Personal Data Protection Policy
Purpose of policy
The Methodist Church in Singapore - General Conference (“MCS-GC” or “organization” or “us”) is committed to safeguarding the personal data entrusted to it by the Individuals.
MCS-GC manages Individual’s personal data in accordance with Singapore Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA 2012” or the “Act”) and other applicable written laws. The purpose of the Personal Data Protection Policy (the “Policy”) outlines the principles and practices adopted by MCS-GC in protecting personal data.
Personal data means data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.
Individual means a natural person, whether living or deceased.
For the MCS-GC, individuals include, but not limited, to the following:
• Staff (either paid or not paid. Unpaid staff include volunteers, lay person holding office or represents MCS-GC in anyway.);
• Researchers; and
The term “purpose” refers to objectives or reasons the organization relating to the collection, use and disclosure of personal data.
1. Policy statement
- comply with regulatory requirements as stated in the PDPA 2012;
- respect individuals’ rights;
- be open and honest to the individuals whose data are held by us; and
- provide training and support for staffs and volunteers who handle personal data, so that they may confidently comply with this Policy.
MCS-GC recognizes that our primary commitment with reference to the Data Protection Act is to ensure individuals’ personal data are not misused and may result in harmful consequences. We strive to achieve this by ensuring personal data are:
- obtained fairly and lawfully and shall not be processed unless certain conditions are met;
- obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose;
- adequate, relevant and not excessive;
- accurate, and up to date;
- kept for no longer than necessary; and
- protected by appropriate security and keep with trusted and authorized parties.
MCS-GC is also committed to being open and transparent and will response to any legitimate enquiries from individuals regarding usage, storage and accuracy of their personal data in a timely manner.
2.1. General Conference Executive Council’s (GCEC) Responsibilities.
The General Conference Executive Council (GCEC) is the responsible authority for ensuring MCS-GC complies with the following legal obligations: -
- Develop and implement its data protection policies and practices;
- Appoint a Data Protection Officer (“DPO”);
- Develop process to receive and respond to complaints that may arise with respect to the application of PDPA 2012;
- Communicate information about its data protection policies and practices to its staff; and
- Make information available on request about its data protection policies and practices and its process to receive and respond to complaints.
Each agency, council and department which manages personal data is responsible for formulating their respective operational procedures in compliance to this Policy (including induction and training) to ensure that good data protection practices are established and implemented.
Significant breaches of this Policy shall be dealt according to MCS-GC’s disciplinary procedures.
2.2. MCS-GC Staffs, Lays’ and Vendors’ Responsibilities
All MCS-GC staffs, paid and unpaid, including lay and clergy office bearers, shall comply with this Policy.
All staff shall read, understand and acknowledge Policy procedures that relate to the personal data that they may manage in MCS-GC.
Staff shall seek approval from the DPO when there is a need to consider using personal data in a manner not consistent with this Policy, or an official disclosure request is received. The considerations, approval and disclosures shall be documented and filed.
3. Data collection, usage and disclosure
3.1. Purpose limitation
MCS-GC collects, uses and discloses personal data for the following purposes:
- Human resource administration;
- Education and training;
- Event organisation and management;
- Missions organisation and management;
- Fundraising, donations and activities for charitable causes;
- Tenancy management;
- Service intermediation(insurance and banking);
- Members services;
- Queries and requests handling;
- Meet regulatory requirements (Charity portal declaration); and
- Advertising and communication.
MCS-GC shall only collect personal data relevant to the purpose of the collection or if it is mandatory in order to accomplish the purpose. Individuals shall be informed of the purpose of collecting optional data (e.g. to improve services rendered).
MCS-GC shall seek consent from individual to collect, use or disclose the individual’s personal data, except in specific circumstances where collection, use or disclosure without consent is authorized under this Act or required by any other written law.
Consent may be collected through written documentations (e.g. consent form, written note) or electronically (email consent, electronic forms). In situations that consent cannot be conveniently obtain in written form or electronically, MCS-GC may opt to obtain verbal consent and such process shall be approved by DPO.
MCS-GC may not be able to fulfill certain services if individuals are unwilling to provide consent to the collection, use or disclosure of certain personal data.
3.3. Deemed consent
MCS-GC may deem the individual has consented to collection, usage and disclosure of their personal data in situations where the individual provided information for obvious purposes.
MCS-GC may deem individual’s consent were obtained for personal data collected prior to 2nd July, 2014 for the purpose of which the personal data was collected, unless consent for such use is withdrawn. The consent may include for MCS-GC’s usage and where applicable include disclosure.
MCS-GC need not seek consent from staff (including volunteers and part time workers) for purposes related to the staff’s work in MCS. However, staff’s consent shall be obtained if such purpose is unrelated to their work. Staff shall be informed that their personal data may be disclosed to public and arrangements may be made to limit such disclosure with mutual agreement.
3.4. Consent withdrawal
Any individual may withdraw their consent to the use and disclosure of their personal data at any time, unless such personal data is necessary for MCS-GC to fulfil its legal obligations. MCS-GC shall comply with the withdrawal request and inform the individual if such withdrawal will affect the services and arrangements between the individual and MCS-GC. MCS-GC may cease such services or arrangements as a result of the withdrawal.
3.5. Notification obligation
MCS-GC shall collect this personal data directly from the Individuals. However, MCS-GC may also collect individual’s personal data from third parties provided the consent was obtain from the individual or required by law.
Prior or during collecting personal data, MCS-GC shall made known to the individual the purpose for which the personal data was collected, except when such personal data is provided by an individual for an obvious purpose. (E.g. individual provided personal data to register for an event, as such the purpose is for that event participation).
3.6. Accuracy obligation
MCS-GC shall make every reasonable effort to ensure that individuals’ information it keeps are accurate and complete. MCS-GC relies on individuals’ self-notification of any changes to their personal data that is relevant to MCS-GC.
3.7. Data disclosure and transfer of personal data in and outside Singapore
MCS-GC may disclose Individual’s personal data to the following group of external organisations for appropriate purposes and subjected to compliance of applicable written laws:
- agents, contractors, data intermediaries or third party service providers who provide services, such as telecommunications, mailing, information technology, payment, payroll, insurance, training, storage and archival, to the organisation;
- banks and financial institutions;
- MCS-GC’s professional services providers such as auditors;
- relevant government regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by relevant government;
- charity organisations; and
- any relevant person related to achieving the intended purposes.
MCS-GC will transfer personal data to a country or territory outside Singapore when required for business purposes. Such transfer shall be done in a manner that is secure and appropriate align with PDPA 2012 requirements.
4. Security and storage
4.1. Protection obligation
MCS-GC shall adopts security arrangements that are reasonable and appropriate to the circumstances, while taking into consideration the nature of the personal data, the form in which the personal data is collected (physical or electronic) and the possible impact to the individual concerned if an unauthorized person were to obtain, modify or dispose of the personal data. Each departments shall determine such arrangement appropriate for their operating unit. The DPO shall review and examine such arrangements and provide necessary recommendations.
4.1.1. Storage of personal data
MCS-GC shall take reasonable and appropriate security measures to protect the storage of personal data such as:
- Marking confidential on documents with personal records clearly and prominently;
- Storing hardcopies of documents with personal records in locked file cabinet systems;
- Storing electronic files that contains personal data in secured folders; and
- Archived paper records and data backup files may be stored in off-site facilities or service providers provided such facilities are secured.
4.1.2. Protection of personal data
All personal data held must be secured and protected against unauthorised access and theft.
MCS-GC shall ensure that:
- MCS-GC IT networks that host personal data are secured and protected against unauthorised access;
- Personal computers and other computing devices that may access to personal data are password protected. Passwords are managed in accordance with industry best practices;
- Personnel and other files that contains sensitive or confidential personal data are secured and only made available to staff with authorised access; and
- Ensure that IT service provider complies with security standards in line with industry practices.
In the event of a security breach, the DPO shall be notified. The DPO shall investigate if such breach is a malicious act and shall take appropriate action after consulting with MCS-GC’s management, FAC (“Finance and Administration Council”) Chairperson, GCEC Chairperson and GC Secretary.
4.2. Retention limitation obligation
MCS-GC shall retains individual’s personal data only for as long as it is reasonable to fulfill the purposes for which the information was collected for or as required by any written law.
MCS-GC shall establish a personal data retention schedule and ensures that personal data managed are processed regularly. MCS-GC may anonymise collected personal data or destroy records containing personal data according to the retention schedule.
MCS-GC shall ensures the disposal of personal data are performed appropriately with little possibility to recover the information from disposal process. Such method may include shredding paper records and permanently delete electronic records.
5. Access and correction of personal data
5.1. Access to personal data
Individuals whose personal data are kept by MCS-GC shall be allowed to access to their personal data. MCS-GC shall disclose such information, including the usage and disclosure history of the personal data that has occurred within a year of the date of request. Individuals may make request from MCS-GC for such disclosure and correction by writing to MCS-GC in accordance to clause 5.3.
5.2. Correction of personal data
MCS-GC is committed to ensure that all personal data kept are accurate and up-to-date. To achieve this, MCS-GC recognizes individual’s participation in informing MCS-GC of any changes, error or omission in their personal data is essential. MCS-GC shall provide facilities and processes to allow individual to submit corrections to their personal data.
MCS-GC shall notify all other organisations of such corrections, if the individual’s personal data was disclosed by MCS-GC to that organization one year prior to this correction. Such notification shall take place except if MCS-GC deems the personal data is no longer relevant or needed by the organization for the purpose that MCS-GC’s disclosure was made earlier.
5.3. Access and correction process
The DPO will have oversight of all personal data access or correction requests and ensures that they are processed in accordance with this Policy.
Request for personal data access or correction by individuals, including any enquires and complains shall be submitted to MCS-GC in writing to the DPO at the following address and contact information:
70 Barker Road, #03-01, Singapore 039936
Telephone number: 64784786
Email address: firstname.lastname@example.org
All MCS-GC staffs shall forward any personal data access or correction request to the DPO in a timely manner.
MCS-GC may request for additional information from the requestor to aid in the investigation. The DPO shall verify the identity of the individual before responding to the request for access or correction. MCS-GC may respond to the requestor via telephone call, written note or electronic mail. In any case, the DPO shall make a record of such requests and responds for future reference and verification.
5.4. Openness obligation
MCS-GC shall develop and publish data protection policy statements to inform staff, including part time staff and volunteers, declaring the manner that their personal data are collected, used and disclosed. Such statement shall be made available to staff upon request, or may be published in an appropriate manner that MCS-GC deems fit.
MCS-GC shall also publish a data protection policy statement for other parties (non-staff) and such statement shall be published on MCS-GC’s web site.
6. Policy review
This Policy shall be maintained and updated by the DPO and reviewed by the FAC at least bi-yearly. FAC shall submit its recommendation to GCEC and GCEC shall be the approving authority to adopt the proposed revised Policy.