Error
  • JUser: :_load: Unable to load user with ID: 1308

FAQs - Data Protection

Frequently Asked Questions (Member/Employee related)

 

1. What are the types of Member information kept by The Club about me?

 

The following are examples of personal data kept by The Club:

-          Full name

-          NRIC or FIN

-          Passport number

-          Photograph or video image

-          Mobile telephone number

-          Personal email address

-          Credit Card information

-          Bank Account information (GIRO payments)

-          Name and residential address

-          Name and residential telephone

 

2. Do I need to do anything immediately?

 

There are two parts to the answer. Firstly, if you are a Member, the answer is no. The Club has been and will continue to safeguard your data and to make sure that it is only used for the intended and communicated purposes. As a Member, you have access to information that you have voluntarily shared via Membership Application Form. Throughout the course of your membership, The Club may collect information about you and your interactions with staff via the daily Duty Manager’s Report or through Incident Reports (e.g. accidents) and that information is not covered under the PDPA, meaning, Members do not have access to that information. If you wish to view the rest of your personal data provided by you during the membership application process, you may do so in writing via email to dataprotection@amclub.org.sg

 

As an individual and not a Member, you are entitled to ask organizations to stop sending you telemarketing messages (Voice/SMS/FAX). However, organizations are allowed to send you marketing messages if there is an existing relationship. For example, if you have taken a loan from a bank in the past, the bank may continue to send you marketing messages about credit cards and other loan information until you inform them otherwise.

 

3. I run a business myself, what’s protecting me from unreasonable requests to access personal data?

 

The PDPA does protect organizations from unreasonable requests. There are many exceptions to the Access obligation. Under PDPA, organizations may charge an administrative fee to process a request. Organizations are also not required to provide access if the request is frivolous or vexatious, or if the burden or expense of providing access would be unreasonable to the organization or disproportionate to the individual’s interest.

 

Scenario 1

Member, John Doe would like to access CCTV footage while he was at the Lobby on a Sunday afternoon while waiting for his turn to enter the Eagle’s Nest. In this instance, The Club has every right to reject his request for access because it is considered frivolous. John did not seek access to the CCTV due to an accident or because an item belonging to him was stolen. He was requesting access for the fun of it. Such requests will be rejected.

 

Scenario 2

Member, Jane Doe would like to access CCTV footage because she lost her iPhone while she was at the Lobby on a Sunday afternoon while waiting for her turn to enter the Eagle’s Nest. While she has cause and the right to access In this instance, The Club has to reject her request for access because there are many other Members in the Lobby at that time. In order to let her view the footage, The Club would need to seek the permission of everyone at the Lobby and that would potentially be vexatious to other Members. In this instance, The Club can conduct the investigation on the Member’s behalf and inform the Member of the results of the investigation.

 

3. If I think my personal data has been comprised at The Club, who should I contact?

 

Please contact The Club’s Data Protection Officer via email at dataprotection@amclub.org.sg.

 

4. What happens to the information of prospective Members/Employee who apply and don’t join eventually?

 

According to The Club's Data Retention Policy, The Club will destroy the records by shredding the information after a period of three months.

 

For unsuccessful job applicants, The Club will only keep information for a period of three months after which, the information such as CV, educational certificates or other supporting documents will be shredded completely.

 

5. What are some of the policies you have put in place to safeguard the personal data of Members, prospective member, employees and job applicants?

 

A total of 20 policy papers have been developed for Members, employees and job applicants to meet the 9 obligations of the Act. The policies and procedures will be implemented across the departments that are responsible for the collection and use of personal data. These departments include Membership, Finance, Information Technology, Marketing and People Developer (PD).

 

6. What about emails and are they covered under the Act?

 

Emails are covered under the Spam Control Act (SCA) which sets out a framework to manage unsolicited commercial electronic messages sent in bulk through electronic mail, text and multimedia messaging, otherwise known as "spam". The SCA requires organizations to, among others, provide an unsubscribe facility within an email message and include an header in the subject field of the message or where there is no subject field, as the first words in the message.

 

If you do not wish to receive email messages from the Club, you may do so in writing by sending an email to info@amclub.org.sg. We highly encourage our Members to not unsubscribe to emails from the President, General Manager, Annual General Meeting Notices and What’s On. These messages are important to keep Members apprised of what’s happening at The Club.

 

 

(Adapted from the PDPC website – For detailed list, please click here.)

 

1. What is 'personal data'?

 

Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access.

 

This includes unique identifiers (e.g. NRIC number, passport number); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual.

 

For example, Jack Lim, 36 years old, civil servant, lives at Block 123 Bishan Street 23.

 

2. When will the Personal Data Protection Act (PDPA) come into force?

 

To allow time for organizations to adjust to the new law, the PDPA will be implemented in phases. The provisions relating to the Do Not Call (DNC) Registry came into effect on 2 January 2014 and the provisions relating to the personal data protection will come into force on 2 July 2014.

 

3. What are the objectives of the PDPA?

 

Complementing sector-specific frameworks, the PDPA will safeguard individuals’ personal data against misuse by regulating the proper management of personal data. Generally, individuals have the right to be informed of the purposes for which organizations are collecting, using or disclosing their personal data, giving individuals more control over how their personal data is used.

 

The PDPA also aims to enhance Singapore’s competitive advantages as a location for data hosting and management activities by strengthening Singapore’s reputation as a secure location for data, and giving assurance to businesses looking for safeguards to protect sensitive data sets.

 

4. What is 'deemed' consent?

 

An individual is deemed to consent to the collection, use or disclosure of personal data by an organization for a purpose if the individual voluntarily provides the personal data to the organization for that purpose; and it is reasonable that he or she would do so, example would be the providing of information via the Membership Application Form to join The Club.

 

For example, an individual seeking medical treatment in a medical facility, such as a clinic or hospital, would voluntarily provide his or her personal data for the purpose of seeking medical treatment. He or she would also have deemed to have consented to the collection and use of his or her personal data by the medical facility hospital for that purpose.

 

5. What can an organization do with respect to existing personal data collected before the effective date of the data protection rules on 2 July 2014?

 

Generally an organization can continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.

 

Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organization or individual, unless any exception applies. The exceptions from the need to seek consent for collection, use or disclosure are set out in the Second, Third and Fourth Schedule of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.

 

As an example, if a company has been using its customer’s personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose.

 

Access & Correction

 

6. Must an organization always provide access to an individual's personal data when a request is made?

 

An organization is required to respond to an access request in respect of personal data in its possession as well as personal data that is under its control.

 

However, organizations are prohibited from providing an individual access if the provision of the data could reasonably be expected to:

 

  • - cause immediate or grave harm to the individual’s safety or physical or mental health;
  • - threaten the safety or physical or mental health of another individual;
  • - reveal personal data about another individual;
  • - reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
  • - be contrary to national interest.

 

In addition, there are cases where organizations may deny access requests.

 

For example, organizations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organization. There are also exclusions for access to and correction in respect of any examination conducted by an education institution, examination scripts and examination results prior to their release. Organizations may also refuse access to or correction of opinion data kept solely for an evaluative purpose as defined in the PDPA.

 

The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.

 

7. What personal data must an organization provide when an individual submits an access request?

 

An organization that receives an access request from an individual is required to provide the information requested by the individual. This may include:

 

  • - some or all of the individual’s personal data (as specified in the request); and
  • - information about the ways the personal data has been or may have been used or disclosed by the organization (as specified in the request).
  •  

8. Can an organization charge a fee for access and correction requests?

 

Organizations may charge an individual a minimal fee for access to personal data about the individual. The purpose of the fee is to allow organizations to recover the incremental costs of responding to the access request. There is no prescribed amount of fees imposed on organizations, to allow for greater flexibility; organizations should exercise their discretion in deriving the minimal fee they charged based on their incremental costs of providing access.

 

Care of Personal Data

 

9. How long can an organization retain its customers' personal data for?

 

The PDPA does not prescribe the retention period. However, an organization shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention; and retention is no longer necessary for business or legal purposes.

 

10.So what has The Club done to meet compliance?

 

Data protection is not new to The Club. All the major departments including Membership Office and the People Development Departments have implemented stringent procedures over the years in accordance to other statutory guidelines prior to the enactment of the Personal Data Protection Act 2012. In fact, The Club has not only met but exceeded the minimum requirements of the Act. An example would be other organization’s use of telephone/SMS/fax to market products and services to customers. The Club has deliberately steered away from using these platforms to promote products and services to the Membership.

 

The Club has also appointed a member of the Senior Management team to oversee the implementation of the Club’s policy. Realizing that Data Protection is not only the responsibility of one individual or one department, The Club has also convened a Data Protection Committee (DPC) reporting to the Data Protection Officer (DPO). The committee is made up of department heads who have attended Data Protection Workshops and briefing conducted by the Personal Data Protection Commission.

 

The Club has and will continue to work with our Club appointed lawyers to get the latest information pertaining to the Act and to make adjustments to the policies and procedures governing the collection, use and disclosure of Personal Data.