The Personal Data Protection Act 2012 (the “PDPA”) establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals’ personal data by organisations. The PDPA was first enacted in 2012, and the Personal Data Protection Commission (the “Commission”) is established under the PDPA with the key functions, amongst others, of promoting awareness of data protection in Singapore and administering and enforcing the PDPA.
Organisations are required to comply with the Data Protection Provisions in Parts 3 to 6A of the PDPA. When considering what they should do to comply with the Data Protection Provisions, organisations should note that they are responsible for personal data in their possession or under their control.
In this article, we have made a nifty summary of the ten obligations in the Data Protection Provisions which organisations are required to comply with, specifically pertaining to the collection, access, management and retention of recruitment-related personal information.
An individual has not given consent unless the individual has been notified of the purposes for which his personal data will be collected, used or disclosed and the individual has provided his consent for those purposes.
Use RecruiterPal to track and manage jobseekers' consent when collecting application data.
Withdrawal of consent
Section 16 of the PDPA provides that individuals may at any time withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use or disclosure of their personal data for any purpose by an organisation.
In general, organisations must allow an individual who has previously given (or is deemed to have given) his consent to the organisation for collection, use or disclosure of his personal data for a purpose to withdraw such consent by giving reasonable notice.
Use RecruiterPal to easily enable candidates to withdraw their application and consideration for the job opportunity.
Purpose Limitation Obligation and Notification Obligation
The main objective of the Purpose Limitation Obligation is to ensure that organisations collect, use and disclose only personal data that is relevant to their purposes, and only for purposes that are reasonable.
For each application, we enable direct employers to solicit express consent from the applicants for the collection, use and disclosure of their supplied personal data for the purposes of recruitment and selection. At the same time, we also enable your organisation to fulfil the Notification Obligation, which requires individuals to be informed of the purposes for which their personal data will be collected, used and disclosed prior to obtaining their consent, by making the organisation's Data Protection policies available to applicants.
The Access and Correction Obligations
Obligation to allow access request to personal data
Section 21(1) of the PDPA provides that, upon request by an individual, an organisation must provide the individual with the following as soon as reasonably possible:
- personal data about the individual that is in the possession or under the control of the organisation; and
- information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the individual’s request.
An important and relevant exception is that opinion data kept for an evaluative purpose (e.g. candidate interview reviews or notes) is exempt from this obligation.
Before responding to an access request, organisations should exercise due diligence and adopt appropriate measures to verify an individual’s identity.
Obligation to correct personal data
Section 22(1) of the PDPA provides that an individual may submit a request for an organisation to correct an error or omission in the individual’s personal data that is in the possession or under the control of the organisation (a “correction request”).
In particular, section 22(2) goes on to provide that unless the organisation is satisfied on reasonable grounds that the correction should not be made, it should:
- correct the personal data as soon as practicable; and
- send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction request was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
Again, an important and relevant exception is opinion data kept for an evaluative purpose (e.g. candidate interview reviews or notes, employee appraisals or reference checks), which is exempt from this obligation.
The Accuracy Obligation
Section 23 of the PDPA requires an organisation to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates (e.g. a candidate offer or job-fit decision).
Organisations may presume that personal data provided directly by the individual concerned is accurate in most circumstances. When in doubt, organisations can consider requiring the individual to make a verbal or written declaration that the personal data provided is accurate and complete.
Use RecruiterPal's application form(s) to capture a digital declaration on the veracity of the submission, alongside express consent.
The Protection Obligation
Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored.
The following are some of the measures that should be put in place within organisations:
- Requiring employees to be bound by confidentiality obligations in their employment agreements
- Implementing robust policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations
- Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data; and
- Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the effort required to protect personal data.
In addition, with the use of RecruiterPal's permissions frameworks, you are also able to restrict user access easily based on hiring teams and user access roles. For example, you can restrict the ability to view sensitive information such as the candidate's offer and current salary information.
The Retention Limitation Obligation
Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.
The Retention Limitation Obligation does not specify a fixed duration of time for which an organisation can retain personal data. Instead, the duration of time for which an organisation can legitimately retain personal data is assessed on a standard of reasonableness, having regard to the purposes for which the personal data was collected and other legal or business purposes for which retention of the personal data may be necessary.
As good practice, organisations should prepare an appropriate personal data retention policy which sets out their approach to retention periods for personal data. In particular, where personal data is retained for a relatively long period of time, an organisation should set out its rationale for doing so in its personal data retention policy.
The Transfer Limitation Obligation
Section 26 of the PDPA limits the ability of organisations to transfer personal data to another organisation outside Singapore in circumstances where it relinquishes possession or direct control over the personal data.
Specifically, section 26(1) provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, i.e. to ensure that organisations provide a standard of protection to transferred personal data that is comparable to the protection under the PDPA. This means that an organisation looking to provide personal data to an overseas recipient must ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
The Data Breach Notification Obligation
Part 6A of the PDPA sets out the requirements for organisations to assess whether a data breach is notifiable, and to notify the affected individuals and/or the Commission where it is assessed to be notifiable.
The Accountability Obligation
Accountability under the PDPA requires organisations to undertake measures in order to ensure that they meet their obligations under the PDPA and, importantly, demonstrate that they can do so when required. Some of these measures are specifically required under the PDPA, as follows:
- Appointment of a Data Protection Officer
- Developing and implementing data protection policies and practices
- Providing staff training and communicating to its staff information about its policies and practices
- Making available on request information about its data protection policies and practices and its complaint process
Looking for a way to quickly align your recruitment practices and comply with the obligations under PDPA? Sign up for our 14-day free trial today.