Legal

PDPA

We work hard to keep all our legal mumbo jumbo as simple as possible, but we still have to have it.


Amended in September 2019 for the NRIC rule changes and in December 2020 for the passing of the Personal Data Protection (Amendment) Act 2020.

What is the PDPA?

The Personal Data Protection Act (PDPA) is Singapore’s data protection legislation. It governs the collection, use and disclosure of personal data by organisations.

“The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”

A detailed definition of each of the key terms in the above quote is available here.

The PDPA therefore sets a baseline standard for the protection of personal data. It applies to personal data held in both electronic and non-electronic form, covering both its storage and control over it, and its provisions operate alongside all other Singaporean law concerning data and privacy.

The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC).

A more detailed overview of the PDPA is available here.

Organisations and Data Intermediaries

Definitions can be found in section 2 of the PDPA. Under section 2 an organisation includes any individual, company, association or body of persons, corporate or unincorporated.

A data intermediary is defined as an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation.

Which of these definitions an organisation falls under determines its rights, obligations and liabilities under the Act.

SimplePay’s PDPA Obligations

SimplePay falls within the definition of an organisation, but more precisely it is a data intermediary: it processes employees’ personal data on behalf of its clients under a written contract. Pursuant to section 4(2) of the PDPA, a data intermediary that processes personal data on behalf of and for the purposes of another organisation under a written contract is subject only to the following three obligations:

  1. Protection obligation: SimplePay must keep the personal information in its control secure.
  2. Retention limitation obligation: SimplePay must not keep data containing personal information longer than is necessary, or must ensure that any data kept is anonymised so that it can no longer identify the individual.
  3. Data breach notification obligation: in the unlikely event that SimplePay experiences a data breach affecting personal data you have provided to us, we must notify you without undue delay (see below).

As an employer, you fall under the definition of an organisation. Organisations have several obligations under the PDPA, which can be grouped and summarised as follows:

  • Obligations relating to notification, consent and purpose:
    • notify individuals of the purposes of use of the data; and
    • obtain consent from individuals for the collection, use and disclosure of individuals’ personal data.
  • Obligations relating to compliance, accountability and access and correction:
    • make information available about their data protection policies;
    • appoint a data protection officer;
    • give individuals access to their personal data (upon request); and
    • allow individuals to correct their personal data (also upon request).
  • Obligations relating to safeguarding personal data:
    • comply with prescribed requirements when transferring personal data outside Singapore;
    • use reasonable measures to protect personal data;
    • make reasonable effort to ensure the accuracy of personal data; and
    • cease to retain personal data when no longer required.
  • Obligations relating to data portability and data breaches (see below):
    • review and respond to data porting requests; and
    • inform the PDPC of a notifiable data breach.

In light of these obligations, we have appointed a Data Protection Officer (DPO) to assist you in complying with your PDPA obligations linked to SimplePay. If you would like to make an inquiry in order to meet an obligation under the PDPA, please contact our DPO at dpo@simplepay.com.sg.

Rights of Data Subjects

Under section 21 of the PDPA, subject to certain exceptions, employees have the right to request access to the personal data which the organisation holds about them, and to be told the ways in which that data has been or may have been used or disclosed in the year preceding the request.

If an organisation refuses to give an employee access to their personal data for one of the reasons permitted by the PDPA, it must preserve a complete and accurate copy of that personal data for the prescribed period.

Section 22 allows individuals to request that an organisation correct an error or omission in their personal data.

Types of Personal Data Provided to and Handled by SimplePay

Personal data is data about an individual which can be used to identify the individual, either on its own or when combined with other data. In the context of SimplePay, “individuals” would largely be employees of the companies using our system. In order to provide our full payroll and reporting functionality, SimplePay requires clients to provide the personal data of employees.

The PDPA does not provide an exhaustive list of what constitutes personal data. The following data collected by SimplePay could be considered personal data:

  • Full name
  • Date of birth
  • Legal status
  • Nationality
  • NRIC / FIN / Passport Number
  • Gender
  • Race
  • Religion
  • Physical address
  • Email address
  • Bank account details
  • Salary

All of the above data is required for the accurate processing and payment of payroll as well as for generating and submitting accurate year-end filing documents to IRAS.

For more information on how SimplePay collects, stores and uses your data, please refer to our Privacy Policy.

September 2019 Amendment regarding NRICs

On 1 September 2019, the PDPC’s stricter rules on the collection, use and disclosure of National Registration Identity Card (NRIC) numbers and other national identification numbers took effect. Under these rules, organisations may not collect, use or disclose such numbers unless required under the law, or where it is necessary to accurately verify an individual’s identity to a high degree of fidelity.

The second exception applies in the employment relationship: an employer must verify an employee’s identity to a high degree of fidelity and must report the employee’s NRIC or FIN in statutory filings such as the year-end submissions to IRAS. Employers, and by extension SimplePay as their data intermediary, may therefore continue to collect and store employees’ NRICs and other national identification numbers, and SimplePay remains compliant with the PDPA in light of the 1 September 2019 rule changes.

Personal Data Protection (Amendment) Act 2020

The Personal Data Protection (Amendment) Act 2020 (the Amendment Act) was published in the Government Gazette on 11 December 2020 and, in the process, brought new obligations upon anyone who processes personal data of persons living and working in Singapore.

What’s new?

Several changes have been made to the legislation, such as increased financial penalties for non-compliance with the Act, additional exceptions to the consent requirement and amendments to deemed consent, but two key changes stand out for us:

1. Introduction of Data Portability

Subject to meeting the relevant requirements, data portability allows an individual to transfer data from one organisation to another, giving the individual more autonomy over their data.

For data portability to be permitted under the PDPA:

  1. there must be an ongoing relationship between the requester and organisation; and
  2. the requester must complete a data porting request, in accordance with any requirements prescribed by the PDPC or other regulatory body.

Provided that nothing in the PDPA prohibits the transfer, the requested information should be transferred.

The prescribed requirements referred to in point 2 should become available in due course as the relevant regulatory bodies for each sector issue guidance. That guidance is likely to cover the categories of data to which portability applies, as well as any process, request and safeguard requirements.

Under section 4(2) of the PDPA, SimplePay, as a data intermediary, is not obliged to review data porting requests. However, as part of our continued commitment to customer service excellence, we will do our best to assist you with requests you receive, as is appropriate and commercially reasonable.

2. Data Breach Procedure

The Amendment Act inserted Part VIA into the PDPA, which places obligations on organisations if they experience a “notifiable data breach”.

Subject to the other sections of Part VIA, a data breach is a notifiable data breach if:

  1. it is a data breach, as defined in the amended version of the PDPA; and
  2. either:
    • it results, or is likely to result, in significant harm to an affected individual; or
    • it is, or is likely to be, of a significant scale.

Where these criteria are met, the organisation must notify the PDPC as soon as practicable and in any case no later than three (3) calendar days after the day on which it assesses the breach to be notifiable. Where the breach results, or is likely to result, in significant harm to affected individuals, the organisation must also notify those individuals. Significant harm and significant scale have not yet been formally defined. However, the public consultation paper suggests that a breach affecting more than 500 individuals would be of a significant scale, and that a breach of information which could cause psychological or economic harm would amount to significant harm.

In the unlikely event that SimplePay were to experience a data breach affecting your employees’ personal data, we are required, as your data intermediary, to notify you without undue delay with the information we have about the breach, so that you can carry out your own assessment. If we contact you and you conclude that the breach is a notifiable data breach, as defined above, you would need to inform the PDPC no later than three (3) calendar days after making that assessment, and to inform the affected individuals where significant harm is likely.

For more information on how the information you provide is stored, processed and protected, please refer to SimplePay’s Privacy Policy, Security Statement and Terms of Service.