PDPA and Employee Data

June 28, 2014

The data protections sections of the Personal Data Protection Act (“PDPA”) will come into force on 2 July 2014.

Even at this late hour, many organisations still do not know that PDPA requirements are far-reaching and impact their businesses beyond just customer information. Unbeknownst to many, the PDPA has implications even to organisations catering to business clients (i.e. B2B organisations).

An example of an area of application even to B2B organisations is employee data.

The PDPA applies to employee data collected, used and/or disclosed by an organisation. It also applies to data belonging to prospective employees as contained in the employment application form or their CVs sent together with such forms. Please note that the term “employee” also includes volunteers. It is considered that the PDPA principles applicable to employees also apply to interns, apprentices, trainees, freelancers…etc.

The PDPA’s application to employee data is wide-ranging and focus must be given as to how the organisation collect, use and/or disclose such data. As long as an organisation intends to collect, use or disclose employee data, the PDPA’s requirements must be considered carefully.


PDPA and typical Employment Scenarios

We list down below some common “employment” situations where organisations might wish to consider PDPA implications:

a. At the interview stage when the organisation will collect personal data from the prospective employee and use it to decide his/her suitability for employment.

b. When organisation A approaches organisation B for a reference of a particular candidate. Or organisation A is approached by organisation B seeking a reference for an ex-employee seeking employment with organisation B. References of the ex-employee are clearly personal data.

c. An organisation has responsibility over personal data collected during the interview process even after the process has ended and the candidate is unsuccessful. The PDPA has application to questions like how long the candidate’s personal data can be retained, what would be the purposes of such retention, were these purposes communicated to the organisation…etc.

d. When an organisation hires an employee or engages a freelancer/trainee/volunteer, personal data belonging to these persons are subject to the PDPA regime. What information is being collected and how they are intended to be used must be evaluated against the PDPA.

e. Employers are obliged to ensure that personal data of employees are protected and not kept beyond a period which can be said to be necessary. Employers are also to implement processes to allow employees to exercise their rights to access and/or correct their personal data.

f. Employees can also withdraw their consent to an organisation’s collection, use and/or disclosure of their personal data and an organisation should lay down the procedure should they wish to do so.

g.The PDPA also has relevance to the common practice of employers monitoring their staff using CCTV or other tracking/security devices.

h. Some employers allow their staff to use their own laptops for employment purposes but on condition company software is installed and monitoring is done through that software. As such personal laptops can contain personal data, employers should be aware that PDPA considerations would be relevant.

i. In the course of his/her employment, some staff will be tasked to handle personal data – whether of customers or of their colleagues. The PDPA provides that if an employee of an organisation fails to handle personal data in accordance with the requirements of the PDPA, then not just the employee but even the employer organisation will be liable for such breaches under the PDPA.

j. Organisations with more than one offices will have to observe and comply with the PDPA’s personal data transfer obligations when it transfers employee data to another of its offices whether local or overseas.

k. After terminating an employment relationship, the organisation will also need to give thought to how it wishes to retain the ex-employee’s personal data and for what purposes.


Suggested Steps

In seeking to comply with the requirements of the PDPA, employers may wish to consider the following steps:

  1. develop and implement corporate data protection policies with application to employees, volunteers, freelancers, interns…etc;
  1. provide training to employees to ensure they know how to handle personal data including their own and those of their colleagues;
  1. conduct personal data audits on its own data system to ensure it is robust and satisfies PDPA obligations of accuracy, protection, security, retrieval and retention; and
  1. create document and data retention policies and ensure they are enforced.


Should you have any queries or comments on the above note, kindly contact gluu@gluu.asia.

If you like to continue receiving our regular updates, please “like” our Facebook page at https://www.facebook.com/gluu.asia or drop us an email to indicate your wish to subscribe at gluu@gluu.asia.


Important Notice: The contents of this note are owned by its author and subject to copyright protection in Singapore and, through international treaties, other countries. No part of this note may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means) without the prior written permission of Gluu.


While the information in this note is correct to the best of the author’s knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action. Should you intend to rely on the contents of this note, please seek legal advice applicable to your specific situation.

Share This

Hey, like this post? Why not share it with a buddy?

More Posts