Personal Data Protection for your Church
Benjamin Ang
www.visual-lawschool.com

Posted on 16-Jul-2015

TRANSCRIPT


What is Personal Data?

• Data about an individual who can be identified
  • from that data; or
  • from that data and other information to which the organisation has or is likely to have access.

• Examples:
  • Name
  • NRIC
  • Telephone number
  • Photograph
  • Address
  • E-mail
  • Social media ID
  • Medical history
  • Criminal record

Who is NOT covered by PDPA?

• Any individual acting on a personal or domestic basis.

• Any employee acting in the course of his or her employment.

• Any public agency.

• Business contact information:
  • name,
  • position name or title,
  • business telephone,
  • business address,
  • business e-mail address.

1. Consent Obligation

Hi, new visitor. We are COLLECTING your Personal Data, and we are going to USE it to invite you to Church events. We may DISCLOSE it to Church staff. Do you consent?

OK, but what if I change my mind?

You can WITHDRAW at any time.

• An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.

• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.

2. Purpose Limitation Obligation

Please give us your NAME, PHONE NUMBER, and ADDRESS.

Sure.

Also give us your BLOOD TYPE. Or else you can’t come back.

• An organisation may collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent.

• An organisation may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.

3. Notification Obligation

Hi, we want to invite you to our Church Musical!

We want to invite your kids to attend Bible Camp!

Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data.

4. Access and Correction Obligation

Hi, please let me know who you’ve given my personal data to. Please also correct the typo in my name.

• Upon request, the personal data of an individual and information about the ways in which his or her personal data has been or may have been used or disclosed within a year before the request should be provided.

• However, organisations are prohibited from providing an individual access under certain risky situations listed in the Act.

• Organisations are also required to correct any error or omission in an individual’s personal data upon his or her request.

5. Accuracy Obligation

Make reasonable effort to ensure that personal data collected by or on behalf of your organisation is accurate and complete, if it is likely to be used to make a decision that affects the individual, or if it is likely to be disclosed to another organisation.

6. Protection Obligation

Can I copy the names and phone numbers of all of our members onto my thumbdrive, so I can call them any time for soccer?

Sorry, no.

Wow, did you know that XYZ lives in a huge mansion?

Make reasonable security arrangements to protect the personal data that your organisation possesses or controls to prevent unauthorised access, collection, use, disclosure or similar risks.

7. Retention Limitation Obligation

Hi, I’ve moved to the other side of the country and I will be going to church there. Please remove my data.

Okay.

Cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose.

8. Transfer Limitation Obligation

Don’t worry, if you transfer the personal data to us, we have the same policies and safety arrangements as you.

Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection provided to the personal data so transferred will be comparable to the protection under the PDPA, unless exempted by the PDPC.

9. Openness Obligation

What are your data protection policies?

What if I need to make a complaint?

Ask me, I am the DATA PROTECTION OFFICER.

• Make information about your data protection policies, practices and complaints process available on request.

• Designate one or more individuals as a Data Protection Officer to ensure that your organisation complies with the PDPA, including the implementation of personal data protection policies within your organisation.

• The business contact information of at least one of such individuals should also be made available to the public. Please note that compliance with the PDPA remains the responsibility of the organisation.

Existing Data

I gave you my personal data in 1995 when I joined the Church.

We are now going to use it for a new purpose …

• Your organisation may continue to use personal data that has been collected before the data protection provisions of the PDPA came into effect on 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a different purpose for the use of the personal data, consent has to be obtained anew.

How the Church can Manage Personal Data

DPO:
• Handle queries/complaints
• Tell others about the policies
• Make good policies

Step 1 - Appoint a Data Protection Officer

• Designate at least one person to develop your organisation’s personal data policies and oversee your organisation's compliance with the PDPA. This person may be an existing employee in your organisation, and his or her role may include the following:
  • Developing good policies for handling personal data in electronic and/or manual form, that suit your organisation’s needs and comply with the PDPA;
  • Communicating the internal personal data protection policies and processes to customers, members and employees;
  • Handling queries or complaints about personal data from customers, members and employees;
  • Alerting your organisation to any risks that might arise with personal data; and
  • Liaising with the PDPC, if necessary.

Step 2 - Map out a Data Inventory

• WHAT did we collect?

• HOW did we collect it? (Did we get consent?)

• WHAT are we using it for?

• WHO did we share it with?

• WHO has access to it?

• WHERE are we storing it?

• HOW LONG are we storing it?

Step 3 - Implement Data Protection Processes

Do our actions match the PDPA?

• Collection, Use and Disclosure
• Access and Correction
• Care for Data

Must the Church check the Do Not Call Registry?

Messages that are covered:

• Offers to supply or promote goods or services

• Advertising/promoting suppliers

• Promoting business or investment opportunities

Messages that are NOT covered:

• pure market survey or research

• charitable or religious causes

Does DNC Apply?

Do you want to buy tickets to our Church Musical?

Do your kids want to attend Bible Camp?

Can I share the Good News of Jesus Christ with you?

• Invitation to attend Bible camp = charitable or religious causes = not covered by DNC

• Sharing the gospel = charitable or religious causes = not covered by DNC

• Selling tickets to a musical = Offers to supply or promote goods or services = covered by DNC

Special cases: Photographs (e.g. Church events)

I’m taking personal photos.

I’m taking official photos.

We’re at the wedding.

We’re at the open field.

• Example: Deemed consent for photo-taking at private function

• Organisation ABC holds a private function for a select group of invited clients and wishes to take photographs of attendees for its internal newsletter. If Organisation ABC intends to rely on deemed consent, measures that Organisation ABC may take to better ensure that the attendees are aware of (and accordingly, more likely to be deemed to have consented to) the purpose for which their photographs are collected, used and disclosed, could include:
  • a) Clearly stating in its invitation to clients that photographs of attendees will be taken at the function for publication in its internal newsletter; or
  • b) Putting up an obvious notice at the reception or entrance of the function venue to inform attendees that photographs will be taken at the event for publication in its internal newsletter.

Special cases: Photographs (e.g. Church events)

• Good practices to get consent
  • State in your invitation that photos will be taken
  • Put an obvious notice at the event
  • Posing for photo = implied consent

I’m taking official photos.

I love posing.

Can I take a selfie?

• Example: Posing for photo-taking

• Kevin attends Organisation ABC’s private function. During the function, Organisation ABC’s photographer informs Kevin that she is taking photographs for publication in Organisation ABC’s internal newsletter, and asks Kevin to pose for his photograph to be taken. By voluntarily posing for his photograph to be taken, Kevin would be deemed to have given consent for the photograph to be collected, used or disclosed for the stated purpose.

Special cases: Minors (e.g. Sunday School, Youth)

• The PDPA does not specify an age of consent.

• The Commission will adopt the practical rule of thumb that a minor who is at least 13 years old can consent on his own behalf.

• As a general guide, for minors under 13, obtain consent from a parent or guardian.

• Even for minors 13 and above, do not apply undue influence on the minor.

You must give us your particulars, otherwise we won’t be your friends.

DPO:
• Handle queries/complaints
• Tell others about the policies
• Make good policies

Appoint a Data Protection Officer and work together.