PERSONAL DATA PROTECTION POLICY BY THE CROSSING CHURCH LTD
To ensure that The Crossing Church Ltd (“TCC”) is in compliance with the Singapore Personal Data Protection Act 2012 (Act 26 of 2012) “(PDPA”) in processing, handling and managing the entrusted to it by individuals.
TCC is committed to safeguarding the personal data of individuals in a manner which recognises both the right of individuals to protect their personal data and the need for TCC to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
This Policy outlines the responsibilities of TCC and the principles and practices adopted by TCC in ensuring proper security, control and supervision in the collection, usage and disclosure of personal data and compliance with the PDPA.
Personal data is defined as “any data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access”. This includes personal particulars, medical records, educational records, financial records, pictures and videos, whether the data is stored in electronic or non-electronic form.
An individual is defined as a natural person, whether living or deceased.
For TCC, individuals include, but not limited to, the following:
- Volunteers (including interns)
APPOINTMENT OF DATA PROTECTION OFFICER(S) (“DPO”)
TCC will appoint Data Protection Officer(s) for the three church congregations who will be responsible to ensure that the organization complies with the PDPA and implements the principles and practices outlined in this Policy.
DATA COLLECTION, USAGE AND DISCLOSURE
Collection of Personal Data
The avenues by which TCC may collect personal data include, but are not limited to:
- Connect Slips for visitors who attend the weekly Church services at TCC;
- Application form(s) submitted by an individual to the Church, such as membership application forms or other forms relevant to events and activities organized or managed by TCC;
- Where an individual contacts staff or representatives of TCC to make enquiries or in relation to pastoral care, whether such contact is by email, voice calls, or otherwise; and
- Where an individual makes a donation to TCC.
Types of personal data collected include an individual’s:
- Name, handphone number(s), mailing address, email address or any other contact information;
- Personal identification and/or passport number;
- Date of birth, sex, marital status, nationality;
- Christian background (church, theological studies etc.);
- Camera or video footage that identifies individuals;
- Or any other personal information that an individual may offer voluntarily.
Consent/ Purpose Limitation/ Notification Obligation
TCC shall seek consent from individuals to collect, use or disclose the individual’s personal data, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law.
Exceptions from the consent obligation include:
- in an emergency situation
- for investigation purpose
- where information is available publicly
- when information is required for evaluative purposes
Prior to or during the collection of personal data, TCC shall inform the individual of the purposes for which the personal data was collected and how the data would be used and disclosed.
TCC shall only collect personal data relevant to the purposes of the collection. The data collection forms shall also indicate the data fields which are mandatory in order to accomplish the purpose. Individuals shall be informed of the purpose of collecting optional data (e.g. the birth date of the individual to enable TCC to organise celebrations for the relevant individual).
Consent may be collected through written documentation or in electronic form.
All forms (written and electronic) collecting personal data are to include TCC’s standard consent clause and purpose notification in the manner as annexed to this Policy and labelled “Appendix 1”.
With regards to photographs and videos which may be taken during Church activities:
- notices shall be put up to inform visitors that photographs and videos taken may be used by the Church for communication and publicity purposes in print or electronic media.
- for church events, it should be stated in the invitation and/or sign-up form that photographs and videos of attendees may be taken at the said event for communication and publicity in print and electronic media.
Written Parental/Guardian consent will be required for the collection of Personal Data of Individuals (below the age of 16) or those with certified medical/mental conditions.
TCC may deem individual’s consent were obtained for personal data collected prior to 2nd July, 2014 for the purpose of which the personal data was collected. The consent may include for TCC’s usage and where applicable include disclosure.
Withdrawal of Consent
Any individual may withdraw their consent to the use and disclosure of their personal data at any time, unless such personal data is necessary for TCC to fulfill its legal obligations.
TCC shall, on written notice of withdrawal of consent, appropriately dispose of or anonymize the information within 4 weeks of the date of receipt of the request.
TCC shall also inform the individual if such withdrawal will affect the services and arrangements between the individual and TCC. TCC may cease such services or arrangements as a result of the withdrawal.
Data Disclosure and Transfer of Personal Data Outside Singapore
TCC will disclose personal data to external third party organisations (local or overseas) on a required basis for the purposes that the personal data have been collected for.
These external third party organisations will be required to give an undertaking to protect the personal data released and an agreement that the personal data will only be used for the purpose that it had been released.
TCC shall ensure that such transfers (local or overseas) shall be done in a manner that is secure and compliant with the requirements of the PDPA.
SECURITY AND STORAGE
TCC will make every reasonable effort to ensure that data collected is accurate and complete; when in doubt, a request will be made to the individual for a verbal or written declaration that the personal data provided is accurate and complete.
Staff are to inform the respective DPOs in writing of all requests for changes to information of personal data to their knowledge.
Save as provided above, the respective DPOs are responsible for the integrity of the personal data protection. No changes can be made to personal data except through the DPO.
TCC will ensure that all personal data is kept confidential and accessible only to authorised personnel for the purpose for which that information was sought. The authorised persons and their level of access include, amongst others, the following:
- pastors (including senior pastor, associate pastors and ministry workers) and associates (excluding interns) (“staff”) and deacons shall have access to personal data as required for purposes of the performance of their duties and responsibilities;
- bible study group leaders and co-leaders shall be allowed access to personal data of the members in their bible study group only; and
- persons working on ad hoc initiatives, projects or events of TCC shall only be allowed access to personal data of persons who have signed up.
In the course of undertaking their work, all staff must ensure the security of all personal data that they access. Such areas of work include:
- work stations;
- meeting/ discussion areas;
- filing cupboards/cabinets;
- printers; and
- fax, copier machines,
and to the extent applicable, whether the above areas of work are at home, in a public area or any area where work is undertaken.
Access to work areas must be limited by appropriate security measures. Access to office equipment containing such information must be password protected
Databases and Forms
- Soft copy databases must be password protected.
- Access to the softcopy databases should only be given to authorized staff of TCC.
- Only authorized staff are allowed to save any copies of databases in their own computer hard drives or portable storage drives. Authorisation shall only be given by the church elders or deacons, and a record of authorized personnel shall be kept by the Data Protection Officers.
- Hardcopy forms such as Connect Slips and other Application Forms containing personal information under the ministries’ care must be kept in secured cabinets.
Retention Limitation Obligation
TCC shall retain individual’s personal data only for as long as it is reasonable to fulfill the purposes for which the information was collected for or as required by law.
TCC will continue to retain and maintain personal data records for the purpose of engagement, operational planning of activities, as well as communication of events, programmes and church-related information.
TCC will retain members’ data such as baptism, membership, marriage and death data indefinitely for records purposes.
Other records will be kept up to 7 years and will be disposed or anonymized if no longer needed.
ACCESS AND CORRECTION OBLIGATION
Access to Personal Data
Individuals whose personal data are kept by TCC shall be allowed to access to their personal data. TCC shall disclose such information, including the usage and disclosure history of the personal data that has occurred within a year of the date of request.
Correction of Personal Data
Individual can make a correction request to TCC, informing TCC of any changes, error or omission in their personal data. TCC shall notify all other organisations of such corrections, if the individual’s personal data was disclosed by TCC to that organisation one year prior to this correction. Such notification shall take place except if TCC deems the personal data is no longer relevant or needed by the organization for the purpose that TCC’s disclosure was made earlier.
Access and Correction Requests
All access and correction requests can be submitted to the respective DPOs at the following address and contact information:
9 AM Congregation
The DPOs are to provide the requested information only after verification of the identity of the requestor.
In a situation where a third party is making an access request on behalf of an individual, TCC shall ensure that the third party has the legal authority to validly act on behalf of the individual.
The DPOs shall make a record of such requests and responses for future reference and verification.
TCC shall comply with an access and/or correction request as soon as reasonably possible from the time the access request is received. If TCC is unable to respond to an access request or correct the data within 30 days after receiving the request, TCC shall inform the individual in writing within 30 days of the time by which it will be able to respond to the request or be able to correct the personal data.
TCC will make information on its data protection policies, practices and complaints processes available on written request.
TCC shall also communicate to its staff, including part time staff and volunteers, information on its data protection policies and practices.
All feedback must be documented in a Feedback Report and submitted to the respective DPOs. Response to the query must be carried out within 3 working days, upon receiving the feedback.
Follow-up action must be carried out soonest within reasonable time.
Any enquiries on TCC’s data protection policies and practices, including any complaints, shall be submitted to TCC in writing to the respective DPOs at the following address and contact information:
The Crossing Church
452 North Bridge Road #03-00
9 AM Congregation
This Personal Data Protection Policy shall be maintained and updated by the DPOs and reviewed and approved by staff of TCC.
By interacting with, submitting information to or signing up for any organised activity offered by The Crossing Church , you agree and consent to The Crossing Church collecting, using, disclosing and sharing of your personal data, for the purpose of engagement, operational planning of activities, as well as communication of events, programmes and church-related information.
The information provided herein may also be used by a third party (such as but not limited to o enable us to process your application. These third parties would be under duty of care to maintain the appropriate levels or security and confidentiality and only use the information as instructed by The Crossing Church.
The Crossing Church respects personal data and privacy, and will only share such information with third parties (such as but not limited to our corporate secretarial agents or professionals) on a required basis. These third parties would be under duty of care to maintain the appropriate levels or security and confidentiality and only use the information as instructed by The Crossing Church.
You have the option to withdraw or limit your consent anytime. You may also update or amend your personal data with the Data Protection Officer. If you wish to do any of the foregoing, please write with full particulars to our Data Protection Officer at the following address:
The Crossing Church
452 North Bridge Road #03-00
9 AM Congregation