Singapore companies must protect personal data and adhere to the PDPA or risk reputational damage
By Shin Ee Gwee
The Personal Data Protection Commission (PDPC), set up in 2013 to implement Singapore’s Personal Data Protection Act (PDPA), is responsible for establishing the standards and rules that govern the control and management of personal data.
The PDPC can impose financial penalties of up to SG$1m for a breach of the PDPA, and it actively enforces the Act against businesses. As a result, the focus has shifted: local companies must move from mere compliance to accountability in the management of personal data.
Singapore’s HR managers must make their senior management aware of their accountability and the increased risk that data breaches pose.
Management of employee data through the full lifecycle
Personal data includes any information that can identify a specific individual, be it via their full name, their National Registration Identity Card (NRIC) number, passport, personal mobile number, fingerprints, and so on.
For HR professionals, it is important to note that information relating to failed job applicants is just as sensitive as that of employees and is equally protected under the PDPA. Companies must have clear written policies on the retention and destruction of job applicant information – an element often overlooked in policy documents. Companies must fulfil nine key obligations under the PDPA:
- Consent of the individual must be obtained before collecting personal data. As resumés are provided directly by applicants, consent can be assumed but they should not be retained for a prolonged period if the application has failed.
- Personal information must only be used for reasonable and appropriate purposes.
- A company must notify the employee of the reason for collecting personal data.
- The company must, upon request, provide the individual access to any personal data held about them and how it has been used or disclosed for the past year. It must be possible for the employee to have inaccuracies corrected.
- Reasonable steps should be taken to ensure that the personal data collected is accurate and complete. This is especially so if a decision is to be made about the employee based on the personal data.
- All reasonable measures need to be put in place to ensure that personal data is held securely to prevent unauthorised access.
- Personal data must only be retained for as long as it is properly required for legal or business purposes.
- Before personal data is transferred out of Singapore, measures must be put in place to ensure that the receiving organisation will protect the personal data to the same standards used in Singapore.
- A company must have documented policies and procedures concerning its implementation of the PDPA, including the appointment of a Data Protection Officer (DPO), whose contact information must be publicly available.
HR departments should always be located in secure areas, with clear desk policies. Documents containing personal data must be kept securely and only disclosed to those who require access for business purposes. This includes sensitive payroll data that may be held in payroll departments.
For organisations that are moving HR & payroll operations to managed service providers, it is critical to only provide necessary data to the service provider. Additionally, organisations should note that the accountability and ownership of the personal data remains with them.
On 15 January 2019, the PDPC imposed a financial penalty on SingHealth following a cyberattack incident and stated, "Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."
All computer-held data must be secure and only accessible on a need-to-know basis. Systems must be monitored to be certain controls have not been compromised.
HR professionals must be fully aware of the new rules on the use of an individual’s NRIC that take effect from 1 September 2019. These rules cover NRIC numbers and other national identification numbers (passport numbers, birth certificate numbers, foreign identification numbers and work permit numbers), which should only be collected or retained if the law requires it or there is a need to verify the individual’s identity to a high degree of fidelity. The NRIC numbers of visitors to a building should not be retained or printed on ID badges. Even where there is a genuine need to collect NRIC numbers, it is highly recommended to collect only a redacted portion, namely the last 3 digits and the letters.
Evaluation and monitoring of employee behaviour
The PDPA allows for the monitoring of employees to determine their suitability, eligibility and qualifications for appointment, promotion, continuance in office and removal from their position.
A company can collect, use and disclose evaluative data without the consent of the individual. This can include monitoring an employee’s emails and their use of computer network resources.
Whilst consent is not required, the organisation should notify employees by stating that they do perform such monitoring in the employee handbook or other policy document.
HR best practice and governance
Best practice policies and procedures need to be documented and implemented. These should include:
- Don’t request submission of an individual’s NRIC in the recruitment process until they accept the position.
- Only retain failed applicant resumés for a short period; dispose of them securely.
- Seek consent before redirecting a resumé to a different role from the one applied for; state on recruitment postings that the organisation will consider all applicants for alternative positions.
- Only transfer personal data outside of Singapore if necessary, have measures in place to protect the personal data to the same standard as in Singapore and obtain the individual’s consent in advance.
- Have clear policies on retaining ex-employees’ personal data and its destruction.
- Inform employees if emails, computer usage and telephones are monitored and why.
- If not already in place, a DPO must be appointed and their contact details made public.
- Management of employee data should only be entrusted to an accredited partner, to prevent data leakage in the workplace. In the HR and payroll services industry, the accreditations and compliance programmes to look for include International Standard on Assurance Engagements (ISAE) 3402, ISO 27001 (the standard for information security management systems) and an ISAE 3402/SOC 1 report covering payroll services; together these provide the standard of data security and information management that you need.
More than ever before, the board of directors must take an active part in protecting the reputation of their business and properly fund the protection of personal data of employees and customers alike.
HR professionals must understand the full scope of the PDPA and review current policies and procedures and strengthen them where necessary to achieve compliance.
They need to make senior management aware of the importance of compliance with the policies and where responsibility will be deemed to lie. If in any doubt on how to fully comply, HR management should consider seeking professional advice from local experts.