With the Personal Data Protection Act (“PDPA”) coming into full force on 2 July 2014, it is time for employers to revise workplace policies to ensure that they comply with the new legislation and adequately protect their employees’ personal data. In this article, we highlight the relevant obligations under the PDPA arising in the employment context according to the typical cycle of an employment relationship.

Personal Data Protection in the Workplace

Background

As many of us would know by now, the PDPA is a baseline data protection framework which applies to all organisations which collect, use and disclose personal data in Singapore. 

To set the context for this article, it is helpful to understand the key concepts used in the PDPA. “Organisation” is defined in the legislation to include any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore. In light of this broad definition, most employers will fall within it and, therefore, have to comply with the obligations set out in the PDPA. The term “personal data” is also defined broadly. It includes data, whether true or not, about an individual which can be used to identify the person.¹ Information that does not directly identify the individual may still be considered personal data if it can identify the individual when combined with other information that the organisation has or is likely to have access to.

The PDPA also establishes a Personal Data Protection Commission (the “Commission”) whose functions include promoting the awareness of data protection in Singapore, and administrating and enforcing the PDPA. 

The Commission has issued five sets of Advisory Guidelines:

1. The Advisory Guidelines on Key Concepts in the PDPA (the “Key Concepts Guidelines”);

2. The Advisory Guidelines on the PDPA for Selected Topics (the “Selected Topics Guidelines”);

3. The Advisory Guidelines on the Do Not Call Provisions;

4. The Advisory Guidelines for the Telecommunications Sector; and

5. The Advisory Guidelines for the Real Estate Agency Sector.

On 16 May 2014, the Personal Data Protection Regulations (“PDPR”) were gazetted. The PDPR expands on the PDPA’s Access and Correction Obligation and Transfer Obligation. The revised Key Concepts Guidelines were also published and provide examples in relation to the PDPR. Public consultations for two other Advisory Guidelines, namely the Advisory Guidelines for the Education, Healthcare and Social Service Sectors and the Selected Topics Guidelines (photography), were recently concluded. While these Advisory Guidelines are not legally binding, they provide an indication as to how the Commission will interpret the PDPA. As such, it is important for organisations to be familiar with these non-binding guidelines.

To Hire or Not to Hire – Recruitment Process

Designing the Appropriate Application Form

At the pre-employment stage, it is often necessary for job-seekers to submit a job application form. The PDPA imposes an obligation on employers to obtain the applicants’ consent before collecting, using or disclosing their personal data (the “Consent Obligation”).² An applicant is not taken to have consented unless he has been notified of the purposes for which his personal data will be collected, used or disclosed (the “Notification Obligation”).³ Nevertheless, when an applicant voluntarily provides his personal data to the employer in the form of a job application, he may be deemed to consent to the employer collecting, using and disclosing the personal data for the purpose of assessing his job application.⁴

What Information Should be Requested?

Employers should refrain from requiring job applicants to provide personal data that are not relevant to the job they are applying for or to the employers’ decision of hiring them. Personal data should only be collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances (the “Purpose Limitation Obligation”).⁵ Where an employee-to-be voluntarily provides personal data knowing the purpose for which such personal data is provided, and the circumstances are such that it is reasonable for the individual to have provided his personal data, he may be deemed to have consented to the collection and use of his personal data for the said purpose. 

Getting to Know the Job Applicants Before the First Interview

It is common for employers to conduct due-diligence checks on prospective employees. This may be done in a number of ways. One of the ways is to conduct a search on publicly available material on the job applicants. Employers who have the habit of doing so will be happy to know that they need not obtain the applicants’ consent if the personal data is publicly available.⁶ Due to the volatility of information on the internet, the Commission allows employers to use and disclose an individual’s personal data even if the data is no longer publicly available so long as it was publicly available at the point of collection. Another way of conducting checks is to obtain references from the applicants’ former employers. To the extent that personal data is collected and used only for evaluative purposes, the applicant’s consent is not required.⁷ However, some former employers may nevertheless require requests for references to be made by the applicant himself, as a means of checking on the legitimacy of such requests from third parties.   

Ensuring Accuracy

The employer also has an obligation to make a reasonable effort to ensure that the personal data collected is accurate and complete if the data is likely to be used by the company to make a decision that affects the individual or is likely to be disclosed by the organisation to another organisation (the “Accuracy Obligation”).⁸ If the personal data is provided by the individual and supported by documents such as his identification card or academic transcripts, the employer will be able to verify the accuracy of the personal data. However, if the employer is uncertain about the accuracy of the personal data, he may require the individual to make a verbal or written declaration that the data provided is accurate and complete.

Dealing with Personal Data of Unsuccessful Applicants

For unsuccessful applicants, employers should only retain their personal data if there is a reasonable purpose for doing so or if it is necessary for any legal or business purposes (the “Retention Limitation Obligation”).⁹ For example, the employer may wish to retain personal data to consider the applicants for future job vacancies. If so, the applicants should be informed of this intended purpose and their consent should be sought for their personal data to be kept for such purpose.

You’re Hired! – Commencement of Employment 

After the applicant has been employed, the employer may require additional information about him not provided in the job application form. Similarly, in relation to the additional personal data, the employer will have to notify its employees of the purposes for the collection, use or disclosure of the personal data and obtain their consent.

However, there are two exceptions to the general obligations that are applicable in the employment context: the “evaluative purposes” exception and the “managing and terminating an employment relationship” exception.

The “Evaluative Purposes” Exception

Employers may collect, use and disclose personal data without obtaining the employees’ consent or notifying them where it is necessary for evaluative purposes.¹⁰ Evaluative purposes include the determination of the suitability or eligibility of an individual to whom the data relate for employment, continuance in employment or promotion.

The “Managing and Terminating an Employment Relationship” Exception

Employers are permitted to collect personal data of employees without their consent if the collection is reasonable for the purpose of managing or terminating an employment relationship.¹¹ The use or disclosure of such personal data is also allowed if it is consistent with the purpose of the collection.¹² However, employers must still notify their employees of the purposes of such collection, use or disclosure. 

The Selected Topics Guidelines provided four examples of purposes that could fall within the meaning of managing and terminating an employment relationship: 

1. Using the employee’s bank account details to issue salaries;

2. Monitoring how the employee uses company computer network resources;

3. Posting employees’ photographs on the staff directory page on the company intranet; or

4. Managing staff benefit schemes like training or educational subsidies.

This “employee exemption” is special to some jurisdictions, but not available in others. Apart from Singapore, one other example is Australia, where employee records held by a private sector employer are given a limited exemption from its Privacy Act.¹³ Employers in Australia are also not obliged to grant employees access to their records. In contrast, Singapore’s “employee exemption” does not abrogate the access and correction obligations of employers which will be discussed below. Other jurisdictions such as Hong Kong, Malaysia and Philippines do not have specific exemptions relating to employee data.

In practice, it may be difficult to distinguish between the exception for the purpose of managing or terminating an employment relationship and the exception for evaluative purposes. The Selected Topics Guidelines illustrate that if an employer collects information about the work an employee has done in order to decide whether to promote him, this situation is covered under the evaluative purposes exception and no consent or notification is needed. If information is collected to conduct audits on the employee’s finance claims, the purpose is to manage or terminate the employment relationship and the employee must be notified that his personal data is being collected for audit purposes. Even if a situation falls within an exception under the PDPA, employers should be mindful of their other legal obligations, such as the need to protect confidential information of their employees under their employment contracts (if any) and their duties at common law.

Security

After collecting personal data, employers have a duty to safeguard it (the “Protection Obligation”).¹⁴ Reasonable security arrangements must be made to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks to the personal data. In order to do so, the Key Concepts Guidelines suggest that employers design security arrangements according to the nature of the personal data held and the possible harm resulting from a breach. For example, highly confidential information about employees should be kept in locked file cabinet systems or in a secured computer network with restricted access. The information should only be entrusted to reliable and well-trained personnel. There should also be a plan on how to deal with security breaches expeditiously and effectively.

Access and Correction

A more complicated situation arises when an employee requests to access his personal data. Section 21 of the PDPA requires an employer to respond to such a request and make reasonable efforts to provide the employee an opportunity to examine his own personal data (the “Access Obligation”). Personal data includes data about the employee that is in the employer’s possession or under the employer’s control.¹⁵ Upon the employee’s request, the organisation should also inform him of the ways in which his personal data has been used or disclosed by the employer within a year before the date of request. When doing so, the organisation should individually identify each possible third party, instead of simply providing general categories of organisations (eg “pharmaceutical company ABC” instead of “pharmaceutical companies”) to which personal data has been disclosed. The exceptions to the Access Obligation are found in the Fifth Schedule of the PDPA. One of them exempts the employer from giving the employee access to his personal data if it would reveal confidential commercial information that could harm the competitive position of the employer.

Other than accessing his personal data, an employee may also request the employer to correct an error or omission in his personal data, subject to the exceptions listed in the Sixth Schedule (the “Correction Obligation”).¹⁶ The employer should correct the personal data as soon as practicable and, if the employee consents, send the corrected personal data to the specific organisations to which the personal data was disclosed by the employer within a year before the date of correction. However, the employer need not make a correction if he is satisfied on reasonable grounds that a correction should not be made. In such a case, the employer shall annotate the personal data with the correction that was requested but not made.

Withdrawal of Consent

Employers should be aware that employees may at any time withdraw their consent to the collection, use or disclosure of their personal data by the employer.¹⁷ In this situation, the employer must inform the employee of the likely consequences of withdrawing his consent. The employer must not prohibit the employee from withdrawing consent. However, any legal consequences arising from the withdrawal will still ensue. After the withdrawal of consent, the employer must cease the collection, use and disclosure of personal data. This obligation does not require the employer to delete or destroy the personal data upon request. If any of the statutory exceptions apply, or if there is a valid purpose for retention, the personal data may be preserved.

Monitoring Employees – Use of Closed-circuit Television Cameras

The use of closed-circuit television cameras (“CCTVs”) at work premises is common. The Selected Topics Guidelines made particular mention on the collection of personal data through CCTVs. Whether or not employers have to notify their employees when CCTVs are deployed depends on the purpose for which the CCTV footage is being collected, used or disclosed. As a good practice, employers may still wish to provide notification even if an exception applies. Notices that CCTVs are in operation should be placed in such a manner and at such positions to make employees sufficiently aware of the operation of the CCTVs and their purpose. The employer may decide not to reveal the exact location of the CCTVs if the purpose is to covertly monitor the premises for security reasons.

Like other documents containing personal data, an employee may request to access the CCTV footage. If images of other individuals can be seen in the footage, the employer is required to mask the other individuals. If the processing fee to edit the footage is too costly, the employer may invoke the exceptions provided for in the Fifth Schedule, such as on the ground that the expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests, and reject the access request.

“Bring Your Own Device”

There is a rising trend in companies adopting the “Bring Your Own Device” (“BYOD”) model in Singapore. Despite its commercial advantages, BYOD also brings about certain concerns. Employers may find it more difficult to monitor their employees’ behaviour or ensure that confidential corporate data is not leaked. To address these concerns, employers may require employees to consent to giving the employers access to their devices and the personal data that may be stored in such devices. This would reduce the employers’ risk of infringing the Computer Misuse and Cybersecurity Act which prohibits the unauthorised access to computer material. Employers should also notify their employees if they are able to access their employees’ personal data when the employees connect to the company’s network.

Transfer of Personal Data Overseas

Employers may need to transfer their employees’ personal data out of Singapore for various reasons. For example, the company may have outsourced its payroll functions overseas or if the company’s headquarters requires the information. Under the PDPA, an organisation which transfers personal data out of Singapore must take appropriate steps to: (i) ensure that it complies with the obligations under the PDPA; and (ii) ensure that the recipient is bound by legally enforceable obligations to provide the personal data a standard of protection that is comparable to the PDPA.¹⁸

When there is a need to transfer personal data to countries with weak or no data privacy laws, employers may consider using binding contracts for inter-corporate transfers and binding corporate rules for intra-corporate transfers. Regardless of the type of instrument used, it should always set out the purpose of the personal data, the permissible extent of use and disclosure, the obligation of the receiving organisation to maintain accuracy, the security arrangements required, the retention guidelines, and any other policies to ensure that the employees handling the data comply with similar obligations. 

Notwithstanding the above, an organisation is taken to have satisfied the requirement to ensure the recipient is bound by legally enforceable obligations if, among others:¹⁹

1. the individual whose personal data is to be transferred gives consent to the transfer after being given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the PDPA;

2. the transfer is necessary for the performance of a contract between the organisation and the individual;

3. the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual’s request; or

4. the personal data is “data in transit”.²⁰

Adios! – Termination of Employment 

When an employee leaves the company, the employer should cease to retain all documents containing the ex-employee’s personal data or remove the means by which the personal data can be associated with the ex-employee, unless there is a clearly defined purpose for retaining it or if it is necessary for legal or business purposes. For example, the employer may want to retain the personal data for future hiring references or for its alumni activities. Consent of the employee should be obtained in respect of such purposes.

Where there is no longer any valid purpose for retention, employers should make reasonable efforts to destroy, dispose or delete the personal data permanently. For example, the employer may return the documents to the individual in question, shred the document, or anonymise the personal data such that it no longer identifies any particular individual. The Retention Limitation Obligation is not adequately satisfied just by locking the documents away or transferring the documents to someone else.

Going Forward

The passing of the PDPA reflects a growing realisation that the absence of an umbrella statute on data protection puts local businesses at a competitive disadvantage as compared to those in jurisdictions with robust data protection laws. Singapore is positioning itself as a trusted hub for data storage in order to compete with the pioneers in this area. At the same time, the PDPA is also intended to provide individuals with some level of protection. 

Moving forward, employers should start implementing measures to comply with their new obligations under the Act. For example, employers should:

1. provide training for its employees to impart good practices in handling personal data and strengthen awareness of threats to security;

2. develop and implement appropriate data protection policies (eg BYOD, HR policies);

3. conduct privacy audits on the company’s security systems; and

4. document retention policies for personal data.

Employers should also keep a look-out for how the Commission or the Courts will interpret the exceptions applicable to employee data, and evaluate their compliance procedures accordingly. 

► Celeste Ang
     Baker & McKenzie.Wong & Leow 
     E-mail: [email protected]

► Tan Weiyi
     Baker & McKenzie.Wong & Leow
     E-mail: [email protected]

Notes

1. PDPA, s 2.

2 PDPA, s 13.

3 PDPA, s 20.

4 PDPA, s 15.

5 PDPA, s 18.

6 Exception 1(c) of the Second Schedule, Exception 1(c) of the Third Schedule, and Exception 1(d) of the Fourth Schedule.

7 Exception 1(f) of the Second Schedule and Exception 1(f) of the Third Schedule.

8 PDPA, s 23.

9 PDPA, s 25.

10 Exception 1(f) of the Second Schedule, Exception 1(f) of the Third Schedule, and Exception 1(h) of the Fourth Schedule.

11 Exception 1(o) of the Second Schedule.

12 Exception 1(j) of the Third Schedule and Exception 1(s) of the Fourth Schedule.

13 Australian Privacy Act 1988 (No. 119 of 1988), s 7B(3).

14 PDPA, s 24.

15 PDPA, s 21(1)(a).

16 PDPA, s 22.

17 PDPA, s 16.

18 PDPR, s 9(1).

19 PDPR, s 9(3).

20 “Data in transit” refers to personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of his employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation.