
How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

Published August 16, 2021 / Updated November 30, 2024
Author

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia


Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, and it came into force in phases; the data protection provisions took effect on 2 July 2014. The PDPA applies to any organization that collects, uses, and/or discloses personal data (stored in electronic or non-electronic form) from individuals in Singapore, whether or not the organization is located in Singapore. Recruitment companies, employment agencies, head-hunters, and similar organizations are also subject to the Data Protection Provisions of the PDPA.

This article provides a guide to the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PDPA. Following are the key obligations under the PDPA that an HRM Team must consider while handling personal data of job applicants and current and former employees.

Collecting Personal Data of Job Applicants and Employees:

As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:

  1. Such processing is reasonable for managing or terminating the employment relationship. This includes using an employee's bank details for payroll processing, administering staff benefits, and monitoring their use of company-issued devices; or
  2. The processing is for evaluative purposes, which include determining the suitability of an individual for employment, a promotion, or termination of employment.

When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.

If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.

If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.

Social Networking Sources and Data Collection:

The PDPA does not require organizations or recruitment agencies to obtain the consent of the individual when collecting or using personal data that is publicly available. Where the personal data is not publicly available but is voluntarily made available by the individual on a job-search portal so that they can be contacted about prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for that purpose. It is therefore fair to say that where social networking profiles (e.g., Facebook, Twitter, or LinkedIn) are publicly available, the PDPA does not prohibit organizations from collecting personal data about the individual from them without his consent.

The Securiti Consent Management Solution offers organizations a complete consent orchestration platform with customizable endpoints, configurable workflows, and comprehensive record keeping. This solution can help organizations easily honor consumer consent and maintain compliance with privacy regulations.

Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.

Notification and Purpose Limitation Obligations:

As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.

However, this obligation won't apply if:

  1. The individual is deemed to have consented to the collection, use, or disclosure, as the case may be under the PDPA; or
  2. The employer collects, uses, or discloses the personal data without the consent of the individual in accordance with Section 17 of the PDPA (that is, in circumstances such as managing and terminating the employment relationship, or processing for evaluative purposes).

Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.

Securiti has a privacy notice creation and management solution with pre-built, expert-made templates that can be synced with your data maps to ensure your privacy policies are always up to date. The solution uses automation and data intelligence to continuously scan data stores, capture any changes to the collection, processing, sharing, selling, or retention of personal data, and update the privacy notice automatically, in real time, ensuring consistent compliance.

Retention Limitation Obligation:

Section 25 permits organizations to retain personal data only for as long as it is necessary for a valid business or legal purpose. After an organization has decided which job applicant to hire, the personal data it collected from the other job applicants should be kept only for as long as it is necessary for business or legal purposes.

Securiti enables employers to keep track of employees' data and consent with its data mapping automation tool. This tool allows employers to know where employee data resides in their data stores, what purpose it is being used for, and what consent they have obtained from employees.

Data Protection Obligations and Data Protection Impact Assessment:

As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. The HRM Team of an organization should adopt security arrangements that fit the nature of the personal data held by the organization and the possible harm that might result from a security breach.

As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.

Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) that triggers and conducts risk-based assessments. It can further enable organizations to mitigate data exposures, remediate misconfigurations, and discover risks within the organization.

Data Breach Management:

As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, an alert from the public, or notification by its data intermediary), the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

Where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as practicable. On or after notifying the PDPC, the employer must also notify each employee affected by the notifiable data breach in any manner that is reasonable in the circumstances.

Securiti's Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.

Data Sharing with Vendors and Cross-Border Transfers:

When sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance providers, the employer must assess their privacy practices and the third party's/vendor's compliance with the PDPA's requirements.

Under Section 26 of the PDPA, an employer who transfers personal data of employees out of Singapore is required to take appropriate steps to:

  • Ensure that it complies with its obligations under the PDPA;
  • Ensure that the recipient is bound by legally enforceable obligations to provide the personal data with a standard of protection comparable to that under the PDPA. Employers may consider using binding contracts for inter-corporate transfers and binding corporate rules for intra-corporate transfers; and
  • Ensure that the employee whose personal data is to be transferred consents to the transfer.

Securiti's Vendor Management Solution allows organizations to assess their vendor's risk based on a predefined risk score. Securiti also offers cross-border data transfer risk assessments to help organizations identify and review data transfers outside Singapore.

Rights of employees:

Under Sections 16, 21, and 22, current and former employees are given rights over their personal data which they can exercise, and the employer is required to fulfill such requests within a stipulated time frame. These rights include:

  1. Employees may withdraw their consent to the collection, use, or disclosure of their personal data by the employer at any time.
  2. Employees have the right to request access to their personal data. An employee may request to access any CCTV footage that they appear in.
  3. Employees have the right to request the correction of their personal data.

Securiti's DSR Automation Solution helps organizations simplify the process of fulfilling Data Subject Requests submitted by employees. This automated system helps enterprises swiftly process data subject requests and enables coordination between stakeholders for reviews and approvals.

Employee Monitoring:

Employers can collect, use, and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should notify employees if CCTV cameras are in place at workstations and if their use of computer network resources is being monitored. The employer may decide not to reveal the exact location of the CCTV cameras if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring, and for allowing BYOD equipment to access or store organization-collected personal data, while respecting the personal data of their employees.

Securiti helps keep privacy notices up to date with the help of robotic automation. The solution can help your organization build privacy notices in minutes, centralize their management, and reduce the risk of errors.

Operationalizing PDPA Compliance

The HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.

This can be done in the following ways:

  • Disclose how your organization collects, processes, retains, and shares data through transparent policies.
  • Don't request submission of the applicant's NRIC in the recruitment process until he/she accepts the position.
  • Develop formal policies and procedures within your organization for the collection and handling of data.
  • Update your organization's privacy policies as needed and share them with employees and consumers.
  • Ensure privacy policies and notices are easily accessible and understandable to your workforce.
  • Review and update processes.
  • Maintain proper documentation.

Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.

Securiti's Sensitive Data Intelligence Solution can help your organization discover, analyze, and protect large datasets. It offers you a 360-degree solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.

Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.


Frequently Asked Questions (FAQs)

PDPA (Personal Data Protection Act) is Singapore’s law that protects personal data, including employee information. It ensures companies handle data responsibly, keep it secure, and inform employees about how their information is used.

Yes, the Singapore Personal Data Protection Act (PDPA) applies to employees. Employers must comply with PDPA regulations when collecting, using, or disclosing personal data, including that of their employees.

The employee data protection policy in Singapore outlines how employers handle the personal data of their employees. It includes provisions related to data collection, consent, data security, and employee rights regarding their personal information.
