Management of Personal Data
in Grace Methodist Church
Contents
A1 Introduction
A2 Objective
A3 Purpose of Personal Data Protection Act
A4 Concept
A5 Data Protection Officer
A6 Consent, Purpose Limitation and Notification Obligations
A7 Accuracy Obligation
A8 Protection Obligation
A9 Disclosure to Third-Parties
A10 Retention Limitation Obligation
A11 Openness Obligation
A12 Access Obligation
A13 Compliance
Annex A Personal Data Protection Checklist
A1. Introduction
1.1 In Grace Methodist Church (the Church), members' and visitors' personal data are collected and used for various Ministries and Church activities. With the implementation of the Personal Data Protection Act (PDPA), a data protection regime to govern the collection, use and disclosure of personal data is necessary to comply with the Act as well as to maintain individuals' trust and confidence in the Church in the handling of these data.
A2. Objective
2.1 To ensure that the Church is in compliance with the PDPA in the collection, use, disclosure, maintaining accuracy, handling and security of personal data in a manner that recognizes both the right of individuals to protect their personal data and the need of the Church to collect, use and disclose personal data for the purpose of maintaining the membership records and/or organizing of Church/Ministries activities.
2.2 This policy defines the responsibilities of the Church in ensuring compliance with the PDPA by ensuring proper management, security and control in the collection, usage and disclosure of the personal data in the Church.
A3. Purpose of Personal Data Protection Act
3.1 The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, store, maintain accuracy, use or disclose personal information for legitimate and reasonable purposes.
3.2 Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access. This includes personal particulars, medical records, educational records, and financial records, whether the data is stored in electronic or non-electronic form.
A4. Concept
4.1 The PDPA is intended to set the minimum standards that all organizations in Singapore must observe. The PDPA will operate concurrently with other sectoral legislative and regulatory frameworks. This means that the Church will have to comply with the PDPA as well as the common law and other relevant policies stipulated by the Methodist Church Of Singapore when handling personal data in its possession.
4.2 The PDPA takes into account the following concepts:
4.2.1 Consent - the Church may collect, use or disclose personal data only with the member's knowledge and consent (with some exceptions);
4.2.2 Purpose - the Church may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if it has informed the member of the purposes for the collection, use or disclosure;
4.2.3 Reasonableness - the Church may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
A5. Data Protection Officer
5.1 The Data Protection Officer of the Church is accountable to the Pastor-In-Charge of the Church and is responsible for ensuring that the Church complies with the PDPA. The appointed staff are responsible for reviewing the Church's personal data policies with the Church Governance Committee and for overseeing compliance with the PDPA. His or her responsibilities may include the following:
5.1.1 Develop processes for handling personal data in electronic and/or manual form, that suit the Church's needs and comply with the PDPA;
5.1.2 Communicate the Church's internal personal data protection policies and processes to staff and members;
5.1.3 Handle queries or complaints about personal data from staff, members and visitors;
5.1.4 Alert the Pastor-In-Charge, LCEC Chairman and Church Governance Committee Chairperson to any risks that might arise from the handling of personal data; and
5.1.5 Liaise with General Conference (GC) and/or the Personal Data Protection Commission (PDPC), when required.
A6. Consent, Purpose Limitation and Notification Obligations
6.1 Collection of Personal Data.
All registration forms are to provide a clause or separate notice to clearly state and seek consent for the following:
6.1.1 the purpose for which the data is collected;
6.1.2 the usage of the data collected; and
6.1.3 the ways the personal data may be disclosed.
6.2 Clause to be printed in Church’s bulletin.
In view of the provisions of the Personal Data Protection Act, the Church is committed to protecting your personal data. In the course of the year, the Church will be collecting, using and/or disclosing your data for the purposes of maintaining the membership records or for organizing Church-related activities/services for you. We seek your understanding in granting us your consent when the Church approaches you for your written consent.
6.3 Clause to be printed in Church’s Pledge Card.
I/We acknowledge that the Church is collecting my/our personal data in this pledge card in relation to my/our membership in the Church or my/our making my/our financial pledge to the Church. I/We hereby consent to the Church collecting, using or disclosing my/our personal data for the purposes of maintaining and updating the Church's records in respect of my/our pledge.
I/We also consent to the Church contacting me/us by post, telephone or sending phone or email messages to me/us in relation to the pledge which I/we have made to the Church.
6.4 Clause suggested to be printed in letter/form for Church’s COSC matters.
I acknowledge that the Church is collecting my personal data in this [letter/form] in relation to my participation in the activities endorsed by the Church. I hereby consent to the Church collecting, using or disclosing my personal data to enable the Church to continue to provide services to me.
I also consent to the Church contacting me by post, telephone or sending phone or email messages to me in relation to any of the activities and/or services endorsed by the Church.
6.5 Clause suggested to be printed in letter/form for children below 21 years old.
I/We acknowledge that the Church is collecting my/our personal data and the personal data of my/our child/ward [insert name & BC/NRIC] in this [letter/form] in relation to my/our child's/ward's participation in the activities of the Church/in the tuition programme endorsed by the Church. I/We hereby consent to the Church collecting, using or disclosing my/our personal data and that of my/our child/ward to enable the Church to continue to provide services to me and/or my child/ward.
I/We also consent to the Church contacting me/us by post, telephone or sending phone or email messages to me/us in relation to any of the activities and/or services endorsed by the Church.
[Signature portion should include full details of the signing parent/guardian and of the child/ward].
A7. Accuracy Obligation
7.1 The Church will ensure that the data collected is accurate and complete; when in doubt, a request will be made to the individual for a verbal or written declaration that the personal data provided is accurate and complete.
7.2 The Church will ensure that personal data is updated and amended when requested.
A8. Protection Obligation
8.1 Confidentiality.
8.1.1 The Church will ensure that all personal data is kept confidential and accessible only by the Data Protection Officers or authorized personnel for the purposes for which that information was sought.
8.2 Church Office.
8.2.1 All staff working areas must be secured, including work stations, meeting/discussion areas, filing cabinets, printers and fax machines. Access to work areas must be limited by appropriate security measures.
8.2.2 Access to office equipment containing such information must be password locked.
8.2.3 Use a shredder or a document disposal service to dispose of documents containing personal data.
8.2.4 Do not throw away or recycle paper containing personal data.
8.2.5 Keep all documents with personal data in secured cabinets.
8.2.6 Do not leave confidential files exposed on staff desks or shelves where unauthorized persons can easily see or take them.
8.2.7 Record and track persons who have access to keys to cabinets and drawers where confidential files are kept.
8.3 Databases and registration files/forms.
8.3.1 Soft copy databases must be password protected where applicable and stored by the dedicated Ministries during planning and destroyed when the information is no longer required after the activity.
8.3.2 Staff are not allowed to save any copies of databases on their own computer hard drives or on portable storage devices.
8.3.3 Records of members'/visitors' consent to the collection, use and disclosure of their personal data (and of any withdrawal of that consent) must be reported to and kept by the Data Protection Officer.
8.3.4 Hardcopy registration files/forms containing personal information must be kept strictly under the Ministries' care during planning and destroyed when the information is no longer required after the activity.
A9. Disclosure to Third-Parties
9.1 The Church will not disclose personal data to third parties without the written consent of the individual.
A10. Retention Limitation Obligation
10.1 The Church will retain and maintain its personal data records for the key purposes of membership, Cell Ministry and financial pledge management.
A11. Openness Obligation
11.1 Request.
The Church will make information on data protection policies, practices and complaints available on written request to the Data Protection Officer.
11.2 Feedback.
11.2.1 All feedback must be documented in the Feedback Record and submitted to the Pastor-In-Charge, LCEC Chairman and Church Governance Committee Chairperson.
11.2.2 A response to the query must be given within 5 working days of receiving the feedback.
11.2.3 Follow-up action must be carried out within a reasonable time.
A12. Access Obligation
12.1 Requests by individuals for information on how their personal data has been used and disclosed will be handled on a “need-to-know” basis, assessed by the Data Protection Officer in consultation with the Pastor-in-charge and/or Church Governance Committee where necessary.
12.1.1 For queries by post or telephone, staff must perform the following verification checks on the requester before disclosure of personal information:
· Full name as in NRIC
· NRIC/FIN number
· Home Address
· Contact number
· E-mail address
· Use of data (need-to-know basis)
12.1.2 For queries through email or post, staff must follow up with a telephone call to verify the identity of the requester before disclosure of personal information.
12.1.3 Staff are to provide the requested information only after the requester's identity has been verified.
A13. Compliance
13.1 The Church Governance Committee is to conduct an internal audit annually and may use the Personal Data Protection Checklist promulgated by the Personal Data Protection Commission, as set out in Annex A.
13.2 After the audit, the Data Protection Officer is to review and complete the Checklist in Annex A.
ANNEX A
PERSONAL DATA PROTECTION CHECKLIST
This self-assessment checklist, designed by the Personal Data Protection Commission, is based on the personal data protection obligations underlying the Personal Data Protection Act (PDPA). It is intended to assist the Church in reviewing its policies and in considering ways in which it can protect the personal data in its custody.