personal data protection act

personal data protection act

Background

The Singapore Personal Data Protection Act ­ (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA takes into account the following concepts:

  • Consent – Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);

  • Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and

  • Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

Consent

The consent may be agreed to as a separate form or as part of the general terms and conditions.

 

Parental Consent Clause

Danza Stella Data Protection Policy sets out how we collect and use personal data about you, so that we can provide the services necessary to you and appropriate to your membership in the Danza Stella community. The policy is written in accordance with the Singapore Personal Data Protection Act.

The Data Protection Policy is available on the Danza Stella website and may be amended from time to time.

  •  I agree to the online shop using my data in accordance with the stated policy.

Buyer Consent Clause

The Danza Stella Data Protection Policy sets out how we collect and use personal data about you and your family, so that we can provide the services necessary to your education and appropriate to your membership in Danza Stella community. The policy is written in accordance with the Singapore Personal Data Protection Act.

The Data Protection Policy is available on the Danza Stella website and may be amended from time to time.

  •  I agree to the online shop using my data in accordance with the stated policy.

Implied Consent

Where a person has made a free decision to opt in to a process or situation where the collection or use of personal data can be reasonably expected, then implied permission can be assumed, but should still be highlighted.

Situations where implied consent should be highlighted:

  • Employment applications submitted online (when applications are submitted)

  • Buyers Admissions Applications (the admissions process prior to acceptance)

  • Events held on either campus

  • CCTV at either campus

Data Collected and Purpose

Danza Stella holds personal data on its buyers, including: contact details, assessment/examination results, attendance information, behaviour, characteristics such as ethnic group, special educational needs, any relevant medical information and photographs.

The data is used in order to support the education of the buyers, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of Danza Stella as a whole, together with any other uses normally associated with this provision in an independent school environment.

Danza Stella recognises that whilst we hold personal data about individuals it is normal for schools to interact with families as a whole and not as separate individuals. So whilst we will obtain individual consent to use data for adults and students in Grade 8 and above, we will share data between family members as a matter of routine and allow family members to update each other information without further permission. The family in this case will be defined as a group of individuals identified to us as a single family during the application process and normally related as wife/husband, mother/father, brother/sister or any similar step relationship or legal guardianship.
Any changes to these relationships should be notified to Danza Stella in writing.

Danza Stella may make use of limited personal data (such as contact details) relating to buyers, their parents or guardians to maintain relationships with students of schools and for fundraising, marketing or promotional purposes.

Data is shared as necessary with third party companies to provide extended services, examples include transport, medical, catering, travel services and online services such as email.

In particular, Danza Stella may:

  1. Make available information to any internal organisation or society set up for the purpose of maintaining contact with buyers or for administration, fundraising, marketing or promotional purposes relating to Danza Stella, e.g. Alumni. Danza Stella will remain as the data controller and this policy will govern data usage.

  2. Make use of photographs, videos or sound recordings of students in publications, the website and other official communication channels, as well as in external media.

  3. Make personal data, including sensitive personal data, available to staff for planning activities and school trips, both in and outside of Singapore.

  4. Retain and use personal data after a student has graduated to provide references, meet local educational requirements, educational history and alumni services consistent with an independent school environment.

Data Security

Danza Stella undertakes to:

a) implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing of data involves the transmission or storage on or within a network.

These security measures will include:

  • industry standard firewall and other network security features

  • clear guidelines for staff on the device and network security expectations placed on them

  • robust data backup and recovery processes

  • periodic external security audits of online systems

b) notify data subjects about any accidental or unauthorised access of their data that may lead to damage or harm.

 

Data Retention & Removal

Danza Settla undertakes that it shall only keep the data collected as long as is necessary to provide the services outlined above.

Right of Access and Correction

Individuals have a right to see the data held about them (subject to the exemptions listed below) and to request for data to be corrected if it is incorrect.

Buyers will be provided access to data held at Danza Settla within the limitations of this policy.

Buyers can access the majority of personal data held about them via communications with Danza Stella.

To request for data to be changed that you do not have edit rights to, please contact us.

To request access to other data that may be recorded please contact the Admissions department with details of the data that you would like to see and your reasons. Danza Stella will consider the request and respond within five working days. The response may be to decline the request with reasons or to provide a time scale in which the data will be supplied.

 

Exemptions to Right of Access

The PDPA does not provide the right of access to any and all information held by an organisation. Therefore Danza Stella retains the right to refuse access to:

  • Opinion data kept for evaluative purposes

  • Examination papers or the results of examinations

  • Confidential references written to support a student's application to other educational institutions or courses

  • Data or material that would provide personal data about other individuals in contravention of this policy or the PDPA.

Sharing Data with Third Parties

Danza Stella shares personal data with a variety of third parties for the purposes of the third party providing a relevant service to the institution and the members of its community. Examples of these services include transport, catering, travel services, accommodation and medical care.

Danza Stella will only share data for the purposes of eliciting a necessary service from these third party organisations and not for commercial gain.

Where Danza Stella signs explicit contracts with these organisations it will include clauses from “Appendix A ­ Contracts with Third Parties” to ensure that the organisation is using the data purely for the intended purpose of providing the required service and that it is taking appropriate precautions to safeguard the data.

In some instances, for example for online services provided by companies outside of Singapore, explicit signed contracts do not exist. In these instances Danza Stella will ensure that the terms & conditions of the service include clauses that:

  • Danza Stella remains the owner of the data

  • the service provider is not entitled to use any data held on its service for any purpose other than to provide the required service

  • the service provider is taking reasonable precautions to ensure the security of the data

  • once Danza Stella terminates its agreement with the service provider, that any and all data held will be deleted and not used for any other purpose

Point of Contact

In the event of any queries or complaints in relation to data protection, please contact us @ enquiry.danzastella@gmail.com.

 

 

APPENDIX A - CONTRACTS WITH THIRD PARTIES

When signing contracts with any third party organisations that Danza Stella will share personal data with the contract should include the following clauses or entries to the same effect.

Data Protection and Danza Stella

Danza Stella collects and uses personal data about staff, students and families in accordance with the Singapore Data Protection Act (2012) and other relevant laws and requirements in Singapore.

As a result of the provision of your obligations under this agreement, you may have access to personal data about Danza Stella’s employees, buyers and/or other contacts. You must (and must ensure that your employees, agents, sub­contractors and representatives will) keep all such data secure and protected against improper disclosure or use as detailed in this agreement.

Definitions:

a) ‘Personal data’ shall refer to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access and all other data deemed protected under the Personal Data Protection Act 2012

b) ‘PDPA’ shall mean the personal Data Protection Act (2012)

c) ‘Danza Stella’ shall mean the entity who transfers the data to be used

d) ‘the company’ shall mean the processor who agrees to accept Danza Stella’s personal data intended for processing and use in accordance with this agreement.

1. Data Use

The store agrees and warrants:

a. that any personal data shared by Danza Stella or collected by the company as a result of providing the services covered in this agreement will be used solely for the purposes of providing the service detailed in this agreement

b. that no personal data collected or shared will be used to offer or solicit further services from the individuals concerned.

c. to process the personal data only on behalf of Danza Stella and in compliance with its instructions.

d. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law and do not violate the relevant laws of the Republic of Singapore in which Danza Stella resides.

e. that it shall promptly notify Danza Stella about any request for disclosure received directly from any authority or individual.

2. Data Security

The store agrees and warrants:

a. to implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing of data involves the transmission or storage on or within a network.

b. that it shall promptly notify Danza Stella about any accidental or unauthorised access of the data, or any loss of the data whether leading to unauthorised access or not.

3. Data Retention obligations after the termination of contract or services

The company agrees and warrants:

a. that on the termination of the contract or services that required data processing services, that the store shall, at the request of Danza Stella transfer all the data transferred and copies thereof to the data exporter or shall destroy all the personal data and certify that he has done so, unless legislation imposed on the data importer prevents him from returning or destroying all or part of the data transferred. In that case the store warrants that he will guarantee the confidentiality of the personal data and will not actively process the personal data transferred anymore. Once the legal requirement for retention has passed the store warrants that it will destroy all data retained.

4. Data Correctness and Right of Correction

The store agrees and warrants:

a. to provide Danza Stella on request all the personal details of individuals that have been collected as the result of this agreement and to amend or delete such data on request within the lifetime of the agreement.

5. Liability

a. The parties agree that if one party is held liable for a violation of the clauses committed by the other party in contravention of the PDPA, the latter will, to the extent he is liable, indemnify the first party from any cost, charge, damages, expenses or losses it has incurred.