
PDPA and HR Data in Singapore — What Every Employer Must Know

Singapore's PDPA applies to employee personal data with specific rules on NRIC collection, consent, and retention. A practical guide for HR departments handling sensitive employee information.

LOCK.PUB
2026-03-22


HR Departments Hold the Most Sensitive Data

Human Resources departments are the custodians of some of the most personal information in any organization. From NRIC numbers and salary details to medical records, performance reviews, and disciplinary actions — HR handles data that employees trust will be protected.

In Singapore, the Personal Data Protection Act (PDPA) governs how organizations collect, use, and disclose personal data. While many businesses focus on customer data compliance, employee data is covered in exactly the same way, and mishandled HR data (leaked payslips, exposed employee spreadsheets, misdirected emails) turns up regularly in PDPC enforcement decisions.

How PDPA Applies to Employee Data

Deemed Consent — But Not a Blank Check

The PDPA does not require fresh, express consent for routine employment processing. Consent is deemed given where an employee voluntarily provides data for a purpose a reasonable person would consider appropriate, and the Act separately allows collection, use and disclosure without consent where it is reasonable for managing or terminating the employment relationship or is required by law. Between them, these cover routine HR activities like:

  • Processing payroll
  • Making CPF contributions
  • Filing tax returns with IRAS
  • Administering medical benefits

However, neither deemed consent nor the employment exception is blanket permission. They cover only purposes that a reasonable person would consider appropriate in the employment context; anything outside that (marketing, disclosure to third parties for unrelated purposes) needs the employee's express consent.

Activity                               Deemed consent?   Notes
Payroll processing                     Yes               Standard employment purpose
CPF submissions                        Yes               Legally required
Tax filing (IRAS)                      Yes               Legally required
Marketing with employee photos         No                Requires express consent
Sharing medical info with colleagues   No                Must have consent or a legal basis
Background checks for promotion        Situational       Must notify the employee of the purpose

The Notification Obligation

Even when deemed consent applies, employers must inform employees about:

  • What personal data is being collected
  • Why it is being collected (the purposes)
  • Who it may be shared with

This is typically done through employment contracts, employee handbooks, or dedicated data protection notices.

NRIC Advisory Guidelines — A Common Pitfall

Since September 1, 2019, Singapore's NRIC Advisory Guidelines have been in effect. These rules catch many HR departments off guard:

What You Must NOT Do

  • Collect full NRIC/FIN/birth certificate numbers unless required by law or necessary to verify the individual's identity to a high degree of fidelity
  • Use the NRIC as a general-purpose identifier (e.g., employee login, queue numbers, spreadsheet keys)
  • Photocopy or scan NRICs, or keep the images, without a valid legal basis

What You Should Do Instead

  • Collect only the last 4 characters of the NRIC (e.g., 567A) where partial identification suffices
  • Use alternative identifiers (employee ID numbers)
  • Only retain full NRIC when mandated by law (CPF, IRAS, MOM work passes)

Exceptions Where Full NRIC Is Allowed

Scenario                      Reason full NRIC is permitted
CPF contributions             Required by law
IRAS tax filing               Required by law
Healthcare records            Accurate identification needed
Education institutions        Student identification
MOM work pass applications    Required by law

Even in these cases, collect the full number for that purpose only and hold it in the system that needs it (payroll, CPF submission), not in general HR files, ticketing tools, or shared spreadsheets.
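To make the minimisation rules above checkable rather than aspirational, here is an added Python example (not code from the original page or from LOCK.PUB) that reduces an NRIC/FIN to its last four characters, keeps the full number only for purposes the article lists as legally mandated, and scans free-text HR fields for full NRICs that have leaked into notes. The purpose codes, record layout and sample record are assumptions for illustration; the regular expression checks the NRIC/FIN format only and does not verify the checksum letter.

```python
import re

# NRIC/FIN shape: prefix letter, seven digits, checksum letter. Format check only;
# the checksum letter is not verified here.
NRIC_RE = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")

# Purposes for which the article says full NRIC retention is mandated by law.
# The purpose codes are assumed for this example, not an official list.
FULL_NRIC_PURPOSES = {"cpf", "iras", "mom_work_pass"}


def mask_nric(nric: str) -> str:
    """Return the partial NRIC (last 4 characters) with the rest masked,
    e.g. 'S1234567A' -> '*****567A'."""
    s = nric.strip().upper()
    if not NRIC_RE.fullmatch(s):
        raise ValueError(f"not a well-formed NRIC/FIN: {nric!r}")
    return "*" * (len(s) - 4) + s[-4:]


def redact_text(text: str) -> tuple[str, int]:
    """Mask every full NRIC/FIN embedded in free text (e.g. HR notes).
    Returns the redacted text and how many were found."""
    hits = 0

    def _sub(m: re.Match) -> str:
        nonlocal hits
        hits += 1
        return mask_nric(m.group(0))

    return NRIC_RE.sub(_sub, text), hits


def minimise_record(record: dict, purpose: str) -> tuple[dict, list[str]]:
    """Apply NRIC minimisation to one HR record for a given processing purpose.

    - The dedicated 'nric' field is kept in full only for purposes where the law
      requires it; otherwise it is reduced to the last 4 characters.
    - Every other string field is scanned for full NRICs that have leaked into
      free text (performance notes, ticket descriptions) and masked.
    Returns the minimised copy and the names of fields that needed masking."""
    out = dict(record)
    findings: list[str] = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if field == "nric":
            if purpose not in FULL_NRIC_PURPOSES:
                out[field] = mask_nric(value)
                findings.append(field)
            continue
        cleaned, n = redact_text(value)
        if n:
            out[field] = cleaned
            findings.append(field)
    return out, findings


# Constructed sample record (fictitious person and number, not real data).
SAMPLE = {
    "employee_id": "E-0421",
    "nric": "S1234567A",
    "name": "Tan Ah Kow",
    "performance_notes": "Met S1234567A on 3 Mar; follow up on targets.",
    "salary": 5400,
}

if __name__ == "__main__":
    for purpose in ("cpf", "performance_review"):
        minimised, touched = minimise_record(SAMPLE, purpose)
        print(purpose, "->", minimised["nric"], "| masked fields:", touched)
```

Run the scanner over exports before they leave the HR system (a payroll extract sent to a broker, a performance spreadsheet shared with managers): the field list tells you which records carried a full number where the purpose did not justify it, which is the evidence a PDPC audit will ask for.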

Employee Rights Under PDPA

Access and Correction

Employees have the right to:

  1. Request access to their personal data held by the employer
  2. Request corrections to inaccurate data
  3. Be informed of how their data was used or disclosed in the past year

Employers must respond as soon as reasonably possible and within 30 days; if that is not possible, they must tell the employee in writing when the response will come. A reasonable fee may be charged for processing, but the employee should be given a written estimate before the request is handled.

Withdrawal of Consent

Employees can withdraw consent for non-essential data processing, and employers cannot prohibit withdrawal. Employers should, however, tell the employee the likely consequences of withdrawing (e.g., inability to provide certain benefits).

Data Retention — Don't Keep It Forever

One of the most overlooked PDPA requirements is the retention limitation obligation. Organizations must stop retaining personal data when:

  • It is no longer needed for the purpose it was collected for
  • There is no legal or business requirement to keep it

Recommended Retention Periods for HR Data

Data type                                  Suggested retention          Reason
Payroll records                            5–7 years after departure    IRAS record-keeping and audit
Tax records (IR8A)                         5 years                      IRAS requirement
CPF records                                5 years                      CPF Board requirements
Medical claims                             1–2 years after departure    Insurance reconciliation
Performance reviews                        2–3 years after departure    Reference checks
Recruitment records (rejected candidates)  6–12 months                  Re-application consideration

After an employee leaves, HR should run a documented deletion schedule rather than keeping records indefinitely. The schedule has a floor as well as a ceiling: the Employment Act and tax rules require certain employee records to be kept for a minimum period, including for a time after departure, and records needed for an ongoing dispute or audit should be placed on hold rather than deleted on schedule.
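A deletion schedule is only real if something runs it. The following added Python example (not from the original page or from LOCK.PUB) turns a retention table like the one above into a sweep over HR records: each data type gets a period and a clock anchor (departure date or record creation), departure-anchored types are never swept while the employee is still employed, and records under a legal hold are reported separately rather than deleted. The periods follow the article's suggested upper bounds; the anchors, type codes, record fields and sample records are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention rules per data type: how long to keep, and which date starts the clock.
# Periods are the article's suggested upper bounds; the anchor choice and the
# type codes are assumptions made for this example.
SCHEDULE = {
    "payroll":       {"months": 84, "anchor": "departure"},
    "tax_ir8a":      {"months": 60, "anchor": "created"},
    "cpf":           {"months": 60, "anchor": "created"},
    "medical_claim": {"months": 24, "anchor": "departure"},
    "performance":   {"months": 36, "anchor": "departure"},
    "recruitment":   {"months": 12, "anchor": "created"},
}


@dataclass
class HrRecord:
    record_id: str
    data_type: str
    created: date
    departure: Optional[date] = None  # None while the employee is still employed
    legal_hold: bool = False          # e.g. needed for an ongoing claim or audit


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (so 29 Feb + 24 months lands on 28 Feb rather than an invalid date)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def retention_due(rec: HrRecord, schedule: dict = SCHEDULE) -> Optional[date]:
    """Date after which the record should be deleted, or None if the clock has
    not started (departure-anchored type, employee still employed)."""
    if rec.data_type not in schedule:
        # Unknown types fail loudly: every HR data type must have a rule.
        raise ValueError(f"no retention rule for data type {rec.data_type!r}")
    rule = schedule[rec.data_type]
    if rule["anchor"] == "departure":
        if rec.departure is None:
            return None
        start = rec.departure
    else:
        start = rec.created
    return add_months(start, rule["months"])


def sweep(records, today: date, schedule: dict = SCHEDULE):
    """Split records into those overdue for deletion and those past retention
    but blocked by a legal hold (to be reviewed by a person, not deleted)."""
    overdue, held = [], []
    for rec in records:
        due = retention_due(rec, schedule)
        if due is None or due > today:
            continue
        (held if rec.legal_hold else overdue).append(rec.record_id)
    return overdue, held


# Constructed sample records (fictitious employees); TODAY is the article's date.
TODAY = date(2026, 3, 22)
SAMPLE_RECORDS = [
    HrRecord("R1", "payroll", date(2015, 1, 1), departure=date(2018, 6, 30)),
    HrRecord("R2", "payroll", date(2020, 1, 1)),  # still employed: clock not started
    HrRecord("R3", "performance", date(2019, 5, 1), departure=date(2022, 2, 28), legal_hold=True),
    HrRecord("R4", "recruitment", date(2025, 9, 1)),  # rejected candidate, within 12 months
    HrRecord("R5", "tax_ir8a", date(2021, 3, 1)),
    HrRecord("R6", "medical_claim", date(2023, 7, 1), departure=date(2024, 2, 29)),
]


def sample_sweep():
    """Run the sweep over the sample records as of the sample date."""
    return sweep(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    overdue, held = sample_sweep()
    print("delete now:", overdue)
    print("past retention but on legal hold:", held)
```

The two lists are the output a retention job should produce: one goes to an approved deletion routine with a log of what was removed and when, the other to a human reviewer, because deleting a record under a legal hold is a worse outcome than keeping it a little longer.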

Cross-Border Transfer of HR Data

If your Singapore office sends employee data to headquarters overseas — for example, to a regional HQ in Hong Kong or a parent company in the US — you must ensure the recipient provides a comparable level of protection to the PDPA.

Common approaches include:

  • Binding corporate rules governing data handling across entities
  • Contractual clauses requiring PDPA-equivalent protection
  • Obtaining employee consent for the specific transfer, which is only valid if the employee is told that the data will be transferred overseas and given a reasonable summary of the consequences

Common HR PDPA Violations (And How to Avoid Them)

1. Sharing Medical Information Without Consent

A manager asks HR about an employee's medical condition. HR shares the diagnosis. This is a violation — medical information requires specific consent for disclosure beyond the benefits administration team.

2. Visible Payslips

Leaving printed payslips on desks or in open mailboxes where colleagues can see them exposes salary information. Use sealed envelopes or secure digital delivery.

3. Sending Salary Information to the Wrong Person

Accidentally emailing salary details to the wrong recipient is a data breach, and since 1 February 2021 breach notification is mandatory. The organization must assess the breach promptly; if it is likely to result in significant harm to the affected individuals, or affects 500 or more people, the PDPC must be notified within 3 calendar days of that assessment, and in the significant-harm case the affected employees must be notified too. Ask the recipient to delete the message and confirm, and record the incident even where it is assessed as not notifiable.

4. Retaining Data After Employee Departure

Keeping a former employee's complete HR file for 15+ years "just in case" violates the retention limitation obligation.

Sharing Sensitive HR Documents Securely

Many of these violations happen because HR teams lack secure channels for sharing sensitive documents. Emailing offer letters, salary information, and medical records as plain attachments creates unnecessary risk.

Tools like LOCK.PUB let you create password-protected memos for sharing sensitive HR information. Instead of sending salary details or medical documentation via email, you share a link that requires a password to open. Send the password over a different channel from the link (link by email, password by phone or chat): a password placed in the same message as the link gives no protection if the email was misaddressed or the mailbox is compromised.

HR PDPA Compliance Checklist

Use this checklist to audit your HR department's PDPA compliance:

  • Data protection notice provided to all employees
  • Full NRIC collection limited to legally required purposes only
  • Consent obtained for non-standard data uses (photos, marketing)
  • Data retention schedule documented and followed
  • Secure channels used for transmitting sensitive employee data
  • Cross-border transfer safeguards in place (if applicable)
  • Employee access and correction request process established
  • HR staff trained on PDPA obligations
  • Breach response plan includes HR data scenarios

The Cost of Non-Compliance

The PDPC can impose financial penalties of up to SGD 1 million or, for organizations whose annual turnover in Singapore exceeds SGD 10 million, up to 10% of that turnover, whichever is higher. Beyond fines, PDPA breaches involving employee data can lead to:

  • Loss of employee trust and morale
  • Reputational damage
  • Difficulty attracting talent

Key Takeaways

  1. PDPA applies to employee data — deemed consent is not unlimited
  2. Stop collecting full NRICs unless legally required (since September 2019)
  3. Don't retain data forever — implement a clear deletion schedule
  4. Share sensitive HR documents securely — consider tools like LOCK.PUB for password-protected sharing
  5. Train your HR team — they handle the most sensitive data in your organization

Protecting employee data isn't just about compliance — it's about trust. Start by auditing your current HR data practices and closing the gaps before they become costly mistakes.


Need to share sensitive HR documents securely? Try LOCK.PUB — create password-protected memos that only the intended recipient can access.
