Ways to protect HR data and avoid penalties for data breaches

Ways to protect HR data and avoid penalties for data breaches

The focus of the Personal Data Protection Commission (PDPC) in implementing Singapore’s Personal Data Protection Act (PDPA) is to establish standards and rules in governing the management and control of data. 

When there is breach in Personal Data Protection Act (PDPA), the Personal Data Protection Commission (PDPC) has the power to impose financial penalties up to $1,000,000 SGD. With this, there has been a shift from mere compliance on the organization’s part to full accountability in the management of personal data. 

Thus, there is a need for the HR managers in Singapore to inform senior management of their accountability and the risk posed by data breaches. 

Also Read: Data Protection Act of Singapore: Validity in the Post-pandemic World

Management of employee data through the full lifecycle

The personal data that can be subject of breaches include any information that can identify a specific person, be it via their full name, passport, personal email, image, their National Registration Identity Card (NRIC) number, their personal mobile number, residential address, next-of-kin contact details and so on.

It is important for HR professionals to know that any applicant’s information, be it a failed job applicant, is as sensitive and confidential to those who are already an employee, and they are equally protected under the PDPA. Thus, it is imperative for companies that they have clear written and imposed policies in the retention and disposal of the information of job applicants– an element usually  an element often snubbed in policy documents.

According to Shin Ee Gwee, Head of HR & Payroll at TMF Singapore, keeping in mind the ways to protect data, companies must fulfill the nine (9) key obligations under the PDPA:

1.    Consent of the individual must be obtained before collecting personal data. As resumés are provided directly by applicants, consent can be assumed but they should not be retained for a prolonged period if the application has failed.

2.    On the ways to protect data, the Personal information must only be used for reasonable and appropriate purposes.

3.    A company must notify the employee of the reason for collecting, usage and disclosure to third parties of their personal data.

4.    The company must upon request, provide the individual access to any personal data held about them and how it has been used or disclosed for the past year. It must be possible for the employee to have inaccuracies corrected.

5.    Reasonable steps should be taken to ensure that the personal data collected is accurate and complete. This is especially so if a decision is to be made about the employee based on the personal data.

6.  One of the ways to protect HR data is that all reasonable administrative, technical and physical measures need to be put in place to ensure that personal data is held securely to prevent unauthorized access.

7.   Personal data must only be retained for as long as it is properly required for legal or business purposes.

8.    Before personal data is transferred out of Singapore, measures must be put in place to ensure that the receiving organization will protect the personal data to the same standards used in Singapore.

9.   Lastly, one of the ways to protect HR data is for a company to have documented policies and procedures concerning its implementation of the PDPA, including the appointment of a Data Protection Officer (DPO), whose contact information must be publicly available.

Employee Behavior’s Evaluation and Monitoring

Monitoring of employees is allowed under the Personal Data Protection Act. It is for the determination of the employees’ suitability, eligibility and qualifications for appointment, continuance in office, promotion, and removal from their position.

This can be done by collecting evaluative data without the consent of the employee, which include, but not limited to, the use of computer network resources and monitoring of their work emails. 

Whilst consent is not required, it is imperative on the part of the organization to inform the employee that they will be monitored from time-to-time to evaluate their work ethics. This could be done by stating it in the employee handbook or any other policy documents. 

HR Best Governance and Practice

According to Gwee, the best practice policies and procedures need to be implemented and documented. These should include:

1.    Don’t request submission of an individual’s NRIC in the recruitment process until they accept the position.

2.    Only retain failed applicant resumés for a short period; dispose of them securely.

3.    Seek consent before redirecting a resume for a different role from the one applied for; state on recruitment postings that the organization will consider all applicants for alternative positions.

4.    Only transfer personal data outside of Singapore if necessary, have measures in place to protect the personal data to the same standard as in Singapore and obtain the individual’s consent in advance.

5.    Have clear policies on retaining ex-employees’ personal data and its destruction.

6.    Inform employees if emails, computer usage and telephones are monitored and why.

7.    If not already in place, a DPO must be appointed and their contact details made public.

8.    Management of employee data should only be entrusted to an accredited partner to prevent data leakage in the workplace. In the HR and payroll services industry, accreditations and compliance programmes that you should look for include International Standard on Assurance Engagements (ISAE) 3402, ISO 27001 – the standard for information security management systems and the ISAE 3402/SOC 1 report for payroll services, to provide the standard of data security and information management that you need.

Also Read: National Cybersecurity Awareness Campaign of Singapore: Better Cyber Safe than Sorry