Singapore PDPA

Introduction

Singapore’s Personal Data Protection Act (PDPA) regulates the collection, use, disclosure, and management of personal data, as outlined in the official Quick Guide to the PDPA. Central to the PDPA are the 9 Main Data Protection Obligations, which aim to balance individuals’ rights to data privacy with organizations’ legitimate business needs.

This whitepaper aims to inform our customers about the PDPA and how ClayHR employs top-tier data privacy and security measures to store, process, maintain, and protect customer data. We are dedicated to helping our customers use HR-related data effectively while complying with the PDPA’s requirements. This document details our data protection features, how they align with the PDPA, and how we share compliance responsibilities with our customers.

Personal Data Protection Act Overview

The PDPA governs how organizations in Singapore handle personal data, including cases where data is collected abroad and transferred to Singapore. The Personal Data Protection Commission (the Commission) oversees the administration, promotion, and enforcement of the PDPA. For more details, consult the Act, related subsidiary legislation, and the Commission’s guidance.

Purpose of the PDPA

"To regulate how organizations collect, use, and disclose personal data, balancing individuals'

rights to protect their data with the legitimate needs of organizations to handle personal data for

reasonable purposes.

This section defines the PDPA’s key terms and concepts. In particular, we briefly describe the PDPA’s 9 Main Data Protection Obligations. To learn more, see the Act, the Commission’s Overview of the Obligations, and the Advisory Guidelines for Key Concepts in the PDPA. 

9 Main Data Protection Obligations
Collection, use, and disclosure of personal data requirements
  • The Notification Obligation
  • The Consent Obligation
  • The Purpose Limitation Obligation
Accountability requirements
  • The Openness Obligation
  • The Access and Correction Obligations
Care of personal data requirements
  • The Accuracy Obligation
  • The Protection Obligation
  • The Retention Limitation Obligation
  • The Transfer Limitation Obligation

Key terms & concepts

Key term definitions

The PDPA explicitly defines the following terms:

Personal data: Data, “whether true or not, about an individual who can be identified - from that data; or from that data and other information to which the organization has or is likely to have access.” 

Organization: Any “individual, company, association or body of persons, corporate or unincorporated, whether or not - formed or recognized under the law of Singapore; or resident, or having an office or a place of business, in Singapore.”

Processing: The “carrying out of any operation or set of operations in relation to the personal data,” including, but not limited to, recording; holding; organization, adaptation, or alteration; retrieval; combination; transmission; erasure or destruction. 

Data intermediary: An “organization which processes personal data on behalf of another organization but does not include an employee of that other organization.”

Key concepts

Although the PDPA does not define the following concepts, the Commission provides explanatory guidance on interpreting them: 

Purpose: The term refers to an organization’s “objectives or reasons” for collecting, using, or disclosing personal data, not the activities it may intend to take with that data.

Reasonable: In attempting to comply with the PDPA, organizations must “act based on what a reasonable person would consider appropriate in the circumstances.” 

The “reasonable person” concept is an “objective standard” and essentially represents “a person who exercises the appropriate care and judgment in the particular circumstances.”

Data intermediaries under the PDPA

Data intermediary obligations

A data intermediary handles data for another organization. When there is a written contract, the organization and the data intermediary have distinct responsibilities:

Organization: The organization has the same responsibilities under the PDPA as if it were handling the personal data directly.

Data intermediary: The data intermediary needs to adhere only to the PDPA provisions concerning the “Protection Obligation” and the “Retention Limitation Obligation” (explained below). However, if the data intermediary performs activities outside of processing data for the organization as specified in the contract, it must comply with all PDPA data protection obligations.

ClayHR as a data intermediary

ClayHR acts as a data intermediary under the PDPA by processing personal data on behalf of organizations or for their purposes under a cloud services contract. Therefore, ClayHR must comply with the PDPA’s Protection and Retention Limitation Obligations. Later in this paper, we explain how ClayHR meets its own PDPA requirements and supports its customers in meeting theirs.9 data protection obligations

Organizations responsible for managing and controlling personal data must comply with the obligations specified by the PDPA. The 9 primary data protection obligations are grouped into three categories, as detailed below:

Collection, use, and disclosure of personal data
  • Notification
  • Consent
  • Purpose limitation
Accountability
  • Openness
  • Access to and correction of personal data
Care of personal data
  • Accuracy 
  • Protection 
  • Retention limitation 
  • Transfer limitation

ClayHR Data Protection Overview & the Shared Responsibility Model

ClayHR’s strong security and privacy measures provide customers with the confidence to use ClayHR in compliance with the PDPA requirements. Additionally, we are continually enhancing our privacy and security features. To assist customers with compliance and reporting, ClayHR offers information, best practices, and easy access to documentation.

This section outlines our extensive data protection and privacy capabilities, as well as our robust data security features that are most relevant to the PDPA. We also detail how security and compliance responsibilities are divided according to the Shared Responsibility Model.

ClayHR’s approach to data protection and privacy 

  • Data privacy trust principles 
  • Dedicated privacy team 
  • Data access and customer control 
  • Restricted access to customer data 
  • Law enforcement data requests

ClayHR’s approach to data security 

  • Strong security culture 
  • Security team 
  • Trusted infrastructure 
  • Infrastructure redundancy 
  • Data encryption 
  • The Shared Responsibility Model

ClayHR’s approach to data protection and privacy

 At ClayHR, data protection and privacy are core values. We design our products and services with privacy and trust as foundational principles. ClayHR ensures the protection and privacy of customers' data through three key approaches: 

  1. We offer exceptional data protection with a secure core infrastructure designed, built, and operated to mitigate threats.
  2. We provide customers with strong security controls to help them achieve policy, regulatory, and business objectives.
  3. We meet our compliance obligations and make it easier for our customers to meet theirs.

Data protection and privacy trust principles

Our goal is to ensure that customers feel confident when using ClayHR. Trust is fostered through transparency, so we are dedicated to being open about our commitments and services, particularly concerning data protection.

Our commitments to you about your data

Your data is essential to your business, and you work hard to keep it safe and secure. We want you to feel assured that using ClayHR doesn't mean compromising the security or control of your business's data. At ClayHR, we believe trust is built through transparency, and we strive to be clear about our commitments and what you can expect from us in terms of our shared responsibility for protecting and managing your data.

When using the ClayHR Platform, you can expect:

  1. Priority is placed on your security across all our operations.

We promptly inform you of any security breach that may compromise your data.

  1. Control over your data.

We process customer data based on your instructions, granting you access to it and the ability to delete it whenever you choose.

  1. Assurance that customer data is not used for advertising purposes.

You retain ownership of your data, and ClayHR does not process it for advertising.

  1. Transparency regarding data storage locations and availability.

Your data is stored in the most relevant and nearest AWS regions. Please contact your Account Manager to determine the specific region.

  1. Reliance on ClayHR's independently verified security practices.

Our adherence to recognized international security and privacy standards is independently audited and certified, regardless of where your data resides within ClayHR.

For more information on how we safeguard customer information, please visit the ClayHR Privacy page and refer to the Data Processing Addendum for additional details.

Data access and customer control

At ClayHR, customers retain ownership of their data. We process customer data solely based on contractual obligations. Additionally, we offer solutions that enable precise management of resource permissions. For instance, customers can assign job functions to groups and roles, granting users specific permissions aligned with their responsibilities on the platform. Moreover, customers have the option to delete their data from our systems or export it if they choose to discontinue our services.

Restricted access to customer data

To ensure data privacy and security, ClayHR maintains strict logical isolation of each customer's data, even if it resides on the same physical server. Access to customer data is limited to a select group of ClayHR employees based on job function and role-specific needs. Any additional access is granted through rigorous procedures and meticulously logged in audit records.

ClayHR’s approach to data security 

This section outlines the organizational and technical measures ClayHR employs to safeguard your data:

Commitment to Security

At ClayHR, security is ingrained in our culture. We prioritize it through comprehensive employee training and company-wide initiatives aimed at enhancing awareness and fostering innovation in security and privacy. For more details, refer to the security and reliability culture sections in our ClayHR Security and Reliability Whitepaper.

Dedicated Security Team

Our security incident management program adheres to industry best practices and operates 24/7 to swiftly detect and resolve potential security issues. We regularly test our incident response plans to ensure readiness.

Secure Infrastructure

ClayHR was purpose-built with security at its core. We custom-design our instances, servers and databases to ensure secure service deployment, data storage with privacy safeguards, encrypted communications between services, and secure interactions with customers over the Internet. Our administrators operate in a secure environment.

Infrastructure Redundancy

ClayHR’s infrastructure is highly redundant across various components, including server design, data storage, network connectivity, and software services. This redundancy is achieved through multi-region deployment and automated failover mechanisms, ensuring continuous service availability:

  • Multi-Region Deployment: Enables seamless operation from alternate regions in case of regional disruptions.
  • Active-Active Configuration: Multiple instances of applications run concurrently in different regions, sharing the workload and enabling uninterrupted service during outages.
  • Active-Passive Configuration: One region serves actively while another remains on standby, ready to take over if needed.
  • Automated Failover: Ensures immediate recovery in scenarios like database server failure and load balancer redirection of traffic to healthy servers.

These measures underscore our commitment to maintaining the highest standards of data protection and service reliability at ClayHR.

Data encryption 

ClayHR automatically encrypts data both at rest and in transit. The specific encryption method employed varies based on the OSI layer, the type of service, and the physical infrastructure component involved. Whenever data moves beyond physical boundaries not under ClayHR's direct control, we ensure that all data in transit is encrypted and authenticated across one or more network layers by default. For further details, please consult the Encryption in Transit section of the ClayHR whitepaper.

The Shared Responsibility Model

As a trusted partner, ClayHR plays a crucial role in this model by delivering services through a secure and tightly controlled platform, offering a variety of security features that benefit our customers. This shared responsibility allows our customers to allocate resources more efficiently to their core activities and focus on their strengths. You can find our Shared Responsibility Disclosure document here.

ClayHR and the PDPA

The Personal Data Protection Commission (the Commission) advises organizations that they may be held accountable if their service providers violate the PDPA. The Commission recommends that organizations ensure their contracts with service providers include provisions requiring compliance with the PDPA. Additionally, organizations should establish standard operating procedures for how service providers handle personal data and implement processes to monitor compliance with these procedures.

Our commitment to compliance is grounded in our robust security and privacy infrastructure. We adhere to applicable data protection laws, undergo regular audits, maintain certifications, implement industry-standard contractual protections, and share tools and information with customers. ClayHR continues to make substantial investments in security, privacy, and compliance management to assist customers in fulfilling their current and future regulatory obligations. Our approach includes collaborating closely with customers to understand and address their specific compliance requirements, defining roles and responsibilities, conducting both internal and independent audits, and ensuring transparency in our operations.

Mapping ClayHR data protection capabilities to the PDPA & our shared responsibilities

Below, we outline the responsibilities for meeting the PDPA’s 9 Main Data Protection Obligations. The table specifies each legal obligation and clarifies whether it falls on our customers or ClayHR. Additionally, it highlights how we can assist our customers in fulfilling their legal obligations.

While customers hold ultimate responsibility for PDPA compliance, our steadfast adherence to data protection and privacy principles and regulations empowers them to leverage ClayHR software as a service with confidence.

Collection, use, and disclosure of personal data

Data Protection Obligations Who Has the Responsibility
Notification of Purpose
Section 20
  • The organisation must notify individuals of the purposes for collecting, using, or disclosing their personal data. The notification should also provide other information, such as the business contact information of the data protection officer, how an individual may withdraw consent, how an individual may access or correct his personal data, and the organisation’s retention policies.
Customer responsibility to provide notification of the purposes for the collection, use, or disclosure of individual personal data.
Consent
Sections 13-17
  • The organization must obtain individuals’ consent to collect, use, or disclose their personal data unless an exemption applies. The request for personal data should be reasonable for providing the product or service.
  • The organization must allow individuals to withdraw consent and cease collecting, using, or disclosing personal data upon withdrawal of consent.
Customer responsibility to obtain individuals’ consent to collect, use, or disclose their customers’ personal data.
Data Protection Obligations Who Has the Responsibility
Purpose Limitation
Section 18
  • An organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, only after it has notified the individual of those purposes.
  • The organization must collect, use, or disclose personal data only for the purposes for which the individuals gave consent.
Customer responsibility to ensure collection, use, or disclosure of personal data is limited to the purposes for which the individuals gave their consent.

ClayHR support

  • The data you entrust to ClayHR belongs to your organization. We process your organization’s data according to your explicit instructions under our contractual obligations to you. To read more, please visit the Data Processing Addendum.

Accountability of data subjects

Data Protection Obligations Who Has the Responsibility
Openness
Sections 11 and 12
  • The organization must appoint a data protection officer (DPO) who is responsible for the organization’s compliance with the PDPA and make the DPO’s business contact information publicly available so that data subjects can contact the DPO for PDPA-related queries or complaints.
  • The organization must publish information on its data protection policies, practices, and complaint-handling process.
Customer responsibility to appoint a data protection officer (DPO) and satisfy this obligation.
  • We recommend the Commission’s Advisory Guidelines on the Openness Obligation to learn more.

ClayHR support

  • ClayHR believes transparency is essential to build trust and recommends that data users inform their data subjects about their use of ClayHR
  • ClayHR has up-to-date security and privacy policies that have been reviewed and approved by management and are published and communicated to employees and vendors with access to the ClayHR environment. These policies describe information governance objectives, provide information security guidelines, and emphasize the importance of data protection and privacy to ClayHR’s business. Policies are reviewed at least annually and tested as part of the SOC 2 audit. ClayHR reviews and updates our policies as needed to comply with the latest regulatory requirements and information governance best practices.
  • In addition, customers may contact ClayHR’s data privacy officer for questions or comments.
Requests for Access to and Correction of Personal Data
Sections 21-22
  • Upon request, an organization must provide individuals with their personal data and inform them of the ways in which it collected, used, or disclosed their personal data within the past year (i.e., 12 months).
  • An organization must correct any error or omission in individuals’ personal data upon their request (unless an exception applies).
Customer responsibility to provide access to and correction of personal data collected, used, or disclosed within the past year.

ClayHR support

  • ClayHR allows customers to easily and safely access and correct the personal data stored in the cloud in order to fulfill their data subjects’ requests.
  • ClayHR is certified to SOC 2, which demonstrates the controls and guidelines ClayHR implements to protect personal data held within a public cloud environment.
  • For data subject requests or enquiries relating to their personal data, our privacy team will advise requesters to submit their request to the ClayHR customer. ClayHR customers can then take control for responding to these requests as per their internal procedures and requirements.
  • ClayHR will assist ClayHR customers per our terms in responding to these data subject requests.
  • ClayHR administrative consoles and services possess the functionality to access or rectify any data that they and their users put into our systems. This functionality will help our customers fulfill their obligations to respond to requests from data subjects to exercise their rights under the PDPA.
  • We encourage you to review our terms of service for more information about data subject rights.

Care of personal data


Data Protection Obligations Who Has the Responsibility
Accuracy S
Section 23
  • An organization must make reasonable efforts to ensure that an individual’s personal data collected is accurate and complete, if it is likely to use that data to make a decision that impacts that individual or to disclose that data to another organization.
Customer responsibility to satisfy this obligation.

ClayHR support

  • ClayHR administrative consoles and services possess the functionality to maintain the accuracy of their data.
Protection
Section 24
  • An organization must implement reasonable security processes to protect personal data against unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. The organization should have:
    1. Comprehensive policies and procedures to ensure appropriate levels of security for personal data of different sensitivities.
    2. Security measures appropriate to the nature of the personal data and the potential impact to individuals from unauthorized use or disclosure.
    3. Reliable, well-trained personnel.
    4. Robust security breach response plans, including a data breach management program and a procedure to notify the Commission as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.
  • With respect to data intermediaries, the organization should contractually define the responsibility of reporting, investigating, and taking remedial actions.
Shared ClayHR and customer responsibility.

How ClayHR meets the Data Protection Obligation Industry certifications and third-party attestations

  • Security team: ClayHR employs well trained and experts in the area security and privacy professionals who maintain the company’s defense systems, develop security review processes, build security infrastructure, implement ClayHR’s security policies, and actively scan for security threats. We also take part in research and outreach activities to protect the wider community of Internet users, beyond just ClayHR customers.
Protection (continued)
  • Defense in depth: ClayHR builds our cloud infrastructure security through layers to provide defense in depth. The security of the infrastructure is designed in progressive layers starting from the physical security of facilities, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security. Our infrastructure was designed to be multi-tenant from the start, and multiple mechanisms are utilized to establish and maintain trust between services. We operate the infrastructure securely by defending against threats to the infrastructure from both insiders and external actors. We protect our employees’ credentials from compromise by replacing phishable, one-time-password second factors with mandatory use of multi-factor authentication. We aggressively limit and actively monitor the activities of employees who are granted administrative access to the infrastructure. ClayHR continually works to eliminate the need for privileged access for particular tasks by providing automation that can accomplish the same tasks in a safe and controlled way. This includes requiring two-party approvals for some actions and introducing limited APIs that allow debugging without exposing sensitive information.
  • Data encryption: ClayHR encrypts data at rest and encrypts data in transit, by default. The type of encryption used depends on the OSI layer, the type of service, and the physical infrastructure component. By default, we encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of ClayHR. To learn more, refer to the Encryption in Transit in ClayHR whitepaper.
  • Threat and vulnerability management: ClayHR’s dedicated security team actively scans and detects security threats to our infrastructure from both insiders and external actors, 24/7/365. We use a combination of commercially available and in-house tools, automated and manual penetration testing, quality assurance processes, software security reviews, and external audits to support the vulnerability management process.
  • Unauthorized access prevention: To prevent unintended disclosure or unauthorized access to your data from ClayHR insiders, we tightly restrict and monitor any internal access to user data. The small set of employees with access to your data is subject to rigorous authentication measures, and detailed logging to detect inappropriate access via log analysis. ClayHR employees’ access rights and levels are based on their job functions and roles. Technical controls are applied to enforce the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by ClayHR’s security policies. Approvals are managed by workflow tools that maintain audit records of all changes. Furthermore, ClayHR’s security team actively monitors ClayHR employees’ access patterns and investigates unusual events. Finally, ClayHR employees are required to sign a confidentiality agreement and complete mandatory training on our Code of Conduct, data protection, data confidentiality, and data privacy. ClayHR’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
  • Incident response plan and data breach notification: We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. We assign the highest priority to events that directly impact our customers. Our process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Key staff are trained in forensics and handling evidence in preparation for an event. We test incident response plans for key areas, such as systems that store sensitive customer information.The ClayHR security team operates 24/7. Additionally, we will promptly notify customers if we detect a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to their data on systems we manage. Moreover, we will assist with investigative efforts via our support team.
  • Business continuity and disaster recovery: At ClayHR, we plan on our services being always available, even when we are upgrading our services or maintaining our systems. The service level agreements (SLAs) for ClayHR’s service offerings meet or exceed system availability requirements for enterprises across various industries. Our application and network architecture design maximizes reliability and uptime. We utilize robust software failover within our cloud computing platform to minimize the impact of unlikely hardware/software disruptions. All systems within the ClayHR infrastructure that support ClayHR services are redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across active servers so in the case of a machine failure, data will still be accessible through another system. Data is also replicated across secondary data centers to ensure protection from data center failures. Furthermore, we have a business continuity plan that allows us to continue delivery of our services to our customers. Likewise, our DR program enables continuous and automated disaster readiness, response, and recovery of our business, systems, and data.
  • We conduct DR testing on a regular basis to provide a coordinated venue for infrastructure and application teams to test communication plans, failover scenarios, operational transition, and other emergency responses. All teams that participate in the DR exercise develop testing plans and post mortems which document the results, lessons learned, and remediation plans (if applicable).
Data Protection Obligations Who Has the Responsibility
Retention Limitation
Section 25
  • An organization must cease to retain personal data or remove the means by which the personal data can be associated with particular individuals when the data is no longer necessary for any business or legal purposes.
  • Ceasing to retain personal data means safely disposing of personal data or anonymizing it.
  • The organization should set a retention period for various types of personal data.
Shared ClayHR and customer responsibility.
How ClayHR satisfies the Data Retention Limitation Obligation
  • ClayHR will retain, return, destroy, or delete the personal data in accordance with the contract or service level agreements. ClayHR administrative consoles and services possess the functionality to delete any data that they and their users put into our systems. If customers delete their data, we commit to deleting it from our systems within 30 days. We also provide tools that make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost.
  • ClayHR data is never stored on physical drives.
Data Protection Obligations Who Has the Responsibility
Transfer Limitation
Section 26
  • When transferring personal data overseas , an organization must 1) take steps to ensure that it protects the data in compliance with the PDPA while the data is still in its possession or control; and 2) ensure that the standard of protection afforded to that data in a separate jurisdiction or region is comparable to the PDPA.
Customer responsibility to satisfy this obligation.
  • To learn more, we recommend the Commission’s Advisory Guidelines on the Transfer Limitation Obligation.

    • ClayHR support

  • Read here for ClayHR’s AWS regions. ClayHR informs its customers of the storage locations and legal jurisdictions of the personal data. For many ClayHR services, customers can choose where their data is stored.

Conclusion

We have outlined the secure storage, processing, maintenance, and access of information in ClayHR. This information can assist customers in assessing the suitability of ClayHR Platform and ClayHR Workspace products or services, whether they handle personal data within Singapore or of individuals in Singapore but outside the city-state, in accordance with the PDPA.