Amended in September 2019 for the NRIC rule changes and in December 2020 for the passing of the Personal Data Protection (Amendment) Act 2020.
WHAT IS THE PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s data protection legislation, which governs the collection, use and disclosure of personal data by organisations.
“The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
The key terms in the PDPA are highlighted in bold in the above quote and a detailed definition of each is available here.
The PDPA therefore creates a baseline standard for the protection of personal data. It applies to the storage of, and control over, personal data in both electronic and non-electronic terms and its provisions apply in conjunction with all other Singaporean law concerning data and privacy.
The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC).
A more detailed overview of the PDPA is available here.
ORGANISATIONS AND DATA INTERMEDIARIES
Definitions can be found in section 2 of the PDPA. Under section 2, an organisation includes any individual, company, association or body of persons, corporate or unincorporated.
A data intermediary is defined as an organisation which processes personal data on behalf of another organisation, but does not include an employee of that organisation.
The definition under which an organisation falls determines its rights, obligations and liabilities under the Act.
SIMPLEPAY’S PDPA OBLIGATIONS
Although SimplePay falls within the definition of an organisation, more precisely it falls within the definition of a data intermediary. Because we fall under this category, pursuant to section 4(3) of the PDPA, our obligations are limited to the following three categories:
As an employer, you fall under the definition of an organisation. Organisations have several obligations under the PDPA, which can be grouped and summarised as follows:
In light of these obligations, we have appointed a Data Protection Officer (DPO) to assist you in complying with your PDPA obligations linked to SimplePay. If you would like to make an inquiry in order to meet an obligation under the PDPA, please contact our DPO at [email protected].
RIGHTS OF DATA SUBJECTS
Under section 21 of the PDPA, in certain circumstances, employees have the right to access the personal data which the organisation holds on them, and to be told of the ways in which that data may have been used or disclosed in the year preceding the request.
If an organisation refuses to provide an employee with their personal data for one of the prescribed reasons in the PDPA, the organisation is then required to keep a complete and accurate copy of the personal data for the prescribed period.
Section 22 allows individuals to request that an organisation correct an error or omission in their personal data.
TYPES OF PERSONAL DATA PROVIDED TO AND HANDLED BY SIMPLEPAY
Personal data is data about an individual which can be used to identify that individual, either on its own or when combined with other data. In the context of SimplePay, “individuals” would largely be employees of the companies using our system. In order to provide our full payroll and reporting functionality, SimplePay requires clients to provide the personal data of employees.
The PDPA does not provide an exhaustive list of what constitutes personal data. The below is the data that SimplePay collects, which could be considered personal data:
All of the above data is required for the accurate processing and payment of payroll as well as for generating and submitting accurate year-end filing documents to IRAS.
SEPTEMBER 2019 AMENDMENT REGARDING NRICS
On 1 September 2019, the PDPC introduced stricter rules around the collection, use and disclosure of National Registration Identity Card (NRIC) numbers and other national identification numbers. In terms of these rules, it is now illegal for organisations to store such information, unless required to do so by law.
One such legal requirement is where it is “necessary to precisely verify an individual’s identity to a high degree of fidelity”, as is the case in an employment relationship. This requirement allows employers, and by extension SimplePay, to continue to collect and store employees’ NRICs and other national identification numbers. SimplePay therefore remains compliant with the PDPA in light of the 1 September 2019 rule changes.
PERSONAL DATA PROTECTION (AMENDMENT) ACT 2020
The Personal Data Protection (Amendment) Act 2020 (the Amendment Act) was published in the Government Gazette on 11 December 2020 and, in the process, brought new obligations upon anyone who processes personal data of persons living and working in Singapore.
Several alterations to the legislation have been made, such as increased fines for non-compliance with the Act, additional exceptions to the need for consent and amendments to deemed consent, but there are two key changes that stand out for us:
1. Introduction of Data Portability
Subject to meeting the relevant requirements, data portability allows an individual to transfer data from one organisation to another, giving the individual more autonomy over their data.
For data portability to be permitted under the PDPA
Provided that there is nothing in the PDPA prohibiting the transfer, the requested information should be transferred.
The prescribed requirements stated in point 2 should be available in due course as the relevant regulatory bodies for each sector create guidance. The guidance is likely to cover the categories to which portability applies, in addition to any process, request and safeguard requirements.
Under section 4(2) of the PDPA, SimplePay, as a data intermediary, is not obliged to review data porting requests. However, as part of our continued commitment to customer service excellence we will do our best to aid you with requests you receive, as is appropriate and commercially reasonable.
2. Data Breach Procedure
The Amendment Act inserted Part VIA into the PDPA, which places obligations on organisations if they experience a “notifiable data breach”.
Subject to other sections of Part VIA, for an organisation to experience a notifiable data breach there needs to be:
Provided the above criteria are met, the organisation must notify the PDPC within three (3) days of making this assessment. Significant Harm and Significant Scale have not yet been formally defined. However, the public consultation paper suggests that a breach affecting more than 500 people would be significant, as would a breach of information that could cause psychological or economic harm.
In the unlikely event that SimplePay were to experience an external data breach, we are required to contact anyone affected with details of the breach, allowing them to carry out their own assessment. If we contact you and you conclude that the breach is a notifiable data breach, as defined above, you would need to inform the PDPC within three (3) days.