31 July, 2012
Legal News & Analysis – Asia Pacific – Singapore – Labour & Employment
The Ministry of Information, Communications and the Arts has proposed a Personal Data Protection Bill to be introduced to Parliament in the third quarter of 2012. This Bill will have a sunrise implementation period of 18 months from the date it is passed. It is intended as a baseline applicable to consumer data collected by non-public organisations, i.e. those not already under the existing data protection regime for public organisations.
From an employment perspective, the new Personal Data Protection Act 2012 (“PDPA”) will also now regulate the collection of employee data by an organisation for employment purposes. Generally, under the PDPA, a company is only permitted to collect a reasonable amount of personal data from an individual, for reasonable purposes. The individual’s consent is required for collection, use or disclosure of this data.
However, for new candidates seeking a position of employment within
an organisation, a broad exclusion applies to data collected and used
for determining the eligibility or suitability of an individual for employment. Organisations are therefore able to collect personal data from these candidates for carrying out background checks, which are increasingly common in Singapore.
A similar exclusion applies to employee data. Under the PDPA, employers are permitted to collect, use and disclose its employees’ personal data without the employees’ consent for the sole purpose of establishing, managing or terminating employment relationship, provided the organisation informs the employee of the purpose of the collection, use or disclosure of such data.
For employee data that is already within the organisation’s possession before the implementation of the PDPA, the organisation is not required to notify or seek the employees’ consent for retaining such employee data so long as the purpose of retaining such data has not changed since the time of collection. The PDPA will also regulate business asset transactions, which include mergers and sale of businesses. If an organisation is a party to a business asset transaction, the organisation is permitted to use or disclose its employees’ personal data to other
party in the transaction provided the organisation:
(a) uses or discloses the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data; and
(b) informs its employees of the disclosure of the personal data and whether the business asset transaction has taken place.
If the transaction falls through, the other party to the transaction is required to return or destroy the data obtained.
For further information, please contact: