Personal Data Protection Policy — Living Praise Presbyterian Church (LPPC)

PERSONAL DATA PROTECTION POLICY OF LIVING PRAISE PRESBYTERIAN CHURCH

1. INTRODUCTION

1.1 LIVING PRAISE PRESBYTERIAN CHURCH (LPPC) respects the right of individuals to protect their personal data. The Church is committed to protect the privacy of every individual’s personal data in accordance with its obligations under the Personal Data Protection Act 2012 (“PDAP”).
1.2 To comply with our obligations under the PDAP, we have produced this Personal Data Protection Policy (“Policy”). This Policy sets out what we must do when any personal data of an individual is collected, used or disclosed and it also seeks to provide general guidance as to how to collect, handle, store or transmit personal data that we may receive in the course of administering the affairs of the Church.
1.3 This Policy applies to all personnel of the Church, which includes all Pastoral Staff and Office Staff, whether employed or voluntary, and all Ministry leaders. All personnel of the Church must familiarize themselves and comply with the obligations, policies and practices set out in this Policy.
1.4 Compliance with the PDPA is important, because a failure to observe the obligations under the PDPA could potentially expose the Church, the Pastoral Staff, the Office Staff and Ministry Leaders to complaints, criminal charges and/or bad publicity. Any failure by a personnel of the Church to comply with the PDPA may lead to disciplinary action for serious or repeated breaches and/or a report being made to the Police, the Personal Data Protection Commission and any other relevant government authority.

OVERVIEW OF THE PDPA

2. The PDPA came into effect on 2 January 2013 with the main personal data protection provisions coming into force on 2 July 2014.

3. Purpose

3.1 The PDPA is concerned with the protection of “Personal Data”, which is defined as any data, whether true or not, about an individual who can be identified from that data or from that data and other information that an organisation has access to. The PDPA seeks to balance the rights of an individual to protect his/her personal data and the need of organisations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

4. Business Contact Information

4.1 The PDPA does not apply to “Business Contact Information”, such as an individual’s name, position or title, business telephone number and fax number, business address, business email address and any other similar information about the individual, which was given for commercial purposes or for a non-personal purpose.
4.2 However, if a person gives his Business Contact Information to the Church to receive goods or services from the Church for his personal purposes (in other words, he/she wants the Church to contact him/her at his/her office rather than his/her home), then the business contact information of that person will be personal data for the purposes of the PDPA.

OBLIGATIONS UNDER THE PDPA

5. Consent for Collection, Use or Disclosure of Personal Data
5.1 We will obtain the consent of our members, regular worshippers and visitors (collectively “Congregants”) before we collect use or disclose their personal data. In obtaining consent, we will use reasonable efforts to ensure that the Congregant is advised of the identified purposes for which his/her personal data is being collected, used or disclosed. Purposes will be stated in a manner that can be reasonably understood by the Congregant.
5.2 We will seek consent to use and disclose personal data at the same time as we collect the personal data. If we intend to use or disclose the personal data for a new purpose that was not previously identified, we will seek consent to use and disclose the personal data before it is used or disclosed for the new purpose.
5.3 We will collect personal data directly from Congregants, but we may also collect personal data from other sources including relatives or personal references or other third parties provided they have the right to disclose such personal data.
5.4 We will limit the type of personal data collected to that which is necessary for the purposes that we have identified.
5.5 A Congregant may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. A Congregant may contact us for more information regarding the implications of withdrawing consent.
5.6 In certain circumstances, personal data can be collected, used or disclosed without the consent of the individual. For example:
(a) the collection, use or disclosure is necessary for any purpose that is clearly in the interest of the individual, if consent for its collection, use or disclosure cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent, such as when the individual is seriously ill or mentally incapacitated;
(b) the collection, use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
(c) the collection, use or disclosure is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
(d) the collection, use or disclosure is necessary for evaluative purposes;
(e) the personal data was provided to the Company by another individual to enable the Company to provide a service for the personal or domestic purposes of that other individual.

6. Notification of Purpose

6.1 We will identify the purposes for which we collect, use or disclose personal data on or before we collect, use or disclose the personal data of Congregants. Upon receipt of the personal data, we will use or disclose the personal data only for the identified purpose and for purposes that a reasonable person would consider appropriate in the circumstances.
6.2 As a religious organisation, we generally collect, use and disclose personal data for the following purposes:
(a) To identify our members and those who regular worship with us and visitors to the Church;
(b) To carry out the ministry programmes and activities of the Church;
(c) To manage the administration and operations of the Church;
(d) To establish and maintain responsible relationships among Congregants; and
(e) To meet our legal and regulatory obligations.
6.3 When personal data that has been collected is to be used or disclosed for a purpose not previously notified, the new purpose will be notified to Congregants prior to use. Unless the new purpose is permitted or required by law, consent will be required before the personal data will be used or disclosed for the new purpose.

7. Use of Existing Personal Data

7.1 Personal data collected prior to 2 July 2014, when the main provisions of the PDPA on the protection of personal data came into force, can continue to be used or disclosed but only for the purpose that the personal data was originally collected, unless a Congregant has withdrawn his/her consent for such continued use or disclosure of his/her personal data.
7.2 If there is a new purpose for the use or disclosure of existing personal data, a fresh consent has to be obtained from the Congregants for this new purpose.

8. Disclosure of Personal Data

8.1 Generally, only the Pastoral Staff, the Office Staff, members of the Session, members of the Elders and Deacons Court, and Ministry Leaders with a need to know or whose duties or services reasonably require access to personal data are granted access to personal data about the Congregants.
8.2 As a member of the Presbyterian Church in Singapore, we may, however, disclose personal data of the Congregants to the relevant Presbytery and the Synod of the Presbyterian Church in Singapore in order for each of us to fulfil our respective roles and responsibilities as constituents of the Presbyterian Church in Singapore.

9. Access to Personal Data

9.1 Upon receipt of a request from a Congregant, we will provide the Congregant with a reasonable opportunity to review the personal data that we have about the Congregant in our possession or under our control. Personal data will be provided within a reasonable time and at minimal cost to cover administrative expenses.
9.2 Upon receipt of a request from a Congregant, we will provide an account of the use and disclosure of the personal data of the Congregant. In providing an account of disclosure, we will provide a list of the organisations to which we may have disclosed personal data about the Congregant.
9.3 In certain situations we may not be able to provide access to all of the personal data we hold about a Congregant; for instance:
(a) If doing so would likely reveal personal data about another individual or could reasonably be expected to threaten the life or security of another individual;
(b) If doing so would reveal any confidential information;
(c) If the information is protected by legal privilege;
(d) If the information was generated in the course of a formal dispute resolution process; or
(e) If the information was collected in relation to the investigation of a contravention of a law
or a breach of an agreement.
9.4 In such a case, we will provide the reasons for denying access to the personal data.

10. Accuracy and Correction of Personal Data

10.1 We will endeavor to ensure that the personal data collected will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. Ensuring that the personal data that we possess is sufficiently accurate, complete and up-to-date will help minimize the possibility that inappropriate decisions are being made based on inaccurate or incomplete or out-dated information.
10.2 We will promptly correct or complete any personal data found to be inaccurate or incomplete. Upon receipt of a request from a Congregant to correct or update his/her personal data, we will promptly correct or update his/her personal data.
10.3 Where we are not able to confirm the accuracy or completeness of a Congregant’s personal data (such as those Congregants who have emigrated or who are no longer contactable), a note will be made against that Congregant’s personal data of potential unresolved differences.
10.4 Where appropriate, we will inform third parties having access to the personal data in question of any amended personal data or the existence of any unresolved differences.
10.5 We will conduct an exercise periodically to update the personal data of the Congregants.

11. Transfer of Personal Data Outside of Singapore

11.1 We will protect personal data disclosed to third parties by contractual or other means stipulating the purposes for which it is to be used and the necessity to provide a comparable level of protection.
11.2 We will not transfer any personal data to any organisation located in a country or territory outside Singapore unless that other organisation is subject (whether by way of legislation or contractual arrangement) to obligations of protection of personal data that are comparable to those under the PDPA.

12. Security

12.1 We have the responsibility under the PDPA to make reasonable security arrangements to protect the personal data that we possess or control to prevent unauthorised access, collection, use, disclosure or similar risks.
12.2 We will use appropriate security measures to protect personal data against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which the personal data is held.
12.3 We operate close circuit television (CCTV) cameras in the Church premises for security and operational purposes. Except for security purposes, we do not use these CCTV cameras to identify an individual personally.

13. Retention and Destruction

13.1 We will keep personal data only as long as it remains necessary or relevant for the identified purposes or as required by law.
13.2 Once the personal data in our possession or control is no longer necessary for administrative or legal purpose, we will destroy or erase the personal data or remove the means by which the personal data can be associated with particular individuals (such as by way of anonymising the personal data).

14. Complaints

We will attend to and investigate any complaints concerning any possible breach of this Policy. If a complaint is found to be justified, we will take appropriate measures to resolve the complaint including, if necessary, amending our policies and procedures. The complainant will be informed of the outcome of the investigation regarding his/her complaint.

15. Church Directory

15.1 The Church publishes the Church Directory as a record and reference of its members, regular worshippers and persons associated with the Church, such as missionaries supported by the Church. The purpose of the Church Directory is to keep such a record of such persons to enable them to familiarize themselves with those who worship in our Church or who are associated with our Church and to keep in touch with each other.
15.2 The Church Directory is intended for internal circulation only and will be distributed only to members, regular worshippers and those associated with the Church. As the Church Directory contains contact details of members, regular worshippers and those associated with the Church, the Church Directory will include a notice that the Church Directory is intended for internal circulation only and no copy of the Church Directory shall be given to any unauthorized persons and that the Church Directory must be used for personal and domestic purposes only and under no circumstances can it be used for any commercial purposes.
15.3 The Church Directory will be updated periodically to ensure that the contact details of members, regular worshippers and those associated with the Church are kept up-to-date, accurate and complete.

16. Handling of Personal Data of Church Staff

16.1 The personal data of Pastoral Staff and Office Staff, whether permanent or temporary, (collectively “Church Staff”) will be used only for purposes connected with their employment with the Church and for as long a period as is necessary following the termination of their employment.
16.2 We value the privacy of our Church Staff and shall process the personal data of our Church Staff in a fair and lawful manner. We will endeavour to comply with the obligations under the PDPA on the use of personal data in an employer-employee relationship.
16.3 From time to time, we may need to disclose some information held about Church Staff to government agencies, such as the Ministry of Manpower and the Central Provident Fund Board, and other relevant third parties, such as insurers, medical clinics and hospitals, solely for purposes connected with managing the employment of the Church Staff and providing for his/her welfare during his/her employment with the Church.

17. Consequences of Non-Compliance

17.1 Failure to comply with the provisions of the PDPA may expose the Church to an investigation by the Personal Data Protection Commission (the “PDPC”) of the non-compliance.
17.2 If the PDPC is satisfied that the Church is not complying with its obligations under the PDPA, the PDPC may give the Church such directions as it thinks fit in the circumstances, which may include directions to:
(a) stop collecting, using or disclosing personal data in contravention of the PDPA;
(b) destroy personal data collected in contravention of the PDPA;
(c) provide access to or correct the personal data in such manner and within such time as the PDPC may specify; or
(d) pay a financial penalty of up to S$1 million.

18. Appointment and Duties of the Data Protection Officer

18.1 The Church is required, as part of its compliance with the PDPA, to designate at least one person as its Data Protection Officer (“DPO”).
18.2 It should be noted that the designation of a DPO does not relieve the Church of its legal obligations under the PDPA.
Responsibilities of the DPO
18.3 The DPO is responsible for ensuring that the Church complies with the PDPA. The DPO must keep fully up to date with the requirements of the PDPA and ensure that all personnel who handle personal data are fully aware of these requirements.
18.4 Where appropriate, the DPO may delegate some of his responsibilities as DPO to other individuals to ensure that the Church complies with the PDPA.
18.5 In addition to ensuring that the Church complies with the PDPA, the DPO is also responsible for dealing with queries and requests from individuals in relation to the Church’s data protection policies and practices.
18.6 The contact information of the DPO must be made available to the public. It may be in the form of the Church office address or a general e-mail address.

19. Frequently Asked Questions

[The copyright in the following FAQ belongs to the Personal Data Protection Commission and is reproduced below for internal, non-commercial and informational purposes only. No part of the FAQ shall be displayed, distributed or otherwise used for any commercial purpose except with the prior written consent of the Personal Data Protection Commission.]

Collection, Use & Disclosure

1. How much personal data can an organisation collect, use or disclose?
Under the PDPA, an organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that the organisation has notified to the individual unless an exception under the PDPA applies.
In addition, the organisation must obtain the consent of the individual to such collection, use or disclosure, unless any exception under the PDPA applies.
In this regard, organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. For example, an organisation selling a consumer product to an individual should not require him or her to reveal his or her annual household income as a condition of selling him or her the product, although it may still ask him or her to provide such personal data as an optional field.
If the organisation wishes to collect any additional personal data, the organisation shall provide the individual the option of whether to consent to this.
2. What can an organisation do with respect to existing personal data collected before the effective date of the data protection rules on 2 July 2014?
Generally an organisation can continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.
Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. The exceptions from the need to seek consent for collection, use or disclosure are set out in the Second, Third and Fourth Schedule of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.
As an example, if a company has been using its customer’s personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose.
3. How can an organisation obtain an individual’s consent for the collection, use or disclosure of his or her personal data?
Consent can be obtained in a number of different ways. As a best practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference, for example, if the organisation is required to prove that it had obtained consent.
An organisation may also obtain consent verbally although it may correspondingly be more difficult for an organisation to prove that it had obtained consent. For such situations, it would be prudent for the organisation to document the consent in some way.
4. Is the failure to opt out a form of consent?
Deeming that an individual has given his consent through inaction on his/her part will not be regarded as consent in all situations. Whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case. Organisations are advised to obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes.
5. Can an organisation selling databases containing personal data to other organisations continue to do so after the PDPA comes into effect?
An organisation may use personal data collected before 2 July 2014 for the purposes for which the personal data was collected, unless consent for such use is withdrawn or the individual has indicated to the organisation that he does not consent to the use of the personal data.
If an organisation intends to disclose the personal data on or after the appointed day (other than disclosure that is necessarily part of the organisation’s use of the personal data), the organisation must comply with the data protection provisions in relation to such disclosure. As the sale of databases containing personal data involves a disclosure of personal data, organisations must obtain valid consent from the relevant individuals before doing so.

Access & Correction

1. Must an organisation always provide access to an individual’s personal data when a request is made?
An organisation is required to respond to an access request in respect of personal data in its possession as well as personal data that is under its control.
However, organisations are prohibited from providing an individual access if the provision of the data could reasonably be expected to:

cause immediate or grave harm to the individual’s safety or physical or mental health;
threaten the safety or physical or mental health of another individual;
reveal personal data about another individual;
reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
be contrary to national interest.

In addition, there are cases where organisations may deny access requests.
For example, organisations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organisation. There are also exclusions for access to and correction in respect of any examination conducted by an education institution, examination scripts and examination results prior to their release. Organisations may also refuse access to or correction of opinion data kept solely for an evaluative purpose as defined in the PDPA.
The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.
2. What personal data must an organisation provide when an individual submits an access request?
An organisation that receives an access request from an individual is required to provide the information requested by the individual. This may include:
some or all of the individual’s personal data (as specified in the request); and
information about the ways the personal data has been or may have been used or disclosed by the organisation (as specified in the request).
3. Can an organisation charge a fee for access requests?
Organisations may charge an individual a minimal fee for access to personal data about the individual. The purpose of the fee is to allow organisations to recover the incremental costs of responding to the access request. There is no prescribed amount of fees imposed on organisations, to allow for greater flexibility; organisations should exercise their discretion in deriving the minimal fee they charged based on their incremental costs of providing access.
4. Must an organisation provide correction to an individual’s personal data when a request is made?
Upon request, an organisation is generally required to correct an error or omission and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose. For example, the organisation may have disclosed a customer’s name and address to a delivery company it engaged on a once-off basis to deliver a product that the customer has purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.
The corrected data may be sent only to specific organisations to which the data was disclosed by the organisation, if the individual consents to it.
An organisation need not make a correction where it is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that is requested but not made.
An organisation is also not required to alter an opinion, including a professional or expert opinion.
Exceptions from correction requirement may be found in the Sixth Schedule of the PDPA.
5. Can an organisation charge a fee for correction requests?
Organisations are not entitled to impose a charge for the correction of personal data, as it is the organisation’s obligation under the Accuracy Obligation to obtain personal data that is accurate and complete.

Care of Personal Data

1. How long can an organisation retain its customers’ personal data for?
The PDPA does not prescribe the retention period. However, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention; and retention is no longer necessary for business or legal purposes.
2. What must an organisation do to ensure the personal data collected is protected?
An organisation shall make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
3. What are the rules on cross-border transfer of personal data?
The PDPA will apply to all personal data collected, used or disclosed in Singapore. As such, organisations that collect personal data overseas and host and/or process it in Singapore will still be subject to relevant obligations under the PDPA from the point that such personal data is brought into Singapore.
For organisations that collect personal data here and transfer such data overseas, the PDPA requires that measures be put in place by the organisation here transferring the personal data, to provide a comparable standard of protection overseas. These measures include the use of contractual agreements among the organisations involved in the transfer and the conditions are documented in the Advisory Guidelines on Key Concepts in the Personal Data Protection Act.
20. The Personal Data Protection Act 2012
[A copy of the Personal Data Protection Act 2012 will be inserted in this section.]