Personal Data Protection for your Church Benjamin Ang www.visual-lawschool.com
Transcript
Page 1: Personal Data Protection for your Church

Personal Data Protection for your Church

Benjamin Ang

www.visual-lawschool.com

Page 2: Personal Data Protection for your Church

What is Personal Data?

• Data about an individual who can be identified

• from that data;

• or from that data and other information to which the organisation has or is likely to have access.

• Examples

• Name

• NRIC

• Telephone number

• Photograph

• Address

• E-mail

• Social media ID

• Medical history

• Criminal record

Page 3: Personal Data Protection for your Church

Who is NOT covered by PDPA?

• Any individual acting on a personal or domestic basis.

• Any employee acting in the course of his or her employment

• Any public agency

• Business contact information

• name,

• position name or title,

• business telephone

• business address,

• business e-mail address.

Page 4: Personal Data Protection for your Church

1. Consent Obligation

Hi, new visitor. We are COLLECTING your Personal Data, and we are going to USE it to invite you to Church events. We may DISCLOSE it to Church staff. Do you consent?

OK but what if I change my mind?

You can WITHDRAW at any time

Page 5: Personal Data Protection for your Church

• An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.

• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.

Page 6: Personal Data Protection for your Church

2. Purpose Limitation Obligation

Please give us your NAME, PHONE NUMBER, and ADDRESS

Sure

Also give us your BLOOD TYPE.

Or else you can’t come back

Page 7: Personal Data Protection for your Church

• An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.

• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.

Page 8: Personal Data Protection for your Church

3. Notification Obligation

Hi we want to invite you to our Church Musical!

We want to invite your kids to attend Bible Camp!

Page 9: Personal Data Protection for your Church

Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data.

Page 10: Personal Data Protection for your Church

4. Access and Correction Obligation

5. Accuracy Obligation

Hi, please let me know who you’ve given my personal data to. Please also correct the typo in my name.

Page 11: Personal Data Protection for your Church

• Upon request, the personal data of an individual and information about the ways in which his or her personal data has been or may have been used or disclosed within a year before the request should be provided.

• However, organisations are prohibited from providing an individual access under certain risky situations listed in the Act.

Page 12: Personal Data Protection for your Church

• Organisations are also required to correct any error or omission in an individual’s personal data upon his or her request.

Make reasonable effort to ensure that personal data collected by or on behalf of your organisation is accurate and complete, if it is likely to be used to make a decision that affects the individual, or if it is likely to be disclosed to another organisation.

Page 13: Personal Data Protection for your Church

6. Protection Obligation

Can I copy the names and phone numbers of all of our members onto my thumbdrive, so I can call them any time for soccer?

Sorry, no.

Wow, did you know that XYZ lives in a huge mansion?

Page 14: Personal Data Protection for your Church

Make reasonable security arrangements to protect the personal data that your organisation possesses or controls to prevent unauthorised access, collection, use, disclosure or similar risks.

Page 15: Personal Data Protection for your Church

7. Retention Limitation Obligation

Okay

Hi, I’ve moved to the other side of the country and I will be going to church there. Please remove my data.

Page 16: Personal Data Protection for your Church

Cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose.

Page 17: Personal Data Protection for your Church

8. Transfer Limitation Obligation

Don’t worry, if you transfer the personal data to us, we have the same policies and safety arrangements as you

Page 18: Personal Data Protection for your Church

Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection provided to the personal data so transferred will be comparable to the protection under the PDPA, unless exempted by the PDPC.

Page 19: Personal Data Protection for your Church

9. Openness Obligation

What are your data protection policies?

What if I need to make a complaint?

Ask me, I am the DATA PROTECTION OFFICER

Page 20: Personal Data Protection for your Church

• Make information about your data protection policies, practices and complaints process available on request.

• Designate one or more individuals as a Data Protection Officer to ensure that your organisation complies with the PDPA, including the implementation of personal data protection policies within your organisation.

• The business contact information of at least one of such individuals should also be made available to the public. Please note that compliance with the PDPA remains the responsibility of the organisation.

Page 21: Personal Data Protection for your Church

Existing Data

I gave you my personal data in 1995 when I joined the Church

We are now going to use it for a new purpose …

Page 22: Personal Data Protection for your Church

• Your organisation may continue to use personal data that has been collected before the data protection provisions of the PDPA came into effect on 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent.

If there is a different purpose for the use of the personal data, consent has to be obtained anew.

Page 23: Personal Data Protection for your Church

How the Church can Manage Personal Data

Page 24: Personal Data Protection for your Church

DPO

Handle queries/complaints

Tell others about the policies

Make good policies

Step 1 - Appoint a Data Protection Officer

Page 25: Personal Data Protection for your Church

• Designate at least one person to develop your organisation’s personal data policies and oversee your organisation's compliance with the PDPA. This person may be an existing employee in your organisation, and his or her role may include the following:

• Developing good policies for handling personal data in electronic and/or manual form, that suit your organisation’s needs and comply with the PDPA;

• Communicating the internal personal data protection policies and processes to customers, members and employees;

• Handling queries or complaints about personal data from customers, members and employees;

• Alerting your organisation to any risks that might arise with personal data; and

• Liaising with the PDPC, if necessary.

Page 26: Personal Data Protection for your Church

Step 2 - Map out a Data Inventory

• WHAT did we collect?

• HOW did we collect it? (Did we get consent?)

• WHAT are we using it for?

• WHO did we share it with?

• WHO has access to it?

• WHERE are we storing it?

• HOW LONG are we storing it?

Page 27: Personal Data Protection for your Church

Step 3 - Implement Data Protection Processes

Do our actions match the PDPA?

Collection, Use and Disclosure

Access and Correction

Care for Data

Page 28: Personal Data Protection for your Church

Must the Church check the Do Not Call Registry?

Messages that are covered

• Offers to supply or promote goods or services

• Advertising/promoting suppliers

• Promoting business or investment opportunities

Messages that are NOT covered

• pure market survey or research

• charitable or religious causes

Page 29: Personal Data Protection for your Church

Does DNC Apply?

Do you want to buy tickets to our Church Musical?

Do your kids want to attend Bible Camp?

Can I share the Good News of Jesus Christ with you?

Page 30: Personal Data Protection for your Church

• Invitation to attend Bible camp = charitable or religious causes = not covered by DNC

• Sharing the gospel = charitable or religious causes = not covered by DNC

• Selling tickets to a musical = Offers to supply or promote goods or services = covered by DNC

Page 31: Personal Data Protection for your Church

Special cases:

Photographs (e.g. Church events)

I’m taking personal photos

I’m taking official photos

We’re at the wedding

We’re at the open field

Page 32: Personal Data Protection for your Church

• Example: Deemed consent for photo-taking at private function

• Organisation ABC holds a private function for a select group of invited clients and wishes to take photographs of attendees for its internal newsletter. If Organisation ABC intends to rely on deemed consent, measures that Organisation ABC may take to better ensure that the attendees are aware of (and accordingly, more likely to be deemed to have consented to) the purpose for which their photographs are collected, used and disclosed, could include:

• a) Clearly stating in its invitation to clients that photographs of attendees will be taken at the function for publication in its internal newsletter; or

• b) Putting up an obvious notice at the reception or entrance of the function venue to inform attendees that photographs will be taken at the event for publication in its internal newsletter.

Page 33: Personal Data Protection for your Church

Special cases:

Photographs (e.g. Church events)

• Good practices to get consent

• State in your invitation that photos will be taken

• Put an obvious notice at the event

• Posing for photo = implied consent

I’m taking official photos

I love posing.

Can I take a selfie?

Page 34: Personal Data Protection for your Church

• Example: Posing for photo-taking

• Kevin attends Organisation ABC’s private function. During the function, Organisation ABC’s photographer informs Kevin that she is taking photographs for publication in Organisation ABC’s internal newsletter, and asks Kevin to pose for his photograph to be taken. By voluntarily posing for his photograph to be taken, Kevin would be deemed to have given consent for the photograph to be collected, used or disclosed for the stated purpose.

Page 35: Personal Data Protection for your Church

Special cases:

Minors (e.g. Sunday School, Youth)

• The PDPA does not specify

• Commission will adopt the practical rule of thumb that a minor who is at least 13 years old can consent on his own behalf

• As a general guide, for <13 obtain consent from parent or guardian

• Even for >13, do not apply undue influence on a minor

You must give us your particulars, otherwise we won’t be your friends

Page 36: Personal Data Protection for your Church

DPO

Handle queries/complaints

Tell others about the policies

Make good policies

Appoint a Data Protection Officer and work together