The Personal Data Protection Act and Its Practical Applications for HR Practitioners (including mandatory data breach notification, 1 February 2021)
This workshop, PDPA for HR practitioners, is, as the name implies, meant for HR practitioners only, unlike the two-day WSQ PDPA course, which is a generic version covering what organisations need to know about the PDPA. More importantly, HR practitioners need to know exactly when they may collect, use and disclose NRIC, as the PDPA makes this illegal with effect from 1 September 2019 except in permitted situations. The workshop also covers the data breach notification, which came into effect on 1 February 2021.
As an HR practitioner, are you ready to implement this new statutory law in your area of work? Can you use or disclose an employee’s personal data without the employee’s consent? What is deemed as ‘consent’? Can you grant access to an employee’s personal data as and when a request for it is made? Can you collect NRIC numbers from job applicants and employees? Under what circumstances must organisations notify the PDPC of significant-scale data breaches, and must the affected personnel be notified? Come and find out the exact answers to these questions, which are non-exhaustive, at this workshop.
The HR Department is, without a doubt, one of the biggest ‘collectors’ of personal data in any organisation. These data relate to employees and outsourced employees like cleaners and security personnel, members of the public such as job applicants, etc. The onus is also on the HR Department to ensure that adequate and sound personal data protection is offered by its appointed third-party vendors for its outsourced functions such as payroll, flexible benefits etc., and also by government agencies such as the CPF Board etc.
The maximum financial penalty for data protection breaches will be increased to 10% of an organisation’s annual turnover in Singapore or S$1 million, whichever is higher. The increase in financial penalties has not yet commenced, with no date yet confirmed. Therefore, it is time to revise personal data protection, including the risk assessment and code of conduct incorporated in the existing HR Policies and Procedures.
The trainer will share only HR-related personal data protection case studies and scenarios relevant to HR practitioners at this workshop. Due to the uniqueness of its contents, HR practitioners are highly recommended to attend this workshop.
At the end of this workshop, participants will be able to:
- Background of PD Protection in the workplace.
- The objective of the PDPA.
- Functions of the PDPC.
- Enforcement of the PD Protection.
- Data Protection Framework.
- Who must comply with PDPA?
- The obligation of the PDPA.
- Understand how to operationalise the obligations, particularly in relation to NRIC, which came into effect on 1 September 2019.
- Understand how to apply the data breach notifications, which came into effect on 1 February 2021, and what safeguard measures to adopt.
- How PD should be collected, used and disposed of for job applicant and resignee activities.
- The liability for breaching the PDPA and the financial penalties.
A competent HR practitioner must have the skills and knowledge in the following:
1. Introduction to Personal Data Protection Act (PDPA)
- Objectives of the Data Protection Regime.
- Key Terms: Personal Data, Business Contact Information (BCI), Individual & Organisations, Data Intermediary and Other Key Terms.
- Mandatory data breach notification, which came into effect on 1 February 2021.
2. Data Protection Provisions
- PDPA 10 Key Obligations/ Consent Obligation/ Purpose Limitation Obligation.
- Notification Obligation/ Access & Correction Obligation/ Accuracy Obligation.
- Protection Obligation/ Retention Limitation Obligation.
- Transfer Limitation Obligation/ Data Breach Obligation/ Accountability Obligation.
- Existing Data and Other Existing Laws.
3. Collection of personal data by HR practitioners:
i) What constitutes consent given by applicants.
ii) What constitutes deemed consent by applicants.
iii) Circumstances under which you need not seek consent from applicants:
- Personal data are publicly available.
- Investigation or proceedings conducted by practitioners and their bearing on applicants.
- Usage of personal data by the HR practitioner for evaluative purposes.
- Document produced in the course of employment.
- Need by practitioners for managing and terminating employment.
- Business asset transaction as required in due diligence context by practitioners.
- Circumstances in which practitioners need to release personal data to the proper authority.
iv) Withdrawal of consent by employees.
v) Access to personal data by HR practitioners.
vi) Use of personal data by HR practitioners.
vii) Under what circumstances must HR practitioners disclose personal data?
viii) Accuracy of personal data as required by HR practitioners.
ix) Protection of personal data as required by practitioners.
x) Retention of personal data as required by HR practitioners.
xi) Liability for breach of personal data by HR practitioners and its bearing on office bearers.
4. HR practitioners and their duties under the PDPA:
- Taking the role of a Data Protection Officer.
- Developing good policies for handling personal data in an electronic and manual form that suit your organisation’s needs and comply with the PDPA.
- Communicating the internal personal data protection policies and processes to customers, members and employees.
- Handling queries or complaints about personal data from customers, members and employees.
- Alerting your organisation to any risks that might arise with personal data.
- Liaising with the PDPC, if necessary.
- Liaising with data intermediaries such as payroll vendors.
5. Practitioners as custodians managing personal data.
- Set out how the personal data in custody may be well-protected.
- Classify the personal data to manage it accordingly.
- Set clear timelines to retain the various personal data and cease to retain documents containing personal data that is no longer required for business or legal purposes.
- The transfer of personal data overseas.
6. The rules governing the collection, use and disclosure of NRIC, which came into effect on 1 September 2019.
- Collection of NRIC by organisations.
- The alternatives to NRIC numbers.
- Operational perspective on placing job advertisements involving NRIC.
- The collection, use and disclosure of NRIC on job applicants, existing employees, and ex-employees.
7. The rules governing data breach notification (DBN), which came into effect on 1 February 2021.
- The definition and interpretation of DBN.
- The obligations for the organisation to report to PDPC and the affected individuals.
- The exceptions under which it is not necessary to report a data breach to the PDPC, and the remedial actions.
- The bearing of DBN on data intermediaries.
- The penalties for data breach and how to mitigate or safeguard against the heavy penalties.
- The need for training and a code of conduct for all employees involved in safeguarding personal data, and the disciplinary actions for a data breach.
8. Applicability of the PDPA to different situations
- Employment, Receptionist, Security department.
- Photography, recordings and CCTV of job applicants, employees, and ex-employees.
- Personal identification documentation such as NRIC, Passport, Foreign Identification.
- Alternatives to NRIC.
- The permitted situations to collect NRIC.
9. Roles of Data Protection Officer (DPO)
- Appointment of DPO/ Possible Roles of a DPO/ Governance Structures.
- Assessment: Develop a Governance Structure for Your Organisation.
- Under DBN, the need for audit and risk assessment.
- Responsibilities and training requirements for DPO.
Lecture and case study.
Who Should Attend
Human Resource practitioners