Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. The PDPA applies to any organization that deals with the collection, use, and/or disclosure of personal data (stored in electronic and non-electronic forms) from individuals in Singapore, whether the organization is located in Singapore or not. Recruitment companies, employment agencies, head-hunters, and other similar organizations are also subject to the Data Protection Provisions of the PDPA.
This article provides a guide to the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PDPA. Following are the key obligations under the PDPA that an HRM Team must consider while handling personal data of job applicants and current and former employees.
As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:
When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.
If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.
If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.
The PDPA does not require organizations or recruitment agencies to obtain the consent of the individual when collecting or using personal data that is publicly available. Where the personal data is not publicly available but is voluntarily made available by the individual on a job-search portal so that he can be contacted about prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for that purpose. It follows that where profiles on social networking sources (e.g., Facebook, Twitter, or LinkedIn) are publicly available, the PDPA does not prohibit organizations from collecting personal data about the individual from them without his consent.
The Securiti Consent Management Solution offers organizations a complete consent orchestration platform with customizable endpoints, configurable workflows, and comprehensive record keeping. This solution can help organizations easily honor consumer consent and maintain compliance with privacy regulations.
Securiti can help organizations map data to their owners, create privacy notices and incorporate sensitive data intelligence to ensure that all data protection principles are complied with.
As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.
However, this obligation won't apply if:
Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.
Securiti has a privacy notice creation and management solution with pre-built expert-made templates which can be synced with your data maps to ensure your privacy policies are always up-to-date. The solution utilizes automation and data intelligence to continuously scan data stores, automatically update any changes to the collection, processing, sharing, selling, or retention of personal data, and updates the privacy notice automatically, in real-time, ensuring consistent compliance.
Section 25 allows organizations to retain personal data only for as long as it is necessary for the purpose for which it was collected, or for a valid business or legal purpose. After an organization has decided which job applicant to hire, the personal data that the organization had collected from the other job applicants should only be kept for as long as it is necessary for business or legal purposes.
Securiti enables employers to keep track of employees' data and consent with its data mapping automation tool. This tool will allow employers to know where the employee's data is in the data stores, what purpose it is being used for, and what consent they have from the employees.
As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The HRM team of an organization should consider adopting security arrangements that fit the nature of the personal data held by their organization and the possible harm that might result from a security breach.
As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.
Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) to trigger and conduct risk-based assessments. It can further enable organizations to mitigate data exposures, remediate misconfigurations and discover risks within your organization.
As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, an alert from the public, or notification by its data intermediary), the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.
Where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as it is practicable. On or after notifying the PDPC, the employer must also notify each employee affected by the notifiable data breach in any manner that is reasonable in the circumstances.
Securiti's Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.
When sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance services, the employer must assess their privacy practices and the third party's/vendor's compliance with the PDPA's requirements.
Under Section 26 of the PDPA, an employer who transfers personal data of employees out of Singapore is required to take the following appropriate steps to:
Securiti's Vendor Management Solution allows organizations to assess their vendors' risk based on a predefined risk score. Securiti also offers cross-border data transfer risk assessments to help organizations identify and review data transfers outside Singapore.
Under sections 16, 21, and 22, current and former employees are given rights over their personal data which can be exercised, and the employer is required to fulfill these requests in a stipulated time frame. These rights include:
Securiti's DSR Automation Solution helps organizations simplify the process of fulfilling Data Subject Requests submitted by the employee. This automated system helps enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.
Employers can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should provide notices to employees if CCTVs are in place at workstations and if they are monitoring their use of computer network resources. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring, and for allowing BYOD equipment to access or store organization-collected personal data, while respecting the personal data of their employees.
Securiti helps keep privacy notices up-to-date with the help of robotic automation. The solution can help your organization build privacy notices in minutes, centralize management and reduce the risk of errors.
The HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.
This can be done in the following ways:
Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.
Securiti's Sensitive Data Intelligence Solution can help your organization discover, analyze, and protect large datasets. It offers you a 360-degree solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.
Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.