Introduction
Singapore’s Personal Data Protection Act (PDPA) regulates the collection, use, disclosure, and management of personal data, as outlined in the official Quick Guide to the PDPA. Central to the PDPA are the 9 Main Data Protection Obligations, which aim to balance individuals’ rights to data privacy with organizations’ legitimate business needs.
This whitepaper aims to inform our customers about the PDPA and how ClayHR employs top-tier data privacy and security measures to store, process, maintain, and protect customer data. We are dedicated to helping our customers use HR-related data effectively while complying with the PDPA’s requirements. This document details our data protection features, how they align with the PDPA, and how we share compliance responsibilities with our customers.
Personal Data Protection Act Overview
The PDPA governs how organizations in Singapore handle personal data, including cases where data is collected abroad and transferred to Singapore. The Personal Data Protection Commission (the Commission) oversees the administration, promotion, and enforcement of the PDPA. For more details, consult the Act, related subsidiary legislation, and the Commission’s guidance.
Purpose of the PDPA
"To regulate how organizations collect, use, and disclose personal data, balancing individuals'
rights to protect their data with the legitimate needs of organizations to handle personal data for
reasonable purposes.
This section defines the PDPA’s key terms and concepts. In particular, we briefly describe the PDPA’s 9 Main Data Protection Obligations. To learn more, see the Act, the Commission’s Overview of the Obligations, and the Advisory Guidelines for Key Concepts in the PDPA.
Key terms & concepts
Key term definitions
The PDPA explicitly defines the following terms:
Personal data: Data, “whether true or not, about an individual who can be identified - from that data; or from that data and other information to which the organization has or is likely to have access.”
Organization: Any “individual, company, association or body of persons, corporate or unincorporated, whether or not - formed or recognized under the law of Singapore; or resident, or having an office or a place of business, in Singapore.”
Processing: The “carrying out of any operation or set of operations in relation to the personal data,” including, but not limited to, recording; holding; organization, adaptation, or alteration; retrieval; combination; transmission; erasure or destruction.
Data intermediary: An “organization which processes personal data on behalf of another organization but does not include an employee of that other organization.”
Key concepts
Although the PDPA does not define the following concepts, the Commission provides explanatory guidance on interpreting them:
Purpose: The term refers to an organization’s “objectives or reasons” for collecting, using, or disclosing personal data, not the activities it may intend to take with that data.
Reasonable: In attempting to comply with the PDPA, organizations must “act based on what a reasonable person would consider appropriate in the circumstances.”
The “reasonable person” concept is an “objective standard” and essentially represents “a person who exercises the appropriate care and judgment in the particular circumstances.”
Data intermediaries under the PDPA
Data intermediary obligations
A data intermediary handles data for another organization. When there is a written contract, the organization and the data intermediary have distinct responsibilities:
Organization: The organization has the same responsibilities under the PDPA as if it were handling the personal data directly.
Data intermediary: The data intermediary needs to adhere only to the PDPA provisions concerning the “Protection Obligation” and the “Retention Limitation Obligation” (explained below). However, if the data intermediary performs activities outside of processing data for the organization as specified in the contract, it must comply with all PDPA data protection obligations.
ClayHR as a data intermediary
ClayHR acts as a data intermediary under the PDPA by processing personal data on behalf of organizations or for their purposes under a cloud services contract. Therefore, ClayHR must comply with the PDPA’s Protection and Retention Limitation Obligations. Later in this paper, we explain how ClayHR meets its own PDPA requirements and supports its customers in meeting theirs.9 data protection obligations
Organizations responsible for managing and controlling personal data must comply with the obligations specified by the PDPA. The 9 primary data protection obligations are grouped into three categories, as detailed below:
Collection, use, and disclosure of personal data
- Notification
- Consent
- Purpose limitation
Accountability
- Openness
- Access to and correction of personal data
Care of personal data
- Accuracy
- Protection
- Retention limitation
- Transfer limitation
ClayHR Data Protection Overview & the Shared Responsibility Model
ClayHR’s strong security and privacy measures provide customers with the confidence to use ClayHR in compliance with the PDPA requirements. Additionally, we are continually enhancing our privacy and security features. To assist customers with compliance and reporting, ClayHR offers information, best practices, and easy access to documentation.
This section outlines our extensive data protection and privacy capabilities, as well as our robust data security features that are most relevant to the PDPA. We also detail how security and compliance responsibilities are divided according to the Shared Responsibility Model.
ClayHR’s approach to data protection and privacy
- Data privacy trust principles
- Dedicated privacy team
- Data access and customer control
- Restricted access to customer data
- Law enforcement data requests
ClayHR’s approach to data security
- Strong security culture
- Security team
- Trusted infrastructure
- Infrastructure redundancy
- Data encryption
- The Shared Responsibility Model
ClayHR’s approach to data protection and privacy
At ClayHR, data protection and privacy are core values. We design our products and services with privacy and trust as foundational principles. ClayHR ensures the protection and privacy of customers' data through three key approaches:
- We offer exceptional data protection with a secure core infrastructure designed, built, and operated to mitigate threats.
- We provide customers with strong security controls to help them achieve policy, regulatory, and business objectives.
- We meet our compliance obligations and make it easier for our customers to meet theirs.
Data protection and privacy trust principles
Our goal is to ensure that customers feel confident when using ClayHR. Trust is fostered through transparency, so we are dedicated to being open about our commitments and services, particularly concerning data protection.
Our commitments to you about your data
Your data is essential to your business, and you work hard to keep it safe and secure. We want you to feel assured that using ClayHR doesn't mean compromising the security or control of your business's data. At ClayHR, we believe trust is built through transparency, and we strive to be clear about our commitments and what you can expect from us in terms of our shared responsibility for protecting and managing your data.
When using the ClayHR Platform, you can expect:
- Priority is placed on your security across all our operations.
We promptly inform you of any security breach that may compromise your data.
- Control over your data.
We process customer data based on your instructions, granting you access to it and the ability to delete it whenever you choose.
- Assurance that customer data is not used for advertising purposes.
You retain ownership of your data, and ClayHR does not process it for advertising.
- Transparency regarding data storage locations and availability.
Your data is stored in the most relevant and nearest AWS regions. Please contact your Account Manager to determine the specific region.
- Reliance on ClayHR's independently verified security practices.
Our adherence to recognized international security and privacy standards is independently audited and certified, regardless of where your data resides within ClayHR.
For more information on how we safeguard customer information, please visit the ClayHR Privacy page and refer to the Data Processing Addendum for additional details.
Data access and customer control
At ClayHR, customers retain ownership of their data. We process customer data solely based on contractual obligations. Additionally, we offer solutions that enable precise management of resource permissions. For instance, customers can assign job functions to groups and roles, granting users specific permissions aligned with their responsibilities on the platform. Moreover, customers have the option to delete their data from our systems or export it if they choose to discontinue our services.
Restricted access to customer data
To ensure data privacy and security, ClayHR maintains strict logical isolation of each customer's data, even if it resides on the same physical server. Access to customer data is limited to a select group of ClayHR employees based on job function and role-specific needs. Any additional access is granted through rigorous procedures and meticulously logged in audit records.
ClayHR’s approach to data security
This section outlines the organizational and technical measures ClayHR employs to safeguard your data:
Commitment to Security
At ClayHR, security is ingrained in our culture. We prioritize it through comprehensive employee training and company-wide initiatives aimed at enhancing awareness and fostering innovation in security and privacy. For more details, refer to the security and reliability culture sections in our ClayHR Security and Reliability Whitepaper.
Dedicated Security Team
Our security incident management program adheres to industry best practices and operates 24/7 to swiftly detect and resolve potential security issues. We regularly test our incident response plans to ensure readiness.
Secure Infrastructure
ClayHR was purpose-built with security at its core. We custom-design our instances, servers and databases to ensure secure service deployment, data storage with privacy safeguards, encrypted communications between services, and secure interactions with customers over the Internet. Our administrators operate in a secure environment.
Infrastructure Redundancy
ClayHR’s infrastructure is highly redundant across various components, including server design, data storage, network connectivity, and software services. This redundancy is achieved through multi-region deployment and automated failover mechanisms, ensuring continuous service availability:
- Multi-Region Deployment: Enables seamless operation from alternate regions in case of regional disruptions.
- Active-Active Configuration: Multiple instances of applications run concurrently in different regions, sharing the workload and enabling uninterrupted service during outages.
- Active-Passive Configuration: One region serves actively while another remains on standby, ready to take over if needed.
- Automated Failover: Ensures immediate recovery in scenarios like database server failure and load balancer redirection of traffic to healthy servers.
These measures underscore our commitment to maintaining the highest standards of data protection and service reliability at ClayHR.
Data encryption
ClayHR automatically encrypts data both at rest and in transit. The specific encryption method employed varies based on the OSI layer, the type of service, and the physical infrastructure component involved. Whenever data moves beyond physical boundaries not under ClayHR's direct control, we ensure that all data in transit is encrypted and authenticated across one or more network layers by default. For further details, please consult the Encryption in Transit section of the ClayHR whitepaper.
The Shared Responsibility Model
As a trusted partner, ClayHR plays a crucial role in this model by delivering services through a secure and tightly controlled platform, offering a variety of security features that benefit our customers. This shared responsibility allows our customers to allocate resources more efficiently to their core activities and focus on their strengths. You can find our Shared Responsibility Disclosure document here.
ClayHR and the PDPA
The Personal Data Protection Commission (the Commission) advises organizations that they may be held accountable if their service providers violate the PDPA. The Commission recommends that organizations ensure their contracts with service providers include provisions requiring compliance with the PDPA. Additionally, organizations should establish standard operating procedures for how service providers handle personal data and implement processes to monitor compliance with these procedures.
Our commitment to compliance is grounded in our robust security and privacy infrastructure. We adhere to applicable data protection laws, undergo regular audits, maintain certifications, implement industry-standard contractual protections, and share tools and information with customers. ClayHR continues to make substantial investments in security, privacy, and compliance management to assist customers in fulfilling their current and future regulatory obligations. Our approach includes collaborating closely with customers to understand and address their specific compliance requirements, defining roles and responsibilities, conducting both internal and independent audits, and ensuring transparency in our operations.
Mapping ClayHR data protection capabilities to the PDPA & our shared responsibilities
Below, we outline the responsibilities for meeting the PDPA’s 9 Main Data Protection Obligations. The table specifies each legal obligation and clarifies whether it falls on our customers or ClayHR. Additionally, it highlights how we can assist our customers in fulfilling their legal obligations.
While customers hold ultimate responsibility for PDPA compliance, our steadfast adherence to data protection and privacy principles and regulations empowers them to leverage ClayHR software as a service with confidence.
Conclusion
We have outlined the secure storage, processing, maintenance, and access of information in ClayHR. This information can assist customers in assessing the suitability of ClayHR Platform and ClayHR Workspace products or services, whether they handle personal data within Singapore or of individuals in Singapore but outside the city-state, in accordance with the PDPA.