Personal Data Protection Act Guidelines

OBJECTIVE

To govern the collection, use and disclosure of personal data by the company in a manner that recognizes both the right of employees to protect their personal data and the need of the company to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

SCOPE

“Personal Data” refers to data about an employee who can be identified from that data or other personal information of the employee to which the organization has or is likely to have access.

THE DATA PROTECTION PRINCIPLES

There are nine key obligations that are central to the Act. The company and all its employees must comply with these principles at all times in its information-handling practices.

1. Consent Obligation
The Company must obtain consent from the employee before collecting, using or disclosing his or her personal data for a purpose. The Company holds personal data about an employee. By signing the contract of employment, an employee has consented to that data being processed by the Company for any purpose related to his/her continuing employment or its termination including, but not limited to, payroll, human resources and business continuity planning purposes. This is also considered as consent for the Company to provide the employee’s personal data to a 3rd party, if the Company has engaged a 3rd party to provide services related to continuation of employment. Agreement to the Company processing personal data is a condition of an employee’s employment. This includes giving consent to the Company using the employee’s name, photograph and a brief work experience history in its marketing or promotional material, whether in hard copy print format or online on the Company’s website. It also includes supplying the Company with any personal data that it may request from an employee from time to time as necessary for the performance of the contract of employment or the conduct of the Company’s business, for example, supplying up-to-date contact telephone numbers to be held by line managers as part of its business continuity plan. The Company also holds limited sensitive personal data about its employees and, by signing the contract of employment, an employee gives explicit consent to the Company holding and processing that data, for example sickness absence records, medical condition, health needs, etc.

2. Purpose Obligation
The Company may collect, use or disclose personal data about an employee only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the employee concerned. 

The Company is obliged to process fairly and lawfully unless certain conditions are not met in relation to usage of personal data. The conditions are either that the employee has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to:

  • Race or ethnic origin
  • Political opinions and trade union membership
  • Religious or other beliefs
  • Physical or mental health or condition
  • Sexual life
  • Criminal offences, both committed and alleged

3. Notification Obligation
The Company must notify the employee (either verbally or in writing) of the purpose(s) for which it intends to collect, use or disclose the employee’s personal data on or before such collection, use or disclosure of the personal data.

4. Access and Correction Obligation
The Company must, upon request:

  • Provide an employee with his/her personal data in the Company’s possession or under the control of the company and information about the ways in which the personal data has been or may have been used or disclosed.
  • Correct an error or omission in an employee’s personal data that is in the possession or under the control of the company.

Employee’s right to access personal information

An employee has the right, on request, to receive a copy of the personal information that the Company holds about him/her and to request that any inaccurate data be corrected or removed. An employee also has the right on request to:

  • Be told by the Company whether and for what purpose personal data about him/her is being processed
  • Be given a description of the data and the recipients to whom it may be disclosed

Upon request, the Company will provide an employee with information regarding the personal data that is being held about him/her. If an employee wishes to access a copy of any personal data, then he/she must make an official request and the Company reserves the right to charge him/her a fee of up to S$20 per request.

5. Accuracy Obligation

The Company must make a reasonable effort to ensure that personal data collected by the Company is accurate and complete if the personal data is likely to be:

  • Used by the Company to make a decision that affects the employee concerned; or
  • Disclosed by the company to a 3rd party.

The information provided or collected must be adequate, relevant and not excessive. The Company will do an annual personal data update. If an employee’s personal information changes, for example, change of address, an employee must inform the HR department as soon as practicable so that the Company’s records can be updated. The Company cannot be held responsible for any errors unless the employee has notified the Company of the relevant change.

6. Protection Obligation
The Company must protect personal data in its possession by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. The Company also has to ensure that any personal data of employees that was provided to a 3rd party is protected per the Personal Data Protection Act. Appropriate measures will be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personnel files are confidential and are to be stored in filing cabinets that are accessible only to authorized employees. Files will not be removed from their normal place of storage without good reason. Personal data stored on discs, memory sticks, portable hard drives or other removable storage media will be kept in locked filing cabinets or locked drawers when not in use by authorized employees. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorized employees have access to that data. The Company must ensure that network backup procedures are in place to prevent personal data from being accidentally lost or destroyed.

7. Retention Limitation Obligation

The Company or 3rd Party provider that was appointed by the Company must cease to retain documents containing personal data as soon as it is reasonable to assume that:

  • The purpose for which the personal data was collected is no longer being served by retention of the personal data; and
  • Retention is no longer necessary for legal or business purposes.

Personal data will not be kept for longer than is necessary. The Company will keep personnel files for no longer than five (5) years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Company decides that it does not need to hold for a period of time will be destroyed immediately based on the retention policy. Data relating to unsuccessful job applications will only be retained for a maximum period of one year.

8. Transfer Limitation Obligation
The Company must ensure that personal data that are transferred outside Singapore including to other sister companies or 3rd parties have comparable standards of protection.

9. Openness Obligation
The Company is required to develop and implement policies and practices that are necessary for the Company to meet its obligations under the PDPA and to make information about their data protection policies and practices available. The Personnel & Administration Manager is appointed as Data Protection Officer (DPO) and he/she is responsible for ensuring its compliance.

OBLIGATIONS IN RELATION TO PERSONAL INFORMATION

If, as part of your job duties and responsibilities, you collect personal information about employees or other people such as clients or customers, you must comply with this policy. This includes ensuring the information is processed in accordance with the Act, is only processed for the purposes for which it is held, is kept secure and is not kept for longer than necessary. You must also comply with the following guidelines at all times:

  • Do not disclose confidential personal information to anyone except the data subject. In particular, it should not be:
  1. Passed to any other unauthorized third party
  2. Placed on the Company’s website
  3. Posted on the Internet in any form

unless the data subject has given their explicit prior written consent.

  • Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request before releasing personal information.
  • Only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine or encryption is used for e-mail.
  • If you receive a request for personal information about another employee, you should forward this to the HR department, which is responsible for dealing with such requests.
  • Ensure any personal data you hold is kept securely, either in a locked filing cabinet or, if computerized, it is password protected so that it is protected from unintended destruction or change and is not accessed by unauthorized persons.
  • Do not access another employee’s records without authorization as this will be treated as gross misconduct and it is a criminal offence.
  • Do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which are inappropriate to be shared with that data subject.
  • Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorized by your line manager.
  • Ensure that, when working on personal information as part of your job duties when away from your workplace and with the authorization of your line manager, you continue to observe the terms of this policy and the Act, in particular in matters of data security.
  • Ensure that hard copy personal information is disposed of securely, for example using a cross-shredding machine.
  • Remember that compliance with the Act is your personal responsibility. If you have any questions or concerns about the interpretation of these rules, please contact the HR department.