Are HR records subject to data protection law in Myanmar?
Yes — Myanmar HR records are subject to data-protection duties even though there is no single PDPA. Confidentiality flows from the Constitution (Article 357), the Electronic Transactions Law, sectoral confidentiality rules, the Penal Code, and contractual NDAs. Employers must treat personnel data on a need-to-know basis, restrict access, and retain records for the statutory periods (7 years HR/payroll; 5 years OSH).
What Myanmar requires: HR records and data-protection duties
Even without a single Personal Data Protection Act, Myanmar HR records are subject to data-protection duties. Sources include the Constitution (Article 357 — privacy), the Electronic Transactions Law, sectoral confidentiality rules (health, banking, telecom), the Penal Code, and contractual NDAs.
| HR record category | Confidentiality basis | Authority |
|---|---|---|
| Personnel file (CV, contract, performance) | ESDL + contract + Penal Code defamation | Civil + criminal courts |
| Salary / payroll records | Payment of Wages Law confidentiality + Income Tax Law | IRD audit / civil |
| Medical / sickness records | Sectoral health confidentiality + ETL | Health regulator + civil |
| Disciplinary / grievance records | ESDL + Penal Code defamation | Township labour office + civil |
| SSB IP records | Social Security Law 2012 | SSB + civil |
| Bank / payment account data | Banking confidentiality rules | Banking regulator |
Process — how to handle HR data lawfully
- Limit access to HR records on a need-to-know basis (HR + line manager + payroll only where required).
- Include a confidentiality clause in every Employment Agreement.
- Require an NDA for senior, technical, or sensitive roles.
- Use role-based access in HRIS / payroll systems with audit logs.
- For third-party processors (payroll bureau, cloud HRIS), execute a written processing agreement covering confidentiality, breach notification, and return / destruction at exit.
- Watch for Myanmar's PDPA — if enacted, expect notification, lawful-basis, and breach-reporting duties.
Records and retention
| Record type | Retention duration | Reason |
|---|---|---|
| Personnel files | 7 years post-exit | ESDL 2013 |
| Payroll / wage register | 7 years | Payment of Wages Law / Income Tax Law |
| Confidentiality / NDA records | 7 years post-exit | Civil enforcement |
| Access logs in HRIS | Per IT policy + 7 years | Breach investigation |
| OSH (medical / training) | 5 years | OSH Law 2019 |
Employer takeaway
Myanmar HR records are protected even without a single PDPA. Use need-to-know access, contractual confidentiality, and sectoral compliance for medical / banking / telecom data. Wrongful disclosure can attract civil damages, Penal Code liability, and Electronic Transactions Law penalties. Retain HR records 7 years post-exit (5 years for OSH), and document any third-party processor / cloud arrangements.
Penalties for non-compliance
- Wrongful disclosure — civil damages + Penal Code liability.
- Electronic Transactions Law offences — fines + imprisonment in serious cases.
- Sectoral confidentiality breach (health, banking, telecom) — sectoral fines.
- Contract breach — damages + injunctive relief.
Common HR data mistakes
- Sharing personnel files with line managers who don't need them.
- Sending payslips by unsecured email.
- Not having a written processing agreement with the payroll bureau.
- Cloud-storing HR data overseas without safeguards.
- Constitution of Myanmar (2008) — Article 357
- Electronic Transactions Law (as amended)
- Employment & Skills Development Law (ESDL) 2013