Singapore’s newly passed Personal Data Protection Act 2012 (PDPA) is expected to be enacted in early 2013 and implemented in about mid-2014, giving organizations more than 18 months to get ready to comply with the PDPA.
The PDPA applies to all private sector organizations. In general, the collection, use and disclosure of personal data (PD) requires the individual’s consent. The holder of PD will also have responsibilities in relation to the security of the data, and to access to and correction of the personal data.
However, in relation to employees’ PD, the PDPA dispenses with consent for the following permitted purposes:
(a) Managing or terminating employment relationships
Employee PD can be collected, used and disclosed (including by way of outsourcing) without the need for the employees’ consent provided:
- the collection, use and disclosure of employee PD is reasonable for the purpose of managing or terminating an employment relationship between the organization and the individual (“Employment Purpose”);
- on or before collecting, using or disclosing employee PD for the Employment Purpose, the employer notifies the individual of that Employment Purpose; and
- upon request by the individual, the employer provides the business contact information of a person who is able to answer on behalf of the employer the individual’s questions about the collection, use or disclosure of the individual’s PD.
(b) Evaluative purposes
Employee PD can also be collected, used and disclosed without the need for the employees’ consent and without notification for “evaluative purposes”, which include determining suitability for employment, for promotion, or for removal from employment.
PD of applicants for employment can likewise be collected, used and disclosed without the need for the applicants’ consent and without notification for “evaluative purposes”, including for the purpose of determining the suitability, eligibility or qualifications of the individual for employment.
(c) Business asset transactions
Employee PD can be used or disclosed to a party or prospective party (“3rd party”) in a business asset transaction provided all of the following conditions are satisfied:
- the PD relates directly to the part of the employer’s organization or business assets with which the transaction is concerned;
- the PD is necessary for the 3rd party to determine whether to proceed with the business asset transaction;
- the employer and the 3rd party have entered into an agreement which requires the 3rd party to use or disclose the PD only for the purposes related to the business asset transaction;
- if the employer enters into the business asset transaction, the employer must notify the employees that the transaction has taken place and that their PD has been disclosed to the 3rd party.
- if the business asset transaction falls through, the 3rd party to the transaction must return or destroy the PD obtained.
A business asset transaction is defined to mean the purchase, sale, lease, merger or amalgamation, or any other acquisition, disposal or financing of any organization or part of the organization, or any of its business or assets, other than the PD which is to be disclosed.
(d) Pre-PDPA Employee PD
An employer may continue to use employee PD which the employer collected before the PDPA comes into effect for the purpose for which it was collected. An employee may, however, withdraw his consent to such pre-PDPA collected PD. In that case, the employer may nevertheless collect fresh employee PD for the permitted purposes under the PDPA, without the need for the employee’s consent.