PDPA Compliance | 10 min read | 7 May 2026

Employee Monitoring and the PDPA: What Singapore Employers Can and Cannot Do

Complete guide to PDPA-compliant employee monitoring in Singapore. Covers CCTV, email monitoring, GPS tracking, keystroke logging, and WFH surveillance. Learn what is legal and best practices for compliance.

ComplyHQ Team

Employee monitoring is one of the most sensitive areas of data protection in Singapore. As an employer, you have legitimate reasons to monitor workplace activity -- security, compliance, productivity, protecting company assets. But every form of monitoring involves collecting personal data about your employees, which brings you squarely within the scope of the Personal Data Protection Act (PDPA).

Get the balance wrong, and you face two risks: PDPA enforcement action from the Personal Data Protection Commission (PDPC) with penalties of up to S$1 million, and damage to employee trust that is far harder to repair than any fine.

This guide covers the PDPA rules for common forms of employee monitoring, practical compliance steps, and real enforcement cases that show where employers have crossed the line.

Does the PDPA Apply to Employee Data?

Yes. The PDPA applies to the collection, use, and disclosure of personal data by organisations, and employees' personal data is no exception. Employment data receives limited exemptions under the PDPA (primarily for evaluative purposes under the Fourth Schedule), but these exemptions are narrow and do not provide a blanket right to monitor employees however you wish.

The key principles that apply to employee monitoring are:

  • Purpose limitation -- you can only collect personal data for purposes that a reasonable person would consider appropriate
  • Notification -- you must inform employees about what data you collect, why, and how it is used
  • Consent -- required in most cases, though deemed consent may apply when employees are informed through policies
  • Proportionality -- the monitoring must be proportionate to the legitimate purpose
  • Retention limitation -- monitoring data should not be kept longer than necessary

Common Forms of Employee Monitoring

CCTV and Video Surveillance

CCTV in the workplace is the most common form of employee monitoring in Singapore. The PDPC has issued specific guidance on this.

What is permitted:

  • CCTV in common work areas (lobbies, corridors, open-plan offices) for security and safety purposes
  • CCTV at entry and exit points for access control
  • CCTV in warehouses, production areas, and retail spaces for loss prevention

What is not permitted:

  • CCTV in areas where individuals have a reasonable expectation of privacy -- toilets, changing rooms, nursing rooms, prayer rooms
  • Covert CCTV without any notification to employees (except in limited investigation scenarios, and even then, legal advice is strongly recommended)

Compliance requirements:

  • Display clear signage informing people that CCTV is in operation
  • Include CCTV monitoring in your employee data protection policy
  • Limit footage retention to a reasonable period (30-90 days is typical)
  • Restrict access to footage to authorised personnel only
  • Ensure footage is stored securely with access logs

Email and Communication Monitoring

Monitoring work email accounts is generally permissible, but monitoring personal communications is a higher-risk area.

Best practices:

  • Draft a clear acceptable use policy (AUP) that states company email accounts may be monitored
  • Distinguish between company email and personal email -- avoid monitoring personal accounts
  • Inform employees that work messaging platforms (Slack, Teams, company WhatsApp groups) may be reviewed for compliance purposes
  • Limit monitoring to metadata and flagged content rather than reading every message
  • Document the business justification for monitoring (regulatory compliance, security incident investigation, quality assurance)

PDPC enforcement context: The PDPC has not published a case specifically about email monitoring, but the principles from enforcement decisions consistently emphasise the importance of purpose limitation and proportionality. Monitoring all employee emails without a specific purpose would be difficult to justify.

GPS and Location Tracking

GPS tracking is common for companies with field workers, delivery drivers, and company vehicle fleets.

When GPS tracking is permitted:

  • Tracking company vehicles during work hours for fleet management, route optimisation, and safety
  • Tracking company-issued devices during work hours when employees have been informed
  • Tracking for safety purposes in hazardous environments

When GPS tracking is problematic:

  • Tracking personal vehicles, even if used for work purposes, without explicit consent
  • Continuing to track outside work hours (this is a significant PDPA risk)
  • Tracking employees' personal mobile phones without consent

Compliance steps:

  • State clearly in the employment contract or vehicle use policy that company vehicles are GPS-tracked
  • Define the hours during which tracking is active
  • Provide a mechanism to disable tracking outside work hours (or prove that tracking data outside work hours is not accessed)
  • Limit access to location data to authorised managers

Computer Activity Monitoring

This includes screen capture software, application usage tracking, internet browsing history monitoring, and keystroke logging.

Proportionality is the key principle here. The more intrusive the monitoring, the stronger the justification must be.

Low-risk (generally acceptable with notice):

  • Monitoring which applications are used on company devices
  • Tracking internet browsing history on company networks
  • Monitoring login and logout times

Medium-risk (requires strong justification):

  • Periodic screen captures during work hours
  • Recording which files are accessed and when
  • Monitoring time spent on specific applications

High-risk (difficult to justify for general use):

  • Continuous screen recording
  • Keystroke logging
  • Webcam monitoring without employee-initiated activation

For any computer monitoring, your IT acceptable use policy must explicitly state what monitoring occurs. Employees should acknowledge this policy in writing.

Work From Home (WFH) Monitoring

Remote work has created new monitoring challenges. Some employers have deployed software that:

  • Takes periodic screenshots of employees' screens
  • Tracks mouse movement and keyboard activity
  • Monitors webcam presence
  • Records application usage and idle time

PDPA considerations for WFH monitoring:

The same principles apply as for office monitoring, but the risk of disproportionality is higher because you are monitoring activity in an employee's home. The PDPC has not yet published specific guidance on WFH monitoring, but the general principles suggest:

  • Focus on output-based performance measurement rather than activity surveillance
  • If monitoring software is used, clearly document what it captures and when
  • Allow employees to deactivate monitoring outside work hours
  • Do not capture personal activities or family members visible on webcam
  • Obtain informed consent through a clear remote work monitoring policy

Building a PDPA-Compliant Monitoring Framework

Step 1: Conduct a Monitoring Audit

List every form of employee monitoring currently in place. For each one, document:

  • What data is collected
  • The business purpose for collection
  • Who has access to the data
  • How long it is retained
  • Whether employees have been informed

Step 2: Apply the Proportionality Test

For each form of monitoring, ask: is this the least intrusive means of achieving the legitimate business purpose? If you can achieve the same goal with a less intrusive method, use that method instead.

For example, if the goal is to ensure productivity, output-based metrics (projects completed, response times, customer satisfaction) are less intrusive than keystroke logging or screen capture.

Step 3: Draft Clear Policies

Create or update the following policies:

  • Employee Data Protection Policy -- what personal data you collect from employees, why, and how it is used
  • IT Acceptable Use Policy -- what monitoring occurs on company devices and networks
  • CCTV Policy -- where cameras are located, how footage is stored, who can access it
  • Remote Work Monitoring Policy (if applicable) -- what monitoring occurs during WFH

These policies should be written in plain language, not buried in dense legal text that nobody reads.

Step 4: Inform and Obtain Acknowledgement

Distribute policies to all employees and obtain written acknowledgement. For new hires, include monitoring policies in the onboarding pack. Deemed consent can apply when employees are properly notified through clear policies, but obtaining explicit acknowledgement strengthens your compliance position.

Step 5: Implement Access Controls

Monitoring data should only be accessible to personnel with a legitimate need. A line manager does not need access to CCTV footage from the lobby. An IT administrator does not need to read individual emails. Implement role-based access controls and maintain access logs.

Step 6: Set Retention Periods

Define and enforce retention periods for all monitoring data:

  • CCTV footage: 30-90 days (unless needed for an investigation)
  • Email logs: in line with your data retention policy
  • GPS data: 30-90 days
  • Computer activity logs: 30-60 days

Delete monitoring data when the retention period expires. Do not keep it indefinitely "just in case."

Real PDPC Enforcement Lessons

While the PDPC has not published a case specifically about employee monitoring overreach, several enforcement decisions offer relevant guidance:

  • Organisations that collect personal data without a clear purpose face enforcement action
  • Failure to implement reasonable security measures for stored personal data leads to financial penalties
  • Collecting more data than necessary for the stated purpose violates the PDPA

The overarching lesson is clear: monitor what you need to, for a legitimate reason, with transparency, and with appropriate safeguards.

How ComplyHQ Can Help

Managing employee monitoring compliance manually is complex, especially as your workforce grows and monitoring tools evolve. ComplyHQ helps Singapore SMEs:

  • Assess your current monitoring practices against PDPA requirements using our AI-powered gap assessment
  • Generate compliant policies -- employee data protection, CCTV, IT acceptable use, and remote work monitoring policies
  • Build a data inventory that includes employee monitoring data alongside customer and vendor data
  • Track compliance status with a centralised dashboard

Our AI compliance copilot can answer your specific questions about employee monitoring, helping you make informed decisions without expensive legal consultations for routine queries.

Start your free PDPA assessment today and find out if your employee monitoring practices are compliant.

Frequently Asked Questions

Can my employer monitor my emails in Singapore?

Yes, but with conditions. Under the PDPA, employers can monitor work email accounts if they have a legitimate business purpose (such as security, compliance, or quality assurance), have informed employees through an acceptable use policy or employment contract, and limit monitoring to work-related communications. Monitoring personal email accounts or personal messages sent from work devices is more problematic and generally requires explicit consent.

Do employers need consent to install CCTV in the office?

Employers generally do not need individual consent for CCTV in common work areas if they have a legitimate security purpose and have informed employees through signage and policies. However, CCTV in private areas such as toilets, changing rooms, or nursing rooms is prohibited. The PDPC also expects employers to limit CCTV footage retention to a reasonable period and restrict access to authorised personnel only.

Can my employer track my location via GPS during work hours?

Yes, employers can use GPS tracking on company vehicles or company-issued devices during work hours if there is a legitimate business purpose (fleet management, safety, customer service) and employees have been informed. However, tracking employees' personal vehicles or personal devices, or tracking outside work hours, is generally not permitted without explicit consent. Employers should clearly define when tracking is active and when it stops.

Is keystroke logging legal in Singapore workplaces?

Keystroke logging is a highly intrusive form of monitoring. While the PDPA does not explicitly prohibit it, the PDPC expects organisations to apply the principle of proportionality. Keystroke logging may be justifiable in very limited circumstances, such as monitoring access to highly sensitive financial systems. For general office work, keystroke logging is likely to be considered disproportionate and may expose the employer to PDPA complaints.

What are the PDPA rules for monitoring remote or WFH employees?

The same PDPA principles apply to remote employees as to office workers: employers need a legitimate purpose, must inform employees, and must limit monitoring to what is proportionate. Screen capture software, webcam monitoring, and mouse-movement trackers are increasingly common but must be carefully assessed for proportionality. Employers should focus on output-based performance measurement rather than invasive surveillance and should clearly document what monitoring occurs in a remote work policy.
