Is your HR department compliant with personal data regulations?
As most people know, the European Union's (EU) General Data Protection Regulation (GDPR) came into effect in 2018, mandating strict rules on the collection and use of personal data belonging to EU citizens.
Singapore also has its own Personal Data Protection Act, in place since 2012, which establishes requirements on how companies collect, use and disclose personal data. In September of this year, Singapore is set to introduce additional regulations aimed at enhancing consumer protection against the unjustified collection, use, disclosure and retention of physical National Registration Identity Card (NRIC) numbers.
Much has been written on the pros and cons of such regulations, including their effect on innovation, legal implications and how marketing and sales teams need to ensure they don’t breach the regulations in their quest for customer information. However, HR leaders need to be just as knowledgeable on the details of these regulations for a number of reasons.
HR departments typically hold a significant amount of personal data on employees. This includes identification numbers and documents (copies), resumes, CVs, copies of educational documents, performance history, bank account details and pay details among other items.
Although it is an EU regulation, the GDPR affects any company (including Singaporean ones) that has employees or freelancers based in the EU, whether or not they are EU citizens. The GDPR gives these employees more rights and more control over how their personal data is used.
Employees can now view, rectify and request the deletion of their personal data; they also have the right to be informed of how their data is used. The EU regulation also applies to the third-party vendors that HR departments use, including those that hold employee data on behalf of the company.
In Singapore, HR departments need to understand the PDPA and its provisions on the collection, use and disclosure of employees' personal data, know what their legal obligations are, and have policies in place to comply with those obligations. For instance, employers need to inform their employees about the collection, use and disclosure of their personal data even for reasonable purposes, such as collecting bank account details for salary payments.
The same applies to job applicants. The PDPA clarifies that information voluntarily provided to the company by the applicant can be used by the company for the purpose of assessing the job application and can be retained should that applicant be hired in order to manage the employment relationship. However, that data should only be kept for as long as is necessary for business or legal purposes, after which it should be deleted/destroyed.
Employers need to make reasonable security arrangements to protect employees' personal data. These can take many different forms, but at a minimum access to this data needs to be limited and subject to authorization.
Another consideration for HR (and leadership in general) is how information is handled in open office or shared workspace environments. Many firms are starting to embrace offices that are more open and eschew the ‘cubicle’ layout that, while it was disliked by many employees, did afford a certain level of privacy.
Today many firms prefer open office layouts with few or no barriers between employees, while others encourage shared workspaces. It is now easier for colleagues to see, either accidentally or otherwise, each other's work, including, potentially, employee and client data.
Companies should know that, under the PDPA, an organization is responsible for the actions of its employees when it comes to the handling of personal data: any breach, act or conduct by an employee is treated as done by the employer, even if the employer had no knowledge of the action and did not approve it. Open office layouts present many opportunities for data breaches to occur, and processes should be put in place to prevent them.
These are just some of the areas that HR departments need to be aware of when collecting and handling employee data. Furthermore, as of September 1, 2019, companies in Singapore must not collect, use or disclose NRIC numbers unless legally required, or unless necessary to establish an individual's identity to a high degree of fidelity. Employers with large numbers of former employees and applicants may still hold databases containing NRICs, potentially in breach of these new rules.
HR heads need to pay as much attention to data protection regulations as their counterparts in sales and marketing. Failure to understand how these regulations affect their company could result in the wrong hire, or could see their own department breach the rules, exposing the company to penalties.