The Personal Data Protection Commission (PDPC), set up in 2013 to implement Singapore’s Personal Data Protection Act (PDPA), focused on establishing standards and rules to govern the control and management of personal data.
The PDPC can impose financial penalties of up to SG$1m for a breach of the PDPA, and it is actively regulating businesses. This has shifted the focus for local companies: they must move from mere compliance to accountability in the management of personal data.
Singapore’s HR managers must make their senior management aware of their accountability and the increased risk that data breaches pose.
Management of employee data through the full lifecycle
Personal data includes any information that can identify a specific individual, be it via their full name, their National Registration Identity Card (NRIC) number, passport, personal mobile number, fingerprints, and so on.
For HR professionals, it is important to note that information relating to failed job applicants is just as sensitive as that of employees and is equally protected under the PDPA. Companies must have clear written policies on the retention and destruction of job applicant information – an element often overlooked in policy documents. Companies must fulfil nine key obligations under the PDPA:
HR departments should always be located in secure areas, with clear desk policies. Documents containing personal data must be kept securely and only disclosed to those who require access for business purposes. This includes sensitive payroll data that may be held in payroll departments.
For organisations that are moving HR & payroll operations to managed service providers, it is critical to only provide necessary data to the service provider. Additionally, organisations should note that the accountability and ownership of the personal data remains with them.
On 15 January 2019, the PDPC imposed a financial penalty on SingHealth following a cyberattack incident and stated, "Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."
All computer-held data must be secure and only accessible on a need-to-know basis. Systems must be monitored to be certain controls have not been compromised.
HR professionals must be fully aware of the new regulations concerning the use of an individual’s NRIC that take effect from 1 September 2019. These rules cover NRIC numbers and equivalent identifiers (passport numbers, birth certificate numbers, foreign identification numbers and work permit numbers), which should only be collected or retained if required under the law or where there is a need to confirm an identity to a high degree of fidelity. The NRIC numbers of visitors to a building should not be retained or printed on ID badges. Even where there is a need to collect NRIC numbers, it is highly recommended to collect only a redacted portion, namely the last 3 digits and the letters.
Evaluation and monitoring of employee behaviour
The PDPA allows for the monitoring of employees to determine their suitability, eligibility and qualifications for appointment, promotion, continuance in office and removal from their position.
A company can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee’s emails and their use of computer network resources.
Whilst consent is not required, the organisation should notify employees by stating that they do perform such monitoring in the employee handbook or other policy document.
HR best practice and governance
Best practice policies and procedures need to be documented and implemented. These should include:
More than ever before, the board of directors must take an active part in protecting the reputation of their business and properly fund the protection of personal data of employees and customers alike.
HR professionals must understand the full scope of the PDPA and review current policies and procedures and strengthen them where necessary to achieve compliance.
They need to make senior management aware of the importance of compliance with the policies and where responsibility will be deemed to lie. If in any doubt on how to fully comply, HR management should consider seeking professional advice from local experts.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Singapore Business Review. The author was not remunerated for this article.
Shin Ee Gwee is the Head of HR & Payroll at TMF Singapore. She joined TMF Group in 2016 as Operations Associate Director. She was also the Local Security Officer and Data Protection Officer at TMF Singapore before moving to HR & Payroll in 2018.
Shin Ee spent over a decade as a management consultant, working with organisations across industries in APAC on business process improvement, shared services design and implementation, project management and organisation re-design.
Shin Ee holds a Bachelor of Science (Honours) in Economics and Finance from University of Bristol, UK.