The Personal Data Protection Act 2012 (PDPA) governs personal data protection and applies to all organisations except those in the public sector. It protects personal data, which is broadly defined as data about an individual who can be identified from that data, or from that data in conjunction with other information that is likely to be accessible, by governing its collection, use and disclosure. The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC), which has also released substantive Advisory Guidelines informing the content and application of the PDPA.

i Requirements for registration and protection of personal data
The PDPA does not contain any express requirement for an organisation to register itself with the PDPC. However, it requires that an organisation designate one or more individuals to be responsible for ensuring that the organisation complies with it (i.e., the data protection officer (DPO)). The business contact information of at least one of these individuals must be made available to the public, and DPOs are encouraged to register themselves with the PDPC.
The PDPA generally requires that an individual's consent be obtained before the organisation can collect, use or disclose personal data. This applies to all forms of relationships with companies, including clients, customers, suppliers and employees. However, the PDPA dispenses with the requirement for the individual's consent in certain situations, four of which are pertinent in the employment context.
First, personal data produced for the purposes of an individual's employment, and personal data for the purposes of managing or terminating an employment relationship, may be collected, used and disclosed for those purposes, provided that notification of the purposes is given to the employee.
Second, an employee's personal data can also be collected, used and disclosed for 'evaluative purposes', without the need for the employee's consent and without the need to notify the employee. This includes determining suitability for employment, promotion or removal from employment by obtaining references from a former employer and maintaining employees' performance records.
Third, an employee's personal data can be used by the employer, or disclosed to a third party or prospective third party, in a business asset transaction, provided that three conditions are met: the personal data relates to the part of the employer's organisation or business assets with which the transaction is concerned; the personal data is necessary for the third party to determine whether to proceed with the transaction; and the employer and the third party have entered into an agreement that requires the third party to use or disclose the personal data only for purposes related to the transaction. In such a case, the employer must notify the employees that the transaction has taken place and that their personal data has been disclosed to the third party. If the business asset transaction is ultimately not completed, the third party to the transaction must return or destroy the personal data obtained.
Fourth, an employee's personal data may be collected, used or disclosed without notification or consent if it is 'necessary for any investigation or proceedings'. Collection of the data may only take place if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data. While the term 'proceedings' relates to civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority, it is quite likely that the term 'investigations', as distinguished from 'proceedings', would also encompass investigations within an organisation.

Organisations must also safeguard the personal data in their custody or control by making reasonable security arrangements to prevent unauthorised access, use, disclosure, copying, modification, disposal or similar risks. They must destroy or anonymise personal data once the purpose for its collection has expired. Employers must also ensure that their employees understand and uphold the PDPA obligations regarding data privacy. Under the PDPA, any conduct engaged in by an employee in the course of his or her employment is treated as also engaged in by the relevant employer, regardless of whether it was with the employer's knowledge or approval.
Revisions to the PDPA that impose stricter breach reporting rules can be expected. Proposed revisions that may come into effect in 2019 include requiring organisations to notify individuals who have been affected by a data breach as soon as practicable. Organisations would have 30 days to determine the veracity of suspected breaches, following which they would have 72 hours to notify the PDPC of the breach. Additionally, the PDPC has approved a proposal for organisations to share blacklists to detect fraud and prevent abuse of data, provided that the organisation ensures that the consumer is not harmed in any way and the data is not abused.

ii Cross-border data transfers
Under the PDPA, an organisation is not allowed to transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data that is comparable to the protection under this Act. Insofar as the transfer may constitute disclosure of personal data to different organisations, consent would have to be obtained from the relevant individuals unless an exception applies. This is pertinent to multinational corporations as the personal data of employees is often transferred to offices outside Singapore.
The PDPC's Advisory Guidelines provide further guidance in this regard. Personal data may be transferred overseas provided that the PDPA's substantive data protection provisions are complied with. This may be done by ensuring that the recipient of the personal data is bound by legally enforceable obligations to afford the transferred personal data a standard of protection that is comparable to that under the PDPA.

iii Sensitive data
The PDPA does not expressly differentiate between sensitive personal data and other personal data that is not sensitive. The general obligation is to obtain appropriate consent before collecting, using or disclosing personal data (whether sensitive or not).
The extent of personal data collected, used or disclosed would have to be reasonable, as the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. An organisation is also prohibited from requiring an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide products or services to that individual.
Accordingly, guidelines published by the PDPC (which will be applied by the PDPC in interpreting the PDPA from 1 September 2019) indicate that organisations are generally not allowed to collect, use or disclose national identifiers (national registration identification card numbers, birth certificate numbers, foreign identification numbers and work permit numbers) unless it is required by law, is an exception under the PDPA or is necessary. In the employment context, employers are required under Section 95 of the Employment Act to maintain detailed employment records of employees covered by the Employment Act, which includes employees' national identifiers and other relevant information.
Once personal data is collected, whether sensitive or not, an organisation is obliged to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. As the PDPC recognises in its guidelines, there is no 'one size fits all' solution, and an organisation should, among other things, implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity. A higher level of security is therefore warranted where the personal data concerned is more sensitive.

iv Background checks
Background checks are generally permissible. Though the general rule remains that an individual's consent must be provided before his or her personal data may be collected, used or disclosed, the PDPA provides certain exceptions. These include where the personal data is publicly available, where the personal data is collected by a credit bureau and where collection is necessary for evaluative or investigative purposes, as discussed above.