Protection of personal data and adherence to the PDPA.
Many countries have taken a step forward to put legislation in place to ensure that citizens and their personal data are offered more rigorous protections and controls.
In Singapore, the Personal Data Protection Commission (PDPC) was established in 2013 to administer the Personal Data Protection Act (PDPA), concentrating on creating guidelines and standards for the administration and control of personal information.
In the case of a violation of the PDPA, the PDPC may impose financial penalties of up to SG$1m, and it actively enforces the Act against firms. As a result, local businesses have been forced to shift their approach to handling personal data from compliance to accountability.
Human Resource managers in Singapore must keep top management informed in order to carry out their obligation under the PDPA to handle employee data properly. Companies must be made aware of their accountability and of the risk that data breaches pose.
Employee Personal Data Management Lifecycle
Any information that can be used to identify a specific person is considered personal data. This includes the person’s full name, National Registration Identity Card (NRIC) number, passport number, personal mobile number, fingerprints, and so forth.
HR professionals must keep in mind that, under the PDPA, the information of rejected job applicants is just as sensitive as that of employees. An element that is often overlooked in policy documents is the need for organisations to have explicit written policies governing the retention and deletion of application data.
The PDPA calls for eleven key obligations:
- Accountability: The organisation must have policies and processes in place for implementing the PDPA. This includes the appointment of a Data Protection Officer (DPO), whose contact information must be made available to the public.
- Notification: The organisation must notify applicants or employees of the purpose for which their personal data is collected.
- Consent: The consent of individuals must be sought before collecting personal data. Consent is deemed given for applications submitted directly by the applicant. However, the data should not be retained for long if the application is unsuccessful.
- Purpose: Personal information of the individuals should be used for reasonable and appropriate purposes only.
- Accuracy: Organisations must take reasonable measures to guarantee the accuracy and completeness of the personal data obtained. This is especially true if a choice regarding employment is to be made based on personal information.
- Protection: Personal data must be stored securely, with all conceivable precautions taken to prevent unauthorised access.
- Retention: Personal data must only be kept for as long as is necessary for legal or commercial purposes.
- Transfer Limitation: Prior to the transfer of personal data out of Singapore, measures must be put in place to ensure that the organisation receiving the information will protect it in accordance with Singapore’s regulations.
- Access & Correction: Organisations are required to give the employee access to their personal data upon request, as well as details about how it was used or shared in the year prior to the request. The employee must be able to request the correction of errors.
- Data Breach Notification: Organisations are expected to notify the PDPC and the affected individuals as soon as possible if the data breach is likely to cause serious harm to individuals and/or is of significant scope.
- Data Portability: At an individual’s request, organisations must send any personal data about that individual that is in their custody or under their control to another organisation, in a commonly used machine-readable format.
HR departments should always work from secure locations with clear desk policies. Documents containing personal data must be kept confidential and given only to those who need access for professional reasons. This includes any private payroll information held by payroll departments.
Businesses that outsource their HR and payroll functions to managed service providers must provide them with only the information they genuinely need. Organisations should also be aware that they retain responsibility for and ownership of the personal data.
Following a cyberattack incident, the PDPC fined SingHealth on January 15 and issued a statement that read, “Even if organisations delegate tasks to vendors, organisations as data controllers must ultimately bear responsibility for the personal data that they have obtained from individuals.”
All data stored on computers must be protected, and only those with a need to know should have access. To ensure that controls have not been breached, systems must be monitored.
HR professionals must be fully aware of the rules governing the collection and use of an individual’s NRIC number, which took effect on 1 September 2019. These rules cover NRIC numbers and similar identifiers (passport numbers, birth certificate numbers, foreign identification numbers and work permit numbers), which should be collected only when there is a requirement to verify identity.
Because of their sensitivity, even where collecting NRIC numbers is necessary, it is strongly advised to collect only the last three digits and the letters of the NRIC number.
Review and Monitor Employees’ Behaviour
According to the PDPA, employers are allowed to monitor employees in order to ascertain whether they are suitable, eligible and qualified for appointment, promotion, continuation in office, or termination from their positions.
Evaluative data may be gathered, used and disclosed by a company without the individual’s consent. This may include monitoring an employee’s emails and computer network usage.
The organisation does not need employees’ permission to monitor them. However, employees should be informed by including a statement to that effect in the employee handbook or another policy document.
Best practices and governance for HR
Documenting processes and implementing best practices are essential components of good HR governance. Some recommended practices follow:
- Do not request a candidate’s NRIC before they have accepted the job.
- Refrain from keeping unsuccessful candidates’ resumes for a long time, and discard them securely.
- An applicant must consent before you forward their resume for a position other than the one they applied for. State clearly on job listings if all applications will be considered for alternative positions.
- Transfer personal data outside Singapore only when absolutely required and with consent, and apply the same standard of safeguards to the transferred data.
- Establish explicit guidelines for the disposal of former employees’ personal data.
- Let your workers know if their emails, internet use and phone calls are being monitored, and why.
- Appoint a Data Protection Officer (DPO) and make their contact details available to the public.
- To avoid data leaks in the workplace, give control of employee data only to an authorised partner. When selecting an HR and payroll services provider, look for accreditations and compliance programmes such as ISAE 3402 (International Standard on Assurance Engagements), ISO 27001 (the standard for information security management systems) and an ISAE 3402/SOC 1 report for payroll services, so that you get the level of data security and information management you require.
The management executive should play a proactive role in safeguarding the company’s reputation by providing adequate resources for the security of both employees’ and customers’ personal data.
What’s Next?
To achieve compliance, HR professionals must understand the full implications of the PDPA, evaluate current policies and processes, and reinforce them where appropriate. Start by sending your team for training with us today on Fundamentals of the Personal Data Protection Act (2020); our trainer is accredited by the PDP Commission. Anyone who handles personal data should attend this course.
Your senior management has to be informed about the significance of adhering to the policies and about who will be held accountable. If your HR management is unsure how to comply, consult Elitez Data Protection or outsource your data protection function to them.