PERSONAL DATA PROTECTION POLICY BY THE CROSSING CHURCH LTD
To ensure that The Crossing Church Ltd (“TCC”) is in compliance with the Singapore Personal Data Protection Act 2012 (Act 26 of 2012) (“PDPA”) in processing, handling and managing the entrusted to it by individuals.
TCC is committed to safeguarding the personal data of individuals in a manner which recognises both the right of individuals to protect their personal data and the need for TCC to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
This Policy outlines the responsibilities of TCC and the principles and practices adopted by TCC in ensuring proper security, control and supervision in the collection, usage and disclosure of personal data and compliance with the PDPA.
Personal data is defined as “any data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access”. This includes personal particulars, medical records, educational records, financial records, pictures and videos, whether the data is stored in electronic or non-electronic form.
An individual is defined as a natural person, whether living or deceased.
For TCC, individuals include, but not limited to, the following:
- Volunteers (including interns)
APPOINTMENT OF DATA PROTECTION OFFICER(S) (“DPO”)
TCC will appoint a DPO for The Crossing Church Ltd who will be responsible to ensure that the organization complies with the PDPA and implements the principles and practices outlined in this Policy.
DATA COLLECTION, USAGE AND DISCLOSURE
Collection of Personal Data
The avenues by which TCC may collect personal data include, but are not limited to:
- Connect forms,both electronic and physical forms, submitted by visitors who wish to connect with the Church or receive further information about the Church;
- Application form(s) submitted by an individual to the Church, such as membership application forms or other forms relevant to events and activities organized or managed by TCC;
- Where an individual contacts staff or representatives of TCC to make enquiries or in relation to pastoral care, whether such contact is by email, voice calls, or otherwise; and
- Where an individual makes a donation to TCC.
Types of personal data collected include an individual’s:
- Name, handphone number(s), mailing address, email address or any other contact information;
- Personal identification and/or passport number;
- Date of birth, sex, marital status, nationality;
- Christian background (church, theological studies etc.);
- Camera or video footage that identifies individuals; or
- Any other personal information that an individual may offer voluntarily.
Consent/ Purpose Limitation/ Notification Obligation
TCC shall seek consent from individuals to collect, use or disclose the individual’s personal data, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law.
Exceptions from the consent obligation include:
- in an emergency situation
- for investigation purpose
- where information is available publicly
- when information is required for evaluative purposes
Prior to or during the collection of personal data, TCC shall inform the individual of the purposes for which the personal data was collected and how the data would be used and disclosed.
TCC shall only collect personal data relevant to the purposes of the collection. The data collection forms shall also indicate the data fields which are mandatory in order to accomplish the purpose. Individuals shall be informed of the purpose of collecting optional data (e.g. the birth date of the individual to enable TCC to organise celebrations for the relevant individual).
Consent may be collected through written documentation or in electronic form.
All forms (written and electronic) collecting personal data are to include TCC’s standard consent clause and purpose notification in the manner as annexed to this Policy and labelled “Appendix 1”.
With regards to photographs and videos which may be taken during Church activities:
- notices shall be put up to inform visitors that photographs and videos taken may be used by the Church for communication and publicity purposes in print or electronic media.
- for church events, it should be stated in the invitation and/or sign-up form that photographs and videos of attendees may be taken at the said event for communication and publicity in print and electronic media.
Written Parental/Guardian consent will be required for the collection of personal data of minors (below the age of 13) or those with certified medical/mental conditions.
TCC may deem that an individual’s consent was obtained for personal data collected prior to 2nd July, 2014 for the purpose for which the personal data was collected. The consent may include for TCC’s usage and where applicable includes disclosure.
Withdrawal of Consent
Any individual may withdraw their consent to TCC’s use and disclosure of their personal data for any particular purpose. Such withdrawal of consent shall be sent via email to the relevant DPO at the contact information specified in this Policy.
TCC shall, within 3 weeks of receiving the withdrawal of consent, cease its collection, use or disclosure of the information for the specified purpose(s), unless the collection, use or disclosure of the information is required or authorised under the PDPA or any other written law.
TCC shall also inform the individual if such withdrawal will affect the services and arrangements between the individual and TCC. TCC may cease such services or arrangements as a result of the withdrawal. In certain circumstances, TCC may not be able to comply with a withdrawal of consent due to legal reasons or where the individual insists that services or arrangements requiring the use of such information continue.
Data Disclosure and Transfer of Personal Data Outside Singapore
TCC may disclose personal data to external third party organisations (local or overseas) on a required basis for the purposes that the personal data have been collected for.
These external third party organisations will be required to undertake legally binding obligations to protect the personal data released and an agreement that the personal data will only be used for the purpose specified by TCC.
TCC shall ensure that such transfers (local or overseas) shall be done in a manner that is secure and compliant with the requirements of the PDPA.
SECURITY AND STORAGE
TCC will make every reasonable effort to ensure that personal data collected and retained is accurate and complete; when in doubt, a request will be made to the individual for a verbal or written declaration that the personal data provided is accurate and complete.
Staff are to inform the respective DPO in writing of all requests for changes to information of personal data to their knowledge.
Save as provided above, the respective DPO are responsible for the integrity of the personal data protection. No changes can be made to personal data except through the DPO.
TCC will ensure that all personal data is kept confidential and accessible only to authorised personnel for the purpose for which that information was sought. The authorised persons and their level of access include, amongst others, the following:
- pastors (including senior pastor, associate pastors and ministry workers) and associates (excluding interns) (“staff”) and deacons shall have access to personal data as required for purposes of the performance of their duties and responsibilities;
- bible study group leaders and co-leaders shall be allowed access to personal data of the members in their bible study group only; and
- persons working on ad hoc initiatives, projects or events of TCC shall only be allowed access to personal data of persons who have signed up.
In the course of undertaking their work, all staff must ensure the security of all personal data that they access. Such areas of work include:
- work stations;
- meeting/ discussion areas;
- filing cupboards/cabinets;
- printers; and
- fax, copier machines,
and to the extent applicable, whether the above areas of work are at home, in a public area or any area where work is undertaken.
Access to work areas must be limited by appropriate security measures. Access to office equipment containing such information must be password protected
Databases and Forms
- Soft copy databases must be password protected.
- Access to the softcopy databases should only be given to authorized staff of TCC.
- Only authorized staff are allowed to save any copies of databases in their own computer hard drives or portable storage drives. Authorisation shall only be given by the church elders or deacons, and a record of authorized personnel shall be kept by the DPO.
- Hardcopy forms such as Connect Slips and other Application Forms containing personal information under the ministries’ care must be kept in secured cabinets.
Retention Limitation Obligation
TCC shall retain an individual’s personal data only for as long as it is reasonable to fulfill the purposes for which the information was collected for or as required by law.
TCC will continue to retain and maintain personal data records for the purpose of engagement, operational planning of activities, as well as communication of events, programmes and church-related information.
TCC will retain members’ data such as baptism, membership, marriage and death data indefinitely for records purposes.
Other records will be kept up to 7 years thereafter and will be disposed of or anonymized if no longer needed.
ACCESS AND CORRECTION OBLIGATION
Access to Personal Data
Individuals may request that TCC provides information about the personal data in relation to the individual that is in the possession or under the control of TCC and the usage and disclosure history of such personal data one year prior to the date of request.
Correction of Personal Data
Individuals can make a correction request to TCC, informing TCC of any changes, error or omission in their personal data. TCC shall notify all other organisations of such corrections, if the individual’s personal data was disclosed by TCC to that organisation one year prior to this correction. Such notification shall take place except if TCC deems the personal data is no longer relevant or needed by the organization for the purpose that TCC’s disclosure was made earlier.
Access and Correction Requests
All access and correction requests can be submitted to the respective DPOs at the following address and contact information:
The Crossing Church Limited
171 Tras Street
The DPO are to provide the requested information only after verification of the identity of the requestor.
In a situation where a third party is making an access request on behalf of an individual, TCC shall take reasonable steps to ensure that the third party has the legal authority to validly act on behalf of the individual.
The DPO shall make a record of such requests and responses for future reference and verification.
TCC shall comply with an access and/or correction request as soon as reasonably possible from the time the access request is received. If TCC is unable to respond to an access request or correct the data within 30 days after receiving the request, TCC shall inform the individual in writing within 30 days of the time by which it will be able to respond to the request or be able to correct the personal data.
TCC will make information on its data protection policies, practices and complaints processes available on written request.
TCC shall also communicate to its staff, including part time staff and volunteers, information on its data protection policies and practices.
All feedback must be documented in a Feedback Report and submitted to the DPO. Response to the query must be carried out within 3 working days, upon receiving the feedback.
Follow-up action must be carried out soonest within reasonable time.
Any enquiries on TCC’s data protection policies and practices, including any complaints, shall be submitted to TCC in writing to the DPO at the following address and contact information:
The Crossing Church Limited
171 Tras Street
This Personal Data Protection Policy shall be maintained and updated by the DPO.
By interacting with, submitting information to or signing up for any organised activity offered by The Crossing Church , you agree and consent to The Crossing Church collecting, using, disclosing and sharing of your personal data, for the purpose of engagement, operational planning of activities, as well as communication of events, programmes and church-related information.
The Crossing Church respects personal data and privacy, and will only share such information with third parties (such as but not limited to our corporate secretarial agents or professionals) on a required basis. These third parties would be under legally binding obligations to maintain the confidentiality of the information, apply commercially reasonable levels of security to the information, and only use the information as instructed by The Crossing Church.
You have the option to withdraw or limit your consent at any time. You may also update or correct your personal data. If you wish to do any of the foregoing, please write with full particulars to our Data Protection Officer at the following address:
The Crossing Church Limited
171 Tras Street