Personal Data Protection Policy
Your privacy is important to us. Boys’ Town takes our responsibility to protect your personal data seriously and are committed to comply strictly with our obligations under the Personal Data Protection Act 2012 (PDPA).
This Personal Data Protection Policy (“Policy”) sets out the basis on how Boys’ Town (“we”, “us”, or “our”) collects, uses, discloses, or otherwise processes your personal data in accordance with the PDPA. Terms used in this Policy shall have the meanings given to them in the PDPA (where the context so permits).
This Policy supplements but does not supersede nor replace any other consents which you may have previously provided to us in respect of your personal data, nor does it affect any right that we may have at law in connection with the collection, use, disclosure and/or retention of your personal data.
1. Your Personal Data
In this Policy, “personal data” means data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access to, including data in our records as may be updated from time to time.
Depending on the nature of your interaction with us, examples of personal data which we may collect from you include but are not limited to:
-
Your full name, other identification data such as NRIC/FIN, passport, or birth certificate
-
Contact information, such as personal mobile number, personal email address, residential/mailing address, and phone number
-
Facial image (in photo, video or CCTV recording), voice recording and/or any other audio-visual information
-
Health and medical records (physical, mental, or emotional health).
-
Educational and employment data
-
Payment related data, such as your bank, financial or credit card details
and/or any other personal data, which you have submitted to us in any other form or provided through other forms of interaction with us.
2. Collection, Use and Disclosure of your Personal Data
2.1 Consent, Notice and Purpose
We generally do not collect, use and/or disclose your personal data unles
a) it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after
i. you (or your authorised representative) have been notified of the purpose(s)
for which the data is collected, used and/or disclosed; and
ii. you (or your authorised representative) have provided written consent to the collection, use and/or the disclosure of your personal data for the purpose(s); or
b) you are deemed to have given your consent under the PDPA; or
c) collection, use and disclosure of personal data without consent is permitted or required by the PDPA or other laws.
For existing personal data collected before the Data Protection Provisions come into effect, Boy’s Town may continue to use it for the same purpose(s) for which it was collected. If the existing data is to be used for a different purpose or disclosed on or after 2 July 2014, Boy’s Town will obtain your approval or notify you accordingly, pursuant to section 2.3 of this policy.
2.2 Purposes for Collecting, Using or Disclosing Your Personal Data
In addition to verifying your identity, examples of purposes for which we may collect, use and/or disclose your personal data to any third party (in accordance with 2.1 above) include, but are not limited to:
Service User – if you are a prospective or existing user of our Key Domains - Residential/ Social Work, Fostering, Sanctuary Care, Clinical Intervention Centre and/or related services:
-
Processing enquiries and/or applications for services
-
Case management of primary client(s), parents, foster parents, family members, guardians, carers, and other relevant persons (where applicable)
-
Handling of personal data necessary for or incidental to the purpose of case management including but not limited to sharing and disclosure of personal data to schools, educational institutes, MSF and other governmental, regulatory authorities, community, family services and relevant agencies
-
Disclosure and sharing of social and financial data for purposes of grants and subsidies
-
Referral to medical services, mental health specialists including psychologists, therapists, counsellors, and/or other professionals
User of or Participant in Programmes, Events, Activities – if you are a prospective or existing user or participant in our Adventure, Youth Reach, or other Boys’ Town programmes, activities, or events:
-
Processing enquiries, applications and bookings for our programme, activities and/or events
-
Provision and management of programmes, events and activities applied for, booked and/or requested by you
-
Handling of personal data necessary for or incidental to the purpose of providing the programmes, events and/or activities
Donor – if you are a prospective or existing donor donating through our website, third party platforms, physical forms transmitted by post or email and/or by other means:
-
Managing our relationship with you
-
Processing your donations including tax deductions, where applicable
-
Where you voluntarily provide your personal data to make donations, transmitting your personal data to third-party websites, including payment portals, credit card companies and other payment applications
Volunteer – if you are a prospective or existing volunteer, volunteering through our website or by other means:
-
Processing your application through our website or otherwise
-
Assessing your suitability as a volunteer including transiting your personal data for background /MSF security screening purposes, if applicable
-
Establishing, managing, and monitoring your volunteer relationship with us
In addition to and/or for the furtherance of the purposes above, we may collect, use and/or disclose your personal data (with your prior consent, where necessary):
-
For responding to, handling and processing queries, requests, applications, complaints and feedback.
-
For updating your personal data and contact information.
-
For database management including the processing, hosting or storage of personal data through third-party data intermediaries, servers, systems and/or other service providers engaged to perform any of the functions with reference to the above – mentioned purposes.
-
For communications, publicity, public relations, marketing, fund raising and generally for raising awareness of our services, programmes, activities and events, such personal data may include photos, videos, audio recordings (with your consent, where necessary).
-
For managing the safety and security of our premises, services, and events including but not limited to carrying out CCTV surveillance.
-
For data evaluation, statistical analysis, research, planning, and development.
-
For audit, risk management and/or compliance.
-
For processing payments including tax deductions and insurance claims.
-
For complying with any applicable laws, regulations, codes of practice, guidelines, or requests by public agencies or to assist in law enforcement and investigations conducted by any government and/or regulatory authorities.
-
For any other incidental purposes related to or in connection with the above to perform the obligations necessary for the provision of the services, programmes, events, and activities required by you.
The purposes listed above may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including where applicable, a period to enable us to enforce our rights under any contract with you).
Deemed Consent
For your information, an individual is deemed to have given consent under the PDPA where the individual (i) voluntarily provides personal data; (ii) is aware of the purpose for which the personal data is collected; and (iii) where it is reasonable in the circumstances that the personal data would be provided.
Examples of purposes, for which you may be deemed to have given consent under the PDPA include but are not limited to:
Deemed consent by conduct - where your images are captured on our CCTV cameras within our premises or if you voluntarily pose for photos/videos taken by our photographer at one of our events.
Deemed consent for contractual necessity- where you (ii) have consented to the use of your personal data for a particular purpose and (ii) the use and/or disclosure of that personal data to other parties is reasonably necessary for the performance or conclusion of the contract.
Deemed consent by notification - where you are (i) notified of the intended use of your personal data (for example, a photo/video for publicity purposes); (ii) you are given a period of 14 days’ notice to opt out (in this example, of the publication of the photo/video) but you do not opt out within the specified time.
Exceptions to Consent under the PDPA
For your information, examples of exceptions to consent under the PDPA include but are not limited to:
-
publicly available data
-
an emergency that threatens life, health, or safety
-
legitimate interests- where the collection, use or disclosure of personal data without consent is in the lawful interest of an organisation or for a segment of the public
If you have any queries related to deemed consent, exceptions to consent under the PDPA or otherwise on the collection, use or disclosure of your personal data, please contact our Data Protection Officers (see contact details below).
2.3 Changing Purpose and Additional Data
Should your Personal Data be needed for a new purpose, your approval will be obtained prior to the use of your Personal Data for that purpose or you will be notified accordingly, provided that no exemption to the consent or notification obligation applies according to the PDPA.
3. Rights to Withhold and/or Withdraw Your Consent
3.1 Right to Withhold Consent
You have the right to withhold consent to the collection, use or disclosure of your personal data by giving notice of your intention to halt such collection, use, or disclosure to the Data Protection Officers (see contact details below).
3.2 Validity of your Consent
The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you or your authorised representative in writing.
3.3 Request to Withdraw Consent
You may withdraw your consent and request us to stop collecting, using and/or disclosing your personal data by submitting your request in writing or via email to our Data Protection Officers (see contact details below).
3.4 Processing a Request to Withdraw Consent
Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us.
In general, we shall seek to process your request within ten (10) business days of receiving it. Should we require more time to give effect to a withdrawal notice, we shall inform the individual of the timeframe by which the withdrawal of consent will take effect.
3.5 Notification of Consequences of Withholding or Withdrawing your Consent
Whilst we respect your decision to withhold or withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our services to you and we shall, in such circumstances, notify you before completing the processing of your request.
Should you decide to cancel your request to withhold or to withdraw consent, please inform our Data Protection Officers in writing or via email.
3.6 Post Withdrawal of Consent
Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data in accordance with the Data Protection Provisions, where such collection, use and disclosure without consent is permitted or required under applicable laws.
4. Access to and Correction of Personal Data
If you wish to make
a) an access request:
i. for access to a copy of the personal data which we hold about you; or
ii. information about the ways in which we have, or may have used or disclosed your personal data within (1) year before the date of your request: or
b) correction request to correct or update any of your personal data which we hold about you,
You may submit your request in writing or via email to our Data Protection Officers (see contact details below), subject to the exceptions referred to in Section 21(2) of the PDPA.
Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.
We will respond to your request as soon as reasonably possible. In general, our response will be within thirty (30) business days. Should we not be able to respond to your request within thirty
(30) business days after receiving your request, we will inform you in writing (within those thirty
(30) business days of the request) of the time by which we will be able to respond to your request.
If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so except where we are not required to do so under the PDPA.
5. Accuracy of Personal Data
We make reasonable efforts to ensure that personal data that we collect about you is accurate and complete. In order to ensure that your personal data is current, complete, and accurate, please update us if there are changes to your personal data by informing our Data Protection Officers in writing or via email (see contact details below).
We will not be responsible for relying on inaccurate or incomplete personal data arising from you not updating us of any changes to the personal data that you had initially provided to us. Failure to provide accurate and complete information may result in our inability to provide you with services you have requested and/or to process the necessary information.
We may, with your consent, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.
6. Protection of Personal Data
All collection, storage and transmission of personal data is secured with appropriate physical, technical, and administrative security measures.
You should be aware, however, that no method of transmission over the internet or method of electronic storage is completely secure. Whilst security cannot be guaranteed, we strive to protect the security of your personal data and are constantly reviewing and enhancing our security
measures.
7. Retention of Personal Data
We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
We will cease to retain your personal data or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected and is no longer necessary for legal or business purposes.
8. Transfers of Personal Data Outside of Singapore
We generally do not transfer your personal data to countries outside of Singapore. However, if we do so, we will obtain your consent for the transfer to be made and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.
9. Data Protection Officers
Boys’ Town has appointed Data Protection Officers (DPOs) to ensure compliance with our personal data protection obligations. Please contact our DPOs, if you:
-
have any enquiries relating to your personal data and/or our data protection policies, practices, and procedures.
-
would like to withhold or withdraw your consent to any use of your personal data.
-
would like to obtain access and make corrections/updates to your personal data records.
-
if you have any feedback or complaints.
Contact details: Telephone No: +65 6690 5420
Email address: DPO@boystown.org.sg
Address: Boys’ Town, 624 Upper Bukit Timah Road, Singapore 678212
10. Changes to Policy
We may revise this Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date that this Policy was last updated which is located at the bottom of the page.
Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
11. Effect of Policy
This Policy applies in conjunction with any other policies, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of personal data by us.
Updated May 2021