HR Compliance Assist

 Back to Topics

Employee Data Privacy

Singapore - Employee Access Rights

 Download as a PDF

Do individuals have the right to access their personal information?

Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.

joshua-newton-210070

Employees and job applicants are generally allowed access to their personal data under the Personal Data Protection Act (PDPA, Sec. 21). In addition, employers must generally notify employees prior to data collection/use/disclosure (excluding for evaluative purposes).

Employee Access

Upon request, employers should provide individuals with the personal data about the individual that is under the control of the employer. In addition, employers should provide information as to the the personal data has been or may have been used or disclosed in the year prior to the request. Some data is exempt from this requirement, such as:

  • personal data that would reveal personal data about another individual;
  • personal data that would threaten the safety, physical or mental health of an individual;
  • opinion data kept solely for an evaluative purpose (such as job candidate reviews);
  • personal data subject to legal privilege;
  • personal data, which, if disclosed, could in the opinion of a reasonable person, harm the competitive position of the organization;
  • requests that would: unreasonably interfere with the operations of the organization due to the systemic nature of the requests; be unreasonable or disproportionate to the individual’s interests; not be possible as the data doesn’t exist/can’t be found; or is otherwise frivolous or vexatious.

Organizations can charge a reasonable fee to process access requests in order to cover the incremental costs associated with responding to a request.


Access should be provided to employees as soon as reasonably possible. If it will take more than 30 days to respond to an access request, inform the employee within 30 days as to when the response will be provided (employers should provide access at the soonest possible time).


chuttersnap-255210Correction/Withdrawal Requests 

Employers should correct personal data upon an individual’s request unless there are reasonable grounds that the correction should not be made. If a correction is made, the employer should send the updated data to every other organization to which the personal data was disclosed in the last year before the date the correction was made. 


Employers do not need to correct personal data where:

  • the personal data was only kept for an evaluative purpose;
  • the data is relating to a legal claim that hasn’t been completed.

Note that organizations cannot charge a fee to process a correction request.

If it will take more than 30 days to respond to a correction request, inform the employee in writing within 30 days as to when the correction can be made (information should be corrected at the earliest feasible time).

 

Personal Data Protection (Amendment) Act 2020

The Ministry of Communications and the Personal Data Protection Commission (PDPC) have passed amendments to the existing Personal Data Protection Act 2012. The enhanced PDPA includes additional access requirements, including that:

  • organizations are required to retain personal data requested pursuant in an access request (or a copy) for at least 30 calendar days after rejection of a request or, until the individual has exhausted their right to apply for reconsideration to the PDPC or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal (whichever is later);
  • organizations may have a data portability obligation for data held electronically (i.e., organizations may, at the request of an individual, be required to transmit personal data that is in the organization’s possession or under its control, to another organization in a commonly used machine-readable format). This only applies when: the user provided data and user activity data is held in electronic form, including business contact information; requesting individuals have an existing, direct relationship with the organization; and receiving organizations have a presence in Singapore.

 

HR Best Practices: Employers should establish official procedures and contacts for employee access and correction requests. When processing an access request from an employee, make sure not to disclose information connected to other employees.

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk