executive ship management hr (shore staff manual)


Post on 11-Apr-2022


EXECUTIVE SHIP MANAGEMENT HR (SHORE STAFF MANUAL)

HR MANUAL Rev 22 Sec 0 Date -- Page: 1

1.5 PERSONAL DATA PROTECTION POLICY FOR EMPLOYEES 2

1.5.1 REVIEW OF POLICY 2

1.5.2 REVIEW OF POLICY FLOWCHART 4

1.5.3 ESM PRIVACY PRINCIPLES 5

1.5.4 DATA INVENTORY MAP 5

1.5.5 WHAT PERSONAL DATA IS COLLECTED 5

1.5.6 HOW PERSONAL DATA IS COLLECTED 6

1.5.7 HOW PERSONAL DATA IS USED 6

1.5.8 THIRD PARTIES TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED 6

1.5.8.1 THIRD PARTY DUE DILIGENCE PROCEDURE 7

1.5.8.2 THIRD PARTY SOURCE 7

1.5.8.3 THIRD PARTY DUE DILIGENCE FLOWCHART 8

1.5.9 HOW PERSONAL DATA IS PROTECTED 9

1.5.10 WITHDRAWAL OF CONSENT, RETENTION AND DISPOSAL OF PERSONAL DATA 9

1.5.10.1 WITHDRAWAL OF CONSENT PROCEDURE 9

1.5.10.2 WITHDRAWAL OF CONSENT FLOWCHART 11

1.5.10.3 RETENTION PERIOD 12

1.5.10.4 DATA DISPOSAL PROCEDURE 12

1.5.10.5 DATA DISPOSAL FLOWCHART 13

1.5.11 ACCURACY OF PERSONAL DATA 14

1.5.12 ACCESS TO AND CORRECTION OF PERSONAL DATA 14

1.5.12.1 ACCESS REQUEST PROCEDURE 14

1.5.12.2 ACCESS REQUEST FLOWCHART 16

1.5.12.3 CORRECTION REQUEST PROCEDURE 17

1.5.12.4 CORRECTION REQUEST FLOWCHART 18

1.5.13 THIRD PARTY SITES 19

1.5.14 DATA BREACH MANAGEMENT 19

1.5.14.1 TYPES OF DATA BREACHES 19

1.5.14.2 CIRCUMSTANCES UNDER WHICH DATA BREACH MANAGEMENT TEAM TO BE ALERTED: 19

1.5.14.3 REPORTING A DATA BREACH INTERNALLY 20

1.5.14.4 RESPONDING TO A DATA BREACH 20

1.5.14.5 DATA BREACH DISCOVERED BY DATA INTERMEDIARIES 23

1.5.15 GOVERNING LAW 23

1.5.16 ENQUIRY OR COMPLAINTS HANDLING PROCEDURE 24

1.5.17 ENQUIRY OR COMPLAINTS HANDLING FLOWCHART 25

HR MANUAL Rev 22 Sec 1 Date 14/12/2020 Page: 2

1.5 PERSONAL DATA PROTECTION POLICY FOR EMPLOYEES

This policy has been prepared by Executive Ship Management Pte Ltd (ESM) in connection with the Personal Data Protection Act (PDPA) to inform you how we manage personal data (as defined below) which is subject to the Act.

The security of your personal data is important to us. To ensure that appropriate safeguards are in place to secure personal data and prevent its unauthorised use, we will conduct a Data Protection Impact Assessment (DPIA) at least once a year to determine:

1. The level of the organisation's compliance with PDPA requirements;

2. Risks associated with the organisation's current practices for handling personal data; and

3. Action plans to be taken to ensure that the organisation's policies, procedures and systems are in line with PDPA requirements.

This policy describes how we may collect, use, disclose, process and manage your personal data.

Your agreement to join our employment and your signing of the declaration regarding personal data shall be deemed your acceptance of, and agreement to be bound by, the provisions of this notice and the PDPA.

1.5.1 REVIEW OF POLICY

The following procedure is to be followed when reviewing and revising this policy.

1. Review of Requirements

The organisation's "Personal Data Protection Policy" is to be reviewed annually and/or as and when necessary.

The organisation's DPO shall be in charge of reviewing the requirements based on the directives from the PDPC and other relevant regulatory bodies. He/she has the responsibility to determine the gaps between (a) the current directives and (b) the policy and its corresponding procedures/practices.

The organisation shall also conduct an internal audit of the policy and procedures/practices. The HR3 PDPA Compliance Checklist shall be used to determine gaps between (a) the best-practice guidelines for "Personal Data Protection" and (b) the policy and its corresponding procedures/practices.

2. Process for Policy Revision

The DPO shall ensure that all gaps identified are reviewed. The DPO shall be responsible for collating the following upon completion of the "Review of Requirements":

• Summary of gaps and corresponding required changes as per requirements from the PDPC and other relevant regulatory bodies; and

• Summary of internal audit findings and corresponding actions required.

The summary shall stipulate the following:

• Updates required to existing methods of collection;

• Updates required to data storage, transfer or disposal methods; and

• Updates required to the organisation's "Personal Data Protection Policy".

3. Approval for Proposed Changes

The summary of all the changes required to the organisation's "Personal Data Protection Policy" and its corresponding procedures/practices shall be reviewed by the Management. Once proposals are approved, the DPO shall lead the setting of the implementation timeline and the allocation of responsibilities.

1.5.2 REVIEW OF POLICY FLOWCHART

[Flowchart not reproduced in this transcript; only its Yes/No branch labels survived extraction.]

1.5.3 ESM PRIVACY PRINCIPLES

We only collect and update personal information that we believe to be relevant and required in connection with your employment and services with our organisation. Information will not be disclosed other than for the purpose made known to you, authorised by you or permitted by law. Staff and all parties with permitted access to your personal information are required to observe our confidentiality obligations.

1.5.4 DATA INVENTORY MAP

The Data Inventory Map is a comprehensive overview of the flow of personal data within the organisation. The Data Inventory Map documents how we handle personal data at the various stages, such as:

1. Types of personal data and purpose of collection;

2. How we notify and obtain consent;

3. How personal data is used;

4. How personal data is stored;

5. To whom personal data is disclosed; and

6. Retention policy and how personal data is disposed of.

The Data Inventory Map will be reviewed and updated annually and/or as and when necessary to ensure that the organisation's policies and practices are aligned.

1.5.5 WHAT PERSONAL DATA IS COLLECTED

"Personal data" is data that can be used to identify a natural person. This includes:

1. Personal particulars of employees and dependents (e.g. name, contact details, residential address, date of birth, identity card and/or passport details, next of kin, education details, specimen signature);

2. Employment details (e.g. employment history, salary, benefits, tax information, bank details);

3. Copies of our communications with you (e.g. emails, feedback forms);

4. Medical examination records; and/or

5. Photographs.

If you refuse to provide us with the personal data listed above, or if you provide us with incomplete personal data, we may not be able to fulfil our obligations as your employer, where applicable.

You may provide us with personal data relating to other individuals from time to time. You undertake that the data provided by you is accurate and that you have obtained valid consent from those individuals for the purpose, use and disclosure of their personal data.

We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except for disclosure to public agencies, courts and law enforcement agencies when required for investigations or proceedings under the PDPA or other written law).

1.5.6 HOW PERSONAL DATA IS COLLECTED

Personal data is retrieved from submitted employment applications and the documents included with your resume. Data may include information received from business partners, public agencies, your ex-employer and relevant authorities. Personal data may also be collected from you prior to and during your employment with the organisation via the following collection media:

1. Employment Application Form;

2. Email; or

3. Relevant forms, as applicable.

1.5.7 HOW PERSONAL DATA IS USED

Your personal data is used to verify your identity in connection with your employment with us and/or the provision of any of our services to you as an employer, and for the following purposes:

1. Performing obligations under or in connection with your contract of employment with us, including payment of remuneration and tax;

2. All administrative and human resources related matters within our organisation, including administering payroll, granting access to our premises and computer systems, processing leave applications, administering your insurance and other benefits, processing your claims and expenses, investigating any acts or defaults (or suspected acts or defaults) and developing human resource policies;

3. Managing and terminating our employment relationship with you, including monitoring your internet access and your use of our intranet and email to investigate potential contraventions of our internal or external compliance regulations, and resolving any employment related grievances;

4. Assessing and evaluating your suitability for employment/appointment or continued employment/appointment in any position within our organisation;

5. Ensuring business continuity for our organisation in the event that your employment with us is or will be terminated; and

6. Facilitating our compliance with any laws, customs and regulations which may be applicable to us.

1.5.8 THIRD PARTIES TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED

We will take reasonable steps to protect your personal data against unauthorised disclosure.

Subject to the provisions of any applicable law, your personal data may be provided, for the purposes listed above and on a need-to-know basis, to the following entities or parties:

1. Any person in connection with the services you have requested us to provide for you, including but not limited to medical insurance providers;

2. Parties in relation to loans, CPF applications, outsourced payroll service providers or other transactions taken or applied for by you;

3. Any government department, agency, ministry, court, tribunal or regulatory body (including national and/or international regulators); and/or

4. Relevant authorities for statutory and legal requirements.

1.5.8.1 THIRD PARTY DUE DILIGENCE PROCEDURE

Effective from 1st November 2020, a Data Protection Clause will be included in all contractual agreements with third-party providers, where applicable, in accordance with our personal data protection policy.

The organisation shall ensure that relevant due diligence checks are conducted when appointing new third-party providers. These due diligence checks may be conducted either on-site or remotely. The entire process should ensure that there are appropriate security safeguards in place to protect personal data.

The following are included in the due diligence checks:

1. Privacy Policy on the third-party provider's website;

2. Data Protection Officer's business contact information;

3. Data Breach Management Plan;

4. Any external certifications relating to data protection (as applicable); and

5. Contractual agreement between the organisation and the third-party provider.

The Data Breach Management Plan should include the third-party provider's procedure for informing the organisation when there is an actual data breach.

The same due diligence checks will also be done for all existing relevant third-party providers to ensure their continued compliance with the PDPA.

The HR5 Due Diligence Third Party Checklist shall be used to evaluate the third-party provider's compliance.

A new third-party provider can only be appointed with management's approval using TA-003A Initial Approval Form - Stores/ Spares/ Services Provider or TA-003B Medical/ Travel/ Other Services Provider Assessment/ Evaluation Form.

1.5.8.2 THIRD PARTY SOURCE

The organisation may obtain personal data from third-party sources (i.e. agents). The organisation ensures that these third-party sources practise a similar level of personal data protection as the organisation and are able to provide proof of consent.


1.5.8.3 THIRD PARTY DUE DILIGENCE FLOWCHART

1.5.9 HOW PERSONAL DATA IS PROTECTED

To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures.

Access is limited to authorised employees who are responsible for handling your information. Authorised agents or service providers to whom your personal data has been disclosed must appropriately safeguard the information. Your personal data may be transferred to or shared with other companies within the Executive Group, whether within Singapore or outside Singapore. In this regard, reasonable steps will be taken to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.

Whether internal or external, all email communications containing personal data shall be secured by encrypting the personal data with a password (e.g. a password-protected attachment). The password shall be communicated to the authorised recipient(s) separately (not in the same email). Where encryption is not possible, the number of recipients shall be limited to the relevant personnel to reduce exposure.

As our company's internal system (i.e. the Human Resources Management System) is used across the Executive Group, we will ensure that access to your personal data through the system is limited to authorised employees.

1.5.10 WITHDRAWAL OF CONSENT, RETENTION AND DISPOSAL OF PERSONAL DATA

The organisation shall comply with the government's requirements for the retention period of personal data. Personal data will only be retained for as long as necessary to fulfil the purpose(s) for which it was collected or to comply with legal, regulatory and internal requirements.

1.5.10.1 WITHDRAWAL OF CONSENT PROCEDURE

Any employee who wishes to withdraw consent to the collection, use or disclosure of his/her personal data should contact the organisation's DPO in writing.

Upon receipt of your written request (i.e. by email) to withdraw your consent, we shall send you an acknowledgement and notify you of any consequences of your request within two working days of receipt. Once you acknowledge and/or agree to proceed with the withdrawal in spite of the consequences, we will then inform the parties that hold your personal data so that they can complete your request. These parties will be:

• Internal parties (i.e. Data Protection Team and IT Team); and

• External parties (i.e. third-party service providers).

In general, we shall seek to process and effect your request within 10 calendar days of receiving it.

Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use or disclosure without consent is permitted or required under applicable laws.


1.5.10.2 WITHDRAWAL OF CONSENT FLOWCHART


1.5.10.3 RETENTION PERIOD

The following minimum retention periods shall apply, depending on the form of the personal data that the organisation maintains:

1. The retention period is 1 year for personal data collected from enquirers and/or job applicants who are not hired. The data may be retained solely for the purpose of business requirements and/or any suitable future job opportunity for the applicant;

2. The retention period is 7 years from the employee's last working day for personal data in physical form (i.e. personal data in hardcopy/paper form or stored in physical media or read-only storage such as CD and DVD) and in electronic form (i.e. personal data stored in the HRMS, on the HR server or on any electronic medium that allows data to be overwritten, such as a hard disk). The data may be retained solely for the purpose of:

a. Reference for future hires, annual performance reports and forecasting;

b. Providing verification of experience as and when requested by an ex-employee or another organisation for the purpose of recruitment.

1.5.10.4 DATA DISPOSAL PROCEDURE

Checks will be conducted every 6 months to determine the personal data due for disposal. The following dates determine when personal data is due for disposal:

1. Date of receipt of the enquiry email;

2. Unsuccessful applicant's date of application; and

3. Employee's last working day with the organisation.

All forms of personal data shall be securely disposed of through the following methods:

1. Personal data in physical form must be disposed of by shredding or other appropriate means;

2. Personal data in electronic form stored in a database must be erased permanently by the IT Management Team; and

3. Storage devices used to store personal data in electronic form must be physically destroyed by the IT Management Team before disposal or when they become obsolete.

The DPO has the responsibility to keep and maintain records of all disposals done, using HR 7 Personal Data Storage (Physical & Electronic) Disposal, for future reference. He/she must also ensure that all disposals were completed as per the above-listed methods.

There may be instances where unsolicited personal data is received by employees through email. In such cases, the employee has the responsibility to remove the personal data from the system (i.e. email) immediately to cease retention, usage and disclosure. The IT Management Team may also be authorised to remove the information from the system entirely.
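The six-monthly disposal check described above is a date calculation per record category. The following is an added worked example (not part of the ESM manual) that computes, for a constructed set of records, which ones have completed the minimum retention period in 1.5.10.3 as of a given check date. The record references, category labels and the records themselves are hypothetical; the periods and the trigger dates are the ones stated in 1.5.10.3 and 1.5.10.4.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Minimum retention periods from 1.5.10.3, keyed by the disposal trigger
# listed in 1.5.10.4. The category names are hypothetical labels.
RETENTION_YEARS = {
    "enquiry": 1,                 # from the date the enquiry email was received
    "unsuccessful_applicant": 1,  # from the applicant's date of application
    "ex_employee": 7,             # from the employee's last working day
}


@dataclass(frozen=True)
class Record:
    ref: str            # hypothetical record reference (e.g. a file number)
    category: str       # one of the RETENTION_YEARS keys
    trigger_date: date  # the date from which the retention period is counted


def add_years(d: date, years: int) -> date:
    """Move d forward by whole years. A 29 Feb trigger date whose target
    year is not a leap year rolls forward to 1 Mar, so the minimum period
    is never cut short by a day."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb, target year not a leap year
        return date(d.year + years, 3, 1)


def retention_end(rec: Record) -> date:
    """Earliest date on which the record may be disposed of.
    An unknown category raises KeyError on purpose: such a record must be
    classified by the DPO, not silently kept or silently disposed of."""
    return add_years(rec.trigger_date, RETENTION_YEARS[rec.category])


def due_for_disposal(records: Iterable[Record], check_date: date) -> List[Record]:
    """Records whose minimum retention period ended on or before check_date,
    oldest first. Intended to be run at each six-monthly check."""
    due = [r for r in records if retention_end(r) <= check_date]
    return sorted(due, key=lambda r: (retention_end(r), r.ref))


# Constructed sample records (not real data) for a check run on 1 Jul 2022.
SAMPLE_RECORDS = [
    Record("ENQ-0001", "enquiry", date(2021, 5, 3)),                  # due 3 May 2022
    Record("APP-0042", "unsuccessful_applicant", date(2021, 9, 15)),  # due 15 Sep 2022
    Record("EMP-0007", "ex_employee", date(2015, 6, 30)),             # due 30 Jun 2022
    Record("EMP-0019", "ex_employee", date(2016, 2, 29)),             # due 1 Mar 2023
]


def disposal_report(records: Iterable[Record] = SAMPLE_RECORDS,
                    check_date: date = date(2022, 7, 1)) -> List[str]:
    """One line per record due for disposal, for entry in the HR 7 disposal record."""
    return [f"{r.ref} ({r.category}): retention ended {retention_end(r).isoformat()}"
            for r in due_for_disposal(records, check_date)]


if __name__ == "__main__":
    print("\n".join(disposal_report()))
```

The report only says when disposal is permitted by the minimum period; the retention purposes listed in 1.5.10.3 still have to be reviewed before the IT Management Team erases anything, and a record with an uncategorised retention class deliberately fails loudly rather than being dropped from the report.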


1.5.10.5 DATA DISPOSAL FLOWCHART


1.5.11 ACCURACY OF PERSONAL DATA

We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing the relevant party (i.e. HR Department) in writing or via email.

To ensure the accuracy of your personal data, at the time of joining we shall request original copies of your documents to verify the personal data that you have provided to us. We will also request you to verify the accuracy of the personal data in our possession annually.

From time to time, we may request you to verify and/or update your personal data to ensure that it is complete and accurate prior to use or disclosure to third-party providers.

In some instances, personal data disclosed to third-party providers may be inaccurate, incomplete or outdated. In such cases, the organisation shall inform the affected third-party provider as soon as practicable (i.e. upon being alerted and upon receiving the corrected data).

1.5.12 ACCESS TO AND CORRECTION OF PERSONAL DATA

If you wish to make (a) an access request for a copy of the personal data which we hold about you or for information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold, you may submit your request in writing or via email to our Data Protection Officer.

1.5.12.1 ACCESS REQUEST PROCEDURE

All access requests shall be relayed to the DPO in writing. Upon receipt of a request, we will check our records to confirm that we are holding your personal data. The request shall generally be acknowledged within 2 working days.

If the requestor is an applicant or ex-employee, we reserve the right to ask for proof of identity. If the requestor is making the request on behalf of another individual, we shall verify that the requestor has obtained valid authorisation to act on behalf of that individual.

Upon verification, we will check the reasonableness of the request. If we are unable to provide the requestor with any personal data, we shall generally inform him/her of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

If the access request is rejected, we will preserve a copy of the withheld personal data for a period of at least 30 calendar days after rejecting the access request.

In the event that an application for review is submitted to the PDPC, the following process shall be followed:

1. The PDPC determines that it will take up the review application;

2. We receive a Notice of Review Application from the PDPC; and

3. We will preserve the withheld personal data until the review is concluded and any right of the individual to apply for reconsideration and appeal is exhausted.

Depending on the type of access request, we will inform you if you are required to pay a fee for the request. Upon receipt of the payment, if applicable, we will notify the relevant personnel (i.e. Accounts, HR and/or IT Team) to process the request. The DPO will compile all relevant documents/information and respond to the request accordingly.

In general, our response will be within 30 calendar days. Should we not be able to respond to your access request within 30 days of receiving it, we will inform you in writing within those 30 days of the time by which we will be able to respond to your request.

Please note that, depending on the request being made, we need only provide you with access to the personal data contained in the documents requested, and not the entire documents themselves. In those cases, it may be appropriate for us simply to provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.

The DPO shall document the entire course of action using HR6 Personal Data Request Form for future reference.


1.5.12.2 ACCESS REQUEST FLOWCHART


1.5.12.3 CORRECTION REQUEST PROCEDURE

All correction requests shall be relayed to the DPO in writing. Upon receipt of a request, we will check our records to confirm that we are holding your personal data. The DPO shall generally acknowledge the request within 2 working days.

If the requestor is an applicant or ex-employee, the DPO reserves the right to ask for proof of identity. The request shall also be verified against supporting documents to ensure accuracy.

Depending on the personal data to be corrected, the DPO will inform the relevant internal personnel (i.e. Accounts Team, HR Team and/or IT Team) and/or external personnel (i.e. third-party agent) to process the request. Upon confirmation that the necessary correction has been made, the DPO shall respond to the request accordingly.

In general, the response will be within 30 calendar days. Should we not be able to respond to your correction request within 30 days of receiving it, we will inform you in writing within those 30 days of the time by which we will be able to respond to your request.

Please note that, depending on the request being made, we may not correct the personal data if we are satisfied on reasonable grounds that a correction should not be made. We will maintain a record of such cases and the reasons for rejection. If you are unsatisfied with our reason for rejection, you may submit an appeal for our consideration.

The DPO shall document the entire course of action using HR6 Personal Data Request Form for future reference.


1.5.12.4 CORRECTION REQUEST FLOWCHART


1.5.13 THIRD PARTY SITES

Our website may contain links to other websites operated by third parties. We encourage you to learn about the privacy policies of such third-party websites.

1.5.14 DATA BREACH MANAGEMENT

A data breach generally refers to the unauthorised access to and retrieval of information that may include corporate and personal data. Data breaches may cause the company to lose stakeholders' trust and lead to costly security failures for the company.

The organisation shall check the effectiveness of its Data Breach Management by conducting a scenario-based exercise once a year using HR4 Data Breach Checklist.

1.5.14.1 TYPES OF DATA BREACHES

1. Deliberate and unauthorised breaches:

This threat refers to an individual who intentionally accesses, alters or takes data that he/she is not authorised to. Examples:

1. Hacking incidents/illegal access to databases containing personal data.

2. Theft of computer notebooks, data storage devices or paper records containing personal data.

3. Scams that trick organisations into releasing personal data of individuals.

4. Misusing legitimate privileged access to sensitive systems and data.

5. Stealing intellectual property from business partners for personal gain.

6. Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal data stored on computer systems.

2. Unintentional and accidental breaches:

This threat refers to individuals who unintentionally or accidentally create risk through actions such as:

1. Creating weak passwords.

2. Loss of computer notebooks, data storage devices or paper records containing personal data.

3. Unauthorised access to or disclosure of personal data by employees.

4. Improper disposal of personal data (e.g. hard disks, storage media or paper documents containing personal data sold or discarded before the data is properly deleted).

5. Sending personal data to the wrong email or physical address, or disclosing data to the wrong recipient.

1.5.14.2 CIRCUMSTANCES UNDER WHICH DATA BREACH MANAGEMENT TEAM TO BE ALERTED:

1. If the organisation receives any enquiry from internal/external individuals or organisations with respect to a data breach, with substantial evidence.

2. If any unauthorised access to the data via computers/servers or physical records is detected or observed.

1.5.14.3 REPORTING A DATA BREACH INTERNALLY

All data breaches, whether suspected or confirmed, shall be reported to the Data Breach Management Team:

Cyber-related data breach:

Mr. Bimalkant Gauda – Data Protection Officer (Mobile: 9850 4668)

Ms. Leona Tan – Data Protection Officer (Mobile: 9368 9082)

Mr. S. Rathinakumar - Cyber Security Officer (Mobile: 9297 9688)

Non-cyber related data breach:

Mr. Bimalkant Gauda – Data Protection Officer (Mobile: 9850 4668)

Ms. Leona Tan – Data Protection Officer (Mobile: 9368 9082)

1.5.14.4 RESPONDING TO A DATA BREACH

1. Contain

The Data Breach Management Team shall conduct an initial assessment to determine the severity of the data breach. This includes:

• Cause of the data breach and whether the breach is still ongoing

• Number of affected individuals

• Type(s) of personal data involved

• The affected systems and/or services

• Whether help is required to contain the breach

The following Contingency Plan will come into force, where applicable:

• Isolate the system by disconnecting it from the wired or wireless Local Area Network (LAN). Where possible, disconnect rather than power off, so that logs and the running state remain available for the Assess step.

• Where possible, ensure the anti-virus signatures on the affected system are up to date and run a full anti-virus scan.

• Keep the backup systems (such as backup hard disks) ready for immediate use.

• Prevent further unauthorised access to the system. Reset passwords if accounts and passwords have been compromised.

• Isolate the causes of the data breach in the system and, where applicable, change the access rights to the compromised system.

• Stop the identified practices that led to the data breach.

Page 21: EXECUTIVE SHIP MANAGEMENT HR (SHORE STAFF MANUAL)

EXECUTIVE SHIP MANAGEMENT HR (SHORE STAFF MANUAL)

HR MANUAL Rev 22 Sec 1 Date 14/12/2020 Page: 21

• Establish whether the lost data can be recovered and steps that can be taken to minimise any

harm or impact caused by the data breach (e.g. remotely disabling a lost notebook containing

personal data of individuals)

• Engage external parties where consultation is required to contain the breach.

2. Assess

Once the data breach is contained, an in-depth assessment of the data breach shall be conducted to

assess the extent and likely impact of the data breach. The assessment shall be completed no later than

30 calendar days after establishing that there is a data breach. The assessment includes the following:

a. Context of the data breach

• Establish whose personal data had been breached

• Establish the type of personal data that was leaked

• How many people were affected?

• Were any measures in place that reduce the impact of the breach (for example, a lost device protected by encryption or a strong password)?

b. Impact on organisation

• What caused the data breach?

• When and how did the breach happen?

• Who might have gained access to the compromised personal data?

• Will compromised data affect transactions with any other third parties?

c. Data breach notification

• Does the data breach meet the criteria of data breach notification under PDPA?

• The PDPC stipulates the following criteria for data breach notification:

(a) Significant harm to affected individuals

i. Where a data breach involves any of the prescribed personal data, the organisation will be required to notify the affected individuals and the PDPC of the data breach. The prescribed personal data are an individual’s full name or full national identification number in combination with any of the following:

- Financial information which is not publicly disclosed;

- Life/health insurance information which is not publicly disclosed;

- Specified medical information (e.g. an assessment or diagnosis made by a medical professional);

- Information that identifies a vulnerable adult, child or young person who is the subject of an investigation, or that relates to court proceedings involving a child or young person; and

- Private key used to authenticate or sign an electronic record or transaction.


ii. Individual’s account information in combination with any required biometric data, security code, access code, password or answer to a security question used to permit access to or use of the account, where the account can subsequently be misused for fraudulent transactions or to access any information in point (a)(i).

(b) Significant scale of breach

i. Data breaches that meet the criteria of significant scale are those that involve the personal data of 500 or more individuals. Where a data breach affects 500 or more individuals, the organisation is required to notify the PDPC, even if the data breach does not involve any prescribed personal data in points (a)(i) and (a)(ii).

ii. If an organisation is unable to determine the actual number of affected individuals in a

data breach, the organisation should notify the PDPC when it has reason to believe that

the number of affected individuals is at least 500. This may be based on the estimated

number from a preliminary assessment of the data breach. The organisation may

subsequently update the PDPC of the actual number of affected individuals when it is

established.

3. Report

Identifying Need to Notify

Where applicable, the organisation shall notify the PDPC and/or affected individuals of the data breach if:

• it is likely to result in significant harm or impact to the individuals to whom the information relates; or

• it is of a significant scale (i.e. the data breach involves the personal data of 500 or more individuals).

When to Notify

• The PDPC: as soon as practicable, and no later than 3 calendar days after establishing that the data breach is likely to result in significant harm or impact to the individuals to whom the personal data relates, or is of a significant scale.

• Affected individuals/others (e.g. family members): where applicable, as soon as practicable.

How to Notify

• To the PDPC: submit the notification at https://eservice.pdpc.gov.sg/case/db. For urgent notification of major cases, organisations may also contact the PDPC at +65 6377 3131 during working hours.

• To affected individuals/parents: depending on the situation, the most effective way to reach the affected individuals will be used (e.g. media releases, social media, e-mails, telephone calls, faxes and letters).

Details to be Included

To the PDPC:

• Extent of the data breach;

• Type(s) and volume of personal data involved;

• Cause or suspected cause of the breach;

• Whether the breach has been rectified;

• Measures and processes that the organisation had put in place at the time of the breach;

• Information on whether affected individuals of the data breach were notified and if not, when the organisation intends to do so; and


• Contact details of person(s) whom the PDPC could contact for further information or clarification.

To affected individuals/parents:

• How and when the data breach occurred;

• Types of personal data involved in the data breach;

• What the organisation has done or will be doing in response to the risks brought about by the data breach;

• Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused;

• Contact details and how affected individuals can reach the organisation for further information or assistance (e.g. helpline numbers, e-mail addresses or websites); and/or

• Where applicable, what type of harm/impact the individual may suffer from the compromised data.

4. Evaluate

An essential part of following up a data-breach incident is to document, communicate and build on lessons learned. This should be viewed as an ongoing process in order to learn from previous mistakes, incidents and experiences.

Communication to all stakeholders should be clear, concise and focused on problem resolution and control

improvement. It should clearly identify any gaps that remain and propose efforts to mitigate them.

An action plan should be created that explains how the organisation will leverage lessons learned from the

incident to become more resilient in the face of future breaches. The action plan should include projects or

initiatives, technical and nontechnical, that will help reduce the chance of a successful breach and respond

to a breach more rapidly and effectively. In the event of a cyber-related breach, analysis of the incident

should consider whether technical capability gaps contributed to the success of the breach or whether

people or process gaps were the main culprit.

1.5.14.5 DATA BREACH DISCOVERED BY DATA INTERMEDIARIES

In the event that a data breach is discovered by a Data Intermediary (DI) processing personal data on

behalf of our organisation, the DI is required to notify our data breach management team without undue

delay from the time it has credible grounds to believe that the data breach has occurred.

The data breach management team shall take immediate, necessary actions to contain the breach and

assess whether the breach is notifiable to the PDPC and affected individuals. The actions to be taken are stipulated in HR Manual Section 1.5.14.4.

1.5.15 GOVERNING LAW

This Notice and our data protection policy shall be governed in all respects by the laws of Singapore.

Nothing in this notice limits or seeks to limit your rights under the Act.

Subject to your rights at law, you agree to be bound by the prevailing terms of our data protection policy.


1.5.16 ENQUIRY OR COMPLAINTS HANDLING PROCEDURE

If you have any questions, feedback, queries or complaints relating to your personal data or our data

protection policy, you may call or write to our Data Protection Officer (DPO) at Email address:

[email protected].

Primary Contact (Main DPO)

Mr. Bimalkant Gauda, HR Department

Secondary Contact

Mr. Subramanian Rathinakumar, IT Department

Ms. Leona Tan, HR Department

Upon receipt of an official complaint or email, the DPO shall endeavour to acknowledge receipt within 1 working day.

If required, further information may be requested from the sender to evaluate the nature of enquiry or

complaint.

If the email is related to a general query or complaint, the DPO shall respond to the sender within 10 working

days. Where applicable, relevant policies will be reviewed and revised as necessary with management’s

approval.

During the investigation of a complaint, if there is any indication of a possible data breach, the DPO shall initiate the Data Breach Management Procedure (HR Manual Section 1.5.14.4) using the HR4 Data Breach Checklist no later than 3 calendar days after that indication. Where applicable, relevant policies and the Data Breach Management Plan will be reviewed and revised as necessary with management’s approval.

The DPO shall document the entire course of action using HR6 Personal Data Request Form for future

reference.


1.5.17 ENQUIRY OR COMPLAINTS HANDLING FLOWCHART