Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Managing employee data under Singapore’s PDPA

Managing employee data
Managing employee data is a must for an organization’s Human Resource Management Team

Managing employee data in Singapore

Singapore enacted the Personal Data Protection Act (PDPA) in 2012, which went into effect in stages; the data protection regulations went into effect on July 2, 2014. The PDPA applies to any organization that collects, uses, and discloses personal data (in electronic and non-electronic formats) from Singapore residents, whether the organization is located in Singapore or not. Recruitment agencies, headhunters, and other similar entities are similarly subject to the PDPA’s Data Protection Provisions.

This article serves as a guide for an organization’s Human Resource Management Team (HRM Team) attempting to comply with the PDPA. The following are the primary PDPA duties that an HRM Team must consider when dealing with personal data of job seekers, present and former employees.

Managing employee data is no easy task for an organization’s Human Resource Management Team

Managing employee data: Collecting Personal Data of Job Applicants and Employees

According to Sections 13 and 14 of the PDPA, an organization must seek the individual’s consent before collecting, processing, or disclosing their personal data for any reason. However, in the context of employment, a company can process its employees’ data without their consent if:

  1. This type of processing is appropriate for managing or terminating the working relationship. This includes accessing an employee’s bank account information for payroll processing, administration of employee benefits, and monitoring their use of company-issued gadgets; or

2. The processing is for evaluative purposes, such as establishing an individual’s suitability for employment, a promotion, or termination of employment.

When a person willingly submits his personal information to an organization in the form of a job application, he may be presumed to consent to the organization collecting, using, and disclosing the personal information to evaluate his job application.

If the individual is hired, it is acceptable for the employer to continue to utilize the personal information supplied by the individual or employee in the job application form to manage the employment relationship with the individual.

Suppose the employer seeks to use the employee’s personal data for purposes that consent may not be deemed or for which there is no appropriate exception under the PDPA. In that case, the employer must notify the employee and acquire their approval.

Also Read: Cybersecurity Singapore: The nation’s approach to protecting its cybersecurity

To avoid any monetary penalties, managing employee data must be the top priority for the employers

Managing employee data: Social Networking Sources and Data Collection

When collecting or using publicly available personal data, organizations or recruitment agencies are not required by the PDPA to get the individual’s consent. When personal data is not publicly available but is voluntarily provided by an individual on a job-search portal in order to be contacted for future job possibilities, the individual may be regarded to have consented to the collection, use, and disclosure of his personal data for such purpose. As a result, it is correct to state that if social networking sources (such as Facebook, Twitter, or Linkedin) are publicly available, the PDPA does not restrict corporations from obtaining personal data about individuals without their consent.

Managing employee data: Notification and Purpose Limitation Obligations

According to Sections 18 and 20 of the PDPA, an employer must notify a job applicant or employee of the purpose(s) for which they intend to collect, use, or disclose their personal data on or before such collection, use, or disclosure, and may only collect, use, and disclose personal data for such purposes. An employer must also tell employees about the reason for managing and terminating the employment relationship. This can be accomplished by including applicable provisions in employment contracts.

This obligation, however, will not apply if any of the following conditions are met:

a. Under the PDPA, the individual is presumed to have consented to the collection, use, or disclosure; or

b. In line with Section 17 of the PDPA (in circumstances such as managing and terminating the work relationship or processing for evaluation purposes), the employer acquires, uses, or discloses personal data without the individual’s agreement.

Section 18 of the PDPA requires organizations to use gathered data only for the purpose it was collected. Employers must refrain from requesting personal information from applicants that are irrelevant to the job. In addition, an employer must make a reasonable effort to ensure that the personal data obtained is accurate and complete.

An organization’s HRM Team should see to it to follow these guidelines to avoid breach of the PDPA

Managing employee data: Retention Limitation Obligation

Section 25 permits organizations to retain personal data only if required or if there is a valid business or legal reason to do so. After an organization has determined which job candidate to recruit, the personal data gathered from the other job applicants should only be maintained for as long as it is required for commercial or legal purposes.

Data Protection Obligations and Data Protection Impact Assessment

Employers must secure employee’s personal data in their custody or control, according to Section 24 of the PDPA, to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar dangers.

An organization’s HRM team should consider implementing security measures appropriate for the type of personal data handled by the organization and the potential harm that could arise from a security breach.

Organizations should undertake risk assessments, such as Data Protection Impact Assessments, as a best practice to analyze the risks to the personal data they own or control in order to identify adequate security to control or minimize these risks.

Managing employee data: Data Breach Management

According to Section 26C of the PDPA, once an employer has credible grounds to believe that a data breach has occurred (whether through self-discovery, public alert, or notification by your data intermediary), the employer must take reasonable and expeditious steps to determine whether the data breach is notifiable under the PDPA.

In addition, if the employer determines that there is a notifiable data breach, the employer must notify the PDPC as quickly as possible. The employer shall also inform each employee affected in any reasonable manner, either before or after notifying the PDPC.

Managing employee data: Rights of employees

Sections 16, 21, and 22 provide current and former employees rights over their personal data, which they can exercise, and the employer is compelled to satisfy these requests within a certain time frame. Among these rights are:

  1. Employees may revoke their consent to the employer’s collection, use, or disclosure of their personal data at any time.

2. Employees have the right to request that their personal data be accessed. An employee may seek access to any CCTV film in which they appear.

3. Employees have the right to request that their personal data be corrected.

Managing employee data: Operationalizing PDPA Compliance

It is essential that the HRM Team has met the PDPA’s criteria. With this, organizations must operationalize their procedures in order to achieve compliance. This can be accomplished in the following ways:

  • Using transparent policies, explain how your business gathers, processes, maintains, shares, and processes data.
  • Do not request the applicant’s NRIC until they accept the post during the recruitment process.
  • Create formal policies and processes for your organization’s data collection and processing.
  • As needed, update your organization’s privacy policies and communicate them with staff and customers.
  • Ensure that your workforce’s privacy rules and notices are easily accessible and understandable.
  • Examine and revise processes.
  • Maintain accurate documentation.

Manually doing these processes raises the danger of human error, not to mention the extra expenses and time required. This is why organizations must utilize automation to make the compliance process easier.

Also Read: Check the Do Not Call Registry in Singapore before marketing to phone numbers



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us