Guide for HR on data protection and solutions

A must-read guide for human resources on data protection and relevant solutions

Hiring the right employees for your organisation, maintaining their records, and conducting disciplinary actions that may lead to dismissal: these are examples of the human resource (HR) department's work that relies heavily on personal data. Before the Personal Data Protection Act B.E. 2562 (2019) (PDPA), it was mainly the organisation that dictated what personal data of a candidate or an employee to collect, and how to collect and use it.

Once the PDPA becomes fully effective on 1 June 2022, the organisation should rethink such procedures. The PDPA aims to give employees back control over the personal data they hand to your organisation. To that end it sets out a level of protection for data subjects (i.e. the employees) comparable to that in the EU, and it will change the way HR works.

Here are some key questions that HR needs to take into consideration when dealing with employees’ personal data.  

1. Is the data necessary?  

All personal data you collect must serve a purpose. Personal data that has nothing to do with any of your organisation's stated purposes cannot be collected in the first place. It is your job to identify the minimum amount of personal data necessary to fulfil each purpose.

An example is requiring a candidate to fill in information such as religion or blood type on the application form. Do you actually use a candidate's religion or blood type in the recruitment process? If the answer is 'no', you can no longer ask a candidate for that information, and your application form needs revising. The PDPA requires HR to rethink and reshape its recruitment process.

2. Is the data processing transparent?

Now that the 'Is the data necessary?' question above has identified the 'what', let us move on to 'how' personal data must be processed. We are not talking about the method of processing, for example whether it is online or paper-based, which your organisation still has full authority to decide. The PDPA does, however, require that your processing be transparent.

Transparency means that your employees must be informed of how their personal data will be processed throughout the data life cycle, prior to or at the time of collection. The document containing this information is generally known as a 'privacy notice'. Key information in a privacy notice includes what personal data is collected; the purposes of collection, use and disclosure; the legal bases relied on; and the employees' rights under the PDPA.

Although the PDPA does not prescribe how a privacy notice should be written, to avoid unnecessary future disputes it is advisable to write it in clear and plain language, especially when communicating with children.

3. Is your data processing legal?

The PDPA requires an organisation to process personal data lawfully. It is the organisation's responsibility to identify which legal basis applies to each group of personal data. The legal bases a private organisation most commonly relies on are consent, contract, legal obligation and legitimate interest. If no legal basis (or, for sensitive data, no special condition) applies to your processing, that processing is unlawful. For sensitive data such as religion, criminal records, political opinions or health data, this can lead to criminal charges with up to one year's imprisonment, a fine of up to THB 1 million, or both; it can also lead to an administrative fine of up to THB 5 million.

4. Can you keep the data safe?  

What does 'safe' mean here? It means that appropriate security measures must be in place to prevent loss and unauthorised access, use, alteration or disclosure of personal data. One example is access control: only authorised persons in your organisation can reach a given group of personal data, and each role is granted the narrowest set of data its job requires. The level of security needed varies between organisations with the level of risk attached to the personal data each one holds, and a risk assessment weighs several factors. An organisation processing the personal data of millions of people needs a higher level of security than one processing the personal data of a few hundred. The latter, however, should still consider stronger measures if most of its processing involves sensitive data, such as employees' health data.

5. Do you know your employees’ rights?

Aside from their rights under labour law, employees are entitled to exercise certain rights regarding the processing of their personal data. For example, any consent an employee has given you to process their personal data can be withdrawn at any time, and once it is withdrawn your organisation is obliged to promptly cease the processing that relied on it. Employees may also ask you to erase any of their personal data that no longer serves its intended purpose. It is your job to know where such data is stored within your organisation so that it can be erased from every storage location.
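The access control described under question 4 and the consent withdrawal described under question 5 can be enforced together at the point where HR records are read. The following is an added illustration, not code from the article or the authors: it assumes a hypothetical HR schema in which every field is tagged with a data category, a set of hypothetical roles each granted only the categories its job needs, and a per-employee record of the purposes the employee has consented to. Sensitive fields are refused unless the role holds the category and consent for the stated purpose is still on file, and every attempt, allowed or denied, is logged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sensitive categories from the article's list (subset, for illustration).
SENSITIVE = {"health", "biometric", "criminal_record", "religion", "trade_union"}

# Assumed HR schema: each field is tagged with exactly one data category.
FIELD_CATEGORY = {
    "name": "general",
    "bank_account": "general",
    "fingerprint_template": "biometric",
    "medical_certificate": "health",
    "police_clearance": "criminal_record",
}

# Assumed roles, each granted only the categories its job needs (least privilege).
ROLE_CATEGORIES = {
    "payroll": {"general"},
    "hr_admin": {"general", "health", "criminal_record"},
    "time_attendance": {"biometric"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Employee:
    emp_id: str
    data: dict
    consents: set = field(default_factory=set)  # purposes this employee consented to


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, role, emp_id, fld, purpose, outcome):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "role": role, "emp_id": emp_id, "field": fld,
            "purpose": purpose, "outcome": outcome,
        })


def read_fields(employee, role, purpose, fields, log):
    """Return the requested fields, or raise AccessDenied.

    Deny by default: unknown fields, fields outside the role's categories, and
    sensitive fields without consent for the stated purpose are all refused.
    Every attempt, allowed or denied, is written to the access log.
    """
    allowed = ROLE_CATEGORIES.get(role, set())
    result = {}
    for fld in fields:
        category = FIELD_CATEGORY.get(fld)
        if category is None or category not in allowed:
            log.record(role, employee.emp_id, fld, purpose, "deny:role")
            raise AccessDenied(f"role {role!r} may not read {fld!r}")
        if category in SENSITIVE and purpose not in employee.consents:
            log.record(role, employee.emp_id, fld, purpose, "deny:no-consent")
            raise AccessDenied(f"no consent from {employee.emp_id} for {purpose!r}")
        log.record(role, employee.emp_id, fld, purpose, "allow")
        result[fld] = employee.data[fld]
    return result


def withdraw_consent(employee, purpose):
    """Withdrawal takes effect immediately: later reads for this purpose are denied."""
    employee.consents.discard(purpose)


def demo():
    # Constructed sample record, not real data.
    emp = Employee("E-1001", {
        "name": "A. Example", "bank_account": "xxx-123",
        "fingerprint_template": b"\x01\x02", "medical_certificate": "MC-2022-07",
        "police_clearance": "clear",
    }, consents={"attendance"})
    log = AccessLog()
    # Biometric read by the attendance role, with consent on file: allowed.
    allowed = read_fields(emp, "time_attendance", "attendance", ["fingerprint_template"], log)
    # Payroll has no health category: refused regardless of consent.
    try:
        read_fields(emp, "payroll", "payroll", ["medical_certificate"], log)
        denied_by_role = False
    except AccessDenied:
        denied_by_role = True
    # After withdrawal, the same biometric read the attendance role made above is refused.
    withdraw_consent(emp, "attendance")
    try:
        read_fields(emp, "time_attendance", "attendance", ["fingerprint_template"], log)
        denied_after_withdrawal = False
    except AccessDenied:
        denied_after_withdrawal = True
    return allowed, denied_by_role, denied_after_withdrawal, [e["outcome"] for e in log.entries]


if __name__ == "__main__":
    print(demo())
```

A refused field raises rather than being silently dropped, so a report or export that asks for data it is not entitled to fails visibly and leaves a log entry; that log is also what you would consult when an employee asks who has accessed their data.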

6. Do you know that some data is more sensitive than others?

Between a person's name on the one hand and their religion or criminal record on the other, which do you think the PDPA aims to give extra protection? Certain types of personal data are sensitive by nature, and misuse of such data carries more liability than misuse of general personal data (e.g. name, address or date of birth).

Sensitive data includes racial/ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, and biometric data (more could be added to this list by the Personal Data Protection Committee). 

Why should HR worry about this? It is common for HR to use biometric data (e.g. fingerprints) for attendance and time-tracking. Some organisations also require a police clearance from candidates for certain positions. In most cases, processing sensitive data requires prior consent from each employee or candidate. No regulation has yet been issued on collecting criminal records, but lawmakers have discussed allowing such collection only where a relevant law requires the organisation to collect them, or where consent has been given. Further clarification on the collection of criminal records will come once the relevant regulation is issued.

What you should do next 

Your organisation needs a PDPA compliance check-up now. You may start the work yourself or engage a professional firm to map all the personal data your organisation processes, including: what personal data you collect and how; the purposes of collection; who is involved in the processing; whether the data is kept safe; and to whom, and how, the data is disclosed. You can then put in place appropriate systems and legal documents to deal with the issues found. Failure to comply with the PDPA may result in damages of up to three times the actual loss (class actions are also possible), criminal charges with up to one year's imprisonment, a fine of up to THB 1 million, or both, or an administrative fine of up to THB 5 million.

Personal data collected before 1 June 2022 may be retained and used for its original purpose. However, where such data was collected on the basis of consent, your organisation must allow the employees to withdraw that consent. If you disclose or process such data for any other purpose, you must comply with the PDPA in full.

A PDPA compliance check-up is a lengthy process and requires collaboration from every department in your organisation. To avoid disputes and to maintain your organisation's reputation and good relationships with employees and clients, we advise taking all necessary steps to ensure PDPA compliance.


About the Authors: Nattaya Tantirangsi (nattaya.t@kap.co.th) is a senior associate and Head of Data Privacy and Protection Practice specialising in PDPA compliance at Kudun and Partners Limited. 

Panithida Termrungruanglert (panithida.t@kap.co.th) is an associate specialising in PDPA compliance at Kudun and Partners Limited. 

Pariyakorn Rungrueang (pariyakorn.r@kap.co.th) is an associate at Kudun and Partners Limited and was part of the research team of the PDPA Regulations Legislation Project.

For more information please contact Ben Cheok, Head of Business Development at ben.c@kap.co.th

Series Editor: Christopher F. Bruton, Executive Director, Dataconsult Ltd, chris@dataconsult.co.th. Dataconsult's Thailand Regional Forum provides seminars and extensive documentation to update business on future trends in Thailand and in the Mekong Region.
