Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and retention of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt-out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

“Personal Data” refers to any data about an individual who can be identified (a) from that data; or (b) from that data and other information to which SINDA has or are likely to have access to.

Examples of such Personal Data include (depending on the nature of interactions) name, NRIC, passport or any other identification number, telephone number(s), mailing address, email addresses, transactional data and any other information relating to any individuals provided through any forms submitted or via other modes of interactions

Generally, we collect Personal Data:

1. when forms are submitted, including but not limited to the application (manual/online), declaration, or referral forms;
2. through interactions with staff, including front desk officers, via telephone calls (which may be recorded), letters, fax, face-to-face meetings and email;
3. when images are captured via CCTV cameras of persons within SINDA  premises, or via photographs or videos taken by SINDA representatives or  staff,  of attendees of events hosted by SINDA;
4. when persons request to be contacted, be included in an email or another mailing list; or when they respond to SINDA’s request for additional Personal Data;
5. when employment applications,  documents or other  information including resumes and/or curriculum vitae in connection with any appointment as a staff officer, volunteer or any other position are submitted;
6. when electronic services are used, interactions with SINDA via its website or when availing its services;
7. when Personal Data is submitted for any other reason.

When providing Personal Data relating to a third party (e.g. information of dependent, spouse, children and/or parents) to us, it is implied that  the consent of that third party has been obtained for the collection, use and disclosure of the Personal Data for the purposes listed above

Information on the beneficiary and any other third party (e.g. dependents, spouse, children and/or parents), may be collected and retained by SINDA on software and technologies provided by third-party vendors. These vendors include

1. 365 Smart SMS
2. Apsis Asia
3. Google (and related services)
4. HireRabbit
5. InMotion Hosting
6. Mailchimp
7. Microsoft Dynamics CRM
8. Paypal
9. SingHost
10. Survey Monkey
11. WordPress
12. Wufoo
13. Zapier
14. Zendesk

The respective third-party vendor’s privacy and data collection policies will apply in the above case. SINDA reserves the right to amend the above list of the third party at its discretion.

Use of Cookies

Aggregate information is collected concerning the

1. use of this Web Site, including which pages are most frequently visited, how many visitors this Web Site receives daily, and how long visitors stay on each page.
2. users of SINDA’s website (for example, store users’ preferences and record session information) and the information that we collect is then used to ensure a more personalised service level.

Settings can be adjusted in the browser for receiving notification when receiving a cookie. Should there be a need to be disabling the cookies associated with these technologies, it can be done by changing the settings on the browser. However, by doing so, certain functions or enter certain part(s) of its website may not be usable.

NRIC Handling

From 1 September 2019, under the Personal Data Protection Commission (PDPC) Advisory Guidelines on NRIC, organisations are generally not allowed to collect, use or disclose NRIC number (or copies of NRIC), but they may do so when:

1. the collection, use or disclosure of NRIC numbers (or copies of NRIC) is required under the law (or an exception under PDPA applies); and
2. the collection, use or disclosure of NRIC numbers (or copies of NRIC) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity

SINDA will continue to collect full NRIC details for verification and/or record purposes for the following:

1. Provision of social services
2. Application for government subsidy or schemes
3. Assessment for suitability for referral grants, subsidies and services
4. Process applications and respond to enquiries for its programmes
5. Verify identity for provision of SINDA services and granting programme fee subsidy
6. Compliance with the legal process or requirements of any government agency

There are instances where SINDA will not collect NRIC, and these will involve areas where there is no requirement for verification or record purposes as identified above.

Pursuant to provisions in the PDPA, SINDA has policies and practices in place for compliance. As a good practice, SINDA will continue to notify the individual of the purpose for the collection, use or disclosure, as the case may be.

Generally, we use Personal Data in the following ways:

1. programmes and services hosted by SINDA;
2. programmes and services hosted by any agency selected by SINDA;
3. responding to, processing and handling complaints, queries, requests, feedback and suggestions;
4. verifying identity;
5. managing the administrative and business operations of the organisation and complying with internal policies and procedures;
6. matching any Personal Data held by us for any of the purposes listed herein;
7. requesting feedback or participation in surveys, as well as analysis for statistical, profiling or other purposes for us to design its services, understand client, preferences, and to review, develop and improve the quality of its programmes and services;
8. managing the safety and security of its premises and services (including but not limited to carrying out CCTV surveillance and conducting security clearances);
9. project management;
10. providing media announcements, interviews and responses;
11. organising community-based events;
12. managing and preparing reports on incidents and accidents;
13. preventing and detecting crime;
14. complying with any applicable rules, laws and regulations, codes of practice or guidelines or assisting  in law enforcement and investigations by relevant authorities; and/or
15. Any other purpose relating to any of the above

Generally accepted standards of technology and operational security have been implemented to protect the personal data under its possession or control and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

All SINDA staff follows a network-wide security policy. Only authorised SINDA staffs are provided access to personally identifiable information.

Personal data will be retained only for such period of time the purpose of collection of that personal data is still being served, and retention is still necessary for legal or business purposes.

Personal data that is kept will be destroyed after a reasonable period in line with its retention policy from the time when it becomes outdated or is no longer required for the purpose for which it was collected or when we receive the request to delete it.

Thereafter, we will decide on the appropriate means by which we will cease to retain the personal data depending on the nature of the personal data and the media it is kept/stored. This may include but not be limited to the destruction of documents or deletion of electronic data.