The Retention Limit Obligation
PDPA requires employers and recruitment agencies to fulfil the Retention Limitation Obligation.
Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes.
How does this apply to the HR context?
A common scenario takes place after a position is hired and closed, applications from other job applicants are kept within the system. HR teams need to evaluate how long the information of the applicants should be retained for necessary business or legal purposes.
A three year retention period is a good timeline for consideration because
- There could be another opportunity for the job applicant and
- The experience and information on the resume would be outdated at the end of three years.
Do note that applications must be notified during their application that their information will be kept for three years for the purpose of evaluation for other roles which are not applied by him/her.
Applications should also be notified that they can withdraw their consent for retention, use and disclosure of their personal data by giving reasonable notice to effect the changes. The manner of how they can withdraw should be stated clearly as well as the consequences of the withdrawal.
Materialising this in day to day HR operations
An automated system is necessary to keep track of the three years count down and ensure that the deletion of candidate data gets carried out without fail. With an HR Document Management System, this can be easily achieved, freeing up the HR team to focus on work that matters. With an automated system in place, it also clearly demonstrates the commitment of the company to safe keep personal data
With an electronic Document Management System (EDMS) Users can specify the retention period of each type of document created or upload. Personnel files that met certain conditions (e.g. staff has resigned) and after being kept a specific period of time (e.g. three years) will be automatically deleted from the system. This will reduce the data security liability of the company and satisfy audit regulations holistically.