Privacy Notice for Employees (Singapore)

A Privacy Notice for Employees in Singapore gives formal notice of the matter it concerns to the recipient.

Section 20 of the PDPA requires organisations to notify individuals of the purposes for which their personal data is being collected, used, or disclosed, on or before the collection of personal data. For employers, this notification obligation applies to all personal data collected from employees — including NRIC numbers, contact details, salary information, performance records, medical records, and disciplinary records. The PDPC's Advisory Guidelines on Key Concepts in the PDPA (revised 2021) clarify that the employment relationship does not exempt employers from PDPA obligations, and employers must provide clear notice of their data practices.

The PDPC's Advisory Guidelines on the PDPA for HR (Human Resource) Purposes provide specific guidance for employers on PDPA compliance in the employment context. The guidelines address the collection of NRIC numbers (subject to the Advisory Guidelines on the NRIC and Other National Identification Numbers, which restrict the collection, use, and disclosure of NRIC numbers to situations where required by law or necessary to accurately establish the identity of the individual), pre-employment checks, employee monitoring, and the transfer of employee data to overseas entities.

The Employment Act 1968 (Cap. 91), administered by the Ministry of Manpower (MOM), requires employers to maintain certain employment records — including salary records, leave records, and Key Employment Terms (KETs) — and the collection of personal data for Employment Act compliance is a legitimate purpose under the PDPA. The Central Provident Fund Act (Cap. 36) requires employers to collect and process employee data for CPF contribution purposes. The Income Tax Act 1947 (Cap. 134) requires employers to report employee income to the Inland Revenue Authority of Singapore (IRAS) through the Auto-Inclusion Scheme.

For employers transferring employee personal data outside Singapore — common for multinational companies with regional headquarters in Singapore — Section 26 of the PDPA imposes transfer restrictions, requiring that the overseas recipient provides a comparable standard of data protection or that the employer obtains consent or takes prescribed contractual measures. The PDPC has published a Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data to assist organisations with cross-border data transfers.

The Workplace Safety and Health Act 2006 (Cap. 354A) may require employers to collect health-related personal data for occupational health surveillance programmes, and the privacy notice should disclose this collection purpose. The Skills Development Fund Act (Cap. 235) and SkillsFuture Singapore Agency require employers to report employee training data for SDL and SkillsFuture Credit administration, constituting an additional purpose for personal data collection that should be disclosed in the privacy notice. The Trade Unions Act (Cap. 333) protects employees right to join trade unions affiliated with NTUC, and employers must not collect or use personal data regarding union membership for discriminatory purposes.

A Privacy Notice for Employees is needed whenever an employer in Singapore collects, uses, or discloses the personal data of employees and must comply with the notification obligation under Section 20 of the PDPA 2012.

All employers in Singapore — whether Singapore-incorporated companies registered with the Accounting and Corporate Regulatory Authority (ACRA), branches of foreign companies, sole proprietorships, partnerships, or statutory bodies — must provide a privacy notice to employees whose personal data they collect. The PDPA applies to all organisations in Singapore regardless of size, and there is no small business exemption.

New employee onboarding requires a privacy notice to be provided at or before the point of collecting personal data. Employers collecting NRIC copies, bank account details for salary crediting, next-of-kin information, medical history, and educational qualifications during the onboarding process must notify employees of the purposes for this collection before or at the time of collection.

Employers implementing employee monitoring systems — including email monitoring, internet usage tracking, CCTV surveillance in the workplace, GPS tracking of company vehicles, and computer activity monitoring — must provide a privacy notice disclosing the monitoring and its purposes. The PDPC's Advisory Guidelines on the PDPA for HR Purposes recommend that employers clearly communicate monitoring practices to employees to maintain trust and comply with the consent and notification obligations.

Employers transferring employee data to overseas entities — parent companies, regional headquarters, shared service centres, or cloud service providers with servers outside Singapore — must update their privacy notices to disclose the cross-border transfer and the countries or regions to which data may be transferred, in compliance with PDPA Section 26.

Employers undergoing corporate restructuring — mergers, acquisitions, or transfers of business — must consider whether employee personal data will be transferred to a new entity and update privacy notices accordingly. Section 22A of the PDPA (introduced by the 2020 amendments) provides for 'deemed consent by notification' in certain business improvement and merger scenarios, but employers must still notify employees of the data transfer.

Employers appointing a Data Protection Officer (DPO) — mandatory under the PDPA for all organisations — must include the DPO's contact details in the privacy notice so employees know whom to contact regarding data protection queries, access requests, and complaints.

A Privacy Notice for Employees compliant with the Personal Data Protection Act 2012 (PDPA) and the PDPC's Advisory Guidelines must include the following elements. The forms-legal.com Privacy Notice for Employees template covers all mandatory disclosure requirements and recommended standard practices issued by the PDPC.

Employer identification requires the employer's full registered name and Unique Entity Number (UEN) as registered with ACRA, the employer's registered address, and the employer's business contact details. The notice should identify the employer as the 'organisation' responsible for the collection, use, and disclosure of employee personal data under the PDPA.

Categories of personal data collected must list all types of personal data the employer collects from employees, including: identification data (full name, NRIC/FIN number, passport details, photograph); contact data (address, telephone number, email); employment data (job title, department, employment dates, salary, bonuses, CPF contributions); financial data (bank account details for salary crediting, tax records); health and medical data (medical certificates, pre-employment medical examination results, insurance claims); performance data (appraisals, disciplinary records, training records); and any other categories specific to the employer's operations.

Purposes of data collection and use must clearly state all purposes for which the employer collects and uses employee personal data, including: administering the employment contract and complying with Employment Act (Cap. 91) obligations; processing salary payments and CPF contributions under the CPF Act (Cap. 36); reporting employee income to IRAS under the Income Tax Act (Cap. 134); administering leave entitlements and benefits; managing performance and development; conducting workplace health and safety assessments under the Workplace Safety and Health Act (Cap. 354A); managing disciplinary processes; and any other specific purposes.

Disclosure of personal data to third parties must identify the categories of third parties to whom employee data may be disclosed, including: CPF Board (for CPF contributions); IRAS (for tax reporting); MOM (for work pass administration and Employment Act compliance); insurance providers (for group insurance and WICA coverage); payroll service providers; recruitment agencies; and overseas group entities (with identification of the countries involved).

Data retention policy must state the employer's data retention periods for different categories of employee data. The PDPA requires organisations to cease retaining personal data when it is no longer necessary for any business or legal purpose (Section 25). The Employment Act requires employers to retain salary and employment records for at least two years after the employee leaves. IRAS requires income records to be retained for at least five years.

Employee rights section must inform employees of their rights under the PDPA, including: the right to access their personal data held by the employer (Section 21); the right to correct inaccurate personal data (Section 22); the right to withdraw consent for the collection, use, or disclosure of personal data (Section 16), with an explanation of the consequences of withdrawal; and the right to complain to the PDPC if unsatisfied with the employer's data protection practices.

Data Protection Officer (DPO) contact details must provide the name (or title), email address, and telephone number of the employer's designated DPO, appointed in compliance with Section 11(3) of the PDPA. The DPO is the employees' primary contact point for data protection queries and access/correction requests.

Data breach notification clause should inform employees that, in the event of a notifiable data breach under PDPA Section 26D (introduced by the 2020 amendments), the employer will notify affected individuals and the PDPC within the prescribed timeframes — notification to the PDPC within three calendar days of assessment, and notification to affected individuals as soon as practicable.