Protection of Personal Data and Adherence to PDPA
In Singapore, the Personal Data Protection Commission, better known as the PDPC, was set up in 2013. Its main purpose is to build better standards and rules for protecting and managing personal data. It was established as part of Singapore's Personal Data Protection Act (PDPA).
In the case of a PDPA violation, the commission can levy fines of up to SGD 1 mn. This has pushed local businesses to focus on accountability in the management of personal data rather than on mere compliance.
It is therefore crucial for human resource managers to inform and update top management on their accountability under the PDPA when it comes to managing employees' data. Companies must also understand how vulnerable their business has become to breaches of personal information.
Employee Data Management
Job seekers and employees trust the company with all the personal information required to get the job. It is the company's responsibility to safeguard the personal and sensitive information of these individuals even if their application is rejected. This personal data includes name, contact details, NRIC number, passport details, fingerprints, etc. It is important to note that the data of unsuccessful candidates and job seekers is protected under the PDPA to the same extent as that of employees.
Organizations must have clearly established procedures for recording and disposing of job application information. This aspect is often omitted from policy documents. Applicants should be allowed to proceed only after they have agreed to the stated policies.
The PDPA calls for nine obligatory compliance aspects:
- It is important to ask for the consent of those applying for the job. When candidates apply with their resumes, their consent is assumed. However, if a candidate fails to get the job or is not considered for it, their resume should not be stored for long.
- Personal information of individuals should be used for reasonable purposes only.
- The organization should make it a point to inform applicants and employees of the reasons for collecting their personal data.
- On request of the individual, the organization is obliged to give access to any data it holds about them, and to how that data was used or disclosed in the last one year. The employee must also be able to have errors corrected.
- Organizations must make sure that the personal data collected is accurate and complete, especially if any decisions are to be taken based on it.
- Organizations must take adequate steps to protect and safeguard the data from unauthorized access.
- Personal data should be held only as long as it is required for legal or business purposes.
- The PDPA states that if personal data is transferred out of Singapore, the organization on the receiving end must protect it to a standard comparable to that required in Singapore.
- The firm should have established policies and processes in place for implementing the PDPA, including the designation of a Data Protection Officer (DPO). The contact information of the DPO must be made public and accessible to all.
The Human Resource Department should take charge of all personal documents that contain private data, including payroll information, and keep them secure. HR should forward this data only to those who need it for business purposes, and only in a responsible way. Any data breach would cause problems for the organization.
The Human Resource Department of every organization should have a secure space with a clear desk policy. This ensures that documents containing personal information are protected and accessible to authorized personnel only. The same should apply to the sensitive payroll documents held by the payroll department. If the organization has outsourced HR or payroll services, it is crucial that only the data strictly needed is shared with the provider. Furthermore, organizations should be aware that accountability and ownership of personal data rest with them.
The PDPC is actively enforcing data protection. For instance, in 2019, SingHealth was fined for its data breach. As stated by the PDPC, even if an organization hires third parties or outsources its services, it remains responsible for keeping personal information safe.
All data stored on computers should be regulated and controlled. Organizations must keep a check on personal data and make it accessible only to those departments that need it. A monitoring system must be installed to understand and control the data and to keep track of who accesses it.
Human resource professionals must be completely aware of the new rules governing the use of an individual's NRIC. The NRIC is an essential category of personal data which comprises NRIC numbers, passport numbers, birth certificate numbers, foreign identification numbers, and work permit numbers. NRIC numbers should be collected only if the organization is legally required to verify them.
Owing to the sensitivity of this information, the PDPC suggests using only the last three digits and letter of the NRIC number. In no case should the NRIC be scanned, or its information stored for later use.
Reviewing your Employee’s Behaviour
According to the PDPA, it is permissible to monitor employees to determine whether they are suitable, eligible, and qualified for appointment, promotion, retention in office, or termination.
Firms can collect, use, and disclose such evaluative data without the consent of the individual. Monitoring employee email and network usage can be part of this. Even though employee approval is not required, organizations should notify workers of such monitoring in employee handbooks or other policy documents.
Some Tips from HR
There are some policies and tips that help HR work efficiently and stay compliant:
- Avoid collecting an applicant's NRIC before he/she has been offered the job.
- Keep the resumes of unsuccessful applicants for only a short time and dispose of them carefully after that. Make sure no data leaks occur while disposing of the information.
- HR should always ask applicants before forwarding a resume for a job position entirely different from the one the applicant originally applied for.
- If personal data has to be transferred outside Singapore, the company must take full responsibility for it. Before the transfer, it needs to obtain the consent of the person whose data is being transferred and have a valid purpose for the transfer.
- Dispose of ex-employees' personal data in a secure manner, and state that policy in the relevant forms.
- If you plan to review employees' laptop data, screens, or telephone records, inform them of the valid need for doing so.
- If a DPO (Data Protection Officer) has not yet been appointed, appoint one and publish their contact details.
- To avoid data leaks in the workplace, employee data should only be handed to authorized partners. To deliver quality data security and information management, adopt the International Standard on Assurance Engagements (ISAE) 3402, ISO 27001 (the standard for information security management systems), and ISAE 3402/SOC 1 reports for outsourced services.
To make a good mark for your company, the directors should focus on assigning an adequate amount of resources to safeguarding employees' data.
So what’s next?
HR must take full responsibility for following the rules of the PDPA and stay up to date on the laws and regulations issued by the PDPC. It is the job of HR to keep the senior management team informed of the need to follow the PDPA and of why personal data security is essential. In case of problems, help can always be obtained from locally trained data security specialists.
If you have any concerns related to PDPA and its compliance, contact our team for professional consultancy!