PERSONAL DATA PROTECTION POLICY OF PROVIDENCE PRESBYTERIAN CHURCH
1.1 Providence Presbyterian Church (the “Church”) respects the right of individuals to protect their personal data. The Church is committed to protect the privacy of every individual’s personal data in accordance with the Personal Data Protection Act 2012 (the “PDPA”).
1.2 To comply with the PDPA, we have produced this Personal Data Protection Policy (“Policy”). This Policy sets out what we need to do when any personal data of an individual is collected, used or disclosed and it also seeks to provide general guidance as to how to collect, handle, store or transmit personal data that we may receive in the course of administering the affairs of the Church.
2. OVERVIEW OF THE PDPA
The PDPA came into effect on 2 January 2013 with the main personal data protection provisions coming into force on 2 July 2014.
The PDPA is concerned with the protection of “Personal Data”, which is defined as any data, whether true or not, about an individual who can be identified from that data or from that data and other information that an organisation has access to. The PDPA seeks to balance the rights of an individual to protect his/her personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
OBLIGATIONS UNDER THE PDPA
4. Consent for Collection, Use or Disclosure of Personal Data and Withdrawal of Consent
4.1 We will, as best as we can, obtain the consent of our members, regular worshippers and visitors (individually “Congregant” and collectively “Congregants”) before we collect use or disclose their personal data. In obtaining consent, we will use reasonable efforts to ensure that the Congregant is advised of the identified purposes for which his/her personal data is being collected, used or disclosed. Purposes will be stated in a manner that can be reasonably understood by the Congregant.
4.2 We will seek consent to use and disclose personal data at the same time as we collect the personal data. If we intend to use or disclose the personal data for a new purpose that was not previously identified, we will seek consent to use and disclose the personal data before it is used or disclosed for the new purpose, unless such new consent is not required by law.
4.3 We will limit the type of personal data collected to that which is necessary for the purposes that we have identified.
4.4 A Congregant may withdraw or may limit consent at any time, subject to legal or contractual restrictions and reasonable notice. A Congregant may contact us for more information regarding the implications of withdrawing consent.
4.5 Pastoral Staff, the Office Staff, relevant members of the Elders and Deacons Court, and Ministry Leaders are authorized to collect personal data in accordance with this Policy in the performance or in the discharge of their roles, duties and responsibilities.
4.6 National Registration Identification Card (NRIC) Policy
(a) In compliance to the Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers published on 31 August 2018, we will not collect, use or disclose the NRIC number or photocopy the NRIC of an individual.
(b) NRIC will only be collected if:
• it is required by the law or the authorities of the Government; and
• we to accurately establish or verify the identity of an individual to a high degree of fidelity.
(c) If there is a need to collect NRIC number which does not fall under the above list, the approval from the Data Protection Officer (DPO) must be sought.
5. Notification of Purpose
5.1 We will identify the purposes for which we collect, use or disclose personal data on or before we collect, use or disclose the personal data of Congregants. Upon receipt of the personal data, we will use or disclose the personal data only for the identified purpose and for purposes that a reasonable person would consider appropriate in the circumstances.
5.2 As a religious organisation, we generally collect, use and disclose personal data for the following purposes:
(a) To identify our members and those who regular worship with us and visitors to the Church;
(b) To carry out the ministry programmes and activities of the Church;
(c) To manage the administration and operations of the Church;
(d) To communicate to Congregants activities, programs and other church-related information including church bulletin and other publications;
(e) To maintain and update records such as membership, participants of activities and programs, baptism, marriage, birth, death and financial pledges and giving;
(f) To meet our legal and regulatory obligations;
(g) To contact Congregants in the event of contact tracing implementation; and
(h) For such other purposes as may reasonably be appropriate in the circumstances of the collection of personal data.
5.3 When personal data that has been collected is to be used or disclosed for a purpose not previously notified, the new purpose will be notified to Congregants prior to use. Unless the new purpose is permitted or required by law, consent will be required before the personal data will be used or disclosed for the new purpose.
6. Use of Existing Personal Data
Personal data collected prior to 2 July 2014, when the main provisions of the PDPA on the protection of personal data came into force, can continue to be used or disclosed but only for the purpose that the personal data was originally collected, unless a Congregant has withdrawn his/her consent for such continued use or disclosure of his/her personal data.
7. Disclosure of Personal Data
7.1 Generally, only the Pastoral Staff, the Office Staff, members of the Session, members of the Elders and Deacons Court, and Ministry Leaders with a need to know or whose duties or services reasonably require access to personal data are granted access to personal data about the Congregants.
7.2 As a member of the Presbyterian Church in Singapore, we may, however, disclose personal data of the Congregants to the relevant Presbytery and the Synod of the Presbyterian Church in Singapore in order for each of us to fulfil our respective roles and responsibilities as constituents of the Presbyterian Church in Singapore.
7.3 Points 7.1 and 7.2 herein constitute part of the process of disclosure mentioned in Point 5.1 above.
8. Access to Personal Data
8.1 Upon receipt of a request from a Congregant, we will provide the Congregant with a reasonable opportunity to review the personal data that we have about the Congregant in our possession or under our control. Personal data will be provided within a reasonable time and at minimal cost to cover administrative expenses.
8.2 Upon receipt of a request from a Congregant, we will provide an account of the use and disclosure of the personal data of the Congregant. In providing an account of disclosure, we will provide a list of the organisations to which we may have disclosed personal data about the Congregant.
8.3 In certain situations we may not be able to provide access to all of the personal data we hold about a Congregant; for instance:
(a) If doing so would likely reveal personal data about another individual or could reasonably be expected to threaten the life or security of another individual;
(b) If doing so would reveal any confidential information;
(c) If the information is protected by legal privilege;
(d) If the information was generated in the course of a formal dispute resolution process; or
(e) If the information was collected in relation to the investigation of a contravention of a law or a breach of an agreement.
In such a case, we will provide the reasons for denying access to the personal data.
9. Accuracy and Correction of Personal Data
9.1 We will endeavor to ensure that the personal data collected will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. Ensuring that the personal data that we possess is sufficiently accurate, complete and up-to-date will help minimize the possibility that inappropriate decisions are being made based on inaccurate or incomplete or out-dated information.
9.2 We will promptly correct or complete any personal data found to be inaccurate or incomplete. Upon receipt of a request from a Congregant to correct or update his/her personal data, we will promptly correct or update his/her personal data.
9.3 Where we are not able to confirm the accuracy or completeness of a Congregant’s personal data (such as those Congregants who have emigrated or who are no longer contactable), a note will be made against that Congregant’s personal data of potential unresolved differences.
9.4 We will inform and remind Congregants via our periodic newsletters or publications to update their personal data from time to time.
10. Transfer of Personal Data Outside of Singapore
10.1 We will protect personal data disclosed to third parties by contractual or other means stipulating the purposes for which it is to be used and the necessity to provide a comparable level of protection.
10.2 We will not transfer any personal data to any organisation located in a country or territory outside Singapore unless that other organisation is subject (whether by way of legislation or contractual arrangement) to obligations of protection of personal data that are comparable to those under the PDPA.
We will use appropriate security measures to protect personal data against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which the personal data is held.
12. Retention and Destruction
12.1 We will keep personal data only as long as it remains necessary or relevant for the identified purposes or as required by law.
12.2 Once the personal data in our possession or control is no longer necessary for administrative or legal purpose, we will destroy or erase the personal data or remove the means by which the personal data can be associated with particular individuals.
13.1 An individual who wishes to make a request, or to lodge a complaint pertaining to any matters relating to the PDPA, may make a written request or lodge a written complaint by doing one of the following:
(a) contacting the DPO the telephone number of the Church Office; or
(b) in writing by post sent to the Church Office and attention to “Data Protection Officer”.
13.2 We will attend to and investigate any complaints concerning any possible breach of this Policy. If a complaint is found to be justified, we will take appropriate measures to resolve the complaint. The complainant will be informed of the outcome of the investigation regarding his/her complaint.
13.3 In the event of a security breach, the Data Protection Officer shall be notified and shall investigate if such breach is a malicious act and shall take appropriate action in accordance with our data breach response plan.
14. CCTV, video recording and photography
14.1 Appropriate notices shall be put up to inform that the premises are covered by CCTV video surveillance, if any. Notices shall be put up to inform visitors and volunteers that photographs and videos taken may be used by the Church for communication and publicity purposes in print or electronic media.
14.2 For special events, it should be stated in application forms or equivalent document at the inception of the event that photographs of attendees will be taken at the function for communication and publicity in print and electronic form.
15. DATA PROTECTION OFFICER
15.1 The DPO is responsible for ensuring that the Church complies with the PDPA. The DPO must keep fully up to date with the requirements of the PDPA and ensure that all personnel who handle personal data are fully aware of these requirements.
15.2 Where appropriate, the DPO may delegate some of his responsibilities as DPO to other individuals to ensure that the Church complies with the PDPA.
15.3 In addition to ensuring that the Church complies with the PDPA, the DPO is also responsible for dealing with queries and requests from individuals in relation to the Church’s data protection policies and practices.
For enquiries about this Policy, please write to the Data Protection Officer at the following address:-
Providence Presbyterian Church
3 Orchard Road
Attn: Data Protection Officer
OR via email at: firstname.lastname@example.org
17. UPDATING THE POLICY
This Policy may be updated from time to time to take in consideration changes in policy, technology, and/or to ensure compliance with any legislative changes.