In the recruitment industry, information on people is the biggest asset. Yet this could become a double-edged sword if not managed well.
"People looking for jobs always want assurance that their data is safe with us; good personal data protection practices are one of the basic expectations of us as recruitment consultants," says Mr Ronald Lee, managing director of human resource firm, PrimeStaff Management Services.
Established in 1994, the home-grown SME places people not only in Singapore, but also around Southeast Asia and Australia. PrimeStaff was named "Best Recruitment Firm - Overall (Singapore)" and "Best Recruitment Firm for HR Positions" at the HRM Asia Awards in 2015.
PrimeStaff had a personal data policy in place before the Personal Data Protection Act (PDPA) came into full effect in July 2014. The policy then was focused largely on putting in place measures to restrict access to files containing personal data, and the blocking of file sharing sites and non-corporate email access to prevent unauthorised transfer of data to any third parties.
"Things are different now with the mandatory requirements of the PDPA," Mr Lee adds. "The new requirements imposed by the Act mean we need to obtain consent to use personal data, and the resultant shift in customer expectations is a motivating factor that keeps us on our toes."
PrimeStaff's employees handle personal data on a daily basis. Its biggest challenge is to ensure employees comply with its personal data protection policies to fulfil their functions and operations.
- Regular employee training on PDPA requirements and on the importance of protecting personal data.
- Enhanced security measures in IT systems such as restricting access to and transfer of personal data.
- Development of new forms to notify and obtain consent from potential candidates.
- Increased trust and confidence among clients, candidates and employees that their personal data is protected.
- Reduced risk of personal data leaks and misuse.
- Enhanced professionalism and pride among PrimeStaff employees, who know they are entrusted with sensitive personal data.
PERIOD OF TRANSITION
PrimeStaff took several months to align its personal data protection policies to meet the PDPA's obligations. The process started with a team of five, including Mr Lee. They attended introductory talks, seminars and other related courses to familiarise themselves with the requirements of the PDPA.
Given the company's specialised function, the bulk of personal data handled by PrimeStaff is for the purpose of recruitment for client organisations, and the company handles the personal data of about 40,000 individuals. So it was clear to the team that ensuring the personal data remained safe and secure was of utmost importance.
"Our biggest challenge is ensuring that no personal data is leaked by our employees, whether unwittingly or deliberately, because our consultants handle so much personal data on a daily basis," Mr Lee shares.
To prevent softcopies of personal data being downloaded and transferred, the team enhanced the security of the company's IT systems, including blocking access to free email service providers such as Google mail, Yahoo mail and Hotmail, as well as media-sharing sites such as Dropbox, iCloud and Google Drive.
Third-party storage devices such as thumb drives and CD readers are also fully or partially disabled so that information cannot be readily copied or transferred.
Other steps taken by PrimeStaff included the development of new forms to document consent from potential candidates to use their data for recruitment, and the introduction of a retention limitation policy.
The company's retention policy limits its consultants from keeping a candidate's data unnecessarily. Some personal data is typically kept for a period of time in order to recommend suitable job openings.
However, the data would be deleted when it is no longer needed for legal and business purposes.
CANDIDATE DATA VS EMPLOYEE DATA
Apart from candidate data, PrimeStaff is mindful that it has to protect its own employee data, too. As an HR consultancy, PrimeStaff believes all personal data is important and does not treat employee data any differently.
Therefore, file access control measures are put in place to ensure only the relevant employees have access to employee data.
Mr Lee explains, "Access and processing of employee data are restricted. Only HR or the Payroll department and recruiters are allowed access to such data based on whether they have been tasked to use or process the data to fulfil the purpose it was collected for."
"For IT systems, once properly put in place, they are less likely to pose compliance problems," says Mr Lee. For example, once a file access control measure is set, employees who do not have permission to handle the information will not be able to access the file.
"However, there is less certainty with people," he adds. To help reduce human errors, PrimeStaff makes it a point to conduct regular training for its employees. These sessions reinforce the importance of protecting personal data and update employees on new developments and regulations in the HR industry.
COMPLIANCE A WORTHWHILE EFFORT
Mr Lee estimates that the company spent about $45,000 to hone and implement its personal data protection policy to comply with the PDPA.
He attributes 93 per cent of the cost to man-hours spent understanding the application of the PDPA to PrimeStaff's operations as well as in developing and implementing policies to comply with the PDPA.
Training fees accounted for the rest of the cost.
However, Mr Lee considers these to be necessary compliance costs. "Knowing how careful we are with personal data increases the trust and confidence our clients and candidates have in us. We allocated more time and effort on compliance with the PDPA so as to get this right, which in turn enhances our position as a preferred HR consultant."