Managing employee data in Singapore
Singapore enacted the Personal Data Protection Act (PDPA) in 2012 and brought it into force in stages; the data protection provisions took effect on 2 July 2014. The PDPA applies to any organization that collects, uses, or discloses personal data (in electronic or non-electronic form) of individuals in Singapore, whether or not the organization itself is located in Singapore. Recruitment agencies, headhunters, and similar intermediaries are equally subject to the PDPA's Data Protection Provisions.
This article is a guide for an organization's Human Resource Management Team (HRM Team) working to comply with the PDPA. It sets out the main PDPA obligations an HRM Team must consider when handling the personal data of job applicants and of current and former employees.
Managing employee data: Collecting Personal Data of Job Applicants and Employees
Under Sections 13 and 14 of the PDPA, an organization must obtain an individual's consent before collecting, using, or disclosing their personal data for any purpose. In the employment context, however, an employer may collect, use, or disclose an employee's personal data without consent where:
1. The collection, use, or disclosure is reasonable for the purpose of managing or terminating the employment relationship. This covers, for example, obtaining an employee's bank account details for payroll, administering employee benefits, and monitoring the employee's use of company-issued devices; or
2. The processing is for evaluative purposes, such as determining an individual's suitability for employment, for a promotion, or for continued employment.
When an individual voluntarily submits personal data to an organization in a job application, they are deemed to have consented to the organization collecting, using, and disclosing that data for the purpose of evaluating the application.
If the applicant is hired, the employer may continue to use the personal data supplied in the application form to manage the employment relationship with that individual.
Where the employer wishes to use an employee's personal data for a purpose that is not covered by deemed consent and for which no exception under the PDPA applies, it must first notify the employee of the new purpose and obtain their consent.
Managing employee data: Social Networking Sources and Data Collection
The PDPA does not require an organization or recruitment agency to obtain consent when collecting or using personal data that is publicly available. Where personal data is not publicly available but an individual has voluntarily posted it on a job-search portal in order to be contacted about future opportunities, the individual may be deemed to have consented to the collection, use, and disclosure of that data for that purpose. It follows that the PDPA does not prevent an organization from collecting, without consent, personal data that an individual has made genuinely public on a social networking site (such as Facebook, Twitter, or LinkedIn). Two caveats apply: a profile or post restricted by privacy settings to a limited audience is not "publicly available", and the exemption removes only the consent requirement, so the organization's other obligations, including purpose limitation, protection, and retention limitation, continue to apply to data collected this way.
Managing employee data: Notification and Purpose Limitation Obligations
Under Sections 18 and 20 of the PDPA, an employer must notify a job applicant or employee of the purpose(s) for which it intends to collect, use, or disclose their personal data, on or before doing so, and may then collect, use, and disclose the data only for those purposes. Where personal data is collected, used, or disclosed for the purpose of managing or terminating the employment relationship, the employer must still notify the employee of that purpose even though consent is not required; this is commonly done by including the relevant clauses in the employment contract or an employee data protection notice.
The notification obligation does not apply where either of the following holds:
a. The individual is deemed under the PDPA to have consented to the collection, use, or disclosure; or
b. The employer collects, uses, or discloses the personal data without consent under an exception in Section 17 of the PDPA (for example, for evaluative purposes). As noted above, the exception for managing or terminating the employment relationship is a special case: consent is not needed, but the employer must still notify the employee of that purpose.
Section 18 also requires that personal data be collected, used, or disclosed only for purposes that a reasonable person would consider appropriate in the circumstances. Employers should therefore refrain from requesting personal data from applicants that is irrelevant to the role. In addition, an employer must make a reasonable effort to ensure that the personal data it collects is accurate and complete, particularly where it will be used to make a decision affecting the individual.
Managing employee data: Retention Limitation Obligation
Section 25 permits an organization to retain personal data only for as long as it is needed for the purpose for which it was collected, or for a legitimate legal or business purpose; once neither applies, the organization must cease to retain the data or anonymize it so that it can no longer be associated with a particular individual. Once an organization has decided which candidate to hire, the personal data collected from the unsuccessful applicants should be retained only for as long as a legal or business purpose requires (for example, to handle any dispute over the hiring decision), and should then be securely disposed of.
Data Protection Obligations and Data Protection Impact Assessment
Under Section 24 of the PDPA, an employer must protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal, and similar risks, as well as the loss of any storage medium or device on which the data is stored.
An organization's HRM Team should put in place security measures proportionate to the type and sensitivity of the personal data handled (employee records typically include identification numbers, bank details, medical information, and performance evaluations) and to the harm that could result from a breach.
As a matter of good practice, organizations should carry out risk assessments, such as Data Protection Impact Assessments, on the personal data in their possession or under their control, in order to identify the risks to that data and select security measures adequate to control or reduce them.
Managing employee data: Data Breach Management
Under Section 26C of the PDPA, once an employer has reason to believe that a data breach has occurred (whether discovered internally, reported publicly, or notified by its data intermediary), it must assess, in a reasonable and expeditious manner, whether the breach is a notifiable data breach. A breach is notifiable if it results in, or is likely to result in, significant harm to the affected individuals, or if it is of a significant scale, meaning it affects 500 or more individuals.
If the employer concludes that the breach is notifiable, it must notify the PDPC as soon as practicable and in any case within three calendar days of making that determination. Where the breach is likely to result in significant harm, the employer must also notify each affected employee in any manner that is reasonable in the circumstances, on or after notifying the PDPC. Notification of individuals is not required where the breach is notifiable only because of its scale, or where the employer has taken remedial action, or the data was protected by technological measures (such as encryption), such that significant harm is unlikely.
Managing employee data: Rights of employees
Sections 16, 21, and 22 give current and former employees rights over their personal data, and the employer is required to act on such requests within the prescribed time frame (an access or correction request must be fulfilled within 30 days, or the individual must be told in writing when it will be fulfilled). These rights are:
1. Employees may withdraw their consent to the employer's collection, use, or disclosure of their personal data at any time by giving reasonable notice. The employer must inform them of the likely consequences of withdrawal, but withdrawal does not affect processing for which consent is not required, such as that reasonably needed to manage or terminate the employment relationship.
2. Employees have the right to request access to their personal data and to information about how it has been used or disclosed in the preceding year. For example, an employee may request access to CCTV footage in which they appear; the employer may need to withhold or redact portions that would reveal the personal data of other individuals.
3. Employees have the right to request that their personal data be corrected. The employer must correct the data as soon as practicable and send the corrected data to every other organization to which it was disclosed within the preceding year, unless that organization does not need it for any legal or business purpose.
Managing employee data: Operationalizing PDPA Compliance
Meeting the PDPA's requirements is not a one-off exercise for the HRM Team; organizations must build the obligations into their day-to-day procedures. This can be accomplished in the following ways:
- Publish transparent policies that explain how the business collects, uses, retains, and shares personal data.
- Do not collect an applicant's NRIC number or a copy of the NRIC during recruitment; request it only once the applicant has accepted the offer and it is needed, for example for CPF contributions and tax reporting.
- Create formal policies and processes for the organization's data collection and processing, including retention periods and disposal methods for applicant and employee records.
- Update the organization's privacy policies as needed and communicate the changes to staff and customers.
- Ensure that the privacy policies and notices aimed at the workforce are easy to find and written in plain language.
- Review and revise processes regularly, and after any incident.
- Maintain accurate documentation of consents, notifications, access and correction requests, and breach assessments.
Carrying out these processes manually increases the risk of human error and adds cost and effort. Automating them where possible, for example the retention sweep of unsuccessful applicants' records or the tracking of access-request deadlines, makes compliance easier to sustain and to demonstrate.