How To Comply With The New Ppa

Transcription

1 PDPA Singapore: What Recruiters Need To Know Singapore Japan Vietnam Indonesia China Malaysia Hong Kong

2 CONTENT Introduction Page Understanding the PDPA What is Personal data? Summary of PDPA framework The 9 commandments of the PDPA It s time for the DPO PDPA & Recruitment: Other Common Questions You could be held criminally liable The Most important Obligation of All: The Protection Obligation Security is our prime concern: The Protection Obligation 8 9

3 Introduction The enactment of the Personal Data Protection Bill will strengthen Singapore s overall competitiveness, and enhance our status as a trusted hub and choice location for global data management and processing services. It will also address growing concerns over the misuse of personal data and provide much needed protection for individuals in Singapore. Dr Yaacob Ibrahim, Minister for Information, Communications and the Arts It comes as no surprise that the data privacy trend is catching on in Asia. Data protection frameworks have long been implemented across the globe, with Canada and Australia being some of the earliest adopters. Countries around the world are now shifting towards an information-based economy, leading to the emergence of a new class of assets known as personal data. The introduction of Singapore s PDPA follows a series of developments in the data privacy landscape within the Asia Pacific region. In 2010, Taiwan passed its Personal Information Protection Act (PIPA) and Malaysia, its Personal Data Protection Act (PDPA). Two years later in 2012, Philippines enacted its Data Privacy Act and South Korea s PIPA came into force in March Now, in 2014, it is Singapore s turn. I m a Recruiter. Why does the PDPA matter to me? Working in the staffing industry means that candidate, client and contact information is critical data - but how do you safeguard your recruiting business amidst the new laws and ensure that you are always audit-ready? This guide provides an overview of what PDPA is and how it applies to your recruitment processes. The PDPA shouldn t be a recruiter s worst nightmare. Read on to equip yourself with everything you need to comply with the new laws. 1

4 hrboss.com 1. Understanding PDPA 1.1 What is Personal Data? Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has, or is likely to have, access. Examples of personal data (but are not limited to): Name Address Gender Date of Birth Telephone Number Photographs Videos 1.2 Summary of the PDPA Framework What is the Personal Data Protection Act about? The PDPA is a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. In brief, the PDPA covers the following issues: Having reasonable purposes, notifying purposes and obtaining consent for collection, use or disclosure of personal data; Allowing individuals to access and correct their personal data; Taking care of personal data, which relates to ensuring accuracy, protecting personal data (including protection in the case of transfers) and not retaining personal data if no longer needed; and Having policies and practices to comply with the PDPA. Do Not Call Registry (DNC) [Click here to read more about DNC provisions.] 2

5 1.3 The 9 Commandments of the PDPA The Data Protection Provisions encompasses nine main obligations which organisations must abide by if they undertake activities relating to data. 1. The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose. 2. The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned. 3. The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual s personal data on or before such collection, use or disclosure of the personal data. 4. The Access and Correction Obligation (PDPA sections 21 and 22): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual s personal data that is in the possession or under the control of the organisation. (This obligation will be considered in greater detail in advisory guidelines to be issued at a future date) 5. The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation. 6. The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 7. The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes. 8. The Transfer Limitation Obligation (refer to PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA. (This obligation will be considered in greater detail in advisory guidelines to be issued at a future date) 9. The Openness Obligation (refer to PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available. Source: 3

6 1.4 It s Time for the DPO ( Data Protection Officer ) Every organisation must appoint a compliance officer to be responsible for ensuring that the organisation complies with the PDPA. The DPO will be in charge of: Communicating the internal personal data protection policies and processes to customers, members and employees; Handling queries or complaints about personal data from customers, members and employees; Alerting your organisation to any risks that might arise with personal data Liaising with the PDPC, if necessary. 4

7 2. PDPA & Recruitment: Other Common Questions How does PDPA apply to recruitment processes? When recruiting, organisations usually collect large amounts of personal data from candidates. It is important for organisations to inform individuals the purpose of collecting, using or disclosing their personal data and obtain consent to do so. Recruitment Agencies should ensure that policies implemented and practices carried out meets the obligations under the PDPA framework during recruitment. Refer to Consent Obligation & Notification Obligation above. How does the PDPA apply to recruitment agencies? Recruitment companies, employment agencies, head-hunters and other similar organisations are subjected to the PDPA. Recruitment agencies will have to inform job applicants of the purposes for which they are collecting, using or disclosing their personal data, and obtain consent before doing so. For recruitment agencies that are acting as data intermediaries, there may be a partial exclusion from the obligations under the PDPA. The PDPA provides that a data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing will only be subject to the provisions in the PDPA relating to the safeguarding and retention of personal data in respect of such processing. In certain circumstances these recruitment agencies could qualify as data intermediaries. For more information on data intermediaries, please refer to the section from the obligations under the PDPA. The PDPA provides that a data intermediary that processes personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing will only be subject to the provisions in the PDPA relating to the safeguarding and retention of personal data in respect of such processing. In certain circumstances these recruitment agencies could qualify as data intermediaries. For more information on data intermediaries, please refer to the section on Excluded Organisations in the Key Concept Guidelines. What about reference checks? Under the PDPA, organisations are not required to obtain consent of individuals if the collection, use or disclosure of personal data is needed for evaluative purposes. This means that organisations are allowed to collect, use and disclose personal data without consent if data is meant for determining the suitability, eligibility or qualifications of the job applicant for a job. Source: 5

8 hrboss.com Does an organisation need to seek the consent of a job applicant for the collection and use of his personal data? When an individual voluntarily (e.g. through job application or recruitment advertisement), provides his personal data to an organisation, he may be deemed to consent to the organisation collecting, using and disclosing the personal data for the purpose of assessing his job application. However, if the organisation wish to use the personal data for other purposes, the organisation must then inform the individual of those purposes and obtain his consent. Can organisations collect and use personal data on the job applicant from social networking sources (e.g. Facebook or Twitter)? The PDPA does not require organisations to obtain the consent of the job applicant when collecting personal data that is publicly available e.g newspapers, telephone directories and websites containing content which is generally available to the public. Can organisations use the information in business cards for recruitment? The Data Protection Provisions in the PDPA do not apply to business contact information, which is defined in the PDPA as: an individual s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes. If the individual provided his business card for purposes other than solely for personal purposes, then the organisation is not required to comply with the PDPA in respect of the contact information set out in the business card. How long can an organisation keep the personal data of job applicants who are not hired? After an organisation has decided which job applicant to hire, the personal data that the organisation had collected from the other job applicants should only be kept for as long as it is necessary for business or legal purposes. Can job applicants ask the organisation to reveal how much information the organisation has on them or find out why they were not selected? Under the PDPA, individuals have the right to obtain access and request corrections to their personal data held by organisations. Upon request, the organisation must also inform the individual of the ways in which the personal data had been used for the past year. Thus, organisations must reveal to the job applicant who requests so, the personal data the organisation has on them. There are however exceptions to this obligation to provide access to personal data, including several mandatory exceptions. Please refer to the section on The Access and Correction Obligation in the Key Concept Guidelines for more details. 6

9 3. You could be held criminally liable. As the PDPA comes into full force in July 2014, Staffing organisations should take advantage of the transitional period now to implement practices and policies to ensure compliance with the new law and that all these obligations are fulfilled. If your business has not adopted any data protection policies yet, its definitely time to consider implementing a recruitment process that is appropriate and ensures compliance. If the PDPC (Personal Data Protection Commission) finds that an organisation is in breach of any of the data protection provisions in the PDPA, the organisation will be required to: 1. Stop collecting, using or disclosing personal data in contravention of the Act How do you recruit if you can t collect candidate information and data? 2. Destroy personal data collected in contravention of the Act; No data means losing successful job placements and perhaps even losing the business altogether. 3. Provide access to or correct the personal data; and/or How will this reflect on your company s reputation in providing accurate candidate information to clients and vice versa? 4. Pay a financial penalty of an amount up to $1 million. Can you afford to pay the fine? 7

10 hrboss.com 4. The Protection Obligation - the most important obligation of all As a recruiter or employee, you work first hand with data. You deal with personal data when screening candidates, job applications and liaising with clients. Being in charge of data means that you are responsible for the accuracy and security of the database. If you re in the top management level, a staffing firm owner or CEO, you can t afford to have your precious data compromised, deleted or even stolen. Any breaches will cost you your business it s not worth losing an arm and a leg. Even if you have a checklist in place to help keep you on track about the collection, use and disclosure of personal data across the entire organisation, all these will be futile if basic security measures are not in place. All your data is highly vulnerable to not just external, but internal threats as well. Have you assessed the personal data protection risks within your organisation and put in place personal data security policies? Consider the following 3 questions with regards to your organisation s current practices: 1. Is the personal data secure? It s not surprising to find that some recruiting organisations still depend on excel spreadsheets or even SharePoint to store data. It s your duty to keep personal data under your control safe and secure from unauthorised access. Consider the likelihood of security failures, including possible threats and vulnerabilities. Do external parties have easy access to the personal data that you hold? Are hardcopy records still used? Are they filled immediately upon submission to prevent others from obtaining access? 2. Is the personal data adequately classified in your database system? Different sets of data can be accessed by various parties. It is important that your employees, vendors and partners access the personal data on a need-to know basis hence the data should be classified and stored adequately to ensure only authorised access. 3. Is your database system able to pull out compliance reports ready for audit? Do you conduct or schedule regular audits on the data protection processes within your organisation? Are there any remedial measures in place in the event of a breach? Reference: 8

11 5. Security is our prime concern StaffingBoss is Asia s 1 st dedicated staffing CRM solution built in Asia for global businesses. A recruiting agency software built for speed and power, StaffingBoss comes with embedded Business Intelligence. With StaffingBoss, you can be assured that your data is in safe hands. StaffingBoss utilises various cloud storage resources and best practices so that a high level of security and integration can be achieved. Candidate and client data ownership is an area of increasing concern among agency owners so StaffingBoss follows the gold-standard in data protection. StaffingBoss s Expertise in Data Protection 99 HTTPS using Secure Sockets Layer (SSL) A protocol that provides secure communications through the internet. Activities on StaffingBoss are as secure as internet banking. 99 ISO SOC 1 SSAE 16 ISAE 3402 Certified You are assured that relevant security controls have been set in place for handling data. With StaffingBoss, the security measures you are working within are equivalent to the best industry practices. 99 Formidable against external threats StaffingBoss system is built to deter any attack against consumer s data such as DoS Attacks, SQL Injection, Port Scanning, MITM attacks etc. 99 Database & Servers hosted at Amazon Data Center Amazon Web Services provides a world-class Cloud infrastructure with highly secure data centre that uses state-of-the-art surveillance. Click here to read more about the security features of our database & server host. 99 Daily Back-up of Client Data We respect our client s database s privacy and confidentiality so ultimately, all the data is yours. A 100%. 9

12 hrboss.com Switching to StaffingBoss is easy One of the factors that distinguishes us from other vendors is a seamless data migration experience. We help with data relocation so our clients are reassured that they can easily move from their current system to StaffingBoss, without risk of losing precious data and documents (both current and historical) about jobs, companies, clients and candidates. Read our article here on non-disruptive data-migration for recruitment agencies We don t believe in long distance relationships. HRBoss is the only company offering friendly, in-country support across Asia. Some of the other features include: Embedded business intelligence Real time data on every screen Advanced search tool Powerful visual analytics & Reporting engine Resume Parsing integration Job board & social integration Optimised for mobile Access data anytime, from anywhere 10

13 To safeguard your recruitment business and processes from any potential breaches, staffing and recruiting organisations must no longer manage data in an unfettered manner. Getting your basic IT infrastructure right is key to a protected database. Data encryption and security solution is the route to compliance in light of the recent PDPA enforcements. If you wish to learn more about how StaffingBoss can help you in your recruitment process, please contact us at marketing@hrboss.com, we d love to show you what StaffingBoss can do for you. Here are some of our StaffingBoss clients: Click here to view the full profile of our clients. 11

14 hrboss.com About HRBoss HRBoss is Asia s leading provider of data-driven software for both corporate HR and recruiting firms. Founded in 2011, we are rapidly expanding our footprint across Asia with offices currently open in 7 countries today (Singapore, Japan, Vietnam, Indonesia, China, Malaysia and Hong Kong) and additional Asian, European and US offices launching in All of our Cloud solutions are intuitive, highly-configurable and are supported locally on-theground where you are. HRBoss services companies from all industries, from local start-ups and government agencies through to industry leaders, including Changi Airport Group, Singtel, Nissan, the Economic Development Board of Singapore, Michael Page International and MetLife. Recent accolades include Best SaaS (international) at the 2014 Cloud Awards Best Big Data Solution at the China HR Pioneer Awards 2013 Best Software-as-a-Solution at the 2013 SiTF Awards. Our Awards : Tech Company of the Year Best HR Big Data Soluiton Best Software as-a-service Best Software-as-a Service Stevie Aards 2014 HR Pioneer Awards 2014 The Cloud Awards 2014 SiTF Awards 2013 ASIA PACIFIC CHINA U.S.A. SINGAPORE Connect with Us : 12

15 CONTACT SINGAPORE Hours: 9am-6pm SGT, Mon-Fri OFFICE : Support: Fax: Sales.Singapore@hrboss.com Address: 17A Boon Tat Street Singapore OTHER COUNTRIES JAPAN Hours: 9am-6pm, Mon-Fri Office: +81 [0] Support: +81 [0] Fax: +81 [0] Sales.Japan@hrboss.com Address: Clover Kamiyacho 10F, Toranomon, Minato-ku, Tokyo Japan VIETNAM Hours: 8:30am-5:30pm, Mon-Fri Office: Support: Fax: Sales.VietNam@hrboss.com Address: 9F, President Place, 93 Nguyen Du Street, District 1, Ho Chi Minh City, Vietnam INDONESIA Hours: 9am-6pm, Mon-Fri Office: Support: Fax: Sales.Indonesia@hrboss.com Address: Sequis Center Building 9th Floor Jl.Jend.Sudirman Kav.71 Jakarta Indonesia CHINA Hours: 9am-6pm, Mon-Fri Office: Support: Fax: Sales.China@hrboss.com Address: 18/F Shanghai Oriental Center 699 West Nanjing Road, Jingan Shanghai China MALAYSIA Hours: 9:00am-6:00pm, Mon-Fri Office: Support: Fax: Sales.Malaysia@hrboss.com Address: Level Block 2, PJ City Centre, Jalan Utara Petaling Jaya, Selangor Malaysia HONG KONG Hours: 9am-6pm, Mon-Fri Office: Support: Fax: Sales.HongKong@hrboss.com Address: Level 19, Two International Finance Centre 8 Finance Street, Central Hong Kong, China 13

16 14 hrboss.com