'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on August 16, 2021 AUTHOR - Privacy Research Team
Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. The PDPA applies to any organization that deals with the collection, use, and/or disclosure of personal data (stored in electronic and non-electronic forms) from individuals in Singapore, whether the organization is located in Singapore or not.
This article provides a guide to the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PDPA. Following are the key obligations under the PDPA that an HRM Team must consider while handling personal data of job applicants and current and former employees.
As per Sections 13 and 14 of the PDPA, an organization must obtain the consent of the individual before collecting, using, or disclosing his/her personal data for a purpose. However, in the employment context, an employer can process its employees' data without consent if:
When an individual voluntarily provides his personal data to an organization in the form of a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data for the purpose of assessing his job application.
If the individual is subsequently employed, it would be reasonable for the employer to continue to use the personal data provided by the individual/employee in the job application form for the purpose of managing the employment relationship with the individual.
If the employer wishes to use the personal data for purposes for which consent may not be deemed or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.
The PDPA does not require organizations or recruitment agencies to obtain the consent of the individual when collecting or using personal data that is publicly available. Where the personal data is not publicly available but is voluntarily made available by the individual on a job-search portal for being contacted for prospective job opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of his personal data for such purpose. So it would be right to state that where social networking sources (e.g., Facebook, Twitter, or Linkedin) are publicly available, the PDPA does not prohibit organizations from collecting personal data about the individual without his consent.
As per Sections 18 and 20 of the PDPA, an employer must notify the job applicant or employee of the purpose(s) for which the employer intends to collect, use, or disclose his/her personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer also needs to inform employees of the purpose for managing and terminating the employment relationship. This can be done by way of drafting relevant provisions in the employment contracts.
However, this obligation won't apply if:
Section 18 of the PDPA requires organizations to only use collected data for the purpose it was intended for. Employers must refrain from asking applicants for personal data that is not relevant to the job. Also, an employer has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete.
Section 25 allows organizations to only retain information that is necessary to store or if there is a valid business or legal purpose of storing the personal data. After an organization has decided which job applicant to hire, the personal data that the organization had collected from the other job applicants should only be kept for as long as it is necessary for business or legal purposes.
As per Section 24 of the PDPA, employers must protect the personal data of employees in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The HRM team of an organization should consider adopting security arrangements that fit the nature of the personal data held by their organization and the possible harm that might result from a security breach.
As good practice, organizations should conduct risk assessments (e.g., Data Protection Impact Assessments) to assess the risks to the personal data they possess or control to determine appropriate security to control or mitigate these risks.
As per Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public, or notification by your data intermediary), then the employer is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.
And where the employer assesses that a data breach is a notifiable data breach, the employer must notify the PDPC as soon as it is practicable. On or after notifying the PDPC, the employer must also notify each affected employee affected by a notifiable data breach in any manner that is reasonable in the circumstances.
While sharing an employee's personal data with external third parties and vendors such as HR services, security contractors, or medical insurance services, the employer must assess their privacy practices and their third-party/vendor's compliance with the PDPA' 's requirements.
Under Section 26 of the PDPA, an employer who transfers personal data of employees out of Singapore is required to take the following appropriate steps to:
Under sections 16, 21, and 22, current and former employees are given rights over their personal data which can be exercised, and the employer is required to fulfill these requests in a stipulated time frame. These rights include:
Employers can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee's emails and their use of computer network resources. However, employers should provide notices to employees if the CCTVs are in place at workstations and if they are monitoring their use of computer network resources. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons. Employers should also conduct risk assessments and have sufficient technical measures in place for monitoring and to enable BYOD equipment for accessing or storing organization-collected personal data while respecting the personal data of their employees.
HRM Team is required to meet the aforesaid requirements of the PDPA. To achieve compliance, organizations need to operationalize their processes.
This can be done in the following ways:
Performing these tasks through manual methods increases the risk of human error, not to mention increased costs and time taken. Organizations need to incorporate automation that can simplify the compliance process.
Securiti's Sensitive Data Intelligence Solution can help your organization to discover, analyze, and protect large datasets. It offers you a 360 solution to all your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to PDPA compliance.
Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations required by the PDPA.