Outline of NUSSU commIT’s Personal Data Protection Policy
Personal Data Protection Act 2012 (PDPA) of Singapore came into effect on July 2nd, 2014. PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognizes both the rights of individuals to protect their personal data and also the needs of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.
As part of the compliance effort by National University of Singapore (NUS), a Compliance Guidelines, Policies and Processes was devised to deal with the PDPA. Those guidelines are enforced to all student organizations in NUS and are part of the student leaders’ obligations.
As a student organization which provides IT services to the NUS community, NUSSU commIT is of no exception. With the understanding that NUSSU commIT has its own unique operations and organisational complexities, NUSSU commIT Personal Data Protection Policy is crafted. It sets out how NUSSU commIT comply with the provisions of the Personal Data Protection Act 2012 (PDPA) of Singapore and NUS Compliance Guidelines and Policies. Through this, NUSSU commIT aims to address the concerns of their members and to maintain their trust in the personal data management by NUSSU commIT.
This policy will set out how NUSSU commIT manage their members’ Personal Data, the types of Personal Data to be collected, used, disclosed and/or retained, how and when NUSSU commIT collect, use, disclose and/or retain their members’ Personal Data, and the purpose(s) for which NUSSU commIT collect, use, disclose and/or retain their members’ Personal Data.
From time to time, update of this Personal Data Protection Policy may be done to ensure the consistency of the policy with Singapore and NUS regulatory changes.
What is Personal Data?
“Personal Data” refers to any information about an individual from which the individual can be identified with, either provided directly by the individual or from other legally accessible sources of information.
In this Personal Data Protection Policy, “Personal Data” will include but not limited to:
- Name, NRIC/FIN, Matriculation Number, Passport Number or other identification numbers, telephone/mobile number, email address, home address, mailing address and any other information related to the individuals which he/she has provided in any forms of interactions;
- Personal Data of family members or guardians;
- Information relating to payments, such as bank account number, debit and credit card information.
Collection of Personal Data
Collection of Personal Data by NUSSU commIT will always be done after consent are given by whom whose personal data is intended to be collected, either verbally or in written form.
In NUSSU commIT, collection of Personal Data may be done:
- During registration for NUSSU commIT memberships;
- During registration for NUSSU commIT workshops;
- During registration for NUSSU commIT welfare events;
- During registration for NUSSU commIT major events;
- Through photographs taken during application interview, training workshops, welfare and major events for documentation purposes
- When requested by the main committee for accuracy checking purposes;
- When there are other valid reasons for the collection purposes.
Platforms used in the collection of personal data (Verbal or Written) are:
- Consent and Indemnity Forms
- commIT Duty Website
- commIT Emails
- Social Media Platform (e.g. Facebook or Whatsapp, as consented by whom whose personal data is intended to be collected)
- Verbal Collection through Phone Calls (as consented by whom whose personal data is intended to be collected)
Purpose of Personal Data collected
Personal Data collected by NUSSU commIT will be used for the following purposes, but not limited to:
- To manage commIT membership including recruitment, interview, processing and termination of the membership when requested;
- To provide necessary information to NUSSU when required and requested;
- To assist in scheduling purposes e.g. duty schedule, meeting, etc;
- To provide information required for duty payment;
- To provide information required for reimbursement purposes;
- To provide individuals with trainings and workshops information;
- To provide members with welfare events information;
- To provide members with major events information;
- To conduct feedbacks and surveys;
- To keep members updated with volunteer, job, and events opportunities;
- To assist with enquiries;
- Photographs for event documentation purposes;
- To provide evidence or future references when requested by authorized parties;
- To comply with NUS and Singapore Regulations.
Accuracy of Personal Data
NUSSU commIT will make a reasonable effort to ensure that personal data collected is accurate, complete and up-to-date. The accuracy of the personal data will be ensured when it needs to be disclosed to authorized parties.
Individuals, who sign, agree and give consent for NUSSU commIT to access their personal data, are responsible to provide an accurate and updated personal data at the time of consent. They are also required to update NUSSU commIT when their personal data change.
In the event when inaccurate personal data is found, NUSSU commIT will request for the updated information from the individuals within 24 hours and update the information in NUSSU commIT database within 5 working days after the updated information is received.
Personal Data of NUSSU commIT members will be checked and verified at the beginning of each semester i.e two times in one academic year to ensure the accuracy of members’ personal data.
Access, Correction and Update of Personal Data
Individuals have a right to request for access from NUSSU commIT the following:
- Their details of personal data that is in NUSSU commIT’s possession or control;
- The information on how NUSSU commIT has used or disclosed, or may have used or disclosed such personal data, in the 1 year preceding the date of the individual’s request.
When individuals have changed their personal data, they are obliged to update NUSSU commIT in writing, either in electronic or physical form of writing. The request will be processed and confirmation reply will be sent to the individuals within 5 working days after NUSSU commIT receive the request. Updating of database information will be within the stated time frame as well.
In the event that the individual’s personal data has been disclosed to the third parties prior to the update or correction, NUSSU commIT will have the responsibility to inform the related third parties regarding the update or correction.
All requests for access, correction and update of personal data should be in writing, either in electronic or physical form of writing.
Disclosure of Personal Data
NUSSU commIT respects the confidentiality of the personal data that is provided to us.
NUSSU commIT will not disclose any of the individual’s personal data to any third parties without first obtaining his/her consent. However, disclosure of personal data can be done without prior consent in following situations (which is not exhaustive):
- When disclosure is required based on the laws and regulations;
- When disclosure is required by NUS Students’ Unions and its affiliations;
- When disclosure is required for investigation purposes;
- When disclosure is deemed appropriate and in individual’s interests by NUSSU commIT, if and only when a timely consent by the individual cannot be obtained.
When individuals’ personal data is being disclosed to the third parties, NUSSU commIT will employ their best effort to ensure that the third parties exercise the protection of their personal data.
Retention of Personal Data
Individual’s personal data would be retained as long as the individuals are still members of NUSSU commIT for the reason to provide the services outlined above.
Period of retention and accessibility to the information will apply according to the timeline stated in the next section, following which the rationale for the retention will be stated.
Removal of Personal Data
Time effect of the removal of individual’s Personal Data would depend on the relation of the individual to NUSSU commIT .
Personal data provided by unsuccessful applicants will be removed 1 month after the start of the recruitment period. Promising applicants would be placed on the waiting list and may be selected as a member should any of the selected new members refuse to take up membership.
Personal data provided in duty claim form will be kept for 5 years for audit purposes. This will include name, phone number, email address, bank account details and address listed in the duty claim hardcopy form and the softcopy details accessible to only Treasurer and Assistant Treasurer of NUSSU commIT. Other softcopy and hardcopy information handled by other positions will be removed.
Personal data, with the exception of those provided in duty claim form, provided by NUSSU commIT’s members will be removed within 1 month after he/she cease to be a member of NUSSU commIT. NUSSU commIT define end of membership as the time when members requested, verbally or in writing, to their respective cell heads, that they are not planning to continue as a NUSSU commIT member.
Personal data provided by workshop applicants will be removed at the end of the workshop they registered for unless they explicitly request to subscribe to NUSSU commIT’s mailing list for latest updates on our workshops and major events. Personal data of NUSSU commIT’s mailing list subscribers will be removed in the upcoming academic semester.
Review and Update of Personal Data Protection Policy
NUSSU commIT reserve the right to update and amend this Personal Data Protection Policy from time to time. NUSSU commIT will notify affected parties of any amendments to this Personal Data Protection Policy via announcements on our website or other appropriate means.
This policy will be reviewed at the end of every Academic Year to determine its appropriateness for the needs of NUSSU commIT. NUSSU commIT will also take the responsibility to update their personal data protection policy to abide by the latest changes of the Personal Data Protection Act.