The Personal Data Protection Act (PDPA) was enacted in Thailand in May 2019 and came into full force on 1 June 2022. It governs the collection, use, disclosure, and storage of personal data, including the personal data employers hold about their staff. To manage employee data under the PDPA, employers should take the following steps:
- Obtain consent or identify another lawful basis: Employers should obtain the consent of their employees before collecting and processing their personal data, unless the processing is necessary to perform the employment contract. Consent should be specific, informed, and freely given. Note that this contractual basis does not automatically extend to sensitive personal data (such as health, biometric, or criminal-record data); sensitive data generally requires explicit consent unless a specific legal exemption applies.
- Limit collection: Employers should limit the collection of personal data to what is necessary for the specific purpose for which it is collected. The categories collected, and how long they are kept, should be defined by the organisation's data retention policy and by local laws.
- Use and disclosure: Employers should only use and disclose personal data for the purpose for which it was collected, or for a purpose that is directly related to that purpose.
- Implement appropriate security measures: Employers should implement appropriate security measures to protect employee personal data against unauthorised access, use, alteration, or disclosure. This could include role-based access controls that restrict HR records to those who need them, encryption of data at rest and in transit, and regular security assessments of the systems that hold the data.
- Provide access and correction rights: Employers should provide employees with the right to access and correct their personal data, and to withdraw their consent to the processing of their personal data.
- Retention and disposal: Employers should retain employee personal data only for as long as necessary to fulfill the purpose for which it was collected, and then dispose of it securely.
- Implement a privacy policy: Employers should develop and implement a privacy policy that outlines their data protection practices and procedures, including the management of employee personal data. The employee privacy notice should be separate from the organisation's main published privacy notice, since employees are a distinct group of data subjects with their own purposes and legal bases for processing.
Employers should also ensure that their employees are aware of their rights under the PDPA and are trained on data protection best practices. It may be helpful to seek expert advice or consult the relevant guidance from the Personal Data Protection Committee (PDPC) when managing employee data under the PDPA.
Formiti Data International Ltd provides extensive PDPA services. If you would like to find out more, please reach out at [email protected]