1.1 INTRODUCTION TO THE PERSONAL DATA PROTECTION ACT
PDPA is a Data Protection Law that encompasses various statutes & regulations governing the collection, use, disclosure & care of personal data.
It recognizes both the rights of individuals to protect their Personal Information including access rights & correction rights, along with the needs of companies, businesses & organizations to collect, use or disclose this information for legitimate activities & reasonable purposes.
1.2 WHAT IS PERSONAL DATA?
Personal data refers to data about an individual who can be identified from that data, or from that data together with other information to which the company, business or organization has or is likely to have access.
Personal data in Singapore is protected under the PDPA [Personal Data Protection Act 2012].
1.3 AGHRMS COMPLIANCE WITH PDPA
1.3.1 WHERE IS AGHRMS STORING OUR DATA?
AGHRMS is hosted on Amazon Web Services & Microsoft Azure, and its services are deployed from their Singapore data centres.
This is compliant with Item 26 of the PDPA, which requires data to be stored in Singapore.
1.3.2 SECURITY MEASURES TO ENSURE SAFETY OF DATA
AGHRMS safeguards customer data via a multi-pronged approach.
Transmission: All hosted users access our website over HTTPS with a 2048-bit SSL (Secure Sockets Layer) certificate, so that all data transmitted over the internet is encrypted & cannot be read by anyone who intercepts it.
The encryption strength is reviewed annually to ensure that it keeps up with technological advances.
Password Policy: AGHRMS comes with password policy features which allow the administrator to implement password policies that can enforce:
- Minimum & maximum password length
- Maximum password age
- Password history (previous passwords may not be reused)
- Password complexity
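As an added illustration of how the four controls listed above are typically enforced together (this is example code written for this page, not AGHRMS's own implementation, and the policy values, the `Account` record and the SHA-256 history digests are constructed assumptions), the following Go program checks a candidate password against length, complexity and history rules and reports whether the current password has outlived its maximum age:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
	"unicode"
)

// PasswordPolicy holds the four controls the document lists. The values used
// below are constructed for this example, not the product's own settings.
type PasswordPolicy struct {
	MinLength      int
	MaxLength      int
	MaxAge         time.Duration // longest a password may remain in use
	HistoryDepth   int           // number of previous passwords that may not be reused
	RequireComplex bool          // upper, lower, digit and symbol all required
}

// Account is a hypothetical record of one user's password state. Only digests
// of previous passwords are kept, never the passwords themselves.
type Account struct {
	History []string  // digests of previous passwords, newest first
	SetAt   time.Time // when the current password was set
}

// digest is used only for the reuse check. SHA-256 keeps the example
// dependency-free; a production system stores salted slow hashes (argon2id,
// bcrypt) for both the current password and the history entries.
func digest(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// isComplex reports whether pw contains an upper-case letter, a lower-case
// letter, a digit and a symbol or punctuation character.
func isComplex(pw string) bool {
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	return upper && lower && digit && symbol
}

// CheckPassword returns every policy rule the candidate violates; an empty
// result means the password may be set.
func CheckPassword(p PasswordPolicy, acct Account, candidate string) []string {
	var violations []string
	n := len([]rune(candidate))
	if n < p.MinLength {
		violations = append(violations, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if p.MaxLength > 0 && n > p.MaxLength {
		violations = append(violations, fmt.Sprintf("longer than %d characters", p.MaxLength))
	}
	if p.RequireComplex && !isComplex(candidate) {
		violations = append(violations, "must mix upper, lower, digits and symbols")
	}
	d := digest(candidate)
	for i, old := range acct.History {
		if i >= p.HistoryDepth {
			break
		}
		if old == d {
			violations = append(violations, fmt.Sprintf("reuses one of the last %d passwords", p.HistoryDepth))
			break
		}
	}
	return violations
}

// Expired reports whether the current password has outlived MaxAge at time now.
func Expired(p PasswordPolicy, acct Account, now time.Time) bool {
	return p.MaxAge > 0 && now.Sub(acct.SetAt) > p.MaxAge
}

// Rotate records a newly accepted password and trims the history to the
// depth the policy requires.
func Rotate(p PasswordPolicy, acct Account, newPw string, now time.Time) Account {
	hist := append([]string{digest(newPw)}, acct.History...)
	if p.HistoryDepth > 0 && len(hist) > p.HistoryDepth {
		hist = hist[:p.HistoryDepth]
	}
	return Account{History: hist, SetAt: now}
}

func main() {
	policy := PasswordPolicy{MinLength: 12, MaxLength: 64, MaxAge: 90 * 24 * time.Hour, HistoryDepth: 5, RequireComplex: true}
	acct := Rotate(policy, Account{}, "Correct-Horse-Battery-9", time.Now().Add(-100*24*time.Hour))
	fmt.Println(CheckPassword(policy, acct, "Correct-Horse-Battery-9")) // reuse of current password
	fmt.Println(CheckPassword(policy, acct, "Another-Strong-Pass-42"))  // no violations
	fmt.Println(Expired(policy, acct, time.Now()))                       // true: older than 90 days
}
```

The history check compares digests rather than plaintext so that the previous passwords never need to be stored; the depth limit in `Rotate` keeps the stored history bounded to exactly what the policy needs.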
Network Security: AGHRMS is hosted on Amazon Web Services & we leverage the Amazon global infrastructure to provide world-class network protection to our customers.
For more detail about Amazon's security infrastructure, please visit http://aws.amazon.com/security.
Non-Disclosure Agreement: AGHRMS has a standard non-disclosure clause pertaining to all customers as part of the agreement to use our services.
For certain specific customers, AGHRMS might also have a separate Non-Disclosure Agreement [NDA] signed with them.
Employee information is deemed highly confidential information, and AGHRMS is bound by the above agreements to protect it. All employees sign a Non-Disclosure Agreement (NDA) with AGHRMS not to disclose any information about customers.
1.3.3 DISASTER RECOVERY PLAN FOR AGHRMS
Please see Section 2.5 on AGHRMS’s Business Continuity Plan.
1.3.4 CUSTOMERS’ DATA UPON TERMINATION OF AGHRMS SERVICES
AGHRMS requires at least 30 days' advance notice in writing for any termination of services. This period may vary from contract to contract.
During the notice period, customers can make use of the available reporting & export functions in the system to export their data in .csv format.
Upon termination of AGHRMS services, AGHRMS will purge all copies of customer data within 30 days from the date of termination of services.
1.4 AGHRMS COMPLIANCE TO PROPOSED NRIC ADVISORY GUIDELINES
1.4.1 COLLECTION OF NRIC NUMBER & RETENTION OF PHYSICAL NRIC
The NRIC number is a permanent & non-replaceable unique identifier assigned by the Government of Singapore. It is used for transactions with Government Agencies & for specific transactions such as banking or paying bills, & hence can be used to unlock huge amounts of information relating to an individual.
If unprotected, it may be used for unauthorised & illegal activities such as identity theft & fraud.
The physical NRIC contains the NRIC number along with other personal data, such as the individual's full name, photograph, thumbprint & residential address.
Retaining a physical NRIC or collecting a copy of an NRIC therefore amounts to excessive collection of personal information.
1.4.2 PUBLIC CONSULTATION: PDPC’s PROPOSED NRIC ADVISORY
PDPC issued a public consultation paper from November 2017 to December 2017 to seek opinions on:
- the revised chapter on NRIC numbers in the Advisory Guidelines on Selected Topics in the PDPA, &
- the proposed technical guide on alternatives to the NRIC number as a unique identifier used in websites & systems.
1.4.3 PROPOSED GUIDELINES
Companies, businesses & organizations should never collect NRIC numbers (or copies of the NRIC) unless required by law (or by an exception under PDPA regulations & statutes), or unless it is necessary to accurately establish or verify the identity of an individual to a high level of fidelity.
Organizations that collect a copy of an NRIC must ensure that the personal data contained in it (& in any copies) is not collected excessively or used for other unauthorized purposes.
*SPECIFICALLY FOR HR SOFTWARE SYSTEMS:
NRIC Number should not be collected during the Job Application stage.
It is permitted to collect the NRIC number once the employment relationship is established (covered under Employment Act regulations & statutes).
1.4.4 AGHRMS COMPLIANCE
Employee ID: The unique identifier of the employee within the system. The value of this field is displayed all across the system.
"Login Name" is the field used as the basis for identifying each employee.
Constraint: this value cannot be duplicated within the same group of companies. It is a free-text field that accepts alphanumeric characters.
Two options are available for the customer to manage this field:
- System-Generated Employee Number
- Manual Entry
Referring to Q3 of the Declaration form, our customers can change the ID value to any value, as long as it is distinct & unique within the same group of companies.
ID Card Number: This field stores the ID Card Number, which is submitted for reporting purposes to various government agencies:
- CPF Board
- Ministry of Health [MOH]
AG Net Pte Ltd provides its HR software solutions to about 11 nursing homes in Singapore, which need to report staff information to the Ministry of Health [MOH] under the ILTC portal.
AG Net Pte Ltd is committed to supporting this initiative & will implement the following in AGHRMS by Q4 2018:
- The ID Card Number field will be encrypted.
- As the Employee ID field can be entered manually, we also plan to provide a mass-upload function so that customers who use the NRIC number as the Employee ID can change it accordingly.
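To show how the two measures above fit together in code, here is an added Go example (written for this page, not AG Net's implementation): a hypothetical in-memory employee directory that assigns a system-generated Employee ID instead of the NRIC number, enforces the login-name uniqueness constraint within a group of companies, and keeps the ID Card Number only as AES-256-GCM ciphertext that is decrypted solely for an authorised use such as a statutory report. The key handling (a caller-supplied 32-byte key) and the sample ID card values are constructed assumptions; a deployed system would obtain the key from a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// EmployeeRecord is a hypothetical directory entry. EmployeeID is
// system-generated and safe to show across the UI; the ID card number is
// only ever held as ciphertext.
type EmployeeRecord struct {
	EmployeeID   string
	LoginName    string
	IDCardSealed []byte // nonce || AES-GCM ciphertext || tag
}

// Directory is an in-memory stand-in for the employee table.
type Directory struct {
	key     []byte                                // 32-byte AES key; assumed to come from a KMS in practice
	records map[string]map[string]*EmployeeRecord // group -> lower-cased login name -> record
	seq     map[string]int                        // per-group counter for generated Employee IDs
}

func NewDirectory(key []byte) (*Directory, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	return &Directory{key: key, records: map[string]map[string]*EmployeeRecord{}, seq: map[string]int{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field value with a fresh random nonce, which is
// prepended so that each stored ciphertext is self-contained.
func sealField(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// openField reverses sealField; GCM's tag check makes it fail on any tampering.
func openField(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Enroll rejects a login name already used within the same group of companies,
// assigns a system-generated Employee ID and encrypts the ID card number
// before anything is stored.
func (d *Directory) Enroll(group, login, idCard string) (*EmployeeRecord, error) {
	k := strings.ToLower(strings.TrimSpace(login))
	if k == "" {
		return nil, errors.New("login name required")
	}
	if _, dup := d.records[group][k]; dup {
		return nil, fmt.Errorf("login name %q already used in group %s", login, group)
	}
	sealed, err := sealField(d.key, []byte(idCard))
	if err != nil {
		return nil, err
	}
	d.seq[group]++
	rec := &EmployeeRecord{EmployeeID: fmt.Sprintf("%s-%05d", group, d.seq[group]), LoginName: login, IDCardSealed: sealed}
	if d.records[group] == nil {
		d.records[group] = map[string]*EmployeeRecord{}
	}
	d.records[group][k] = rec
	return rec, nil
}

// IDCardNumber decrypts the stored value for an authorised use such as an
// agency report; every other part of the system works from EmployeeID.
func (d *Directory) IDCardNumber(group, login string) (string, error) {
	rec, ok := d.records[group][strings.ToLower(strings.TrimSpace(login))]
	if !ok {
		return "", errors.New("no such employee")
	}
	plain, err := openField(d.key, rec.IDCardSealed)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

Because the Employee ID is derived from a per-group counter rather than from the NRIC number, it can be displayed throughout the system without exposing the identifier, and the encrypted field is only opened at the single point where the agency report needs it.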