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring and to enable BYOD equipment for accessing or storing organization-collected personal data while respecting the personal data of their employees.

Securiti's helps keep privacy notices up-to-date with the help of robotic automation. The solution can help your organization build privacy notices in minutes, centralize management and reduce risks of errors.

Operationalizing PDPA Compliance

HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.

This can be done in the following ways:

  • Disclose how your organization collects, processes, retains, shares, and processes data through transparent policies.
  • Don't request submission of the applicant's NRIC in the recruitment process until he/she accepts the position.
  • Develop formal policies and procedures within your organization for the collection and handling of data.
  • Update your organization's privacy policies as needed and share them with employees and consumers.
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce.
  • Review and update processes.
  • Maintain proper documentation.

Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.

Securiti's Sensitive Data Intelligence Solution can help your organization to discover, analyze, and protect large datasets. It offers you a 360 solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.

Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.


Frequently Asked Questions (FAQs)

Yes, the Singapore Personal Data Protection Act (PDPA) applies to employees. Employers must comply with PDPA regulations when collecting, using, or disclosing personal data, including that of their employees.

The employee data protection policy in Singapore outlines how employers handle the personal data of their employees. It includes provisions related to data collection, consent, data security, and employee rights regarding their personal information.

Securiti for Workday

Security | PrivacyOps | Governance | Compliance

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

What's
New