Employment record-keeping and data access regulations overview
Employers in the Asia-Pacific region are obligated to maintain employee records containing personal data, and employees may have the right to access that data. However, record-keeping requirements vary across jurisdictions. Singapore requires records of employee data to be kept as set out in the First Schedule of the Employment (Employment Records, Key Employment Terms and Pay Slips) Regulations. Retention periods for different data vary, and there are also various record-keeping obligations under other laws and regulations. For example, Rule 11 of the Central Provident Fund Rules requires records of payments given by the Central Provident Fund Board to be retained for at least two years from the date of issue. In the event of a data breach, employers may face severe consequences. OrangeTee & Tie, a real estate firm, had to pay $37,000 after a data breach compromised the information of 250,000 employees and customers.
In Hong Kong, employers must keep wage and employment records of each employee covering the preceding 12 months of employment, and records must be kept for another six months after termination of employment. The Code of Practice on Human Resources Management specifies that other records relating to an employee’s personal data may be retained by the employer for up to seven years from the date of termination. Record-keeping obligations under other laws include keeping records of the type of identification document held by an employee under the Immigration Ordinance, and remittance statements under the Mandatory Provident Fund Schemes (General) Regulation.
In Thailand, the Thai Labour Protection Act B.E. 2541 (1998) requires employers with ten or more employees to have an employee register in Thai containing specific employee information, and the information of each employee must be updated within 15 days upon any change. The retention period of records in the employee register is at least two years after termination of employment. The Thai PDPA also requires employers to maintain records of data processing activities.
Under Singapore’s Personal Data Protection Act 2012, individuals may request access to their personal data in an organisation’s possession or control. However, organisations are not required to provide access to data that includes opinion data kept solely for an evaluative purpose or personal data that would reveal confidential commercial information that could harm the organisation’s competitive position, among others.