Data Protection Policy
Introduction
1. The Singapore Personal Data Protection Act - 2012 (‘PDPA’) establishes a general data protection law in Singapore which governs the collection, use and disclosure of personal data by organisations in a manner that recognises both the rights of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
2. The purpose of this Data Protection Policy (DPP) is to inform individuals of how Crest Secondary School (‘the school’) manages personal data in accordance with the Personal Data Protection Act 2012 (“the Act”). This DPP supplements but does not supersede nor replace any other consent you may have previously provided to the School. The School may from time to time update this protection policy to ensure that it is consistent with our future developments, and/or any changes in legal or regulatory requirements.
Consent, Purpose Limitation and Notification Obligations
3. Under this DPP, “Personal Data” refers to any data or information about an individual who can be identified either (a) from that data; or (b) from that data and other information to which the School has or is likely to have access.
4. Collection of Personal Data
4.1. The School collects data on staff employment and student enrolment including but not limited to:
4.1.1. Staff - photographs, personal details, contact information, resume, educational information, employment information, terms of employment, payroll related information, performance appraisal details, medical information, attendance and training records.
4.1.2. Student – photographs, personal details, contact information, family details, household information, schooling information, test/examination results, achievements and contributions, CCA, attendance information, offences, medical and learning needs information.
4.2. The personal data are collected and stored in the School’s data management systems by authorized staff. Hardcopies of the personal data records are also kept with restricted access to the information.
5. Consent and Deemed Consent
5.1. For the School’s students (as minors), consent shall be obtained from the parent/guardian for the collection, use and disclosure of the personal data by the School. The consent form shall contain information on specific purposes for which such personal data will be collected, used and/or disclosed.
5.2. By voluntarily providing the School with your personal data, you shall be deemed to consent to the School collecting, using and disclosing the data provided for the purpose. Examples of such situations are staff employment and student enrolment. The School shall also highlight such situations and obtain explicit consent.
5.3. Individuals can withdraw their consent in respect of the collection, use or disclosure of their personal data for a specific purpose by submitting the Withdrawal of Consent form via email or in person, giving 2 weeks’ notice. The School will respond to all withdrawal requests within 30 days from the time the request is made.
5.4. The School may collect, use and/or disclose the personal data without the consent of the individual as set out in the Fourth Schedule of the PDPA. Some of these circumstances include:
5.4.1. To respond to an emergency that threatens the life, health or safety of the individual or another individual;
5.4.2. For the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual;
5.4.3. For cases in which the disclosure is necessary for any investigation or proceedings.
6. Use and Disclosure of Personal Data
6.1. The School may continue to use the personal data collected before the data protection requirements of the PDPA take effect on 2 July 2014 for the purposes for which the personal data was collected, unless the individual has withdrawn consent. If there is a fresh purpose for the use of such personal data, consent shall be obtained.
6.2. The personal data collected by the School is used for the following purposes:
6.2.1. To determine the suitability, eligibility or qualifications for employment, promotion in employment and/or continuance or removal of employment;
6.2.2. For admission of students to the School, awarding of awards and financial / social assistance, monitoring of the students’ progress, assessment of performance of students and the School as a whole, delivery of health services administered by the public agency and other uses associated with student matters or activities of a specialized school;
6.2.3. To provide personal data to the external auditors for audit purpose, and use of personal data for any other uses normally associated with this provision in a specialized school environment.
6.3. Data may be shared, as necessary, with third party vendors to provide services such as insurance, transport, travel services, health screening, information systems support and online services such as registration of training courses for staff. In particular, the School may:
6.3.1. Make use of the photographs, videos or sound recordings of staff and students in School publications, the School website and other official School communication channels such as Facebook;
6.3.2. Make personal data available to internal staff for planning of school-related activities, programmes and trips;
6.3.3. Retain and use personal data after a staff or student has left employment/graduated to provide references, employment/educational history or for alumni services.
6.4. When sharing data with the third parties, the School will only share data for the purposes of engaging a necessary service from these third party organisations.
6.5. When the School signs explicit contracts with these organisations, it will include the personal data protection clauses (Personal Data Privacy Statement & Declaration for Third Parties) to ensure that the organizations acknowledge that the data is used solely for the intended purpose of providing the required service and that it is taking appropriate measures to safeguard the data.
Access and Correction of Personal Data
7. The School, upon request by an individual, shall provide the individual with his/her personal data that is collected by the School and/or information about the ways in which the personal data has been used or disclosed by the School. However, the School retains the right to refuse access to:
7.1. Opinion data kept for evaluative purposes;
7.2. Examination papers or the results of examinations;
7.3. Confidential references written for students;
7.4. Data or material that provides personal data about other individuals in contravention of this policy or the PDPA.
8. The School, upon request by an individual to correct an error or omission in his/her personal data, shall respond to the request by making a correction, unless the School is satisfied on reasonable grounds that the correction should not be made.
9. The School is not required to make a correction in respect of the matters set out in the Sixth Schedule of the PDPA. Examples of such exceptions are:
9.1. opinion data kept solely for an evaluative purpose;
9.2. any examination conducted by the School, examination scripts and, prior to the release of examination results, examination results;
9.3. related to a prosecution if all proceedings related to the prosecution have not been completed;
9.4. any other materials deemed “confidential” by the School that may not be disclosed to the requestor.
10. The School will respond to all access and correction requests within 30 days from the time the request is made.
Protection and Retention of Personal Data
11. The School undertakes reasonable efforts to take appropriate and preventive measures to ensure that the individual’s personal data is adequately protected and secured. Appropriate security arrangements are implemented to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of the personal data. In particular, to safeguard the personal data, all electronic storage and transmission of personal data are secured with appropriate security technologies.
12. All personal data shall be retained by the School as long as there is a necessity to provide the services specified or outlined above.
Contacting Us – Withdrawal of Consent, Access and Correction of your Personal Data
13. The School respects your privacy and assures you that your personal data will be kept securely according to the Personal Data Protection Act. If you have any questions or feedback relating to your personal data or our DPP, would like to withdraw your consent to any use of your personal data as set out in this DPP, or would like to obtain access and make corrections to your personal data records, please contact the designated Data Protection Officers via email or walk-in:
Data Protection Officer: Ms Lee Siu Yuen
Email: info@crestsec.edu.sg
Address: Crest Secondary School, 561 Jurong East Street 24, Singapore 609561