SAFYC PERSONAL DATA PROTECTION POLICY
1. The objective of this policy is to provide guidelines for the collection, usage and disclosure of personal data.
TYPES OF PERSONAL DATA
2. ‘Personal Data’ (PD) refers to any data and/or information (whether true or false) about an individual who can be identified either (a) from that data or (b) from other information to which the Club has legitimate access. PD includes, but is not limited to:
a. Full Name.
b. NRIC, FIN (Foreign Identification Number), passport number or other identification number.
c. Photograph or video image of an individual.
d. Mobile telephone number.
e. Personal email address.
f. Thumbprint or any biometric records.
g. Residential address.
3. It is important to note that the PD Protection Policy / PDPA does not apply to business contact information. Business contact information refers to an individual’s name, position or title within the business, and other business information such as telephone number, address, electronic mail address, fax number and any other similar information related to his commercial business.
4. The Club is not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other obligations in the Data Protection Provisions in relation to business contact information.
COLLECTION, USAGE AND DISCLOSURE OF PD
5. General Rules. The Club may collect, use and disclose PD only for the purpose(s) for which the individual has given, or is deemed to have given, his consent. Collection, usage and disclosure of PD should be kept to the minimum required to fulfil the specific purpose.
6. Withdrawal of Consent. The Club shall inform Members or Guests who wish to withdraw their consent to any use or disclosure of their PD that the effective provision of membership or related services may be compromised.
7. Accuracy. The Club aims to keep all PD as accurate, complete, not misleading, up-to-date and reliable as possible. It is the Members’ responsibility to inform the Club of any updates to their PD via email@example.com. The Club will correct or update PD found to be inaccurate or incomplete as soon as practicable. The Club must send the corrected data to all third parties to which the PD was disclosed within one year before the date of the correction, unless the third party no longer requires the data for a legal or business purpose.
a. Employees who wish to correct or update their PD shall contact the HR Department.
b. The Club may refuse to correct or update PD as requested if the Club is unable to confirm the Members’ identity or where such refusal is permitted under the PDPA.
8. Retention. The Club shall retain the Members’ and Employees’ PD for up to 7 years for audit purposes, unless otherwise permitted by applicable law or in order to defend legal claims. Where the PD is no longer required for the purposes stated in this policy, and its further retention is not required to satisfy a longer retention period to meet operational, legal, regulatory, tax or accounting requirements, the Club shall purge or destroy the PD from the Club’s systems and records.
9. The individual shall be informed of:
a. The purposes for the collection, use and disclosure of their PD, on or before collecting the PD; and
b. Any use or disclosure of the PD of which the individual has not yet been informed, before the PD is used or disclosed for that purpose.
10. The Club may collect, use and disclose PD for the following purposes:
a. Onboarding and Offboarding. When members and employees apply for Membership and employment respectively in the Club, the Club may collect PD for identity verification, processing and approval. The same applies to the termination of Membership and employment. The Club may collect information pertaining to a Member’s spouse and/or other dependents in order to provide Membership services on their behalf.
b. Usage of Club’s Facilities, Services and Benefits. The Club may use PD when Members and employees seek to use Club’s facilities, services and benefits. Members are to provide required PD when registering for Club events, courses and activities. For sailing certification, PD will be provided to Singapore Sailing Federation to process their certification. Likewise, employees undergoing workforce development, training and development are to provide PD when required. The Club may also utilise PD when employees seek Club employment benefits and services.
c. Usage of Club Network. The Club may use PD when Members access the Club’s network for online transactions. The Club may also collect and analyse PD when members and guests browse the Club’s website or related online platforms. This serves to improve the Member’s experience when visiting the Club’s website.
d. Enquiries and Records. The Club may use PD when members and guests submit enquiries and feedback. This allows the Club to keep track of complaints and requests. Employees may also use PD when members request that the Club contact them personally.
e. Finance. The Club may collect and use PD when processing payment for Club Membership and any other Member-related transactions such as fuel payment. PD may also be provided to a debt collection agency to recover outstanding debts from Members. Likewise, the Club may use employees’ PD when conducting headcount and payroll planning and execution. Lastly, PD may be used when there is a need to change the authorised signatory at the bank.
f. Human Resource. The Club may utilise employees’ PD for HR administration such as maintenance of emergency contacts, performance management, training, audits, risk and security management, internal investigations and other legal proceedings. This is to ensure that the Club continues to comply with applicable State laws and proceedings.
g. Marketing. The Club may utilise PD to contact and update Members on Club-related benefits, services and activities. Members may ask to be excluded from the marketing list by contacting the Club via email at firstname.lastname@example.org. The Events and Marketing Department will acknowledge the exclusion request and remove the member from its list within 7 days. The member will continue to receive notifications regarding other transactions and services as required for their Club membership subscription.
h. Marina Operations. The Club may utilize Members’ PD to assist Members in applying for port clearance.
i. Audit. The Club may share the PD for audit purposes.
11. The Club may continue to use PD of an individual collected before 2 July 2014 (the effective date of the data protection provisions of the PDPA), for the purposes for which PD was collected as stated in para 10 above unless the individual has withdrawn consent.
12. Ad hoc requests for PD usage by employees must be approved in writing by the GM and must state the specific duration and event for which the PD is used. The management and deletion of the PD after the event must also be covered in the request. Recurring or long-term use of PD must be approved by the GM and included in para 10 above.
13. The Club may monitor or record phone calls and customer-facing interactions for quality assurance, employee training and performance evaluation, identity verification, feedback, responding to Members’ and Guests’ queries or requests, resolving complaints and other related purposes. Such monitoring or recording will be in accordance with applicable law.
TRANSFER OF PD OUTSIDE SINGAPORE OR TO THIRD PARTIES
14. The Club shall not transfer any PD to an external party or to a country/territory outside Singapore unless the PD transferred is provided with a standard of protection comparable to this chapter or the PDPA.
15. The Club shall be accountable for PD released to third parties (e.g. contractors), and shall ensure that these third parties have appropriate measures in place to safeguard and protect PD. The Club shall also ensure that procedures are instituted for these third parties to report any PD breaches to MINDEF/SAF immediately.
PD PROTECTION MEASURES
16. PD Protection. The Club shall implement the following measures to ensure the security of the PD against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, in accordance with applicable laws.
a. Application of Sensitivity Classification. Sensitivity of personal data shall be evaluated based on the direct consequence that can be reasonably expected (i.e. envisaged impact is likely to occur) as a result of an unauthorised disclosure. All documents containing PD classified Sensitive Normal or Sensitive High shall be clearly marked.
Sensitivity Classification | Potential Impact to Individual as Direct Consequence of Unauthorised Disclosure | Examples
--- | --- | ---
Sensitive High | Causes serious physical, financial, or sustained emotional damage or social stigma to the individual, if leaked. E.g. loss of life or physical harm to an individual; loss of employability, reputation and insurability on a prolonged or permanent basis. | Case information that reveals the identity of victims of sexual assault; criminal or investigative records.
Sensitive Normal | Causes some temporary and minor emotional distress or disturbance to the individual, if leaked. | Name combined with other attributes, personal email address, home address, photographic images, height, weight, etc.
Non-Sensitive | Negligible or no physical, financial, or emotional damage to the individual; OR personal information that is generally available or is reasonably expected to be generally available. | Name only, business contact information, vaccination status.
b. General ICT Security Awareness.
(i) Educate employees on ICT security threats and protection measures for PD. This includes the organisation’s ICT security policies, standards and procedures.
(ii) Keep ICT security awareness training for employees updated and conduct such training at least twice a year.
(iii) Employees are to sign an undertaking form to indicate their commitment and understanding of their responsibilities and liabilities in handling PD.
c. Database Security.
(i) Control access to the database.
(ii) Passwords used must be at least 8 characters long and contain at least 1 alphabetical character and 1 numeric character.
(iii) Ensure that the database is physically secured.
(iv) Ensure there are routine updates and patches.
(v) Ensure that member data is encrypted at rest (i.e. when not in use).
(vi) Log database activities, such as any changes to the database and data access activities, to track unauthorised activities or anomalies.
d. Electronic Security.
(i) Before sending out emails, review all recipients to ensure there is no unintended recipient and use BCC function if sending mass email.
(ii) Encrypt or password-protect attachments containing the personal data of 5 or more individuals that has a higher risk of adversely affecting the individuals should it be compromised. The password should be communicated separately via a different medium. If a password hint is used (e.g. a known secret between sender and receiver), it can be sent via the same medium.
(iii) Include the PD Cautionary Statement in the email if it contains PD.
(iv) PD shall not be sent to/via staff’s personal email addresses.
(v) Minimise printing of PD.
(vi) Sensitive High PD or 30 or more PD records shall not be transmitted over commercial messaging apps.
(vii) PD shall be purged from staff’s personal electronic devices once official transmission is completed.
e. Physical Security.
(i) All hardcopies of employees’ personal files shall be maintained by the HR Department and locked securely when not in use. Likewise, hardcopies of members’ data will be maintained by the Events and Membership Department and locked securely when not in use.
(ii) Minimise reproduction of physical PD (e.g. photocopying).
(iii) No transmission of PD via fax.
(iv) Add a Cover Note for hardcopy documents with PD, and place them in an opaque/covered file.
(v) Approval needs to be sought from the respective HODs if PD will be brought out of the Club’s premises.
(vi) If PD will be brought out of the Club’s premises, the documents need to be sealed in an envelope.
(vii) PD which is no longer required shall be destroyed either by shredding or incineration.
17. The Club shall regularly review and implement appropriate security measures.
18. All employees shall handle all PD with the strictest confidentiality, failing which they will be subjected to the Club’s disciplinary action. The Club shall impose compliance with data confidentiality requirements on its agents, third-party service providers, consultants and professional advisors in its working relationships and/or agreements with these parties.
19. Members, guests or employees can write in formally to email@example.com for any questions or complaints relating to the collection, use or disclosure of PD, data protection policies and practices.
PD INCIDENT MANAGEMENT
20. The staff member and/or third-party vendor who detects a PD incident shall report it to the GM and HRM immediately.
21. The HRM shall report PD incidents to the POC of its Sponsoring Agency, NLD, immediately upon discovery and within the first hour of detection.
22. When reporting to NLD, the Club needs to provide information on the 5Ws and 1H – Who, What, When, Where, Why and How. For example: who discovered the incident, what was missing, what was discovered, when the discovery was made, when the incident occurred, where the incident occurred, why the incident occurred and how the incident occurred.
23. The Club shall continue to support NLD throughout the incident reporting process until case closure. Thereafter, MROs will continue their own investigation and update SA if necessary.