Following on from our article on 25 January 2013 which outlined new rules on data protection, the main provisions of the new Personal Data Protection Act 2012 (the “PDPA”) came into effect on 2 July 2014.
Broadly speaking, there are nine main obligations under the data protection provisions of the PDPA, which a private sector organisation will need to comply with if it undertakes activities relating to the collection, use and disclosure of personal data in Singapore:
- The Consent Obligation: organisations will need to obtain the individual’s consent (whether deemed or express) before the collection, use and disclosure of that individual’s personal data.
- The Notification Obligation: when obtaining the consent, the individual must be informed of the purposes of the proposed collection, use or disclosure.
- The Purpose Limitation Obligation: organisations may only collect, use or disclose personal data about an individual for purposes that a reasonable person would consider appropriate in the circumstances and that have been notified to and consented to by the individual concerned.
- The Accuracy Obligation: organisations must make reasonable efforts to ensure that personal data collected is accurate and complete if the personal data is (i) likely to be used to make a decision that affects the individual; or (ii) likely to be disclosed to another organisation.
- The Access and Correction Obligation: at the request of the relevant individual, the organisation must, as soon as it is reasonably possible, (i) provide the individual with his or her personal data and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct any error or omission in his or her personal data.
- The Protection Obligation: organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- The Retention Obligation: organisations must cease to retain documents containing personal data, or remove the identifying information relating to a particular individual, as soon as it is reasonable to assume that: (a) the purpose for which that personal data was collected is no longer being served by the retention of the personal data; and (b) the retention is no longer necessary for legal or business purposes.
- The Transfer Limitation Obligation: organisations may only transfer personal data to a country or territory outside of Singapore if the recipient is bound by legally enforceable obligations to provide the transferred personal data with a standard of protection that is comparable to the protection provided under the PDPA.
- The Openness Obligation: organisations must implement the necessary policies and procedures in order to meet their obligations under the PDPA and make information about those policies and procedures available to their employees or to the public, if requested. The Openness Obligation also includes designating at least one individual in the organisation responsible for ensuring its compliance with the PDPA.
We set out below some non-exhaustive scenarios of how the abovementioned personal data obligations will apply in the employment context:
Generally, employers should obtain candidates’ written consent before the collection, use and disclosure of their personal data for pre-employment screenings, unless such collection, use and disclosure of personal data is necessary for the employer to evaluate the candidates for employment and falls within the “evaluative purposes” exception under the PDPA. Employers should note that the “evaluative purposes” exception does not affect rights or obligations arising under any other law, for example, the legal obligations under the law of confidentiality. Therefore, employers should obtain candidates’ written consent before the collection, use and disclosure of their personal information, to pre-empt any questions on consent which may be raised by a disgruntled candidate.
If requested by the candidate, employers will be required to provide the candidate with his or her personal data discovered in any pre-employment screening checks and give the candidate an opportunity to verify or correct such information.
After the employer has decided which job applicant to hire, the personal data that it had collected from the unsuccessful job applicants should only be kept for as long as it is necessary for business or legal purposes.
Employee personal data
Employers maintaining employee personal information (for example, contact information, resumes, remuneration histories, and other personal information obtained through the monitoring of employee email and chat room messages) should inform the employees of the purposes for the collection, use and disclosure of their personal data and obtain their consent for the same. For new employees, consent may be obtained at the point of appointing the new employee, for example, through the employment contract. Consent from existing employees may be obtained through, for example, publication of the employer’s personal data policy on the employer’s internal website or in the employee handbook, and requesting the employees to execute and return a consent slip with regard to the policy. The policy should set out clearly the purpose of the collection, use or disclosure, the procedure for withdrawal of consent, the procedure for access and correction of personal data, and the business contact information of a designated person who is able to answer employees’ questions about the collection, use or disclosure of their personal data.
If the employing organisation shares employee personal data with its group companies outside of Singapore (for example, due to the group’s centralised HR information management system being located outside of Singapore), in addition to obtaining consent from the employees for such transfer, such organisation will need to set up binding corporate rules that apply to both the transferring organisation and the receiving group company to ensure that the personal data so transferred are conferred protection that is comparable to the standard under the PDPA.
Third party service providers processing employee personal information
Employers who engage third party service providers to process employee personal information on their behalf (“Data Intermediaries”), for example, payroll service providers, work pass agencies, etc., should be aware that they will be held responsible under the PDPA in respect of personal data processed on their behalf by such Data Intermediaries as if the personal data were processed by the employers themselves. Therefore, employers are strongly encouraged to review the terms of engagement with their Data Intermediaries to ensure compliance with the PDPA and to ensure that the contracts set out each party’s responsibilities and liabilities in relation to the personal data in question. Employers are also recommended to set up due diligence processes so that they can assure themselves that a potential Data Intermediary is capable of complying with the PDPA.