What Churches (and other religious organisations) need to do to comply with the Personal Data Protection Act (Singapore). Churches collect and use a lot of personal data from members as well as visitors, and need to be careful about the data privacy and legal issues that arise under the current Singapore legislation.
These are adapted from a presentation that I gave to a local church that was concerned about what the law required them to do.
2. What is Personal Data?
• Data about an individual who can be identified
  • from that data; or
  • from that data and other information to which the organisation has or is likely to have access.
• Examples
  • Name
  • NRIC
  • Telephone number
  • Photograph
  • Address
  • E-mail
  • Social media ID
  • Medical history
  • Criminal record
3. Who is NOT covered by PDPA?
• Any individual acting in a personal or domestic capacity.
• Any employee acting in the course of his or her employment.
• Any public agency.
• Business contact information:
  • name,
  • position name or title,
  • business telephone,
  • business address,
  • business e-mail address.
4. 1. Consent Obligation
"Hi, new visitor. We are COLLECTING your Personal Data, and we are going to USE it to invite you to Church events. We may DISCLOSE it to Church staff. Do you consent?"
"OK, but what if I change my mind?"
"You can WITHDRAW at any time."
5. • An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.
• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.
6. 2. Purpose Limitation Obligation
"Please give us your NAME, PHONE NUMBER, and ADDRESS."
"Sure."
"Also give us your BLOOD TYPE. Or else you can't come back."
7. • An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.
• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.
8. 3. Notification Obligation
"Hi, we want to invite you to our Church Musical!"
"We want to invite your kids to attend Bible Camp!"
9. Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data.
10. 4. Access and Correction Obligation
5. Accuracy Obligation
"Hi, please let me know who you've given my personal data to. Please also correct the typo in my name."
11. • Upon request, the personal data of an individual and information about the ways in which his or her personal data has been or may have been used or disclosed within a year before the request should be provided.
• However, organisations are prohibited from providing an individual access under certain risky situations listed in the Act.
12. • Organisations are also required to correct any error or omission in an individual's personal data upon his or her request.
• Make reasonable effort to ensure that personal data collected by or on behalf of your organisation is accurate and complete, if it is likely to be used to make a decision that affects the individual, or if it is likely to be disclosed to another organisation.
13. 6. Protection Obligation
"Can I copy the names and phone numbers of all of our members onto my thumb drive, so I can call them any time for soccer?"
"Sorry, no."
"Wow, did you know that XYZ lives in a huge mansion?"
14. Make reasonable security arrangements to protect the personal data that your organisation possesses or controls to prevent unauthorised access, collection, use, disclosure or similar risks.
15. 7. Retention Limitation Obligation
"Hi, I've moved to the other side of the country and I will be going to church there. Please remove my data."
"Okay."
16. Cease retention of personal data, or remove the means by which the personal data can be associated with particular individuals, when it is no longer necessary for any business or legal purpose.
17. 8. Transfer Limitation Obligation
"Don't worry, if you transfer the personal data to us, we have the same policies and safety arrangements as you."
18. Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection provided to the personal data so transferred will be comparable to the protection under the PDPA, unless exempted by the PDPC.
19. 9. Openness Obligation
"What are your data protection policies?"
"What if I need to make a complaint?"
"Ask me, I am the DATA PROTECTION OFFICER."
20. • Make information about your data protection policies, practices and complaints process available on request.
• Designate one or more individuals as a Data Protection Officer to ensure that your organisation complies with the PDPA, including the implementation of personal data protection policies within your organisation.
• The business contact information of at least one of such individuals should also be made available to the public. Please note that compliance with the PDPA remains the responsibility of the organisation.
21. Existing Data
"I gave you my personal data in 1995 when I joined the Church."
"We are now going to use it for a new purpose …"
22. • Your organisation may continue to use personal data that has been collected before the data protection provisions of the PDPA came into effect on 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, consent has to be obtained anew.
25. • Designate at least one person to develop your organisation's personal data policies and oversee your organisation's compliance with the PDPA. This person may be an existing employee in your organisation, and his or her role may include the following:
  • Developing good policies for handling personal data in electronic and/or manual form, that suit your organisation's needs and comply with the PDPA;
  • Communicating the internal personal data protection policies and processes to customers, members and employees;
  • Handling queries or complaints about personal data from customers, members and employees;
  • Alerting your organisation to any risks that might arise with personal data; and
  • Liaising with the PDPC, if necessary.
26. Step 2 - Map out a Data Inventory
• WHAT did we collect?
• HOW did we collect it? (Did we get consent?)
• WHAT are we using it for?
• WHO did we share it with?
• WHO has access to it?
• WHERE are we storing it?
• HOW LONG are we storing it?
27. Step 3 - Implement Data Protection Processes
Do our actions match the PDPA?
• Collection, Use and Disclosure
• Access and Correction
• Care for Data
28. Must the Church check the Do Not Call Registry?
Messages that are covered
• Offers to supply or promote goods or services
• Advertising/promoting suppliers
• Promoting business or investment opportunities
Messages that are NOT covered
• Pure market survey or research
• Charitable or religious causes
29. Does DNC Apply?
"Do you want to buy tickets to our Church Musical?"
"Do your kids want to attend Bible Camp?"
"Can I share the Good News of Jesus Christ with you?"
30. • Invitation to attend Bible camp = charitable or religious causes = not covered by DNC
• Sharing the gospel = charitable or religious causes = not covered by DNC
• Selling tickets to a musical = offers to supply or promote goods or services = covered by DNC
31. Special cases: Photographs (e.g. Church events)
"I'm taking personal photos."
"I'm taking official photos."
"We're at the wedding."
"We're at the open field."
32. • Example: Deemed consent for photo-taking at private function
• Organisation ABC holds a private function for a select group of invited clients and wishes to take photographs of attendees for its internal newsletter. If Organisation ABC intends to rely on deemed consent, measures that Organisation ABC may take to better ensure that the attendees are aware of (and accordingly, more likely to be deemed to have consented to) the purpose for which their photographs are collected, used and disclosed, could include:
  • a) Clearly stating in its invitation to clients that photographs of attendees will be taken at the function for publication in its internal newsletter; or
  • b) Putting up an obvious notice at the reception or entrance of the function venue to inform attendees that photographs will be taken at the event for publication in its internal newsletter.
33. Special cases: Photographs (e.g. Church events)
• Good practices to get consent
  • State in your invitation that photos will be taken
  • Put an obvious notice at the event
  • Posing for photo = implied consent
"I'm taking official photos."
"I love posing. Can I take a selfie?"
34. • Example: Posing for photo-taking
• Kevin attends Organisation ABC's private function. During the function, Organisation ABC's photographer informs Kevin that she is taking photographs for publication in Organisation ABC's internal newsletter, and asks Kevin to pose for his photograph to be taken. By voluntarily posing for his photograph to be taken, Kevin would be deemed to have given consent for the photograph to be collected, used or disclosed for the stated purpose.
35. Special cases: Minors (e.g. Sunday School, Youth)
• The PDPA does not specify an age of consent.
• The Commission will adopt the practical rule of thumb that a minor who is at least 13 years old can consent on his own behalf.
• As a general guide, for <13 obtain consent from parent or guardian.
• Even for >13, do not apply undue influence on a minor.
"You must give us your particulars, otherwise we won't be your friends."