Measures HR departments can put in place to secure collected Personal Data
- Controlled access to Personal Data: After collecting personal data, most HR departments store it in an HR Management System or an HR document management system. Access to the system, and to the personal data within it, should be granted only to HR personnel who need that information to carry out their work (least privilege). Consider a role-based access setup, in which the system exposes data to a user based on his or her role within HR, or on the departments the user is in charge of, rather than giving every HR user the full record.
- A battle-tested system: The system in use must be secure, with a substantial client portfolio and a track record of regular penetration tests. Ask the vendor for recent test reports and evidence that findings were remediated, not just a statement that tests were done. These measures reduce the likelihood of a breach and the reputational damage to the organisation that follows one.
- Removal of unnecessary personal data when forwarding to business units or clients: Personal data such as NRIC and contact number are not relevant to business unit managers or to clients (if you are an HR agency serving clients). Remove these fields before sending a candidate's information out, and prefer an allowlist of fields each recipient needs over a list of fields to strip, so that new fields added to the record later are withheld by default.
- Block the use of personal email services and cloud storage: Personal email services include the commonly used Gmail and Hotmail. Personal cloud storage services include Dropbox, iCloud and Google Drive. The aim is to prevent personal data from being transferred out of the secured and controlled environment of the organisation's systems. Copies of sensitive personal data in these public services heighten the chance of data leakage, for which the organisation remains accountable. Organisations should consider using an Electronic Document Management System (EDMS) to store sensitive personal data and to keep an audit trail of who accessed which personal data and when. An EDMS also lets employees share files within the organisation, and with outside counterparts, through a controlled channel.
- Thumb drives and portable storage: Organisations can consider stopping the use of portable drives in the office. Drives are easily misplaced, and a lost drive leads to data leakage if it holds sensitive personal data in unencrypted form. Companies can mandate that only encrypted thumb drives be used, and should enforce this technically (for example through device control policies) rather than relying on the mandate alone. Alternatively, IT can block writing data onto portable drives while still allowing data to be read from a thumb drive into company computers.
- Personal mobile devices and access to company email: For checking email on the go, organisations can issue secured mobile devices, or ensure that employee devices are encrypted before they are allowed to access company email. Most of these devices support remote wipe, so the data on them can be destroyed if a device is lost or a breach is suspected; note that the wipe must be triggered by IT and only succeeds if the device is powered on and reachable, so it complements encryption rather than replacing it.
- Training: For convenience and efficiency, employees may unintentionally or intentionally perform actions that breach the PDPA. There should be onboarding sessions and ongoing compulsory refresher training to ensure that employees genuinely understand what personal data is and how to protect it.
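As an added illustration of the role-based access and data-minimisation points above (this is example code written for this page, not part of the original text or any HR product; the roles, field names, the audit-entry format and the sample candidate record are all assumptions, and the NRIC and phone number are fake):

```python
"""Role-based projection of a candidate record with an access log entry.

The record is filtered through a per-role ALLOWLIST of fields. A field that is
not on the list (including one added to the record later, such as a passport
number) is withheld by default, which is the property a denylist of fields to
strip does not give you.
"""
from datetime import datetime, timezone
from typing import Any, Dict, Optional, Tuple

# Constructed sample record (assumption, not from the page). Fake NRIC and phone.
SAMPLE_CANDIDATE: Dict[str, Any] = {
    "candidate_id": "C-0001",
    "name": "Tan Ah Kow",
    "nric": "S1234567D",
    "contact_number": "+65 9123 4567",
    "email": "ahkow@example.com",
    "role_applied": "Accounts Executive",
    "resume_summary": "5 years in accounts payable; ACCA part-qualified.",
}

# Assumed roles and the fields each role may see. Business unit managers and
# external clients get the same minimised view: no NRIC, no contact details.
ROLE_FIELDS: Dict[str, frozenset] = {
    "hr_recruiter": frozenset({
        "candidate_id", "name", "nric", "contact_number", "email",
        "role_applied", "resume_summary",
    }),
    "business_unit_manager": frozenset({
        "candidate_id", "name", "role_applied", "resume_summary",
    }),
    "external_client": frozenset({
        "candidate_id", "name", "role_applied", "resume_summary",
    }),
}


def view_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the given role is allowed to see.

    An unknown role gets an empty view rather than the full record (fail closed).
    """
    allowed = ROLE_FIELDS.get(role, frozenset())
    return {key: value for key, value in record.items() if key in allowed}


def share_record(
    record: Dict[str, Any],
    role: str,
    requester: str,
    now: Optional[datetime] = None,
) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Produce the minimised view for `role` plus an audit entry describing the release.

    The audit entry records who asked, in which role, which candidate, and which
    fields were released and withheld, so access can be reviewed later.
    """
    view = view_for_role(record, role)
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    audit_entry = {
        "at": timestamp,
        "requester": requester,
        "role": role,
        "candidate_id": record.get("candidate_id"),
        "fields_released": sorted(view),
        "fields_withheld": sorted(set(record) - set(view)),
    }
    return view, audit_entry


if __name__ == "__main__":
    manager_view, log_entry = share_record(
        SAMPLE_CANDIDATE, "business_unit_manager", "alice@example.com"
    )
    print(manager_view)  # no nric, no contact_number, no email
    print(log_entry)
```

Because `view_for_role` copies only allowlisted keys, adding a new identifier to the stored record does not change what a business unit manager receives until HR deliberately adds that field to the manager's allowlist; the `fields_withheld` list in the audit entry makes that visible on review.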