Singapore’s Personal Data Protection Act (PDPA) sets strict requirements for how organisations handle employee data. Compliance isn’t just a legal obligation—it builds trust with your workforce and strengthens your organisation’s data governance framework.
What the PDPA Covers
The PDPA governs the collection, use, disclosure, and protection of personal data in Singapore. For employers, it applies from the moment a candidate submits a CV through to when you securely dispose of records after someone leaves.
Personal data in an employment context includes names, identification numbers, contact details, salary information, performance records, medical data, CCTV footage, and employee monitoring data: essentially anything that identifies an individual.
Your Core Obligations
The PDPA sets several obligations that directly apply to HR and people operations.
Consent and notification: You must tell employees what you’re collecting their personal data for. In many cases you need consent, though data collection that’s reasonably necessary for managing the employment relationship (payroll, CPF contributions, benefits) can proceed without explicit consent. Employees should still be informed.
Purpose limitation: Data collected for one purpose can’t be repurposed without fresh consent. Employee contact details collected for HR administration can’t be used for a marketing campaign.
Protection: You need reasonable security measures to protect employee data from unauthorised access or disclosure. That covers technical controls (access restrictions, encryption) and organisational ones (policies, staff training).
Access and correction: Employees can request access to their personal data and request corrections if it’s inaccurate. You need to respond within a reasonable timeframe.
Retention limitation: Personal data can’t be kept longer than necessary. You need a clear policy on retention periods for employment records and a secure disposal process once that period ends.
The Data Protection Officer Requirement
Every organisation in Singapore must appoint a Data Protection Officer (DPO) to oversee PDPA compliance. In a small business it doesn’t need to be full-time, but someone needs to own it. Without a designated DPO, accountability gets fuzzy and compliance tends to drift.
Employee Monitoring
This is an area many employers handle poorly, especially with hybrid and remote work. You can monitor employees through CCTV, email access, attendance systems, or productivity tools, but only if employees are properly informed.
What monitoring is in place, what data gets collected, and how it’ll be used must all be disclosed. Document it in employment contracts or a standalone workplace monitoring policy. Installing CCTV without visible notices and monitoring emails without disclosure are both PDPA violations.
A useful principle: if your monitoring practices would surprise your employees if they found out, they’re probably not PDPA-compliant.
The Cost of Getting It Wrong
The 2024/2025 amendments to the PDPA significantly strengthened enforcement. Organisations can now face fines up to 10% of annual Singapore turnover or S$1 million, whichever is higher. Mandatory breach notification to the Personal Data Protection Commission (PDPC) is required for breaches that cause or are likely to cause significant harm.
For a small or mid-sized business, a data breach involving employee payroll records, medical data, or identification numbers carries real financial and reputational consequences.
Practical PDPA Compliance Steps for Singapore Employers
Appoint a Data Protection Officer if you haven’t already, and document their responsibilities.
Audit what employee data you hold, where it’s stored, and who can access it.
Review your employment contracts and onboarding materials to ensure data collection and use are properly disclosed.
Put a clear monitoring policy in place if you use any form of employee monitoring.
Establish a data retention and disposal policy. Old records sitting on shared drives are an increasing risk.
Train your HR team and managers on basic PDPA obligations.
PDPA compliance isn’t primarily an IT problem. It’s an HR and people operations problem. The foundations are straightforward to put in place. Leaving them unaddressed creates exposure that compounds over time.
Expert People Solutions helps growing businesses in Singapore build the HR infrastructure that keeps them compliant. If you want to review your current data practices or build a PDPA-ready HR framework, we’d be happy to help.





