What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Personal Data Protection Act 2012 (PDPA) sets the basic requirements for data privacy in Singapore. The Act governs the collection, use and disclosure of individuals’ personal data, whether in paper or electronic form.
Alongside the PDPA, Singapore has subsidiary Regulations and advisory Guidelines relating to different aspects of the Act.
Personal data under the PDPA is defined as data about an individual who can be identified from that information, or from that data in conjunction with other information that the organization has or can access.
Unlike the laws of other jurisdictions such as the UK or Canada, the PDPA makes no distinction between different kinds of data based on their sensitivity. This is consistent with keeping the PDPA as a “content-neutral” and harmonized baseline regime.
The PDPA is based on the concepts of consent, purpose and reasonableness. Businesses may only process an individual’s data with that person’s knowledge and consent (note: there are some exceptions). The data can only be collected/used/disclosed in a way that is appropriate for the purposes of the collection and would be generally considered reasonable.
One key exception to the requirement of consent relates to employment. Consent is not necessary when “the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual” (PDPA, Second Schedule, O). This applies both when collecting data directly from the individual and from other sources.
Employers should take note that in terms of the obligation to protect personal data, the more sensitive the data, the greater the need to ensure that employee data is secured. For example, it would be reasonable to expect a greater level of security for highly confidential employee appraisals as compared to more general information about the projects an employee has worked on.
The current authority responsible for enforcement of data privacy law and regulations in Singapore is the Personal Data Protection Commission.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.