Personal Data Protection Act (PDPA) and Human Resource (HR)
In force since 2014, The Personal Data Protection Act (PDPA) deals with the three processes of collection, use and disclosure of personal data. It also lay out the obligations of organizations to:
- Notify the individual of the purpose(s) for which organization intend to collect, use or disclose the individual’s personal data
- Obtain consent to collect, use or disclose individuals’ personal data and allow individuals to withdraw consent. Note that failure to opt-out will not be regarded as consent in all situations. This prevents the common method where marketers require people to opt-out instead of opt-in
- Collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances.
PDPA requires that organizations treat personal data of employees and candidates with the same level of diligence as customers and other individuals that the organization deal with.
One thing that PDPA does is that it does not dictate the way organisations obtain consent from the individual with regards to the collection, use and disclosure of his personal data. However, PDPA does encourage companies to get these consents in written form to prevent disputes.
Today we want to explore the notion of “Deemed Consent”. To be crystal clear will save us unnecessary actions that complicate, reduce productivity and affects our professionalism. HR also needs to be aware of our rights in the event that we are sued for seemingly natural or logical actions.
Here is how PDPA defines “Deemed Consent”: An individual is deemed to consent to the collection, use or disclosure of personal data by an organisation if the individual voluntarily provides the personal data to the organisation for that purpose; and it is reasonable that he or she would do so.
Here is an example by PDPA to better illustrate the point: An individual seeking medical treatment from a clinic or hospital, would voluntarily provide his or her personal data for such a purpose. He or she would be deemed to have consented to the collection and use of his or her personal data by the medical facility for that purpose.
Here is another scenario that HR is familiar with: A job applicant who voluntarily provides his personal data when applying for a job with the organisation may be deemed to have consented to the organisation’s collection and use of his personal data for the purpose of processing his job application.
PDPA also list out certain situations where consent is not needed to carry out collection, use and disclosure of personal data, such as when it is necessary for certain evaluative purposes. Example:
- Obtaining references from a potential job applicant’s former employer to determine his suitability for employment,
- Obtaining performance records to determine an employee’s suitability for promotion,
- Organisations also do not have to obtain the consent of the employee when their collection of the employee’s personal data is reasonable for the purposes of managing or terminating the employment relationship with him, for example, collecting his bank account details for payment of salaries etc.
Notifying employees or candidates regarding the collection use and disclosure of personal data
In the examples, although employees do not need to seek consent; they do however need to notify employees of the collection, use or disclosure of their personal data for such purposes. You may consider if it will be possible to notify employees through mediums such as employment contracts, employee handbooks, or notices in the company intranet if these are left out in contracts before the PDPA is active.
If your HR team is under obligation to GDPR
Do note that “deemed consent” does not have such significant traction under the GDPR. With this in mind, at all times, organizations must take prudent steps to ensure that consent is clearly obtained when we need to take into account GDPR.
We hope we have helped. SQL View provides Human Resource HR document Management system to Singapore companies. An Electronic document management system (EDMS) helps secure personal data and satisfies retention limit obligations of HR teams.