KES (1993) Logo
Precise & Efficient
Personal Data Protection Policy    

KES respects the privacy of individuals and recognizes the importance of the personal data you have entrusted to us and believe that it is our responsibility to properly manage, protect, process and disclose your personal data. We are committed to adhering to the provisions and principles of the Personal Data Protection Act 2012.

PURPOSE

This policy deals with the following matters:

    1. Having reasonable purpose, notifying purposes and obtaining consent for the collection, use or disclosure of personal data;
    2. Allow individuals to access and correct their personal data;
    3. Taking care of personal data (which relates to ensuring accuracy), protecting personal data (including protection in the case of international transfers) and not retaining personal data if no longer needed; and
    4. Having practices to comply with the PDPA.

DEFINITION

“Personal Data”, as defined in the Personal Data Protection Act 2012 (the “PDPA”), means personal information, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or likely to have access.

Examples of personal data include

    1. Name
    2. Address
    3. NRIC/FIN/Passport number
    4. Photograph or video image
    5. Mobile/Telephone number
    6. Personal email addresses
    7. Thumb print and DNA profile

OVERVIEW OF DATA PROTECTION PROVISIONS

The data protection provisions contain nine main obligations which the organization is required to comply with when we undertake activities relating to the collection, use or disclosure of personal data.  These obligations are summarized below:

  1. The Consent Obligation – the organization must obtain the consent of the individual before collecting, using or disclosing his/her personal data for a purpose

    2. Personal data may be collected by the organization from individual in one or more of the following ways:

    1. when we receive information about the individual from 3rd party social networking services when he/she choose to connect with those services;
    2. when the individual request that we contact him/her, be included in an email;
    3. when we receive references from business partners and third parties, for examples, where the individual has been referred by them;
    4. during CCTV recordings when the individual visits our premises will be only for security and safety reasons;
    5. when the individual submits his / her Personal Data to us for any other reasons; and/or
    6. when we collect the individual Personal Data by other lawful means.

    We will not collect Personal Data without the individual’s consent. However, this requirement does not apply if consent is not required under written law.

  1. The Purpose Limitation Obligation – the organization must collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.

    2. The organization may be collected, used and/or disclosed an individual’s Personal Data for the following purposes:

    1. To respond and deal with enquiries, especially job application related;
    2. To enforce our legal rights and obligations;
    3. For other purposes which we have obtained the individual’s consent

    Individual’s Personal Data may be disclosed for the purposes indicated above to our employees, third parties, overseas subsidiaries, service providers, which include without limitation, the following entities:

    • Banks
    • Relevant government regulators or authorities or law enforcement agencies;
    • Our insurers and advisors, including consultants, auditors and lawyers;
    • Any other party to whom the individual authorizes us to disclose his/her Personal Data to.

    Save for relevant government regulators and authorities or law enforcement agencies, we will ensure that such parties receiving the individual’s Personal Data are under duty of confidentiality to us with respect to the use, holding, processing, retention and/or transfer of his/her Personal Data, and have the need to know or handle such Personal Data.

  1. TheNotification Obligation – the organization must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data.

    2. The organization endeavours to notify the individual about the purpose of collecting, use or disclosing the Personal Data during the collection of such information.

  1. The Access and Correction Obligation – the organization must, upon request,

    1. provide an individual with his/her personal data in the possession or under the control of the organization and information about the ways in which the personal data may have been used or disclosed during the past year; and
    2. correct an error or omission in an individual’s personal data that is in the possession or under the control of the organization.

    The organization endeavours to provide the individual with an account of their Personal Data that is in our possession or control.

  1. The Accuracy Obligation – the organization must make a reasonable effort to ensure that personal data collected by the organization is accurate and complete if the personal data is likely to be used by the organization to make a decision that affects the individual concerned or disclosed by the organization to another organization.

    2. The organization endeavours to ensure the individual’s Personal Data we use is sufficiently accurate and complete in making any decision that impacts him/her. To maintain the accuracy of Personal Data, we encourage all employees, suppliers and customers to inform us when there is any change to his/her Personal Data which they have provided us by informing the DPO. The organization will correct or complete the individual’s Personal Data as soon as reasonably practicable.

  1. The Protection Obligation– the organization must protect personal data in its possession or under its control by making reasonable, security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

    2. We endeavour to protect Personal Data in our possession or control against risks of unauthorized access, collection, use, disclosure, copying, modification, disposal or destructions, through reasonable and appropriate security measures.  We strive to ensure that our systems are secure and that they meet industry standards.  To prevent unauthorized access, maintain data accuracy and ensure the correct use of information, we have put in place appropriate physical, electronic, and management procedures to safeguard and secure the Personal Data we collect.

  1. The Retention Limitation Obligation– the organization must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that

    1. the purpose for which the personal data was collected is no longer being served by retention of the personal data, and
    2. retention is no longer necessary for legal or business purposes.

    We will retain an individual’s Personal Data as long as necessarily required or relevant for business or legal purposes.

  1. The Transfer Limitation Obligation– the organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.

    2. Personal Data of an individual may be transferred, stored and/or processed in overseas, our subsidiary included, and he/she consent to such transfer, storage and/or processing of his/her Personal Data outside Singapore.  We will however, ensure that any party to whom we transfer the Personal Data outside Singapore provides a standard of protection at least comparable to the protection under the Act. This includes without limitation ensuring that any party coming into contact with the Personal Data outside Singapore:

    • Complies with the ACT
    • Takes all appropriate measures to ensure such compliance by implementing such data handling procedures;
    • Protects the Personal Data by making reasonable security arrangements to prevent unauthorized access, use, disclosure or modification.

  1. The Openness Obligation – the organization must implement the necessary policies and procedures in order to meet its obligation under the PDPA and shall make information about its policies and procedures publicly available.

    2. The Act also imposes certain responsibilities on all those who process personal data in the organization.  These obligations include holding and using data in secure manner, making sure that data is handled in line with what individuals have been told, having appropriate arrangements in place for the access to (and sharing of) data, and making sure that individual’s data is accurate and retained for a suitable period.  If a data breach occurs (e.g. personal data is lost, stolen, inadvertently disclosed to an external party, or accidently published), this should be reported immediately to the DPO so that the circumstances can be reviewed and liaison with both internal and external authorities can be carried out.

    The organization implements this Policy and procedures diligently.


CONTACTING US

If you have any questions or complaints relating to the use or disclosure of your Personal Data, or if you wish to know more about our data protection policies and practices, please contact our Data Protection Office via email at dpo.kes93@sunright.com
 
© 2011 KES Systems & Service (1993) Pte Ltd. All Rights Reserved. Please read our disclaimer.