
How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

Published August 16, 2021 / Updated November 30, 2024
Author

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia


Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, and it came into force in phases; the data protection provisions took effect on 2 July 2014. The PDPA applies to any organization that collects, uses, and/or discloses personal data (held in electronic or non-electronic form) of individuals in Singapore, whether or not the organization is located in Singapore. Recruitment companies, employment agencies, head-hunters, and similar organizations are also subject to the Data Protection Provisions of the PDPA.

This article provides a guide to the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PDPA. Following are the key obligations under the PDPA that an HRM Team must consider while handling personal data of job applicants and current and former employees.

Collecting Personal Data of Job Applicants and Employees:

As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:

  1. Such processing is reasonable for managing or terminating the employment relationship. This includes using an employee's bank details for payroll processing, administering staff benefits, and monitoring their use of company-issued devices; or
  2. The processing is for evaluative purposes, which include determining the suitability of an individual for employment, a promotion, or termination of employment.

When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.

If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.

If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.

Social Networking Sources and Data Collection:

The PDPA does not require organizations or recruitment agencies to obtain an individual's consent when collecting or using personal data that is publicly available. Where the personal data is not publicly available but the individual has voluntarily made it available on a job-search portal in order to be contacted about prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for that purpose. It follows that where information on social networking sources (e.g., Facebook, Twitter, or LinkedIn) is publicly available, the PDPA does not prohibit organizations from collecting that personal data about the individual without his consent.

The Securiti Consent Management Solution offers organizations a complete consent orchestration platform with customizable endpoints, configurable workflows, and comprehensive record keeping. This solution can help organizations easily honor consumer consent and maintain compliance with privacy regulations.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Notification and Purpose Limitation Obligations:

As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.

However, this obligation won't apply if:

  1. The individual is deemed to have consented to the collection, use, or disclosure, as the case may be under the PDPA; or
  2. The employer collects, uses, or discloses the personal data without the consent of the individual in accordance with section 17 of the PDPA (that is, in circumstances such as managing or terminating the employment relationship, or processing for evaluative purposes).

Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.

Securiti has a privacy notice creation and management solution with pre-built expert-made templates which can be synced with your data maps to ensure your privacy policies are always up-to-date. The solution utilizes automation and data intelligence to continuously scan data stores, automatically update any changes to the collection, processing, sharing, selling, or retention of personal data, and updates the privacy notice automatically, in real-time, ensuring consistent compliance.

Retention Limitation Obligation:

Section 25 permits organizations to retain personal data only for as long as it is necessary for a valid business or legal purpose. After an organization has decided which job applicant to hire, the personal data it collected from the other job applicants should be kept only for as long as is necessary for business or legal purposes.

Securiti enables employers to maintain track of employees' data and consent with its data mapping automation tool. This tool will allow employers to know where the employee's data is in the data stores, what purpose it is being used for, and what consent they have from the employees.

Data Protection Obligations and Data Protection Impact Assessment:

As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The HRM team of an organization should consider adopting security arrangements that fit the nature of the personal data held by their organization and the possible harm that might result from a security breach.

As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.

Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) to trigger and conduct risk-based assessments. It can further enable organizations to mitigate data exposures, remediate misconfigurations and discover risks within your organization.

Data Breach Management:

As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, an alert from a member of the public, or notification by its data intermediary), the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

Where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as practicable. On or after notifying the PDPC, the employer must also notify each employee affected by the notifiable data breach in any manner that is reasonable in the circumstances.

Securiti's Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.

Data Sharing with Vendors and Cross-Border Transfers:

When sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance services, the employer must assess their privacy practices and the third party's or vendor's compliance with the PDPA's requirements.

Under Section 26 of the PDPA, an employer who transfers employees' personal data out of Singapore is required to take appropriate steps to:

  • Ensure that it complies with the obligations under the PDPA;
  • Ensure that the recipient is bound by legally enforceable obligations to provide the transferred personal data a standard of protection comparable to that under the PDPA. Employers may consider using binding contracts for inter-corporate transfers and binding corporate rules for intra-corporate transfers;
  • Ensure that the employee whose personal data is to be transferred consents to the transfer.

Securiti's Vendor Management Solution allows organizations to assess their vendor's risk based on a predefined risk score. Securiti also offers cross-border data transfer risk assessments to help organizations identify and review data transfers outside Singapore.

Rights of employees:

Under sections 16, 21, and 22, current and former employees have rights over their personal data, and the employer is required to fulfill requests exercising these rights within the stipulated time frame. These rights include:

  1. Employees may withdraw their consent to the collection, use, or disclosure of their personal data by the employer at any time.
  2. Employees have the right to request access to their personal data. An employee may request to access any CCTV footage that they appear in.
  3. Employees have the right to request the correction of their personal data.

Securiti's DSR Automation Solution helps organizations simplify the process of fulfilling Data Subject Requests submitted by the employee. This automated system helps enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.

Employees' Monitoring:

Employers can collect, use, and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should notify employees if CCTVs are in place at workstations and if their use of computer network resources is being monitored. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring, and for allowing BYOD equipment to access or store organization-collected personal data, while respecting the personal data of their employees.

Securiti helps keep privacy notices up-to-date with the help of robotic automation. The solution can help your organization build privacy notices in minutes, centralize management, and reduce the risk of errors.

Operationalizing PDPA Compliance

The HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.

This can be done in the following ways:

  • Disclose how your organization collects, processes, retains, and shares data through transparent policies.
  • Don't request submission of the applicant's NRIC in the recruitment process until he/she accepts the position.
  • Develop formal policies and procedures within your organization for the collection and handling of data.
  • Update your organization's privacy policies as needed and share them with employees and consumers.
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce.
  • Review and update processes.
  • Maintain proper documentation.

Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.

Securiti's Sensitive Data Intelligence Solution can help your organization to discover, analyze, and protect large datasets. It offers you a 360 solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.

Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.


Frequently Asked Questions (FAQs)

PDPA (Personal Data Protection Act) is Singapore’s law that protects personal data, including employee information. It ensures companies handle data responsibly, keep it secure, and inform employees about how their information is used.

Yes, the Singapore Personal Data Protection Act (PDPA) applies to employees. Employers must comply with PDPA regulations when collecting, using, or disclosing personal data, including that of their employees.

The employee data protection policy in Singapore outlines how employers handle the personal data of their employees. It includes provisions related to data collection, consent, data security, and employee rights regarding their personal information.
