The human resource function, whether in-house or outsourced, has a wide range of responsibilities within an organization. One of the most important is to ensure that employee information is kept up to date and well protected from potential threats, from internal leaks to cybersecurity breaches. Failing in this duty can lead to a series of consequences, from loss of talent to lawsuits filed against the company.
A journey of a thousand steps starts with one, and working towards comprehensive personal data protection policies that meet the PDPA's obligations is not a straightforward one. The process begins with ensuring that the large amount of personal data generated daily by job applicants and employees remains updated, safe and secure. A major challenge is ensuring that no personal data is leaked by employees, whether unwittingly or deliberately.
HR is not only responsible for the data it holds; it often also decides the clearance level of an individual before that person is allowed to access information that is confidential to the business.
PDPA for HR Practitioners
There are many rules within the PDPA that apply to HR practice; these are just a few basic ones. In the employment context, an employer can collect and process its employees' personal data without consent if:
1. The processing is reasonable for managing or terminating the employment relationship. Such processing includes using an employee's bank details for payroll processing, administering staff benefits, and monitoring their use of company-issued devices.
2. The data is collected for evaluative purposes, which include determining the suitability of an individual for employment, promotion, or termination.
3. The information has been made publicly available by the individual on social media such as Facebook, Instagram or LinkedIn; such information can be collected and used without consent.
When an individual voluntarily provides his personal data to an organization in a job application, he may be deemed to consent to the organization collecting, using, and disclosing the personal data in relation to the job application.
If the individual is subsequently employed, the employer is allowed to continue to use personal data provided in the job application for the purpose of managing the employment relationship.
However, if an employer wishes to use personal data for any other purpose, they must inform the employee of those purposes and obtain his/her consent.
How to align with PDPA Compliance
These are the steps to fulfilling PDPA compliance:
1. Educate yourself and the organization about good data protection practices.
2. Plan data protection policies.
3. Implement the planned policies.
4. Actively monitor to prevent data breaches.
Education
The PDPA is constantly being updated, and amendments are passed to keep up with changes to personal data protection requirements across the globe. Before planning your company's approach to data protection policies, it is important to educate yourself on the latest PDPA developments and to provide training for your staff. Data protection is only as good as the weakest link, so it is important to ensure that each person within the organization knows their obligations under the PDPA.
Policies
To establish data protection policies, it is important to map out how sensitive personal data flows within your organization. Keep track of the people handling the data and their purpose for handling it, so that you can confirm each instance of access is necessary. Put in place protocols and policies to ensure that private information is kept within the organization, is used only for the purpose for which it was collected, and cannot easily be shared outside the organization.
Within the HR function, access to information such as NRIC numbers, contact details, salary, bonuses and performance reviews must be controlled and granted only as and when necessary. Physical areas that contain sensitive information should be segregated from the rest of the office and, as far as possible, secured with locks and keys to limit access by non-HR personnel.
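As an added illustration of the access-control principle above (this is example code written for this article, not a tool or policy the author describes), the following Python snippet models an HR record store in which each field is readable only by roles that need it, only for a declared purpose, and every access attempt is logged for later review. The roles, purposes, field names and the sample employee record are all constructed for the example; a real policy would be derived from the data-flow mapping described above.

```python
"""Field-level access control for HR records with an audit trail.

Added example, not code from the original article. The roles, purposes and
the sample record are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which fields each role may read, and for which purposes.
# The mapping is deliberately narrow so each role sees only what it needs.
ACCESS_POLICY = {
    "payroll": {
        "fields": {"name", "bank_account", "salary", "bonus"},
        "purposes": {"payroll"},
    },
    "hr_admin": {
        "fields": {"name", "nric", "contact", "salary", "bonus", "performance_review"},
        "purposes": {"employment_management", "benefits"},
    },
    "line_manager": {
        "fields": {"name", "contact", "performance_review"},
        "purposes": {"performance_evaluation"},
    },
    "it_support": {
        "fields": {"name", "contact"},
        "purposes": {"device_provisioning"},
    },
}


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class HrRecordStore:
    records: dict
    audit_log: list = field(default_factory=list)

    @staticmethod
    def decide(role, purpose, field_name):
        """Evaluate the policy: the role must exist, the purpose must be one
        the role is permitted, and the field must be in the role's scope."""
        rule = ACCESS_POLICY.get(role)
        if rule is None:
            return AccessDecision(False, f"unknown role {role!r}")
        if purpose not in rule["purposes"]:
            return AccessDecision(False, f"purpose {purpose!r} not permitted for role {role!r}")
        if field_name not in rule["fields"]:
            return AccessDecision(False, f"field {field_name!r} outside scope of role {role!r}")
        return AccessDecision(True, "policy match")

    def read_field(self, actor, role, purpose, employee_id, field_name):
        """Return a field value if policy allows; every attempt is logged,
        denied or not, so the audit trail can be reviewed later."""
        decision = self.decide(role, purpose, field_name)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "purpose": purpose,
            "employee": employee_id, "field": field_name,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return self.records[employee_id][field_name]

    def denied_attempts(self):
        """Audit view: denied reads are the events worth reviewing first."""
        return [e for e in self.audit_log if not e["allowed"]]


# Constructed sample record; the NRIC and other values are placeholders.
SAMPLE_RECORDS = {
    "E1001": {
        "name": "Example Employee", "nric": "S0000000X", "contact": "+65 0000 0000",
        "bank_account": "000-000000-0", "salary": 5000, "bonus": 1000,
        "performance_review": "meets expectations",
    },
}


def demo():
    """Three attempts: one permitted read, one out-of-scope field, one wrong purpose."""
    store = HrRecordStore(dict(SAMPLE_RECORDS))
    store.read_field("alice", "payroll", "payroll", "E1001", "bank_account")
    for args in (("alice", "payroll", "payroll", "E1001", "performance_review"),
                 ("bob", "line_manager", "payroll", "E1001", "salary")):
        try:
            store.read_field(*args)
        except PermissionError:
            pass  # denial is recorded in the audit log
    return store


if __name__ == "__main__":
    for event in demo().denied_attempts():
        print(event)
```

The check is deliberately two-dimensional: a role alone is not enough, the caller must also state the purpose, which mirrors the PDPA principle that data is used only for the purpose it was collected for. Logging denied attempts gives the monitoring step later in this article something concrete to review.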
Implementation
Deploying new data protection practices can be challenging, as it is normal for people to resist change. Expect resistance, organize training sessions to explain the importance of the new business and data protection practices, and allow room for questions to be answered. In certain circumstances it is helpful to have a professional change management team step in to ease you through the transitional stage. Do not expect to get everything done overnight.
Monitoring
In the past, this was a huge project that required manual effort: preventing soft copies of personal data from being downloaded and transferred, blocking access to shadow IT services, and disabling third-party storage devices such as thumb drives and USB hard disks one by one. With modern data breach prevention tools, policies can be implemented and monitored across the board with ease.
HR and IT departments are now able to put in place software that monitors user activity within the organization and blocks specific functions through an easy-to-use program. Organizations can also call upon forensic evidence to trace what led to a data breach. This acts as a deterrent, making anyone with ill intent think twice before attempting an attack on your organization, and it supports investigations to trace and identify the individual or action that resulted in a data leak.
How can I work towards PDPA Compliance?
If you would like to embark on a journey towards being PDPA compliant, you can start by reading up for more information at https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
Alternatively, reach out to us @ shawn.lee@beite.co and we can provide a free assessment and consultation to help you get started!