PDPA HR data Singapore is one of the most misunderstood employer obligations. Most Singapore employers think PDPA is about customer data. It applies equally to employee data. The NRIC numbers, salary information, medical records, and biometric templates held by a Singapore employer are personal data under the PDPA, and the same nine obligations apply. Our team has seen Singapore companies invest heavily in customer data protection and then store employee payslips in a public Google Drive folder accessible to everyone in the company. The customer-facing PDPA investment is meaningless if the HR data is unprotected.
PDPA HR Data Singapore
- Employee personal data collected by Singapore employers is subject to all nine PDPA obligations: Consent, purpose limitation, notification, accuracy, security, retention limitation, transfer limitation, access and correction, and data breach notification(Source: PDPC).
- Payroll data (salary, CPF contribution history, bank details) is personal data requiring security measures: Access should be restricted to HR and payroll staff with a documented need.
- Biometric data (fingerprint templates, face geometry) is among the most sensitive HR data categories: PDPC’s advisory on biometric data collection specifies enhanced security and consent obligations.
- Employers who use third-party payroll providers must have a written data processing agreement. The outsourcing does not transfer the PDPA compliance obligation to the vendor.
- Data breach notification is mandatory for breaches affecting significant numbers of individuals or causing significant harm: Notification to PDPC and affected individuals must occur within 3 business days of the assessment decision.
The Nine PDPA Obligations Applied to HR Data
The nine PDPA obligations all apply to employee personal data. Their application in an HR context:
1. Consent: Obtain employee consent for personal data collection. Most HR data collection is covered by the employment contract or the legitimate interests exception. However, biometric data collection and data collection beyond core employment administration require explicit consent.
2. Purpose limitation: Use employee data only for the purposes for which it was collected. Payroll data cannot be used for marketing. Attendance data cannot be shared with third parties without consent.
3. Notification: Inform employees of the data collected, the purposes, and who it will be shared with. An employee data privacy notice at onboarding (as part of the employment contract or separate) satisfies this obligation.
4. Accuracy: Maintain accurate, up-to-date employee records. Outdated bank details causing wrong salary transfers, or incorrect medical records can create both PDPA and Employment Act issues.
5. Security: Implement security measures appropriate to the sensitivity of the data. Salary and bank details require encryption at rest and access controls. Biometric templates require enhanced encryption. Paper records must be locked.
6. Retention limitation: Delete employee personal data when it is no longer needed. Employment records must be retained for at least 2 years under the Employment Act. After that statutory minimum period, data should be deleted unless there is a continuing legitimate purpose.
7. Transfer limitation: When transferring employee data outside Singapore (e.g., to a regional HR system), ensure the receiving organisation provides comparable protection.
8. Access and correction: Employees can request access to their personal data and correct inaccuracies. Requests must be responded to within 30 business days.
9. Data breach notification: If a breach occurs, assess the harm risk and notify PDPC and affected individuals within 3 business days if the breach is notifiable.
HR Data Categories and Security Requirements
Different categories of HR data require different security measures:
| Data category | Security level | Access restriction |
|---|---|---|
| NRIC/FIN numbers | High | HR admin only |
| Salary and payroll records | High | HR and payroll team only |
| Bank account details | High | Payroll team only |
| Biometric templates | Very high | System administrators only |
| Medical records and MCs | High | HR admin only; not shared with line managers without employee consent |
| Performance records | Medium | HR and direct manager |
| General contact details | Standard | As needed for the role |
| Leave records | Standard | HR and direct manager |
The principle: the more sensitive the data, the fewer people who should have access, and the stronger the technical controls that should protect it.
Third-Party Payroll and HR Vendor Obligations
When a Singapore employer uses a third-party payroll bureau, cloud HR system, or HRMS vendor, a written data processing agreement (DPA) is required under PDPA.
The DPA must specify:
- The data categories being processed by the third party
- The specific purposes for which the third party can use the data
- The security measures the third party must implement
- The third party’s obligation to notify the employer of any data breach
- Data deletion obligations at the end of the contract
Using a vendor without a DPA does not reduce the employer’s PDPA liability. If the vendor suffers a breach, the employer is still responsible for affected employees and to the PDPC. The DPA creates a contractual right to enforce remedies against the vendor.
For payroll software in Singapore, checking whether the vendor provides a standard DPA is part of the procurement due diligence.
“A Singapore employer who sends payroll data to a vendor without a data processing agreement has outsourced the payroll function but not the PDPA compliance obligation. They have, however, lost the contractual lever to enforce the vendor’s security obligations.”
Employee Data Deletion on Departure
When an employee leaves, not all personal data should be deleted immediately. Employment records must be retained for at least 2 years under the Employment Act. However, some data categories should be deleted promptly:
- Biometric templates (fingerprint, face geometry): delete within 30 days of the last day, or earlier
- System access credentials: revoke on the last day
- Active bank details linked to payroll processing: retain until final pay is confirmed, then archive
- Medical records: retain for the Employment Act period (2 years), then delete
A data deletion schedule for departing employees should be part of the offboarding process. For final pay resignation termination in Singapore, the offboarding process should include a data deletion checkpoint.
Frequently Asked Questions
Does PDPA apply to HR data for Singapore foreign employees?
Yes. PDPA applies to all personal data held by Singapore organisations, regardless of the data subject’s nationality. Employee data for foreign workers on Employment Pass, S Pass, or Work Permit is subject to the same PDPA obligations as data for Singapore Citizens and PRs.
Can a Singapore HR manager share an employee’s medical certificate with their team manager?
With care. The medical certificate is personal health data. Sharing the fact that the employee is on medical leave with the team manager for operational planning is generally acceptable under the legitimate interests exception. Sharing the diagnosis or the contents of the MC without the employee’s consent goes beyond what is necessary and is a PDPA purpose limitation concern.
What should a Singapore employer do immediately after discovering an HR data breach?
Contain the breach, assess the harm risk, and determine whether the breach is notifiable. If the breach is notifiable (likely to cause significant harm to affected employees, e.g., bank details exposed), notify PDPC and affected employees within 3 business days of the assessment. Document the incident, the assessment, and the remediation steps.
Are employment references personal data under Singapore’s PDPA?
Yes. A reference about an identified individual (former employee) is personal data. Providing a reference without the individual’s consent may violate PDPA’s consent obligation. The common practice is to obtain the employee’s consent to provide references as part of the offboarding process. Factual references (confirming dates of employment, role, and reason for leaving) carry lower PDPA risk than subjective assessments.
How should Singapore employers store paper HR records securely?
Paper HR records containing personal data should be stored in locked cabinets accessible only to authorised HR staff. Documents containing NRIC numbers, salary details, or medical information should not be left on desks, in open filing systems, or in areas accessible to non-HR employees. Disposal should be via cross-cut shredding, not general waste.
Conclusion
PDPA applies to all employee personal data held by Singapore employers, covering every HR process from recruitment through offboarding. The obligations are the same nine obligations that apply to customer data, but the data categories in HR (NRIC numbers, payroll records, biometrics, medical records) are among the most sensitive categories in the organisation. Security access restrictions, third-party DPAs, retention schedules, and breach response procedures are all required. HR software that implements role-based data access controls, encrypted storage, and automated retention management reduces the PDPA compliance burden significantly compared to manual HR systems.
Tipsoi’s HR platform implements PDPA-compliant data security, role-based access controls, and retention management for Singapore employee data. Get a quote. Download Tipsoi’s Singapore HR PDPA Compliance Guide for an employer’s data protection checklist.