PDPA Compliance · 10 min read · 26 April 2026

PDPA and Employee Data: What Singapore Employers Must Know

Guide to handling employee personal data under Singapore's PDPA. Covers HR data collection, consent requirements, payroll records, CCTV in the workplace, and common compliance mistakes employers make.

ComplyHQ Team


Most employers understand that the PDPA covers customer data. Fewer realise it applies equally to employee data. Every piece of personal information you collect during hiring, employment, and after termination falls under the PDPA. Getting this wrong attracts the same penalties as a customer data breach: since 1 October 2022 the PDPC can impose a financial penalty of up to S$1 million or, for organisations with annual turnover in Singapore above S$10 million, up to 10% of that turnover, whichever is higher.

This guide covers the practical steps Singapore employers need to take to handle employee data compliantly.

What Employee Data Is Covered

The PDPA protects personal data: data about an individual who can be identified from it, either on its own or together with other information the organisation has or is likely to have access to. In an employment context, this includes:

  • Recruitment data: Resumes, cover letters, interview notes, reference check results, background check reports
  • Employment records: NRIC numbers, contact details, bank account information, salary details, CPF contributions
  • Performance data: Appraisals, disciplinary records, training records, promotion assessments
  • Health data: Medical certificates, insurance claims, pre-employment medical results
  • Monitoring data: CCTV footage, email logs, internet usage records, GPS tracking data
  • Biometric data: Fingerprints and facial recognition data used for attendance systems

If you collect any of this data, you are subject to the PDPA's requirements.

The Employment Exception: What It Covers and What It Does Not

The PDPA's consent exceptions (the Second, Third and Fourth Schedules of the original Act, consolidated into the First and Second Schedules by the 2020 amendments) allow employers to collect, use and disclose personal data without consent in certain situations.

Covered by the exceptions:

  • Collecting and using data to evaluate candidates during recruitment
  • Processing data necessary for managing the employment relationship (salary, CPF, leave)
  • Disclosing data to government agencies as required by law (MOM, IRAS, CPF Board)
  • Using data for business asset transactions (mergers, acquisitions)

Not covered (consent is still required):

  • Using employee data for purposes beyond employment (marketing, newsletters)
  • Sharing employee data with third parties not directly involved in employment (unless for a permitted purpose)
  • Collecting data that is not necessary for the employment relationship
  • Monitoring activities that go beyond reasonable workplace management

The critical point: even where consent is not required, the notification obligation still applies whenever you rely on the employment-relationship exception. You must tell employees what data you collect and why.

Step-by-Step: Managing Employee Data Compliantly

1. Audit Your HR Data Collection

Before you can comply, you need to know what you collect. Map every type of personal data your HR processes touch:

  • What data do you collect at each stage (recruitment, onboarding, employment, offboarding)?
  • Where is each type of data stored (HRIS, spreadsheets, email, paper files)?
  • Who has access to each type of data?
  • How long do you keep each type of data?

This is essentially a data inventory exercise focused on HR data. ComplyHQ's data inventory builder can automate this process.

2. Create an Employee Privacy Notice

You must inform employees about your data practices. An employee privacy notice should cover:

  • What data you collect and the purposes for collection
  • How you use the data (payroll, performance management, benefits administration)
  • Who you share it with (payroll providers, insurance companies, government agencies)
  • How long you retain it after employment ends
  • How employees can access their own data or request corrections
  • Your DPO's contact details for data protection queries

This notice should be provided at the start of employment and whenever your practices change. Many employers include it in the employee handbook.

3. Implement Access Controls

Not every HR team member needs access to all employee data. Apply the principle of least privilege:

  • Salary and bank details: Restricted to payroll administrators
  • Medical records: Restricted to HR manager handling leave/benefits
  • Performance records: Accessible to direct supervisors and HR
  • NRIC numbers: Collect the full number only where the law requires it or identity must be verified to a high degree of fidelity (per the PDPC's NRIC Advisory Guidelines), and restrict it to the few staff who need it, typically payroll
  • Disciplinary records: Restricted to relevant HR personnel

Document who has access to what, and review these permissions quarterly.
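
The quarterly review above is easier to do consistently as a script than by eye. The following is an added example, not ComplyHQ's code: the policy matrix is the list above, while the role names, store names and the users granted access to them are constructed for the example. It flags three kinds of deviation from least privilege: a user whose roles do not justify a grant, a grant for someone HR no longer lists at all (the usual offboarding gap), and a store nobody has classified, which cannot be reviewed at all.

```python
"""Quarterly least-privilege review of HR data stores.

Added example; not ComplyHQ's code. The policy matrix follows the list above;
role names, store names and the users in them are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Data category -> roles permitted to access it (the matrix from the section above).
POLICY: Dict[str, Set[str]] = {
    "salary_bank": {"payroll_admin"},
    "medical": {"hr_benefits_manager"},
    "performance": {"hr_generalist", "line_manager"},
    "disciplinary": {"hr_generalist"},
    "nric": {"payroll_admin"},
}

# Constructed sample: HR's current role assignments. "erin" left last quarter
# and no longer holds any role.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_admin"},
    "bob": {"hr_generalist"},
    "carol": {"line_manager"},
    "dave": {"hr_benefits_manager"},
}

# Constructed sample: what each store actually grants, as exported from the
# HRIS or file share. Each store is tagged with the category it holds.
STORE_ACLS = {
    "payroll_sheet.xlsx": {"category": "salary_bank", "users": {"alice", "bob"}},
    "medical_claims_db": {"category": "medical", "users": {"dave", "erin"}},
    "appraisals_2025": {"category": "performance", "users": {"bob", "carol"}},
    "legacy_hr_dump.csv": {"category": "unknown", "users": {"alice"}},
}


@dataclass(frozen=True)
class Finding:
    store: str
    user: Optional[str]
    issue: str  # "over_privileged", "unknown_user" or "unclassified"


def review_access(policy, user_roles, store_acls) -> List[Finding]:
    """Return every grant the policy does not justify."""
    findings = []
    for store, acl in store_acls.items():
        allowed = policy.get(acl["category"])
        if allowed is None:
            # A store nobody has classified cannot be checked against the policy.
            findings.append(Finding(store, None, "unclassified"))
            continue
        for user in sorted(acl["users"]):
            roles = user_roles.get(user)
            if not roles:
                # Offboarding gap: the person is gone from HR's role list but
                # the grant is still on the store.
                findings.append(Finding(store, user, "unknown_user"))
            elif roles.isdisjoint(allowed):
                findings.append(Finding(store, user, "over_privileged"))
    return findings


def access_matrix(store_acls) -> Dict[str, Set[str]]:
    """Who currently has access to which data categories: the 'document who
    has access to what' record kept alongside the review."""
    matrix: Dict[str, Set[str]] = {}
    for acl in store_acls.values():
        for user in acl["users"]:
            matrix.setdefault(user, set()).add(acl["category"])
    return matrix


if __name__ == "__main__":
    for f in review_access(POLICY, USER_ROLES, STORE_ACLS):
        print(f"{f.issue:16}{f.store:22}{f.user or '-'}")
    for user, cats in sorted(access_matrix(STORE_ACLS).items()):
        print(f"{user}: {', '.join(sorted(cats))}")
```

On the constructed sample the review reports bob's grant on the payroll sheet (an HR generalist has no business with salary and bank details), erin's surviving grant on the medical claims store, and the unclassified legacy export. Export the real ACLs from your HRIS and file shares, keep the output with the quarter's review record, and treat every "unclassified" finding as a data-inventory gap to close before the next cycle.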

4. Secure Employee Data

Employee data often includes sensitive information like NRIC numbers, bank accounts, and medical records. Your security measures should be proportionate to the sensitivity:

  • Encrypt employee data at rest and in transit
  • Password-protect spreadsheets containing personal data as a stopgap, using the application's encrypt-with-password option (a "protect sheet" or "protect workbook" setting only blocks edits and does not encrypt the file); better yet, move to a proper HRIS
  • Secure paper files in locked cabinets with restricted access
  • Train staff on data handling procedures
  • Have a breach response plan — see our breach notification guide
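
Proportionate protection for NRIC numbers usually means two things: check the number once at intake so a typo is not carried for years, and keep only a masked form in every system that has no legal need for the full number. The following is an added example, not ComplyHQ's code and not the PDPC's. The checksum is the published NRIC/FIN algorithm for the S, T, F and G prefixes (M-series FINs, issued since 2022, use a different letter table and are simply rejected here). The masked form keeps the last three digits and the checksum letter, the partial NRIC that the PDPC's NRIC Advisory Guidelines treat as acceptable. Which stores are allowed to hold the full number is an assumption for the example.

```python
"""Validate an NRIC/FIN once at intake, then keep only a masked form outside
the systems that have a legal need for the full number.

Added example; not ComplyHQ's code and not the PDPC's. Checksum covers the
S/T/F/G prefixes only; M-series FINs (issued since 2022) are rejected.
"""
import re

_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",  # citizens and PRs
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",  # FINs
}
_FORMAT = re.compile(r"^[STFG][0-9]{7}[A-Z]$")


def nric_is_valid(value: str) -> bool:
    """True if the checksum letter matches the seven digits."""
    value = value.strip().upper()
    if not _FORMAT.match(value):
        return False
    total = sum(int(d) * w for d, w in zip(value[1:8], _WEIGHTS))
    if value[0] in "TG":  # series issued from 2000 carry an offset of 4
        total += 4
    return _CHECK_LETTERS[value[0]][total % 11] == value[8]


def mask_nric(value: str) -> str:
    """S1234567D -> *****567D: last three digits plus checksum letter."""
    value = value.strip().upper()
    if not nric_is_valid(value):
        raise ValueError("not a well-formed NRIC/FIN")
    return "*" * 5 + value[-4:]


# Assumption for the example: only these stores have a legal basis for the full number.
FULL_NRIC_STORES = {"payroll", "cpf"}


def sanitise_for_store(record: dict, store: str) -> dict:
    """Copy of the record fit for `store`: the full NRIC only where it is
    needed, the masked form everywhere else (recruitment, appraisals, training)."""
    out = dict(record)
    nric = out.get("nric")
    if nric:
        out["nric"] = nric.strip().upper() if store in FULL_NRIC_STORES else mask_nric(nric)
    return out


if __name__ == "__main__":
    applicant = {"name": "Constructed Applicant", "nric": " s1234567d "}  # constructed sample
    print(sanitise_for_store(applicant, "recruitment"))  # masked
    print(sanitise_for_store(applicant, "payroll"))      # full
```

Run `sanitise_for_store` at the boundary where a record leaves payroll for any other system, so the recruitment, appraisal and training stores never see more than `*****567D`. The masked form is still enough to reconcile a record against payroll by hand, which is usually all those systems need.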

5. Manage Third-Party Data Sharing

If you use external providers for payroll, benefits, recruitment, or background checks, you must:

  • Include data protection clauses in all vendor contracts
  • Verify vendors have adequate security measures
  • Ensure data is only used for the agreed purposes
  • Inform employees that their data is shared with these providers

Remember: under the PDPA, you remain responsible for employee data even when a vendor processes it.

6. Establish Retention and Disposal Policies

You cannot keep employee data forever. Create a retention schedule:

  • Current employees: Keep only data that is necessary for the ongoing employment relationship
  • Employment Act records: Retain salary and employment records for at least 2 years after the employee leaves
  • CPF records: Retain for at least 2 years
  • Medical records: Retain per your retention policy, but no longer than necessary
  • Recruitment data for unsuccessful candidates: Dispose within a reasonable period (6-12 months is common practice)

When the retention period expires, securely dispose of the data: shred paper records and permanently delete digital files, including the copies that accumulate in mailboxes, shared drives and backups.
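
A retention schedule only works if something actually computes when each record falls due, and the clock starts from a different event for each category (the leave date for employment and CPF records, the decision date for an unsuccessful candidate, the capture date for footage). The following is an added example, not ComplyHQ's code. The periods follow the schedule above; where the text leaves the period to your own policy (medical records, unsuccessful candidates, CCTV) the figure used is an assumption and is marked as such, and the legal-hold flag is also an assumption. The sample records are constructed.

```python
"""Retention-schedule check for HR records.

Added example; not ComplyHQ's code. Periods marked "assumption" are choices
within the ranges the article gives, not requirements.
"""
import calendar
from datetime import date

# Category -> (record field that starts the clock, months to retain after it).
SCHEDULE = {
    "employment_record": ("leave_date", 24),          # Employment Act: 2 years after leaving
    "cpf_record": ("leave_date", 24),                 # at least 2 years
    "medical_record": ("leave_date", 24),             # assumption: aligned with employment records
    "candidate_unsuccessful": ("decision_date", 12),  # assumption: top of the 6-12 month range
    "cctv_footage": ("capture_date", 3),              # assumption: ~90 days, top of the 30-90 range
}

RUN_DATE = date(2026, 4, 26)  # the article's date, used as "today" in the demo


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic: 31 Jan + 1 month is the last day of Feb."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(record: dict):
    """Last day the record must be kept, or None if it cannot be scheduled yet."""
    field, months = SCHEDULE[record["category"]]
    start = record.get(field)
    if start is None:
        return None  # e.g. a current employee has no leave_date yet: keep it
    if record.get("legal_hold"):
        return None  # assumption: a hold for an investigation overrides the schedule
    return add_months(start, months)


def disposal_due(records, today: date):
    """IDs of records whose retention period has expired as of `today`."""
    due = [r["id"] for r in records
           if (end := retention_end(r)) is not None and today > end]
    return sorted(due)


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "emp-001", "category": "employment_record", "leave_date": date(2023, 3, 31)},
    {"id": "emp-002", "category": "employment_record", "leave_date": None},  # still employed
    {"id": "emp-003", "category": "cpf_record", "leave_date": date(2024, 6, 30)},
    {"id": "emp-004", "category": "medical_record", "leave_date": date(2023, 1, 15), "legal_hold": True},
    {"id": "cand-007", "category": "candidate_unsuccessful", "decision_date": date(2025, 2, 10)},
    {"id": "cam-01", "category": "cctv_footage", "capture_date": date(2026, 3, 1)},
    {"id": "cam-02", "category": "cctv_footage", "capture_date": date(2025, 12, 31)},
]

if __name__ == "__main__":
    print(disposal_due(SAMPLE_RECORDS, RUN_DATE))
```

Run against the constructed sample on the article's date, the check returns the employment record of someone who left in March 2023, the unsuccessful candidate decided in February 2025 and the footage captured at the end of December 2025; the current employee, the record under hold and the newer records stay. Feed it the real export from your HRIS and use the result as the disposal worklist, keeping the list itself (IDs, not the data) as evidence that the schedule was applied.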

Common Mistakes Employers Make

Collecting More Data Than Necessary

Many employers collect data out of habit rather than necessity. Do you really need a candidate's NRIC number at the application stage? Do you need their marital status if it is not relevant to benefits? The PDPA requires you to collect only what is necessary for the stated purpose.

Using Employee Data for Marketing

Sending marketing emails to your own employees using their work email addresses still requires consent if the content is unrelated to their employment. Company newsletters about work matters are fine. Promotional material for the company's products is a different matter.

Neglecting Data After Termination

When an employee leaves, their data does not disappear. Many employers retain ex-employee data indefinitely in old email accounts, shared drives, and HR systems. Establish a clear offboarding data process: archive what you must keep legally, delete everything else.

Insufficient CCTV Policies

If your workplace has CCTV cameras, you must:

  • Inform employees that monitoring is taking place
  • Display clear signage in monitored areas
  • Define and communicate the purpose (security, not performance monitoring)
  • Limit access to CCTV footage
  • Establish a retention period for footage (30-90 days is typical)

Handling Employee Data Access Requests

Under the PDPA, employees have the right to request access to their personal data, to find out how it has been used or disclosed in the year before the request, and to request corrections. When an employee submits a data access request:

  1. Respond as soon as reasonably possible. If you cannot respond within 30 days, tell the employee in writing, within those 30 days, when you will
  2. Provide the data in a reasonable format
  3. You may charge a reasonable fee to cover costs, but give a written estimate first and do not exceed it without the employee's agreement
  4. You can refuse the request only in specific circumstances listed in the Fifth Schedule (e.g., data relates to other individuals, or disclosure could harm an ongoing investigation)

How ComplyHQ Helps

ComplyHQ's AI-powered platform helps you manage employee data compliance:

  • Data inventory builder maps your HR data flows automatically
  • Policy generator creates employee privacy notices and internal data protection policies
  • Gap assessment identifies compliance gaps in your HR data practices
  • AI compliance chat answers specific questions about employee data handling

Start with a free assessment to see where your HR data practices stand.

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Try Free Assessment

Frequently Asked Questions

Does the PDPA apply to employee data?
Yes. The PDPA applies to personal data collected by private sector organisations, including employee data. Employers must comply with all 10 PDPA obligations when collecting, using, and disclosing employee personal data. Public agencies are excluded and are governed by separate rules.
Do I need employee consent to collect personal data during hiring?
Often not. The PDPA's consent exceptions (originally the Second, Third and Fourth Schedules, now consolidated into the First and Second Schedules) let employers collect, use and disclose data without consent for evaluative purposes, such as hiring assessments and reference checks, and for managing the employment relationship. You must still notify employees of the purposes for which their data is collected and used during employment.
How long should I keep ex-employee records?
The Employment Act requires employers to keep salary and employment records for current employees and for at least 2 years after an employee leaves. CPF records must be kept for at least 2 years. For PDPA compliance, you should not retain personal data longer than necessary for the purpose it was collected. Establish a clear retention schedule and securely dispose of records when the retention period expires.
Can I use CCTV in the workplace without employee consent?
Yes, provided you notify. CCTV installed for security purposes does not normally need individual consent, but you must tell employees that CCTV is in use, which areas it covers and why, and place clear signage in monitored areas. The PDPC has stated that covert surveillance is only acceptable in limited circumstances, such as investigating suspected criminal activity, and even then it should be proportionate.
Can I share employee data with a payroll vendor?
Yes, but you must take steps to protect the data. Under the PDPA, you remain responsible for employee data even when processed by a third party. Your contract with the payroll vendor must include data protection clauses, and you should verify the vendor has adequate security measures. You must also inform employees that their data may be disclosed to third-party service providers.

Ready to get PDPA compliant?

Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.
