Data Protection Policy

A set of documents specifying the Personal Data Protection operational policies and procedures to govern the collection,

• To guide Management, board members of the various committees, and staff of SOS to perform their duties where it relates to Personal Data Protection of SOS as per the Personal Data Protection Act 2012.
• To minimize inconsistencies in formulating and implementing policies

• Purpose of the Personal Data Protection Act 2012 (“PDPA”)
  The PDPA aims to safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organisations are collecting, using or disclosing their personal data, giving them more control over how their personal data is used.
  • Personal data includes but is not limited to the following:-
    • Unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images);
    • Any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual, including images captured by CCTV Cameras within SOS premises.
    • PDPA does not apply to company or organisation data. Business contact information provided by individuals for business purposes are excluded from data protection requirements of PDPA.
• Levels of Responsibility for Personal Data Protection
  • The levels of responsibility in the management of Data Protection of the Society are:-
    • Staff
    • Data Protection Officer (“DPO”)
    • Chief Executive
  • It is the responsibility of all staff of SOS to:
    • Follow Data Protection Protocols and Policies enacted for PDPA Compliance by SOS.
    • Report any data breaches immediately to the DPO for follow-up using the Data Breach Incident Reporting Form (Appendix 1).
    • Assist the DPO without delay for any data related investigations that may arise from PDPA related inquiries.
  • The Data Protection Officer is supported by the Heads of Department who are entrusted to execute the Data Protection strategy for operations and has overall responsibility for the following areas:
    • Management of the organisation’s personal data collection, ratification and maintenance efforts and ensure its compliance to PDPA Regulations.
    • To facilitate as the contact point for all data protection incidents and/or query on SOS PDPA Policies and Procedures.
  • The Chief Executive shall oversee the day-to-day Personal Data Protection of SOS and is accountable through the Board to the General Membership of SOS.
• Consent, Purpose Limitation and Notification Obligations
  • SOS shall notify individuals of collection, use and disclosure purposes of Personal data.
  • Consent must be obtained unless the following exceptions apply (non-exclusive):-
    • The collection, use or disclosure is necessary for any purpose that is clearly in the interest of the individual, if consent for it cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent.
    • The collection, use or disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual.
    • The collection, use or disclosure is necessary in the national interest.
  • For additional exemptions, please find the following PDPA Schedules:-
    • Second Schedule (Collection Of Personal Data Without Consent) https://sso.agc.gov.sg/Act/PDPA2012#Sc2-
    • Third Schedule (Use Of Personal Data Without Consent) https://sso.agc.gov.sg/Act/PDPA2012#Sc3-
    • Fourth Schedule (Disclosure Of Personal Data Without Consent) https://sso.agc.gov.sg/Act/PDPA2012#Sc4-
  • In forms used to collect personal data, it is stated that SOS assumes individuals give deemed consent to collection, use or disclosure of personal data if they voluntarily provide such data to them or when they represent and disclose personal data about relevant third parties (e.g. dependents or immediate family members).
  • The purpose for collection of personal data for SOS include but are not limited to the following:-
    • Admission to SOS;
    • Assessment and management of volunteers as part of on boarding volunteers operations;
    • Collection of donations;
    • Employment ;
    • Communications with stakeholders and partners on the happenings of SOS as well as donation solicitation via appeal letter or other donation mediums; and
    • Regulatory and legal requirements.
  • The extent of collection of required personal data is dependent on the need to use the information for onward submission to relevant government agency for compliance purpose.
• Access and Correction Obligations
  • Individuals can place their requests in writing either through post or email to the DPO in order to access, correct or withdraw consent for the collection, use and disclosure of personal data.
    • Access
      SOS will provide an individual with their personal data under the control of SOS and ways in which the personal data was used and discussed during the past 12 calendar months. SOS will seek to give a reply in appropriate time.
      
      However, SOS will not accede to the request if it:
      • Threatens the physical/mental health of other individuals or the requestor;
      • Reveals personal data about other individuals or others who provided personal data about other individuals; and
      • Has reasonable grounds that such request is contrary to national interest.
    • Correction
      SOS shall amend errors or omissions in reported personal data within its collection.
    • Withdrawal of Consent
      
      SOS shall advise the individual that its ability to provide assistance may be impeded as a result of withdrawing consent given or deemed to have been given in respect to the collection, use and disclosure of personal data. Request to remove personal data from SOS may be denied if required by law and/or relevant authorities for retention.
      
      For stakeholders, partners, donors and volunteers, they may exercise the option of withdrawal by notifying SOS of their intentions either by mail or email.
• Accuracy Obligation
  • SOS will ensure that the personal data collected is accurate and complete through requests stated in all forms collecting personal data and publication materials.
  • It shall where appropriate take steps to authenticate the personal information collected.
• Protection Obligation
  • SOS will protect personal data by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
  • In determining what security arrangements are reasonable and appropriate in the circumstances, SOS should take into account the following factors:-
    • Nature of the personal data;
    • Form in which the personal data is collected (e.g. physical or electronic); and
    • Possible impact to the individual concerned if an unauthorised person collected, modified or disposed such personal data.
• Retention Limitation Obligation
  • SOS will retain documents containing personal data in accordance with the regulatory and operational obligations:
    • Project files and printed records Printed records containing personal data are archived for a period of years. Thereafter, where the information is obsolete or not required, printed records shall be destroyed.

      Department	Recommended minimum retention Period
      Finance & Corporate Services	5 years
      Human Resources	5 years
      – Candidates application form	6 months
      – Ex-employee personal files	3 years
      Partnership & Engagement	5 years
      Public/Social Welfare Volunteer Management	5 years
      – Volunteers application form	2 years
      – Ex-volunteer personal data	3 years
      Clinical	6-5 years
      Training Programme/contents	5 years
      IT and Administration	5 years

    • Should there is a need to keep than the record longer than the periods prescribed, it shall be supported with clear reasons, which explicitly noted on the record.
    • SOS will conduct a review of personal data every 2 years or within 2 months after the PDPA has been updated to determine the requirement of the personal information stored is still needed to serve its purposes.
• Managing Data Breaches
  

  Department	Who?	Data Protection Procedures	Appendix	PDPA Breach Scenarios
  Partnership & Engagement	Donors Volunteers Delivery Facilitators Event Organizer Sponsors Partners? Clients (for promotion of Training prog)	SOS will enact measures to monitor and pre-emptively act before data breaches occur, including but not limited to the following Outbound/inbound traffic monitoring of websites and databases for abnormal network activities Security camera usage for internal and external parameters of secured areas such as server rooms and data centres. SOS shall follow its Crisis Communication Plan to respond swiftly in managing data breaches in a systematic manner.	Data Breach Incident Reporting Form	Theft, loss or unauthorised disposal, disclosure or modification of volunteers/employees/donors/ clients? personal data Loss of documents or thumb drives or laptops containing personal information of stakeholders
  Finance & Corporate Services	Donors Volunteers Employees Board members Committee members Volunteers Funders
  Human Resources	Job applicants Employees Contract Staff Vendors Interns
  Operations	Clients Volunteers
  Administration & Training	Facility Vendors IT Contractors Volunteers Trainees

  S/N	Type of Data	Classification	Data to be Protected
  1	Personal data	Any information relating to a living individual who can be directly or indirectly identified from it.	Name of individual, identification number, address, family history, corporate/ membership affiliations, contact information, items sponsored, monetary donation/in Kind, volunteer activities, events organised/ attended.
  2	Not personal data	About organisations or people who are not identifiable or no longer living.	Name of corporate, UEN, bank details, organisation structure – including leadership information, liaison officers, contact details, affiliations, items sponsored, monetary donations, volunteer activities, events organised/ attended.