Glints TalentHub
Switch Language
EOR, PEO, and Compliance

PDPA for Employers in Singapore: What HR Teams Need to Know

Elbert Jolio
Elbert JolioJuly 6, 2026
PDPA for Employers in Singapore: What HR Teams Need to Know

The Personal Data Protection Act, or PDPA, sets out how employers in Singapore should collect, use, disclose, store, protect, retain, and transfer personal data. For HR teams, this matters across recruitment, onboarding, payroll, benefits, performance management, employee records, and offboarding. The PDPA applies to personal data that can identify an individual, whether the data is true or not.

For employers, PDPA compliance is not only a legal requirement. It is also part of building employee trust. Candidates and employees share sensitive information with the company, including salary details, identification numbers, bank account information, family details, medical certificates, work pass information, emergency contacts, and performance records. If this data is handled poorly, the risk is not limited to regulatory penalties. It can also affect employee confidence, employer reputation, and business continuity.

What is the PDPA?

The PDPA is Singapore’s main personal data protection law. Its purpose is to govern how organisations collect, use, and disclose personal data while balancing individuals’ right to protect their personal data with organisations’ legitimate need to use data for reasonable purposes.

This means employers should only collect, use, or disclose employee data for purposes that are reasonable and related to the employment relationship. This can include assessing candidates, preparing employment contracts, processing payroll, managing benefits, administering leave, conducting performance reviews, handling disciplinary matters, fulfilling statutory obligations, and managing exits.

Does PDPA Apply to Employee Data?

Yes. Employee data is still personal data if it identifies the person. The PDPA also makes clear that organisations remain responsible for personal data processed on their behalf by a data intermediary, such as an outsourced payroll provider, HR software vendor, recruitment platform, or benefits administrator.

One point employers often misunderstand is the employee exclusion. The PDPA states that certain obligations do not apply to an employee acting in the course of employment. This does not mean employee data is outside the PDPA. It means the individual employee is generally not personally subject to those obligations when acting for the organisation. The organisation still needs to manage personal data properly.

Examples of Employee Personal Data Employers May Collect

Employee personal data may include:

  1. Full name, contact details, date of birth, nationality, and address
  2. NRIC, FIN, passport number, work pass details, or other identification information
  3. Resume, education history, employment history, interview notes, and reference checks
  4. Salary, bonus, commission, CPF, tax, bank account, and payroll details
  5. Medical certificates, insurance details, leave records, and benefits information
  6. Emergency contact details and dependent information
  7. Performance records, disciplinary records, promotion history, and internal feedback
  8. System access logs, attendance records, device records, and workplace investigation records

Business contact information, such as a person’s business email address, job title, business phone number, and office address, is generally treated differently under the PDPA. However, most HR records go beyond business contact information because they contain personal, financial, legal, or employment related information.

Do Employers Always Need Employee Consent?

Not always. In many HR situations, employers collect and use personal data because it is necessary to enter into, manage, or terminate the employment relationship. PDPC guidance recognises that there are employment related situations where consent may not be required, but employers still need to notify employees of relevant purposes where required and ensure the data use is reasonable.

For example, an employer may need employee bank details to process salary, identification information to meet statutory requirements, or performance records to manage promotion and appraisal decisions. The key question is whether the data is necessary and reasonable for the stated HR purpose.

Key PDPA Obligations Employers Should Understand

1. Collect Only What is Necessary

Employers should avoid collecting more personal data than needed. For example, if a job application form asks for information that is not relevant to the role or hiring process, the company should reconsider whether that field is necessary.

For recruitment, collect the information needed to assess the candidate’s suitability. For onboarding, collect the information needed to issue the employment contract, run payroll, administer benefits, and comply with statutory requirements.

2. Tell Employees Why Their Data is Being Collected

Employees and candidates should be informed of the purposes for which their personal data is collected, used, or disclosed. This can be done through a privacy notice, recruitment notice, employee handbook, onboarding form, employment contract, or HR policy.

The notice should be clear and practical. Instead of using broad wording such as “for business purposes,” employers should specify examples such as recruitment assessment, payroll processing, statutory reporting, employee benefits administration, IT access management, internal investigations, and performance management.

3. Protect Employee Data Properly

Employers should put reasonable security measures in place to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. This is especially important because HR teams often handle highly sensitive files.

Good practices include limiting access to HR files, using secure payroll systems, encrypting sensitive documents, avoiding shared passwords, reviewing vendor access, securing employee folders, and training HR and people managers on data handling.

4. Be Careful with NRIC and FIN Numbers

NRIC and FIN numbers should not be collected or used casually. PDPC guidance states that organisations are generally not allowed to collect, use, or disclose NRIC numbers unless required by law or necessary to accurately establish or verify identity to a high degree of fidelity.

There is also an important 2026 update. Private organisations should review their practices and phase out the use of NRIC numbers for authentication by 31 December 2026.

For employers, this means HR teams should check whether NRIC or FIN numbers are being used as default passwords, payslip passwords, onboarding document passwords, HR portal logins, or identity verification shortcuts. These practices should be replaced with safer authentication methods.

5. Retain Employee and Applicant Data Only as Long as Needed

Employers should not keep personal data indefinitely unless there is a valid business or legal reason. For example, successful candidates’ data may need to be retained as part of their employment records. Unsuccessful candidates’ data should only be retained for as long as there is a reasonable recruitment, legal, or business purpose. PDPC guidance notes that once an organisation has decided which applicant to hire, personal data collected from other applicants should only be kept for a limited purpose.

A practical approach is to create a retention schedule covering candidate records, payroll documents, tax records, employment contracts, medical certificates, disciplinary records, and exit documents.

6. Manage HR Vendors Carefully

Many employers use vendors for recruitment, payroll, background checks, employee benefits, HR systems, insurance, or cross border employment administration. Under the PDPA, an organisation can remain responsible for personal data processed on its behalf by a data intermediary.

This means employers should review vendor contracts, access controls, data transfer practices, breach notification timelines, and data deletion processes. If a payroll provider, HR platform, or recruitment vendor mishandles employee data, the employer may still face risk.

7. Have a Data Breach Response Process

A data breach can happen when employee records are sent to the wrong recipient, payroll files are exposed, HR systems are compromised, or personal data is accessed without authorisation. PDPC’s breach reporting guidance says organisations should assess whether a breach is notifiable, meet the three day deadline, and report through the required process.

Employers should have a clear internal process covering who investigates the breach, who contacts the vendor, who assesses harm, who informs leadership, who notifies PDPC where required, and who communicates with affected employees.

What Happens if Employers Breach the PDPA?

PDPA non-compliance can lead to directions, enforcement action, reputational damage, employee complaints, operational disruption, and financial penalties. PDPC guidance states that organisations may face fines of up to S$1 million or 10% of annual Singapore turnover for organisations with turnover exceeding S$10 million.

For employers, the bigger issue is often trust. Employees expect HR to handle sensitive information with care. A payroll leak, careless sharing of medical information, exposed offer letters, or insecure employee database can quickly damage confidence in the company.

Practical PDPA Checklist for Employers

Here’s a practical PDPA checklist:

1. Appoint a Data Protection Officer and make the contact details available

2. Review what candidate and employee data is collected across recruitment, onboarding, payroll, benefits, performance, and offboarding

3. Remove unnecessary fields from job application forms and HR forms

4. Update employee privacy notices and candidate privacy notices

5. Review how NRIC, FIN, passport, and work pass details are collected and protected

6. Stop using NRIC or FIN numbers for passwords, document access, or authentication

7. Limit access to HR files based on role and business need

8. Review HR vendors, payroll providers, recruitment platforms, and benefits administrators

9. Set retention rules for applicant records and employee records

10. Train HR teams, hiring managers, and people managers on safe data handling

11. Create a data breach response process and test it internally

12. Review cross border data transfers if employee data is shared with regional offices, vendors, or overseas systems

How PDPA Compliance Becomes More Complex for Regional Teams

PDPA compliance is already important for Singapore employers, but it becomes more complex when companies hire and manage employees across multiple countries. Each market may have different rules for employment records, payroll data, tax information, identity documents, statutory reporting, and employee consent.

For companies managing distributed teams, HR data may move between hiring managers, payroll vendors, local employment partners, finance teams, benefits providers, and regional leadership. Without clear processes, employee data can easily become fragmented across inboxes, spreadsheets, shared folders, and disconnected platforms.

This is why employers should treat data protection as part of workforce operations, not only a legal checklist. The more countries, vendors, and HR workflows involved, the more important it becomes to have one clear process for collecting, storing, protecting, and updating employee information.

Keep Employment Operations Compliant as Your Team Grows

Hiring and managing talent across markets requires more than finding the right candidate. Employers also need to handle contracts, onboarding, payroll, statutory contributions, benefits, employee records, and compliance in a way that protects both the company and the employee.

Glints TalentHub helps companies manage regional employment operations more confidently, including compliant hiring, onboarding, payroll, HR administration, and ongoing workforce support. For employers expanding across Southeast Asia and beyond, this gives your team a clearer way to manage employee operations without building every local process from scratch.

FAQ about PDPA for employers

What is PDPA in employment?

PDPA in employment refers to how employers collect, use, disclose, store, protect, retain, and transfer candidate and employee personal data. It covers HR activities such as recruitment, onboarding, payroll, benefits, performance management, and offboarding.

Does PDPA apply to job applicants?

Yes. Job applicant data can be personal data if it identifies the candidate. Employers should collect only relevant information, explain how the data will be used, protect the data, and avoid keeping unsuccessful applicant data longer than necessary.

Can employers collect NRIC or FIN numbers?

Employers should only collect NRIC, FIN, or similar identification numbers when required by law or necessary to verify identity to a high degree of accuracy. Employers should also protect this data carefully and avoid using it for authentication.

Can employers share employee data with payroll vendors?

Yes, employers may share employee data with payroll vendors when needed for payroll processing, but they should ensure the vendor handles the data securely. The employer may still have responsibility for personal data processed on its behalf by a vendor.

What should employers do if employee data is leaked?

Employers should assess the incident quickly, contain the breach, identify the affected data and individuals, determine whether the breach is notifiable, and notify PDPC and affected individuals where required. A clear breach response plan helps employers act faster and reduce harm.

Do employers need a Data Protection Officer?

Yes. Appointing a Data Protection Officer is a mandatory step under the PDPA. The DPO helps the organisation manage data protection responsibilities, policies, practices, and compliance.

Conclusion

PDPA compliance is a core part of responsible employment management in Singapore. Employers handle some of the most sensitive personal data in the organisation, from payroll records and identification numbers to medical certificates, performance reviews, and exit documents.

A strong PDPA approach starts with simple but important habits. Collect only what is needed. Tell employees why their data is used. Protect HR records properly. Review vendors carefully. Retain data only for as long as necessary. Prepare for data breaches before they happen.

For employers hiring across Singapore and the wider region, data protection should be built into the full employee lifecycle. When HR operations, payroll, compliance, and employee records are managed clearly, companies can reduce risk and give employees greater confidence that their data is handled with care.

Join our Employers Community!

Subscribe to our newsletter to receive all our latest news and offers delivered right to your desk.