- The Personal Data Protection Act 2012 (“PDPA”) establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data.
- The PDPA recognises: (a) the rights of individuals to protect their personal data, including rights of access and correction, and (b) the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
- The main data protection rules of the PDPA came into effect on 2 July 2014.
- Orchard Road Presbyterian Church – The Presbyterian Church in Singapore (“ORPC”) is committed to complying with all of the church’s obligations under the PDPA.
- This policy sets out how ORPC will collect, use and disclose an individual’s personal data.
DEFINITION OF PERSONAL DATA
Data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which ORPC has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number), as well as any set of data (e.g. name, age, address, telephone number, occupation, etc.) which, when taken together, would be able to identify the individual. Videos and photographs may constitute personal data if an identifiable individual is captured.
MAIN DATA PROTECTION OBLIGATIONS
ORPC will comply with the 9 main data protection obligations listed in the PDPA:
- Consent Obligation – ORPC will only collect, use or disclose personal data for purposes for which an individual has given his or her consent. If the personal information is given voluntarily, then the individual is deemed to have given consent.
ORPC will allow individuals to withdraw consent, with reasonable notice, and inform them of the likely consequences of withdrawal.
- Purpose Limitation Obligation – ORPC will only collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.
- Notification Obligation – ORPC will notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data.
- Access and Correction Obligation – Upon request, ORPC will grant an individual access to his/her personal information unless disclosure would reveal confidential information or compromise operations. ORPC will also correct any error or omission in an individual’s personal data upon his or her request unless satisfied on reasonable grounds that a correction should not be made.
- Accuracy Obligation – ORPC will make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if it is likely to be used to make a decision that affects the individual, or if it is likely to be disclosed to another organisation.
- Protection Obligation – ORPC will make reasonable security arrangements to protect the personal data that the organisation possesses or controls to prevent unauthorised access, collection, use, disclosure or similar risks.
- Retention Limitation Obligation – ORPC will cease retention of personal data when it is no longer necessary for any business or legal purpose.
- Transfer Limitation Obligation – ORPC will transfer personal data to an organisation in another country only according to the requirements prescribed under the regulations. The foreign third party (for example, overseas missions partners) must have in place comparable standards of protection for personal data.
- Openness Obligation – ORPC will make information about data protection policies, practices and complaints process available on request.
ORPC will designate one or more individuals as Data Protection Officer (DPO) to ensure that ORPC complies with the PDPA, including the implementation of personal data protection policies within ORPC. The contact information of at least one of such individuals should also be made available to the public.
EXISTING PERSONAL DATA
ORPC will continue to use personal data that has been collected before 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, ORPC will obtain consent for the new purpose.
CCTV, VIDEO RECORDINGS AND PHOTOGRAPHY
CCTV, video footage and photographs may constitute personal data if an identifiable individual is captured. Among other obligations, the Data Protection Provisions require consent from the individual to be obtained for the purposes of the collection, use or disclosure of his personal data. The Consent Obligation does not apply when the photographer or videographer is acting in his personal capacity (for example, when a congregation member takes photos for his own personal purposes at an ORPC event or worship service). However, consent is required when ORPC uses the photographs or videos in ORPC-related print or electronic media (for example, when a photo taken by a congregation member in his personal capacity is subsequently used on the cover of ORPC’s Sunday worship bulletin).
- CCTV – Notices will be placed in prominent locations to inform individuals that CCTVs have been deployed in the church premises for security and surveillance purposes. There is no requirement to reveal the location of the CCTVs.
- Photos and Videos – Notices will be put up at entrances to Worship areas, to inform congregation members and visitors that photographs and videos taken may be used by ORPC for communication purposes in print or electronic media.
For ORPC-organised events, it should be stated in the invitation/sign-up form that photos of attendees will be taken at the function for publicity purposes on print and electronic media. Appropriate notice should also be put up at the reception or entrance to inform the attendees on the event day.
If photos and videos are taken out of the context of the above, ORPC will obtain the individual’s consent before using them for any purpose in print or electronic media.
POLICY UPDATES AND REVIEW
This Personal Data Protection Policy will be maintained and updated by the Data Protection Officer, reviewed by the Data Protection Committee and approved by the Board of Management.
PERSONAL DATA REQUESTS
Individuals who wish to exercise their right to access, modify or delete their personal data records held by ORPC or choose to withdraw their consent for the use and disclosure of their personal data must make the request in writing (with full particulars included) to the ORPC Data Protection Officer or the ORPC church office. ORPC will respond to the request within two weeks from the time the written request is received.
Data Protection Officer
Orchard Road Presbyterian Church
3 Orchard Road