KES respects the privacy of individuals and recognizes
the importance of the personal data you have entrusted to us, and believes that
it is our responsibility to properly manage, protect, process and disclose your
personal data. We are committed to adhering to the provisions and principles of
the Personal Data Protection Act 2012.
PURPOSE
This policy deals with the following matters:
- Having reasonable purpose, notifying purposes and
obtaining consent for the collection, use or disclosure of personal data;
- Allowing individuals to access and correct their personal data;
- Taking care of personal data (which relates to ensuring accuracy), protecting personal data (including protection in the case of international transfers) and not retaining personal data if no longer needed; and
- Having practices to comply with the PDPA.
DEFINITION
“Personal Data”,
as defined in the Personal Data Protection Act 2012 (the “PDPA”), means
personal information, whether true or not, about an individual who can be
identified from that data; or from that data and other information to which the
organization has or is likely to have access.
Examples of personal data include:
- Name
- Address
- NRIC/FIN/Passport number
- Photograph or video image
- Mobile/Telephone number
- Personal email addresses
- Thumb print and DNA profile
OVERVIEW OF DATA PROTECTION PROVISIONS
The data protection provisions contain nine
main obligations which the organization is required to comply with when we
undertake activities relating to the collection, use or disclosure of personal
data. These obligations are summarized below:
- The Consent Obligation – the organization
must obtain the consent of the individual before collecting, using or
disclosing his/her personal data for a purpose.
Personal data may be collected by the
organization from an individual in one or more of the following ways:
- when we receive information about the individual from 3rd party social networking
services when he/she chooses to connect with those services;
- when the individual requests that we contact him/her, be included in an email;
- when we receive references from business partners and third parties, for example, where the
individual has been referred by them;
- during CCTV recordings when the individual visits our premises, which will be only for security and safety reasons;
- when the individual submits his/her Personal Data to us for any other reasons; and/or
- when we collect the individual’s Personal Data by other lawful means.
We will not collect Personal Data without
the individual’s consent. However, this requirement does not apply if consent
is not required under written law.
- The Purpose Limitation Obligation – the organization must collect, use or disclose personal data about an
individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
The organization may collect, use and/or disclose an individual’s Personal Data for the following purposes:
- To respond and deal with enquiries, especially job application related;
- To enforce our legal rights and obligations;
- For other purposes for which we have obtained the individual’s consent.
Individual’s Personal Data may be disclosed
for the purposes indicated above to our employees, third parties, overseas
subsidiaries, service providers, which include without limitation, the
following entities:
- Banks;
- Relevant government regulators or authorities or law enforcement agencies;
- Our insurers and advisors, including consultants, auditors and lawyers;
- Any other party to whom the individual authorizes us to disclose his/her Personal Data to.
Save for relevant government regulators and
authorities or law enforcement agencies, we will ensure that such parties
receiving the individual’s Personal Data are under a duty of confidentiality to
us with respect to the use, holding, processing, retention and/or transfer of
his/her Personal Data, and have the need to know or handle such Personal Data.
- The Notification Obligation – the organization must notify the individual of the purpose(s) for
which it intends to collect, use or disclose the individual’s personal data on
or before such collection, use or disclosure of the personal data.
The organization endeavours to notify the
individual about the purpose of collecting, using or disclosing the Personal Data
during the collection of such information.
- The Access and Correction Obligation – the organization must, upon request,
- provide an individual with his/her personal data in the possession or under the control of the organization and information about the ways in which the personal data may have been used or disclosed during the past year; and
- correct an error or omission in an individual’s personal data that is in the possession or under the control of the organization.
The organization endeavours to provide the
individual with an account of their Personal Data that is in our possession or
control.
- The Accuracy Obligation – the organization
must make a reasonable effort to ensure that personal data collected by the
organization is accurate and complete if the personal data is likely to be used
by the organization to make a decision that affects the individual concerned or
disclosed by the organization to another organization.
The organization endeavours to ensure the
individual’s Personal Data we use is sufficiently accurate and complete in
making any decision that impacts him/her. To maintain the accuracy of Personal
Data, we encourage all employees, suppliers and customers to inform us when
there is any change to the Personal Data which they have provided to us, by informing
the DPO. The organization will correct or complete the individual’s Personal
Data as soon as reasonably practicable.
- The Protection Obligation – the organization must protect personal data in its possession or under its
control by making reasonable security arrangements to prevent unauthorized
access, collection, use, disclosure, copying, modification, disposal or similar
risks.
We endeavour to protect Personal Data in
our possession or control against risks of unauthorized access, collection,
use, disclosure, copying, modification, disposal or destruction, through
reasonable and appropriate security measures. We strive to ensure that our
systems are secure and that they meet industry standards. To prevent
unauthorized access, maintain data accuracy and ensure the correct use of
information, we have put in place appropriate physical, electronic, and management
procedures to safeguard and secure the Personal Data we collect.
- The Retention Limitation Obligation – the organization must cease to retain documents containing personal data, or
remove the means by which the personal data can be associated with particular
individuals as soon as it is reasonable to assume that:
- the purpose for which the personal data was collected is no longer being served by retention of the personal data, and
- retention is no longer necessary for legal or business purposes.
We will retain an individual’s Personal
Data for as long as is necessary or relevant for business or legal
purposes.
- The Transfer Limitation Obligation – the organization must not transfer personal data to a country or territory
outside Singapore except in accordance with the requirements prescribed under
the PDPA.
Personal Data of an individual may be
transferred, stored and/or processed overseas, our subsidiary included, and
he/she consents to such transfer, storage and/or processing of his/her Personal
Data outside Singapore. We will, however, ensure that any party to whom we
transfer the Personal Data outside Singapore provides a standard of protection
at least comparable to the protection under the Act. This includes without
limitation ensuring that any party coming into contact with the Personal Data
outside Singapore:
- Complies with the Act;
- Takes all appropriate measures to ensure such compliance by implementing such data handling procedures;
- Protects the Personal Data by making reasonable security arrangements to prevent unauthorized access, use, disclosure or modification.
- The Openness Obligation – the organization must implement the necessary policies and procedures
in order to meet its obligation under the PDPA and shall make information about its policies and procedures publicly available.
The Act also imposes certain
responsibilities on all those who process personal data in the organization.
These obligations include holding and using data in a secure manner, making sure
that data is handled in line with what individuals have been told, having appropriate
arrangements in place for the access to (and sharing of) data, and making sure
that individuals’ data is accurate and retained for a suitable period. If a
data breach occurs (e.g. personal data is lost, stolen, inadvertently disclosed
to an external party, or accidentally published), this should be reported
immediately to the DPO so that the circumstances can be reviewed and liaison
with both internal and external authorities can be carried out.
The organization implements this Policy and procedures diligently.
CONTACTING US
If you have any questions or complaints relating to the use or disclosure of your Personal Data, or if you
wish to know more about our data protection policies and practices, please contact our Data Protection Office via email at
dpo.kes93@sunright.com