Personal Data Protection Act: What HR needs to know
Singapore’s Personal Data Protection Act 2012 (PDPA) came into force on 2 January 2013 and is applicable to all organisations in Singapore, except for organisations in the public sector. Organisations have been given a transitional period of 18 months, which ends early in July next year.
The objective of the PDPA is to regulate an organisation’s activities relating to personal data. For instance, organisations must seek the consent of individuals before collecting, using or disclosing their personal data, as well as provide individuals with access to any personal data kept. An organisation must also protect personal data in its possession or control, as well as remove personal data that is no longer required to be retained for legal or business purposes.
Under the PDPA, personal data is defined very widely and refers to any data to which an organisation is likely to have access, and from which an individual can be identified. The regulatory authority in charge of implementing the PDPA will be the Singapore Personal Data Protection Commission (PDPC).
Organisations are well advised to take advantage of the transitional period to develop and implement policies and practices for compliance. Failure to fulfil an obligation or duty under the PDPA could attract both criminal and civil sanctions, and the PDPC has the right to impose fines of up to $1 million.
In particular, organisations need to designate at least one person as a data protection officer, who will be responsible for ensuring that the organisation complies with the PDPA.
Organisations are also expected to respect the Do Not Call Register, which allows individuals to opt out of receiving marketing messages by registering their Singapore phone numbers. The DNC Register, available for public sign-up from January next year, applies to voice calls, text messages and facsimile. Under the PDPA, it is an offence for any person or organisation to send a marketing message to a Singapore telephone number unless that person or organisation has checked with the relevant DNC Register and ensured that the number is not registered.
Given that almost all organisations collect and process personal data of employees, many HR processes and policies will need to be re-evaluated. Organisations can no longer deal in personal data in an unfettered manner, such as storing personal data of employees indefinitely on servers or in general storage. Under the PDPA, such information must be deleted once it is no longer necessary for legal or business purposes. Similarly, the personal data of job candidates who have not been shortlisted must be destroyed or anonymised.
Organisations will also have to identify where potential data security breaches may occur by analysing how personal data is collected, what medium is used for storage, and where personal data enters and leaves each department. Organisations will then have to implement the necessary security policies to address any possible risks identified.
There are some exemptions in the PDPA that are particularly relevant to HR activities.
For example, an organisation may collect personal data about an individual without their consent if such an activity was carried out for an evaluative purpose, which includes determining the suitability, eligibility or qualifications of an individual for employment or promotion.
There is also an exemption providing for the collection of personal data pursuant to ‘managing or terminating an employment relationship’, which includes using an employee’s bank account details to issue salaries, or monitoring how the organisation’s computer network resources are being used. Note, however, that organisations are still required to inform their employees of the purposes for which such data is being collected. This could be done by including the relevant terms in the employment agreement or the employee handbook.
Another instance where a PDPA exemption will apply is when the organisation has to use the personal data of an individual when dealing with workplace grievances. Such use typically requires the individual’s consent. However, the organisation may be exempted from seeking such consent if the use of the personal data is for the purpose of any “investigation or proceeding”.
Next, organisations may disclose personal data without the individual’s consent to a prospective party to a ‘business asset transaction’, which refers to any type of acquisition, disposal or financing of an organisation or division. Employers are also not required to provide access to an individual’s personal data where such data is “opinion data” that is “kept solely for an evaluative purpose”. This includes opinions written in the course of assessing individuals for employment or promotion.
Finally, organisations should take note that the PDPA provisions do not apply to business contact information, which is commonly provided through business cards. Unless such a business card was provided solely for personal purposes, an organisation that receives such information will not have to worry about complying with the PDPA requirements on seeking consent before using it for business activities.
Currently, organisations still have some lead time to undertake a review of their processes and activities to ensure that they will be compliant with the PDPA. However, to avoid unforeseen delays, organisations would do well to initiate such reviews as soon as possible.