Last week, I wrote an article titled “You have a right to privacy at work too!”
The article drew attention in a statement on the PDPA site that sounds like the Act does not protect employees.
The PDPA Commission wrote in to clarify, and actually, employees are protected also. Here is what they have to say:
“Regarding the concerns you raised about personal data in the use of employment though, we’d like to assure you that organisations generally have to inform employees of the purposes for the collection, use and disclosure of their personal data, and obtain their consent prior to the collection, use and disclosure. This can be obtained at the point of hiring the employee or at any other time under employment.
The other obligations of the PDPA are also applicable to employment relationships, such as allowing employees to access or correct their personal data, or requiring organisations to remove personal data associated with individuals, as soon as the purpose for which it was collected is no longer being served, and it is no longer necessary for legal or business purposes.
The sentence on our website which you had referred to in your article, that the PDPA “generally does not apply to an employee acting in the course of employment”, meant that employees acting in the course of employment are not subject to PDPA obligations (i.e. that organisations, not employees, will generally be held accountable should the employees breach the Act while acting for the organisation).
This does not mean that employee personal data is not subject to PDPA obligations.