WHAT IS THE PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s data protection legislation, which aims to govern the collection, use and disclosure of personal data by organisations.
“The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
The key terms in the PDPA are highlighted in bold in the above quote and a detailed definition of each is available here.
The PDPA therefore creates a baseline standard for the protection of personal data. It applies to the storage of personal data in both electronic and non-electronic forms, and its provisions apply in conjunction with all other Singaporean law concerning data and privacy.
The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC).
A more detailed overview of the PDPA is available here.
ORGANISATIONS AND DATA INTERMEDIARIES
Definitions can be found in section 2 of the PDPA. Under section 2 an organisation includes any individual, company, association or body of persons, corporate or unincorporated.
Data intermediary is defined as an organisation which processes personal data on behalf of any other organisation, but does not include an employee of that organisation.
The definition that an organisation falls under determines its rights, obligations and liabilities under the Act.
SIMPLEPAY’S PDPA OBLIGATIONS
Although SimplePay falls within the definition of an organisation, it more precisely falls within the definition of a data intermediary. Because we fall under this category, pursuant to section 4(3) of the PDPA, our obligations are limited to the following two categories:
As an employer, you fall under the definition of an organisation. Organisations have nine main obligations under the PDPA, which can be grouped and summarised as follows:
In light of these obligations, we have appointed a Data Protection Officer (DPO) to assist you in complying with your PDPA obligations linked to SimplePay. If you would like to make an inquiry in order to meet an obligation under the PDPA, please contact our DPO at [email protected].
RIGHTS OF DATA SUBJECTS
Under section 21 of the PDPA, in certain circumstances, employees have the right to access the personal information which the organisation has on them, and to be told of any ways in which the information may have been disclosed in the year preceding the request.
Section 22 allows employees to request an organisation to correct an error or omission in their personal data.
TYPES OF PERSONAL DATA PROVIDED TO AND HANDLED BY SIMPLEPAY
Personal data is data about an individual which can be used to identify the individual, either on its own or when combined with other data. In the context of SimplePay, “individuals” would largely be employees of the companies using our system. In order to provide our full payroll and reporting functionality, SimplePay requires clients to provide the personal data of employees.
The PDPA does not provide an exhaustive list of what constitutes personal data. The following is all the data that SimplePay collects which could be considered personal data:
All of the above data is required for the accurate processing and payment of payroll as well as for generating and submitting accurate year-end filing documents to IRAS.
SEPTEMBER 2019 AMENDMENT REGARDING NRICS
On 1 September 2019, the PDPC introduced stricter rules around the collection, use and disclosure of National Registration Identity Card (NRIC) numbers and other national identification numbers. Under these rules, it is now illegal for organisations to store such information, unless required to do so by law.
One such legal requirement is where it is “necessary to precisely verify an individual’s identity to a high degree of fidelity”, as is the case in an employment relationship. This requirement allows employers, and by extension SimplePay, to continue to collect and store employees’ NRICs and other national identification numbers. SimplePay therefore remains compliant with the PDPA in light of the 1 September 2019 rule changes.