Personal Data Protection Act: What HR needs to know

HRM 12 Aug 2013

Singapore’s Personal Data Protection Act 2012 (PDPA) came into force on 2 January 2013 and is applicable to all organisations in Singapore, except for organisations in the public sector. Organisations have been given a transitional period of 18 months, which ends early in July next year.

The objective of the PDPA is to regulate an organisation’s activities relating to personal data. For instance, organisations must seek the consent of individuals before collecting, using or disclosing their personal data, as well as provide individuals with access to any personal data kept. An organisation must also protect personal data in its possession or control, as well as remove personal data that is no longer required to be retained for legal or business purposes.

Under the PDPA, personal data is defined very widely and refers to any data to which an organisation is likely to have access, and from which an individual can be identified. The regulatory authority in charge of implementing the PDPA will be the Singapore Personal Data Protection Commission (PDPC).

General compliance

Organisations are well advised to take advantage of the transitional period to develop and implement policies and practices for compliance. Failure to fulfil an obligation or duty under the PDPA could attract both criminal and civil sanctions, and the PDPC has the right to impose fines of up to $1 million.

In particular, organisations need to designate at least one person as a data protection officer, who will be responsible for ensuring that the organisation complies with the PDPA.

Organisations are also expected to respect the Do Not Call (DNC) Register, which allows individuals to opt out of receiving marketing messages by registering their Singapore phone numbers. The DNC Register, available for public sign-up from January next year, applies to voice calls, text messages and facsimile. Under the PDPA, it is an offence for any person or organisation to send a marketing message to a Singapore telephone number unless that person or organisation has checked the relevant DNC Register and ensured that the number is not registered.

HR implications

Given that almost all organisations collect and process personal data of employees, many HR processes and policies will need to be reevaluated. Organisations can no longer deal in personal data in an unfettered manner, such as storing personal data of employees indefinitely on servers or in general storage. Under the PDPA, such information must be deleted once it is no longer necessary for legal or business purposes. Similarly, the personal data of non-shortlisted job candidates who have must be destroyed or anonymised.

Organisations will also have to identify where potential data security breaches may occur by analysing how personal data is collected, what medium is used for storage, and where personal data enters and leaves each department. Organisations will then have to implement the necessary security policies to address any possible risks identified.

There are some exemptions in the PDPA that are highly applicable to HR activities.

For example, an organisation may collect personal data about an individual without their consent if such an activity was carried out for an evaluative purpose, which includes determining the suitability, eligibility or qualifications of an individual for employment or promotion.

There is also an exemption providing for the collection of personal data pursuant to ‘managing or terminating an employment relationship’, which includes using an employee’s bank account details to issue salaries, or monitoring how the organisation’s computer network resources are being used. Do note, however, that organisations are still required to inform their employees of the purposes for which such data is being collected. This could be done by including the relevant terms in the employment agreement or the employee handbook.

Another instance where a PDPA exemption will apply is when the organisation has to use the personal data of an individual when dealing with workplace grievances. Such use typically requires the individual’s consent. However, the organisation may be exempted from seeking such consent if the use of the personal data is for the purpose of any “investigation or proceeding”.

Next, organisations may disclose personal data without that individual’s consent to a prospective party of a ‘business asset transaction’, which refers to any type of acquisition, disposal or financing of an organisation or division. Employers are also not required to provide access to an individual’s personal data where such data is “opinion data” that is “kept solely for an evaluative purpose”. This includes opinions written in the course of assessment of individuals for employment or promotions.

Finally, organisations should take note that the PDPA provisions do not apply to business contact information, which is commonly provided through business cards. Unless such a business card was provided solely for personal purposes, an organisation that receives such information will not have to worry about complying with the PDPA requirements on seeking consent before using it for business activities.

Prepare early

Currently, organisations still have some lead time to undertake a review of their processes and activities to ensure that they will be compliant with the PDPA. However, in order to avoid unforeseen delays, organisations would do well to initiate such reviews as soon as possible.

Latest comments

Commented by: Jessica Khoo at 08 Jun 2014 03:11 AM
I am writing the various work processes to incorporate all the PDPA requirements
