Employees are typically required to provide personal data to the organization that hires them as part of the company’s due diligence process. While the reasons for collecting employees’ personal data may be legitimate, the risk of sensitive data being mishandled is high.
The PDPA (Personal Data Protection Act) aims to offer comprehensive protection against the misuse or mishandling of personal data. All employers who collect any kind of data from employees are subject to the PDPA’s regulations.
Here is a closer look at the implications of PDPA on employee data handling and the challenges HR professionals face concerning compliance:
Employee data handling and recruitment process
Employers need to obtain consent from employees before collecting their personal data, and must collect only the data that is necessary to meet the lawful purpose of the collection. HR professionals need to consider carefully whether they need to obtain separate consent from candidates during recruitment and from those already employed. They also need to review the language and terms of the employment agreement to ensure it is aligned with the PDPA’s data collection norms.
If separate consent has to be obtained, the request must be:
- made before or at the time of data collection,
- given in writing or through electronic means,
- clearly understandable and written in simple language without being misleading or deceptive.
What happens to sensitive personal data?
Employers cannot collect sensitive data from employees without obtaining their express consent. The Act restricts the collection of sensitive data that pertains to the employee’s:
- Ethnic background
- Religious affiliation
- Political opinion
- Biometric data
- Sexual orientation
- Criminal records
- Health records
The consent requirement under the PDPA is exempted where there is a legitimate reason, such as a medical emergency, a workers’ compensation claim, the public interest, or the need to meet contractual obligations.
Data security: How should employers protect employee files?
Employers are responsible for putting in place appropriate security measures – both digital and physical – at the workplace to protect employees’ personal data. Besides preventing unauthorized access to employees’ personal data, HR professionals need to ensure there is no unauthorized alteration, loss, or disclosure of that data. Any security breach must be reported to the Office of the Personal Data Protection Committee within 72 hours of the company/data controller becoming aware of the breach.
In addition, there needs to be a system and process for destroying personal data after the retention period, when it is no longer necessary to store the data, or when an employee withdraws consent or requests its destruction.
How long can the personal data of employees be retained?
At the time of obtaining consent for data collection, employers must also inform employees as to how long the data will be retained. The PDPA does not establish a definite retention period. However, companies can consider a retention period of ten years as this is the maximum prescription period for unfair termination or other labour disputes.
For HR professionals, the work is cut out, with the PDPA coming into effect in June 2021. Some measures HR needs to take to be compliant include:
- Evaluating the existing data collection policy to identify gaps in compliance with the PDPA.
- Creating a separate consent form for new recruits.
- Reviewing internal policies and practices of collecting, storing, and processing personal data.
- Putting in place streamlined data management systems and policies.
- Training employees on PDPA requirements.
- Implementing stringent digital and physical security measures to protect employee data and files.