1. CONSENT OBLIGATION
1.1 MCS-GC shall collect, use and disclose personal data in accordance with the PDPA and any other applicable written law. Without limiting the foregoing, MCS-GC may collect, use and disclose personal data of an individual:
(a) With the individual’s consent or deemed consent, as described below;
(b) Where the collection, use or disclosure of the individual’s personal data is required or permitted under the PDPA or any written law. Without limiting the foregoing, this includes (amongst others) the circumstances set out in the PDPA where such collection, use or disclosure:
(i) is in the vital interests of the individual;
(ii) is in the public interest or relates to matters affecting the public;
(iii) is in the legitimate interests of MCS-GC or another organisation; or
(c) Where required for any purpose reasonably related to, and/or necessary for us to fulfil the above purposes for collection, use or disclosure of personal data.
1.2 Prior to obtaining the consent of an individual for the collection, use or disclosure of his or her personal data, MCS-GC will inform the individual of the purposes for the collection, use and disclosure of the personal data.
1.3 MCS-GC may deem the individual has consented to the collection, use and disclosure of their personal data as follows:
(a) Deemed consent by conduct – where an individual: (i) voluntarily provides personal data to MCS-GC; (ii) is aware of the purpose for which the personal data is collected; and (iii) where it is reasonable in the circumstances that the personal data would be provided.
(b) Deemed consent by contractual necessity – where the individual provides such information for the purpose of a transaction and it is reasonably necessary in order for MCS-GC to fulfil the contract or conclude the transaction.
(c) Deemed consent by notification – where an individual has been notified of the purpose and how to opt out, but has not taken any action to opt out.
1.4 Generally, MCS-GC will collect personal data directly from the individuals. However, MCS-GC may also collect the individual’s personal data from third parties if required or permitted under the PDPA or any other written law, including where the individual has provided consent or is deemed to consent to such collection.
1.5 MCS-GC may collect, use and disclose personal data for its legitimate interests including (without limitation) for the purposes of security and prevention of misuse of services e.g. detecting or preventing illegal activities, threats to physical safety and security, and IT security.
1.6 Where MCS-GC has collected an individual’s personal data with his or her consent, the individual may withdraw consent in accordance with the PDPA, that is, with reasonable notice, and MCS-GC shall inform them of the likely consequences of withdrawal. Upon withdrawal of consent to the collection, use or disclosure of personal data for any purpose, MCS-GC shall cease to collect, use or disclose the personal data.
1.7 Depending on the nature and scope of the withdrawn consent, MCS-GC may not be able to fulfil certain services if individuals are unwilling to provide consent to the collection, use or disclosure of certain personal data. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under the PDPA or any written law.
2. PURPOSE LIMITATION OBLIGATION
2.1 MCS-GC shall only collect, use or disclose personal data for the purposes that a reasonable person would consider appropriate under the given circumstances.
2.2 MCS-GC collects, uses and discloses personal data for purposes stated below, but not limited to the following:
- Education and training;
- Event and programme organisation and management;
- Fundraising, donations, and activities for charitable causes;
- Human resource administration;
- Meeting regulatory requirements (Charity portal declaration);
- Members services;
- Missions organisation and management;
- Publicity and communications;
- Queries and requests handling;
- Service intermediation (insurance and banking); and
- Tenancy management.
3. NOTIFICATION OBLIGATION
3.1 MCS-GC shall notify individuals of the purposes for collection, use or disclosure of their personal data, on or before such collection, use or disclosure, unless notification is not required under the PDPA, including where an individual is deemed to consent to such collection, use or disclosure or such collection, use or disclosure without consent is required or permitted under the PDPA or any other written law.
3.2 MCS-GC may disclose an individual’s personal data (in accordance with the PDPA and this Policy) to the following group of external organisations for appropriate purposes:
- Agents, contractors, data intermediaries or third-party service providers who provide services to MCS-GC, such as telecommunications, mailing, information technology, payment, payroll, insurance, training, storage and archival;
- Banks and financial institutions;
- MCS-GC’s professional services providers such as lawyers and auditors;
- Relevant government regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by relevant government;
- Charity organisations; and
- Any relevant person related to achieving the intended purposes.
4. COLLECTION, USE AND DISCLOSURE OF NATIONAL REGISTRATION IDENTIFICATION CARD (NRIC)
4.1 In compliance with the Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers published on 31 August 2018, MCS-GC will only collect, use or disclose the NRIC data (e.g. NRIC number or photocopy the NRIC) of an individual, as required by:
- The law or the Government authorities; or
- MCS-GC to accurately establish or verify the identity of an individual to a high degree of fidelity.
4.2 Hence, MCS-GC will continue to collect and use NRIC data for the purposes stated below, but not limited to the following:
- Activities and programmes where details are required by event venue, travel, insurance, or other logistics arrangements;
- Church membership and baptism;
- Holy matrimony form; and
- Primary school registration.
5. VIDEO, AUDIO RECORDING AND PHOTOGRAPHY
5.1 Video footage, audio recording, and photographs may constitute personal data if an image of an identifiable individual is captured in a photography or video recording or identified from the audio recording. Thus, MCS-GC shall state clearly in its invitations or put up appropriate notices to inform volunteers and participants at events, about the use of photography and videography, and use of closed-circuit television (CCTV) and its purpose.
5.2 MCS-GC shall obtain the individual’s consent before using photographs and videos of them, if taken out of the context.
6. ACCESS AND CORRECTION OBLIGATION
MCS-GC shall allow individuals to request for access to, and correction of, their personal data that is in the possession or under the control of MCS-GC.
6.1 Access to the personal data
6.1.1 MCS-GC shall provide the information (including the use and disclosure history of the personal data that has occurred within a year of the date of request) as soon as reasonably possible or within 30 days after receiving the request. MCS-GC shall inform the individual in writing within 30 days of the time by which it will be able to respond to the request, if it is unable to respond within the stipulated timeframe.
6.1.2 MCS-GC is prohibited from providing an individual access if the provision of the personal data or other information could reasonably be expected to:
- Cause immediate or grave harm to the individual’s safety or physical or mental health;
- Threaten the safety or physical or mental health of another individual;
- Reveal personal data about another individual;
- Reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
- Be contrary to national interest.
6.2 Correction of personal data
6.2.1 MCS-GC recognises that the individual’s participation is essential in informing MCS-GC of any changes, error, or omission in his or her personal data, and shall provide facilities and processes to allow the individual to submit corrections to it.
6.2.2 MCS-GC shall correct an error or omission in an individual’s personal data upon his or her request, unless MCS-GC is satisfied on reasonable grounds that the correction should not be made.
6.2.3 If the individual’s personal data was disclosed by MCS-GC to any other organisation within one year prior to the correction request, MCS-GC shall notify those organisations of such corrections as soon as practicable, except if MCS-GC deems that the personal data is no longer relevant or needed by the organisation for the purpose that the disclosure was made earlier.
6.2.4 An individual need not submit a correction request under the PDPA if his or her intention is to update MCS-GC of any change in personal particulars (for example, contact information).
6.3 Request for access or correction
6.3.1 Request for access or correction of personal data by individuals shall be submitted to MCS-GC in writing.
6.3.2 MCS-GC may ask for additional information from the requestor to aid in processing the request. MCS-GC may respond to the requestor via telephone call, written note, or electronic mail.
6.3.3 MCS-GC may charge a reasonable fee to process a request for access to personal data.
7. ACCURACY OBLIGATION
7.1 MCS-GC shall make reasonable effort to ensure that personal data collected by or on behalf of MCS-GC is accurate and complete, if the personal data is likely to be used by MCS-GC to make a decision that affects the individual, or to be disclosed to another organisation.
8. PROTECTION OBLIGATION
8.1 MCS-GC shall adopt reasonable security arrangements to protect the personal data in its possession or under its control (whether in physical or electronic form), in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, and the loss of any storage medium or device on which personal data is stored.
9. RETENTION LIMITATION OBLIGATION
9.1 MCS-GC shall cease to retain an individual’s personal data (or remove the means by which it can be associated with particular individuals) when it is reasonable to assume that retention no longer serves the purposes for which the personal data was collected and retention is no longer necessary for legal or business purposes.
9.2 MCS-GC shall ensure the disposal of personal data is performed appropriately with minimal possibility of recovering the information from the disposal process.
10. TRANSFER LIMITATION OBLIGATION
10.1 MCS-GC shall only transfer personal data to a country or territory outside Singapore when required for business purposes. Such transfer shall be done in a manner that is secure and appropriately aligned with the requirements prescribed under the PDPA.
11. DATA BREACH NOTIFICATION OBLIGATION
11.1 In the event of a data breach, MCS-GC shall assess whether the data breach is notifiable, and notify the affected individuals and/or the Personal Data Protection Commission (PDPC) where it is assessed to be notifiable in accordance with the PDPA.
12. ACCOUNTABILITY OBLIGATION
12.1 MCS-GC shall publish its personal data protection policy on the MCS-GC website.
12.2 All enquiries, complaints, or requests (including withdrawal of consent, or access or correction of personal data) relating to the policy shall be submitted to the Data Protection Officer (DPO) in writing to this address: email@example.com
13. CHANGE POLICY
13.1 MCS-GC reserves the right to alter any of the clauses contained herein in compliance with local legislation, and for any other purpose deemed reasonably necessary by MCS-GC. You should look at these terms regularly. If you do not agree to the modified terms, you should inform us as soon as possible of the terms to which you do not consent. Pending such notice, if there is any inconsistency between these terms and the additional terms, the additional terms will prevail to the extent of the inconsistency.
1 The Personal Data Protection Act 2012 establishes a general data protection law in Singapore which governs the collection, use and disclosure of individuals’ personal data by organisations.
2 Organisation includes any individual, company, association or body of persons, corporate or unincorporated whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or place of business, in Singapore.