HR Data Mapping Assessment

KNQX Domain Brain · PDPA Compliance Profile

ASSESSMENT

🏢 ORGANISATION PROFILE

Team: Mid-size (6–20 HR staff)
Employees: 50–200
Primary System: ☁️ Cloud HRIS
PDPA Awareness: 😟 Basic
DATA FOOTPRINT

Your HR team collects 10 of 10 tracked data categories — including biometric data (fingerprint/face), the highest PDPA sensitivity classification. Data flows through 5 third-party processors and crosses borders to a regional HQ.

🔴 CRITICAL RISKS
SCORE: 28/100

Your HR data mapping posture shows significant PDPA risk exposure. 5 high-severity and 3 medium-severity findings require urgent attention.

🔴 No Retention Policy

Without a defined retention schedule, data accumulates indefinitely — a direct PDPA s25 violation. Employment Act requires minimum 2 years post-cessation; CPF Act requires 5 years. Beyond these periods, every day of retention without a lawful basis is a separate contravention.

⚠️ PDPA enforcement trigger — PDPC may issue mandatory data destruction orders

🔴 Cross-Border Transfer to Regional HQ

Employee data flowing to a regional office (e.g. a shared service centre in India, Malaysia or the Philippines) requires PDPA s26 comparable protection. Cloud HRIS platforms often default to hosting data offshore. Remote access from overseas offices counts as a transfer, even if the data never physically moves.

✅ Action: Conduct Transfer Impact Assessment + put contractual assurance (DPA with PDPA-comparable clauses) in place

🔴 No Data Access Request Process (s21)

PDPA s21 requires organisations to respond to access requests within 30 days. Without any process, the first DAR you receive will trigger an automatic compliance failure. Combined with your risk concern about 'no access request handling process', this is a confirmed gap.

✅ Action: Implement formal DAR workflow — receipt acknowledgment, 30-day SLA, documented response

🔴 No Breach Response Plan

PDPA s26C requires notification to PDPC within 3 calendar days of assessing a notifiable breach. Your team is unsure if a plan exists — which means you likely cannot meet the 3-day deadline. HR data breaches (salary leaks, medical record exposures) are high-impact because they affect an identifiable, concentrated population.

✅ Action: Build HR-specific breach playbook: detect → assess → notify PDPC (3 days) → notify affected individuals

🔴 Biometric Data Without Explicit Safeguards

Biometric data (fingerprint/face) has the highest PDPA sensitivity classification. The PDPC's Advisory Guidelines on NRIC establish the standard — biometric data goes further. Collection requires explicit consent under s18A, and purpose limitation must be strictly documented.

✅ Action: Review biometric consent forms, ensure separate consent per usage purpose, implement encryption at rest

🔍 COMPLIANCE GAPS

🟡 Consent Bundled in Employment Contract

Bundling consent into employment contracts creates power asymmetry — the PDPC has emphasised that employees must be able to refuse consent without workplace consequences for non-essential processing. Your consent bases (contractual necessity, legal obligation, explicit consent) are correct but the mechanism is problematic. The contract clause covers everything in one signature, which may invalidate consent for optional processing.

✅ Action: Supplement with a standalone data consent form employees can review independently

🟡 No DPO Appointed

PDPA s11(3) requires all organisations to designate a DPO and notify PDPC. Your team is mid-size (6–20 HR staff) managing a broad data footprint — the absence of a DPO is a visible compliance gap, especially given the volume of sensitive data and cross-border transfers.

✅ Action: Appoint a DPO (can be an existing employee) and register via the PDPC notification portal

🟡 5 Third-Party Processors Without Mapped Safeguards

Your data flows through: Payroll bureau, Recruitment agency, Health insurer, Background screening, Benefits provider. Each is a data transfer point requiring a written Data Processing Agreement, cross-border safeguard assessment, and audit rights. The payroll bureau and health insurer process the highest-sensitivity data (NRIC, salary, medical records).

✅ Action: Map each third party's data access, verify a DPA is in place, confirm cross-border safeguards

STRENGTHS

✅ NRIC Collection After Offer Acceptance

Collecting NRIC only post-offer aligns with PDPC Advisory Guidelines on NRIC. This is the gold standard — using applicant-generated identifiers until the point where NRIC is legally required (CPF, tax) demonstrates purpose limitation awareness.

Maintain this practice and document it in your privacy notice

✅ Correct Consent Basis Mix

Using contractual necessity (for core employment), legal obligation (for CPF/IRAS/MOM), and explicit consent (for additional processing) is the recommended PDPA framework. Most organisations rely solely on explicit consent — your mixed approach is more robust.

Formalise this in a consent register mapping each data category to its basis

🗺️ SELF-IDENTIFIED RISK CONCERNS

You flagged 4 risk scenarios. Here's how the domain brain rates each:

NRIC data in email attachments (HIGH)
NRIC in transit via email is the #1 PDPC enforcement trigger. Implement DLP to block NRIC patterns in outbound email.

Employee data sent to wrong recipient (HIGH)
Misdirected emails containing payroll/medical data are the most common HR breach type. The 3-day PDPC notification clock starts on assessment.

Over-collection beyond purpose (MEDIUM)
Collecting 10/10 data categories including biometric data suggests collection may exceed purpose necessity. Apply a data minimisation review.

No access request handling process (HIGH)
Confirmed gap matching the Q17 answer. PDPA s21 requires a 30-day response. The first DAR received = compliance failure.
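As an added illustration (not part of this assessment or the KNQX tooling), a minimal outbound-mail DLP check for the NRIC concern above: it finds NRIC-shaped tokens in subject, body and extracted attachment text, validates the check letter so random alphanumeric codes do not trigger it, and blocks only when at least one recipient is outside the organisation's own domain. The S/T/F/G check-letter tables, the `example.com` internal domain and the sample message are the example's own assumptions; M-series NRICs are not validated.

```python
import re

# Singapore NRIC/FIN shape: prefix letter, seven digits, check letter.
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b", re.IGNORECASE)
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
# Check-letter tables and prefix offsets for the S/T (NRIC) and F/G (FIN) series.
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}
INTERNAL_DOMAINS = {"example.com"}  # assumed own mail domain(s)


def is_valid_nric(token):
    """True when the token is NRIC-shaped and its check letter matches the weighted sum."""
    m = NRIC_RE.fullmatch(token)
    if not m:
        return False
    prefix, digits, check = m.group(1).upper(), m.group(2), m.group(3).upper()
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits)) + OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11] == check


def mask(token):
    """Keep only the last four characters so the alert itself does not leak the NRIC."""
    return token[0] + "*****" + token[-4:]


def find_nrics(text):
    """Masked list of checksum-valid NRICs found in free text (invalid checksums are ignored)."""
    return [mask(m.group(0).upper()) for m in NRIC_RE.finditer(text)
            if is_valid_nric(m.group(0))]


def evaluate_outbound(message):
    """Return ('BLOCK' | 'ALLOW', findings) for a message dict with
    'to', 'subject', 'body' and 'attachments' (filename -> extracted text)."""
    external = [r for r in message["to"] if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    parts = {"subject": message["subject"], "body": message["body"]}
    parts.update({"attachment:" + n: t for n, t in message.get("attachments", {}).items()})
    findings = {part: hits for part, text in parts.items() if (hits := find_nrics(text))}
    action = "BLOCK" if findings and external else "ALLOW"  # findings are still logged when internal
    return action, findings


# Constructed sample: a payslip export mailed to an outside address; the vendor code in the
# body is NRIC-shaped but fails the checksum, so only the attachment is reported.
SAMPLE = {"to": ["agent@insurer.example"], "subject": "Payslip for March",
          "body": "Hi, attached as requested. Ref S1234567A is our vendor code.",
          "attachments": {"payslip.txt": "Name: J. Tan\nNRIC: S1234567D\nSalary: 5200"}}

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE))  # -> ('BLOCK', {'attachment:payslip.txt': ['S*****567D']})
```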
🎯 PRIORITY ACTION PLAN

1. Week 1: Appoint DPO + register with PDPC. Foundational for every other action; can be an existing HR leader.
2. Week 1–2: Implement Data Access Request process. Formal workflow, 30-day SLA, receipt acknowledgment. PDPA s21 compliance.
3. Week 2–3: Build HR Breach Response Playbook. Detect → assess → notify PDPC (3 days) → notify affected individuals. Test with a tabletop drill.
4. Week 3–4: Create retention schedule. Map each data category to its legal minimum (2yr Employment Act / 5yr CPF/IRAS). Configure auto-deletion in HRIS.
5. Week 4–6: Conduct Transfer Impact Assessment. Map the regional HQ data flow, implement contractual assurance (DPA with PDPA-comparable clauses).
6. Week 6–8: Supplement contract consent with a standalone form. Segment by purpose, independent opt-in checkboxes, annual consent audit.
NEXT STEP

Your survey data can now feed the KNQX Domain Brain to generate a visual data flow diagram — showing every collection point, transfer, consent basis, and risk, mapped to specific PDPA sections. Ready when you are.