WHAT IS PDPA?
The Personal Data Protection Act (PDPA) is Singapore’s data protection legislation, which aims to govern the collection, use and disclosure of personal data by organisations.
“The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
The key terms in the PDPA are highlighted in bold in the above quote and a detailed definition of each is available here.
The PDPA therefore creates a baseline standard for the protection of personal data. It applies to the storage of personal data in both electronic and non-electronic forms. Its provisions apply in conjunction with all other Singaporean law concerning data and privacy.
The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC).
A more detailed overview of the PDPA is available here.
SIMPLEPAY’S PDPA OBLIGATIONS
SimplePay falls within the PDPA’s definition of an organisation and has nine main obligations under the PDPA, which can be grouped and summarised as follows:
In light of these obligations, we have appointed a Data Protection Officer (DPO) to handle all queries related to the collection, use and disclosure of personal data by SimplePay. If you would like to make an inquiry or exercise any right under the PDPA, please contact our DPO on [email protected].
TYPES OF PERSONAL DATA COLLECTED AND HANDLED BY SIMPLEPAY
Personal data is data about an individual which can be used to identify the individual, either on its own or when combined with other data. In the context of SimplePay, “individuals” would largely be employees of the companies using our system. In order to provide our full payroll and reporting functionality, SimplePay is required to collect the personal data of employees.
The PDPA does not provide an exhaustive list of what constitutes personal data. The below is all the data that SimplePay collects, which could be considered personal data:
All of the above data is required for the accurate processing and payment of payroll as well as for generating and submitting accurate year-end filing documents to IRAS.
SEPTEMBER 2019 AMENDMENT REGARDING NRICS
On 1 September 2019, the PDPC introduced stricter rules around the collection, use and disclosure of NRIC and other national identification numbers. In terms of these rules, it is now illegal for organisations to store such information, unless required to do so by law.
One such legal requirement is where it is “necessary to precisely verify an individual’s identity to a high degree of fidelity” as is the case in an employment relationship. This requirement allows employers, and by extension SimplePay, to continue to collect and store employees’ NRICs and other national identification numbers. SimplePay therefore remains compliant with the PDPA in light of the 1 September 2019 rule changes.