Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

By Securiti Research Team

Published August 16, 2021 / Updated May 8, 2023

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. The PDPA applies to any organization that deals with the collection, use, and/or disclosure of personal data (stored in electronic and non-electronic forms) from individuals in Singapore, whether the organization is located in Singapore or not. Recruitment companies, employment agencies, head-hunters, and other similar organizations are also subject to the Data Protection Provisions of the PDPA.

Collecting Personal Data of Job Applicants and Employees:

As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:

Such processing is reasonable for managing or terminating the employment relationship. This includes using an employee's bank details for payroll processing, administering staff benefits, and monitoring their use of company-issued devices; or
The processing is for evaluative purposes, which include determining the suitability of an individual for employment, a promotion, or termination of employment.

When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.

If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.

If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.

The PDPA does not require organizations or recruitment agencies to obtain the consent of the individual when collecting or using personal data that is publicly available. Where the personal data is not publicly available but is voluntarily made available by the individual on a job-search portal for being contacted for prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for such purpose. So it would be right to state that where social networking sources (e.g., Facebook, Twitter, or Linkedin) are publicly available, the PDPA does not prohibit organizations from collecting personal data about the individual without his consent.

Notification and Purpose Limitation Obligations:

As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.

However, this obligation won't apply if:

The individual is deemed to have consented to the collection, use, or disclosure, as the case may be under the PDPA; or
The employer collects, uses, or discloses the personal data without the consent of the individual in accordance with section 17 of the PDPA (that is, in the circumstances like managing and terminating the employment relationship, or processing for the evaluative purposes.

Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.

Data Protection Obligations and Data Protection Impact Assessment:

As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The HRM team of an organization should consider adopting security arrangements that fit the nature of the personal data held by their organization and the possible harm that might result from a security breach.

As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.

Data Breach Management:

As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public, or notification by your data intermediary), then the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

And where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as it is practicable. On or after notifying the PDPC, the employer must also notify each affected employee affected by a notifiable data breach in any manner that is reasonable in the circumstances.

While sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance services, the employer must assess their privacy practices and their third-party/vendor's compliance with the PDPA' 's requirements.

Under Section 26 of the PDPA, an employer who transfers personal data of employees out of Singapore is required to take the following appropriate steps to:

Ensure that it complies with the obligations under the PDPA;
Ensure that the recipient is bound by legally enforceable obligations to provide the personal data a standard of protection that is comparable to the PDPA. Employers may consider using binding contracts for inter-corporate transfers and binding corporate rules for intra-corporate transfers.
Ensure that the employee whose personal data is to be transferred gives consent to such transfer

Rights of employees:

Under sections 16, 21, and 22, current and former employees are given rights over their personal data which can be exercised, and the employer is required to fulfill these requests in a stipulated time frame. These rights include:

Employees may withdraw their consent to the collection, use, or disclosure of their personal data by the employer at any time.
Employees have the right to request access to their personal data. An employee may request to access any CCTV footage that they appear in.
Employees have the right to request the correction of their personal data.

Employees' Monitoring:

Employers can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should provide notices to employees if the CCTVs are in place at workstations and if they are monitoring their use of computer network resources. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring and to enable BYOD equipment for accessing or storing organization-collected personal data while respecting the personal data of their employees.

Operationalizing PDPA Compliance

HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.

This can be done in the following ways:

Disclose how your organization collects, processes, retains, shares, and processes data through transparent policies.
Don't request submission of the applicant's NRIC in the recruitment process until he/she accepts the position.
Develop formal policies and procedures within your organization for the collection and handling of data.
Update your organization's privacy policies as needed and share them with employees and consumers.
Ensure privacy policies and notices are easily accessible and understandable to your workforce.
Review and update processes.
Maintain proper documentation.

Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.

Securiti's Sensitive Data Intelligence Solution can help your organization to discover, analyze, and protect large datasets. It offers you a 360 solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.

Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.

How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

Collecting Personal Data of Job Applicants and Employees:

Notification and Purpose Limitation Obligations:

Retention Limitation Obligation:

Data Protection Obligations and Data Protection Impact Assessment:

Data Breach Management:

Rights of employees:

Employees' Monitoring:

Operationalizing PDPA Compliance

Securiti for Workday

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

How to Manage Employees’ Data Under Singapore’s Personal Data Protection Act (PDPA)

Collecting Personal Data of Job Applicants and Employees:

Social Networking Sources and Data Collection:

Notification and Purpose Limitation Obligations:

Retention Limitation Obligation:

Data Protection Obligations and Data Protection Impact Assessment:

Data Breach Management:

Data Sharing with Vendors and Cross-Border Transfers:

Rights of employees:

Employees' Monitoring:

Operationalizing PDPA Compliance

Securiti for Workday

Schedule a LIVE One-on-One Demo

Join Our Newsletter

Share

More Stories that May Interest You

Employer Obligations on Employee Data Under Indian Law

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

The HR Guide to Employee Data Protection

Newsletter

Company

Resources

Terms

Get in touch